Google Redirect



#1
metrospy

Hello there,

I've had an annoying little Google/search engine redirect now for just over a week, it seems. I've tried various pieces of software, which have cleared off minor things like tracking cookies etc.; however, they are all now showing clean, but unfortunately my Google redirect problem still remains. I followed the steps in your guide to removing Google redirects here:

http://www.geekstogo...ts-t267407.html

My GooredFix log:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 23:25 on 04/04/2010 (Steve)
Firefox version 3.6.3 (en-GB)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:34 01/11/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [18:08 01/11/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [23:23 01/12/2009]

C:\Users\Steve\Application Data\Mozilla\Firefox\Profiles\8qxu66hx.default\extensions\
{73a6fe31-595d-460b-a920-fcc0f8843232} [18:18 04/04/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

---------- Old Logs ----------
GooredFix[22.24.42_04-04-2010].txt
GooredFix[22.24.51_04-04-2010].txt

-=E.O.F=-

My TDSSKiller log:

23:25:58:187 2784 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
23:25:58:187 2784 ================================================================================
23:25:58:187 2784 SystemInfo:

23:25:58:187 2784 OS Version: 6.1.7600 ServicePack: 0.0
23:25:58:187 2784 Product type: Workstation
23:25:58:187 2784 ComputerName: STEVE-PC
23:25:58:188 2784 UserName: Steve
23:25:58:188 2784 Windows directory: C:\Windows
23:25:58:188 2784 Processor architecture: Intel x86
23:25:58:188 2784 Number of processors: 2
23:25:58:188 2784 Page size: 0x1000
23:25:58:189 2784 Boot type: Normal boot
23:25:58:189 2784 ================================================================================
23:25:58:192 2784 UnloadDriverW: NtUnloadDriver error 2
23:25:58:192 2784 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:25:58:344 2784 wfopen_ex: Trying to open file C:\Windows\system32\config\system
23:25:58:344 2784 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:25:58:344 2784 wfopen_ex: Trying to KLMD file open
23:25:58:344 2784 wfopen_ex: File opened ok (Flags 2)
23:25:58:358 2784 wfopen_ex: Trying to open file C:\Windows\system32\config\software
23:25:58:358 2784 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:25:58:358 2784 wfopen_ex: Trying to KLMD file open
23:25:58:359 2784 wfopen_ex: File opened ok (Flags 2)
23:25:58:364 2784 Initialize success
23:25:58:364 2784
23:25:58:364 2784 Scanning Services ...
23:25:59:074 2784 Raw services enum returned 450 services
23:25:59:084 2784
23:25:59:084 2784 Scanning Kernel memory ...
23:25:59:084 2784 Devices to scan: 2
23:25:59:084 2784
23:25:59:084 2784 Driver Name: USBSTOR
23:25:59:084 2784 IRP_MJ_CREATE : 90599A02
23:25:59:084 2784 IRP_MJ_CREATE_NAMED_PIPE : 82ABB537
23:25:59:084 2784 IRP_MJ_CLOSE : 90599A7A
23:25:59:084 2784 IRP_MJ_READ : 90599AF2
23:25:59:084 2784 IRP_MJ_WRITE : 90599AF2
23:25:59:084 2784 IRP_MJ_QUERY_INFORMATION : 82ABB537
23:25:59:084 2784 IRP_MJ_SET_INFORMATION : 82ABB537
23:25:59:084 2784 IRP_MJ_QUERY_EA : 82ABB537
23:25:59:084 2784 IRP_MJ_SET_EA : 82ABB537
23:25:59:084 2784 IRP_MJ_FLUSH_BUFFERS : 82ABB537
23:25:59:084 2784 IRP_MJ_QUERY_VOLUME_INFORMATION : 82ABB537
23:25:59:084 2784 IRP_MJ_SET_VOLUME_INFORMATION : 82ABB537
23:25:59:084 2784 IRP_MJ_DIRECTORY_CONTROL : 82ABB537
23:25:59:084 2784 IRP_MJ_FILE_SYSTEM_CONTROL : 82ABB537
23:25:59:084 2784 IRP_MJ_DEVICE_CONTROL : 905995FE
23:25:59:084 2784 IRP_MJ_INTERNAL_DEVICE_CONTROL : 9058C656
23:25:59:084 2784 IRP_MJ_SHUTDOWN : 82ABB537
23:25:59:084 2784 IRP_MJ_LOCK_CONTROL : 82ABB537
23:25:59:084 2784 IRP_MJ_CLEANUP : 82ABB537
23:25:59:084 2784 IRP_MJ_CREATE_MAILSLOT : 82ABB537
23:25:59:084 2784 IRP_MJ_QUERY_SECURITY : 82ABB537
23:25:59:084 2784 IRP_MJ_SET_SECURITY : 82ABB537
23:25:59:084 2784 IRP_MJ_POWER : 905979BA
23:25:59:084 2784 IRP_MJ_SYSTEM_CONTROL : 9059488E
23:25:59:084 2784 IRP_MJ_DEVICE_CHANGE : 82ABB537
23:25:59:084 2784 IRP_MJ_QUERY_QUOTA : 82ABB537
23:25:59:084 2784 IRP_MJ_SET_QUOTA : 82ABB537
23:25:59:094 2784 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:25:59:094 2784
23:25:59:094 2784 Driver Name: nvstor32
23:25:59:094 2784 IRP_MJ_CREATE : 8A660B1C
23:25:59:094 2784 IRP_MJ_CREATE_NAMED_PIPE : 82ABB537
23:25:59:094 2784 IRP_MJ_CLOSE : 8A660BC1
23:25:59:094 2784 IRP_MJ_READ : 82ABB537
23:25:59:094 2784 IRP_MJ_WRITE : 82ABB537
23:25:59:094 2784 IRP_MJ_QUERY_INFORMATION : 82ABB537
23:25:59:094 2784 IRP_MJ_SET_INFORMATION : 82ABB537
23:25:59:094 2784 IRP_MJ_QUERY_EA : 82ABB537
23:25:59:094 2784 IRP_MJ_SET_EA : 82ABB537
23:25:59:094 2784 IRP_MJ_FLUSH_BUFFERS : 82ABB537
23:25:59:094 2784 IRP_MJ_QUERY_VOLUME_INFORMATION : 82ABB537
23:25:59:094 2784 IRP_MJ_SET_VOLUME_INFORMATION : 82ABB537
23:25:59:094 2784 IRP_MJ_DIRECTORY_CONTROL : 82ABB537
23:25:59:094 2784 IRP_MJ_FILE_SYSTEM_CONTROL : 82ABB537
23:25:59:094 2784 IRP_MJ_DEVICE_CONTROL : 8A660C66
23:25:59:094 2784 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A6304B1
23:25:59:094 2784 IRP_MJ_SHUTDOWN : 82ABB537
23:25:59:094 2784 IRP_MJ_LOCK_CONTROL : 82ABB537
23:25:59:094 2784 IRP_MJ_CLEANUP : 82ABB537
23:25:59:094 2784 IRP_MJ_CREATE_MAILSLOT : 82ABB537
23:25:59:094 2784 IRP_MJ_QUERY_SECURITY : 82ABB537
23:25:59:094 2784 IRP_MJ_SET_SECURITY : 82ABB537
23:25:59:094 2784 IRP_MJ_POWER : 8A630556
23:25:59:094 2784 IRP_MJ_SYSTEM_CONTROL : 8A660DB8
23:25:59:094 2784 IRP_MJ_DEVICE_CHANGE : 82ABB537
23:25:59:094 2784 IRP_MJ_QUERY_QUOTA : 82ABB537
23:25:59:094 2784 IRP_MJ_SET_QUOTA : 82ABB537
23:25:59:114 2784 C:\Windows\system32\DRIVERS\nvstor32.sys - Verdict: 1
23:25:59:114 2784
23:25:59:114 2784 Completed
23:25:59:114 2784
23:25:59:114 2784 Results:
23:25:59:114 2784 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
23:25:59:114 2784 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:25:59:114 2784 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:25:59:114 2784
23:25:59:114 2784 fclose_ex: Trying to close file C:\Windows\system32\config\system
23:25:59:114 2784 fclose_ex: Trying to close file C:\Windows\system32\config\software
23:25:59:114 2784 KLMD(ARK) unloaded successfully


Sadly, neither appears to have picked up the issue, and the redirect problem still occurs.

I then moved on to your Malware and Spyware cleaning guide:

http://www.geekstogo...uide-t2852.html

Malwarebytes log:

Malwarebytes' Anti-Malware 1.44
Database version: 3890
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

04/04/2010 23:36:25
mbam-log-2010-04-04 (23-36-25).txt

Scan type: Quick Scan
Objects scanned: 106264
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-05 00:11:17
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Steve\AppData\Local\Temp\uglcypob.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1BAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1B104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1B3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A03634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A03898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1B1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1B958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1B6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1BF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1C1A8

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\ACPI_HAL \Device\00000044 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

OTL logs:

OTL logfile created on: 05/04/2010 00:17:02 - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Users\Steve\Downloads
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 69.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 162.69 Gb Free Space | 54.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEVE-PC
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/05 00:12:50 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Downloads\OTL.exe
PRC - [2010/04/02 13:59:00 | 001,265,264 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/04/02 13:59:00 | 000,818,256 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/01/11 22:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/07/17 16:48:16 | 000,180,224 | ---- | M] () -- C:\Windows\System32\WinService.exe


========== Modules (SafeList) ==========

MOD - [2010/04/05 00:12:50 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Downloads\OTL.exe
MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/02 13:59:00 | 001,265,264 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/03/09 15:13:53 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/01/11 22:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/11/16 09:12:54 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2009/07/20 13:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2007/07/17 16:48:16 | 000,180,224 | ---- | M] () [Auto | Running] -- C:\Windows\System32\WinService.exe -- (SCM_Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DC BB D0 B6 4B D2 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.61

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/04 19:20:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 19:20:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/04/02 11:09:36 | 000,000,000 | ---D | M]

[2009/11/01 18:34:39 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Mozilla\Extensions
[2010/04/04 19:18:19 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\8qxu66hx.default\extensions
[2010/04/04 19:18:16 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\8qxu66hx.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/03/23 22:16:27 | 000,001,820 | ---- | M] () -- C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\8qxu66hx.default\searchplugins\bing.xml
[2010/04/04 19:18:19 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/13 22:27:39 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/03/13 22:27:39 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/03/13 22:27:39 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/03/13 22:27:39 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} http://assets.photob...?20091105115744 (PhotoboxPhotowaysUploader5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/...SetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/14 03:37:08 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/04 23:24:42 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\GooredFix Backups
[2010/04/04 19:17:22 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/04/02 18:15:57 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\SUPERAntiSpyware.com
[2010/04/02 17:11:45 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/02 11:29:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2010/04/02 11:29:33 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/02 11:09:36 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
[2010/04/02 11:09:36 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/01 21:27:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2010/04/01 21:27:08 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/01 21:02:47 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/03/28 19:21:48 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\Google

========== Files - Modified Within 14 Days ==========

[2010/04/05 00:18:06 | 004,194,304 | -HS- | M] () -- C:\Users\Steve\NTUSER.DAT
[2010/04/04 23:36:41 | 000,013,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/04 23:36:41 | 000,013,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/04 23:35:33 | 000,619,206 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/04 23:35:33 | 000,107,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/04 23:35:32 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/04 23:32:07 | 000,001,003 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/04 23:30:05 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/04/04 23:29:36 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/04 23:29:36 | 000,000,308 | -HS- | M] () -- C:\Windows\tasks\Yxxnpzr.job
[2010/04/04 23:29:34 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/04 23:29:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/04 23:29:28 | 2213,453,824 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/04 23:28:53 | 001,142,075 | -H-- | M] () -- C:\Users\Steve\AppData\Local\IconCache.db
[2010/04/04 23:26:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/04 18:24:01 | 000,015,944 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/04/02 18:09:20 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/04/02 18:09:20 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/04/02 18:08:16 | 000,000,089 | ---- | M] () -- C:\Windows\wininit.ini
[2010/04/01 21:27:30 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/03/28 19:22:49 | 000,002,242 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk

========== Files Created - No Company Name ==========

[2010/04/04 23:30:05 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/04/02 18:09:20 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2010/04/02 18:09:20 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2010/04/02 18:08:16 | 000,000,089 | ---- | C] () -- C:\Windows\wininit.ini
[2010/04/02 11:29:46 | 000,015,944 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/03/28 19:22:49 | 000,002,242 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/03/28 19:21:56 | 000,000,882 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/28 19:21:55 | 000,000,878 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/16 22:15:33 | 000,064,512 | RHS- | C] () -- C:\Windows\System32\InkEdp.dll
[2010/02/20 16:43:24 | 000,001,498 | ---- | C] () -- C:\Users\Steve\.recently-used.xbel
[2009/11/10 00:56:32 | 000,000,324 | ---- | C] () -- C:\Windows\game.ini
[2009/11/02 00:11:53 | 000,139,128 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2009/11/02 00:11:52 | 000,138,056 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\PnkBstrK.sys
[2009/11/01 18:04:05 | 004,194,304 | -HS- | C] () -- C:\Users\Steve\NTUSER.DAT
[2009/11/01 18:04:05 | 000,524,288 | -HS- | C] () -- C:\Users\Steve\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2009/11/01 18:04:05 | 000,524,288 | -HS- | C] () -- C:\Users\Steve\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2009/11/01 18:04:05 | 000,262,144 | -HS- | C] () -- C:\Users\Steve\ntuser.dat.LOG1
[2009/11/01 18:04:05 | 000,065,536 | -HS- | C] () -- C:\Users\Steve\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2009/11/01 18:04:05 | 000,000,020 | -HS- | C] () -- C:\Users\Steve\ntuser.ini
[2009/11/01 18:04:05 | 000,000,000 | -HS- | C] () -- C:\Users\Steve\ntuser.dat.LOG2
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll

========== LOP Check ==========

[2009/12/06 20:44:37 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\gtk-2.0
[2010/03/18 20:43:18 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\ICAClient
[2010/03/18 20:37:18 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Juniper Networks
[2009/11/01 18:09:44 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Leadertech
[2009/11/27 21:11:46 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\SumatraPDF
[2009/12/27 16:29:53 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Ubisoft
[2010/04/01 16:34:10 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\uTorrent
[2010/04/04 23:30:05 | 000,000,370 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job
[2010/03/27 09:08:49 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/04/04 23:29:36 | 000,000,308 | -HS- | M] () -- C:\Windows\Tasks\Yxxnpzr.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVRAID.SYS >
[2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) MD5=3F3D04B1D08D43C16EA7963954EC768D -- C:\Windows\System32\drivers\nvraid.sys
[2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) MD5=3F3D04B1D08D43C16EA7963954EC768D -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvraid.sys
[2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) MD5=3F3D04B1D08D43C16EA7963954EC768D -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvraid.sys

< MD5 for: NVRD32.SYS >
[2009/08/04 18:44:12 | 000,139,296 | ---- | M] (NVIDIA Corporation) MD5=6F922993C8AA8BF555B0A8428AAB5731 -- C:\NVIDIA\nForceWinVista\15.51\English\IDE\Win7\sataraid\nvrd32.sys
[2009/08/04 18:44:12 | 000,139,296 | ---- | M] (NVIDIA Corporation) MD5=6F922993C8AA8BF555B0A8428AAB5731 -- C:\NVIDIA\nForceWinVista\15.51\English\IDE\WinVista\sataraid\nvrd32.sys

< MD5 for: NVSTOR.SYS >
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: NVSTOR32.SYS >
[2009/08/04 18:44:14 | 000,213,024 | ---- | M] (NVIDIA Corporation) MD5=269DE658DEAF032564E8B6430B5BD170 -- C:\NVIDIA\nForceWinVista\15.51\English\IDE\Win7\sataraid\nvstor32.sys
[2009/08/04 18:44:14 | 000,213,024 | ---- | M] (NVIDIA Corporation) MD5=269DE658DEAF032564E8B6430B5BD170 -- C:\NVIDIA\nForceWinVista\15.51\English\IDE\WinVista\sataraid\nvstor32.sys
[2009/08/04 18:43:40 | 000,213,024 | ---- | M] (NVIDIA Corporation) MD5=3FF57A9A657C9690ECBC8B1E3B6E3979 -- C:\NVIDIA\nForceWinVista\15.51\English\IDE\Win7\sata_ide\nvstor32.sys
[2009/08/04 18:43:40 | 000,213,024 | ---- | M] (NVIDIA Corporation) MD5=3FF57A9A657C9690ECBC8B1E3B6E3979 -- C:\NVIDIA\nForceWinVista\15.51\English\IDE\WinVista\sata_ide\nvstor32.sys
[2009/08/04 18:43:40 | 000,213,024 | ---- | M] (NVIDIA Corporation) MD5=3FF57A9A657C9690ECBC8B1E3B6E3979 -- C:\Windows\System32\drivers\nvstor32.sys
[2009/08/04 18:43:40 | 000,213,024 | ---- | M] (NVIDIA Corporation) MD5=3FF57A9A657C9690ECBC8B1E3B6E3979 -- C:\Windows\System32\DriverStore\FileRepository\nvstor32.inf_x86_neutral_40ee9c3d357e7b66\nvstor32.sys

< MD5 for: SCECLI.DLL >
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/03/16 22:15:33 | 000,064,512 | RHS- | M] () Unable to obtain MD5 -- C:\Windows\System32\InkEdp.dll

< %systemroot%\Tasks\*.job /lockedfiles >
[2010/04/04 23:29:36 | 000,000,308 | -HS- | M] () Unable to obtain MD5 -- C:\Windows\Tasks\Yxxnpzr.job

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< End of report >

OTL Extras log:-

OTL Extras logfile created on: 05/04/2010 00:17:02 - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Users\Steve\Downloads
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 69.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 162.69 Gb Free Space | 54.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEVE-PC
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.scr [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{000E79B7-E725-4F01-870A-C12942B7F8E4}" = Crysis®
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{12520A80-8124-4630-A288-61B6BCDD94B3}" = IES VE-Ware/Toolkits
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{3AC8457C-0385-4BEA-A959-E095F05D6D67}" = Battlefield: Bad Company™ 2
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4102037D-E8E0-48E0-B203-E521D194FB71}" = NETGEAR WG111v2 wireless USB 2.0 adapter
"{597E70FF-7C46-4EED-8092-91B7C2E0529D}" = Google SketchUp 7
"{656C0E21-331E-11DF-81CE-005056806466}" = Google Earth
"{6864ABC3-A982-436B-BEF1-5652D6303361}" = ESET NOD32 Antivirus
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{894084B6-BC69-43B7-BF06-B93AECFEA520}" = GameSpy Comrade
"{8CFA9151-6404-409A-AF22-4632D04582FD}" = Assassin's Creed
"{90120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{90120000-0014-0000-0000-0000000FF1CE}_PRO_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0014-0000-0000-0000000FF1CE}_PRO_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PRO_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PRO_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PRO_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A62F50D4-EED7-4417-A382-E89ABCF11BAC}" = SketchUp DWG Importer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{D53A3D44-C983-4D21-ABF6-2AA2AB88FB28}" = Battlefield Bad Company 2 - BETA
"{DCFD26A8-60A5-4C69-A52D-264D0386FDB3}" = Microsoft Xbox 360 Accessories 1.2
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E10DB5DA-E576-40EA-A7FC-1CB2A7B283A6}" = NVIDIA PhysX
"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F59A3B93-6C1C-4C3E-BCC4-4897490E2963}" = LG Bluetooth Drivers
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Fraps" = Fraps (remove only)
"Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"OpenAL" = OpenAL
"PRO" = Microsoft Office Professional 2007
"PunkBusterSvc" = PunkBuster Services
"Steam App 10180" = Call of Duty: Modern Warfare 2
"Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
"Steam App 12750" = GRID
"Steam App 17410" = Mirror's Edge
"Steam App 24860" = Battlefield 2
"Steam App 35110" = Just Cause 2 Demo
"Steam App 400" = Portal
"Steam App 440" = Team Fortress 2
"Steam App 500" = Left 4 Dead
"Steam App 590" = Left 4 Dead 2 Demo
"SumatraPDF" = Sumatra PDF reader
"Tomb Raider: Underworld" = Tomb Raider: Underworld 1.0
"uTorrent" = µTorrent
"WinGimp-2.0_is1" = GIMP 2.6.7

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Juniper_Citrix_Services" = Juniper Citrix Services Client
"Juniper_Networks_Cache_Cleaner 6.5.0" = Juniper Networks Cache Cleaner 6.5.0
"Juniper_Setup_Client" = Juniper Networks Setup Client
"Juniper_Term_Services" = Juniper Terminal Services Client
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 16/03/2010 13:59:43 | Computer Name = Steve-PC | Source = VSS | ID = 8194
Description =

Error - 16/03/2010 14:46:42 | Computer Name = Steve-PC | Source = Application Hang | ID = 1002
Description = The program NOTEPAD.EXE version 6.1.7600.16385 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 33c Start
Time: 01cac538f1695508 Termination Time: 0 Application Path: C:\Windows\system32\NOTEPAD.EXE

Report
Id: 418b9529-312c-11df-9eca-00044b0081d7

Error - 16/03/2010 17:46:07 | Computer Name = Steve-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Ecotect.exe, version: 2010.0.0.2, time
stamp: 0x00000000 Faulting module name: nvoglv32.DLL, version: 8.17.11.9621, time
stamp: 0x4b4c0709 Exception code: 0xc0000005 Fault offset: 0x006d3591 Faulting process
id: 0x5b0 Faulting application start time: 0x01cac54e67d45ca0 Faulting application
path: C:\Program Files\Autodesk\Ecotect Analysis 2010\Ecotect.exe Faulting module
path: C:\Windows\system32\nvoglv32.DLL Report Id: 53597bd0-3145-11df-9da6-00044b0081d7

Error - 16/03/2010 20:37:34 | Computer Name = Steve-PC | Source = Application Error | ID = 1000
Description = Faulting application name: PerfectGold.exe, version: 2.0.0.0, time
stamp: 0x4b93dafd Faulting module name: PerfectGold.exe, version: 2.0.0.0, time
stamp: 0x4b93dafd Exception code: 0xc0000005 Fault offset: 0x002bd969 Faulting process
id: 0x1348 Faulting application start time: 0x01cac569958208bc Faulting application
path: C:\Program Files\GEEdit2\PerfectGold.exe Faulting module path: C:\Program
Files\GEEdit2\PerfectGold.exe Report Id: 46c628ec-315d-11df-b2ae-941394bcd74a

Error - 17/03/2010 16:08:25 | Computer Name = Steve-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
- search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
in element "assemblyIdentity" is invalid.

Error - 17/03/2010 18:26:12 | Computer Name = Steve-PC | Source = Application Error | ID = 1000
Description = Faulting application name: GooredFix.exe, version: 2.0.0.679, time
stamp: 0x4b4786c3 Faulting module name: ntdll.dll, version: 6.1.7600.16385, time
stamp: 0x4a5bdadb Exception code: 0xc0000008 Fault offset: 0x0007f49f Faulting process
id: 0xf8c Faulting application start time: 0x01cac620d00ed2f0 Faulting application
path: C:\Users\Steve\Downloads\GooredFix.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: 176d6c10-3214-11df-9f97-afb23b8fd872

Error - 17/03/2010 20:02:43 | Computer Name = Steve-PC | Source = Application Hang | ID = 1002
Description = The program SketchUp.exe version 7.1.6860.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 1534 Start
Time: 01cac62890ec5f90 Termination Time: 30 Application Path: C:\Program Files\Google\Google
SketchUp 7\SketchUp.exe Report Id: 90b8c531-3221-11df-a039-a73e7d706d4e

Error - 20/03/2010 14:36:47 | Computer Name = Steve-PC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 26/03/2010 14:39:10 | Computer Name = Steve-PC | Source = Application Hang | ID = 1002
Description = The program firefox.exe version 1.9.2.3727 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: e40 Start
Time: 01cacd111a3ceeec Termination Time: 12 Application Path: C:\Program Files\Mozilla
Firefox\firefox.exe Report Id: dc0688d9-3906-11df-ae67-00044b0081d7

Error - 04/04/2010 18:24:44 | Computer Name = Steve-PC | Source = Application Error | ID = 1000
Description = Faulting application name: GooredFix.exe, version: 2.0.0.679, time
stamp: 0x4b4786c3 Faulting module name: ntdll.dll, version: 6.1.7600.16385, time
stamp: 0x4a5bdadb Exception code: 0xc0000005 Fault offset: 0x0002fc47 Faulting process
id: 0x928 Faulting application start time: 0x01cad44598dd880c Faulting application
path: C:\Users\Steve\Downloads\GooredFix.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: de19dd6c-4038-11df-9687-00044b0081d7

[ System Events ]
Error - 04/04/2010 14:24:24 | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 04/04/2010 14:24:24 | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 04/04/2010 14:29:25 | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 04/04/2010 14:29:25 | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 04/04/2010 14:29:25 | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 04/04/2010 14:31:32 | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 04/04/2010 14:31:32 | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 04/04/2010 14:31:32 | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 04/04/2010 18:30:46 | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 04/04/2010 18:39:34 | Computer Name = Steve-PC | Source = DCOM | ID = 10010
Description =


< End of report >


If you can provide any help that'd be great! Many thanks for taking a look.


#2
RKinner (Malware Expert, Expert, MVP, 24,625 posts)
Copy the text between the lines of stars by highlighting and Ctrl + c
***************************************************************************************************
:OTL
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

:Files
C:\Windows\tasks\Yxxnpzr.job
C:\Windows\System32\InkEdp.dll

:Commands
[purity]
[emptytemp]
[Reboot]

*******************************************************************

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done.

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and rename this file (call it george.exe) to your Desktop, from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Reboot now, please :!:

Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:

OTL Log
MBAM log
Combofix log

Ron
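As an added example (not code from either post, and not OTL's own code), the following Python triage pass reads OTL custom-scan lines and flags the two things the fix script above acts on: locked files with hidden/system attributes that OTL could not hash, and driver names whose copies carry different MD5s. The sample excerpt is constructed from entries quoted in the log above; the regexes and function names are my own assumptions about the log format.

```python
"""Triage helper for OTL custom-scan output (added example, not part of the thread).

It surfaces two patterns a reviewer looks for in the '< MD5 for: X >' and
'/lockedfiles' sections: files OTL could not hash that are hidden/system and
carry no company name, and one driver name appearing under several MD5s.
"""
import re
from collections import defaultdict

# Constructed excerpt in OTL's custom-scan format; the file names and hashes are
# the ones quoted in the log earlier in this thread.
SAMPLE_LOG = r"""
< MD5 for: NVSTOR32.SYS >
[2009/08/04 18:44:14 | 000,213,024 | ---- | M] (NVIDIA Corporation) MD5=269DE658DEAF032564E8B6430B5BD170 -- C:\NVIDIA\nForceWinVista\15.51\English\IDE\Win7\sataraid\nvstor32.sys
[2009/08/04 18:43:40 | 000,213,024 | ---- | M] (NVIDIA Corporation) MD5=3FF57A9A657C9690ECBC8B1E3B6E3979 -- C:\Windows\System32\drivers\nvstor32.sys

< MD5 for: ATAPI.SYS >
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< %systemroot%\system32\*.dll /lockedfiles >
[2010/03/16 22:15:33 | 000,064,512 | RHS- | M] () Unable to obtain MD5 -- C:\Windows\System32\InkEdp.dll

< %systemroot%\Tasks\*.job /lockedfiles >
[2010/04/04 23:29:36 | 000,000,308 | -HS- | M] () Unable to obtain MD5 -- C:\Windows\Tasks\Yxxnpzr.job

< %systemroot%\system32\drivers\*.sys /lockedfiles >
"""

# Section header such as '< MD5 for: ATAPI.SYS >' or '< %systemroot%\Tasks\*.job /lockedfiles >'.
HEADER_RE = re.compile(r"^<\s*(?P<scan>.+?)\s*>$")
MD5_HEADER_RE = re.compile(r"^MD5 for:\s*(?P<name>\S+)$")
# One entry line: [mtime | size | attributes | M] (company) MD5=... | Unable to obtain MD5 -- path
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[^|]+?)\s*\|\s*\w\]\s*"
    r"\((?P<company>[^)]*)\)\s*(?:MD5=(?P<md5>[0-9A-Fa-f]{32})|Unable to obtain MD5)"
    r"\s*--\s*(?P<path>.+?)\s*$"
)


def parse_custom_scan(text):
    """Return a list of entry dicts, each tagged with the scan header it sits
    under and, for '< MD5 for: X >' blocks, the lower-cased file name X."""
    entries, scan, md5_name = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            scan = h.group("scan")
            m = MD5_HEADER_RE.match(scan)
            md5_name = m.group("name").lower() if m else None
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue  # tolerate lines in a layout we do not recognise
        entries.append({
            "scan": scan,
            "md5_name": md5_name,
            "attr": e.group("attr"),
            "company": e.group("company").strip(),
            "md5": (e.group("md5") or "").upper() or None,
            "path": e.group("path"),
        })
    return entries


def find_md5_conflicts(entries):
    """Map file name -> {md5: [paths]} for names whose copies disagree on MD5.
    Distinct hashes can be benign (a vendor shipping several driver builds, as
    with nvstor32.sys here), so this is a prompt to look closer, not a verdict."""
    by_name = defaultdict(lambda: defaultdict(list))
    for e in entries:
        if e["md5_name"] and e["md5"]:
            by_name[e["md5_name"]][e["md5"]].append(e["path"])
    return {name: dict(hashes) for name, hashes in by_name.items() if len(hashes) > 1}


def find_locked_suspects(entries):
    """Paths from '/lockedfiles' scans that OTL could not hash and that carry a
    hidden (H) or system (S) attribute with no company name: the shape of the
    two items the fix script removes."""
    out = []
    for e in entries:
        if e["scan"] and "/lockedfiles" in e["scan"] and e["md5"] is None:
            if any(flag in e["attr"] for flag in "HS") and not e["company"]:
                out.append(e["path"])
    return out


if __name__ == "__main__":
    ents = parse_custom_scan(SAMPLE_LOG)
    for name, hashes in find_md5_conflicts(ents).items():
        print(f"{name}: {len(hashes)} distinct MD5s across {sum(map(len, hashes.values()))} copies")
    for path in find_locked_suspects(ents):
        print("locked, hidden/system, no MD5:", path)
```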

#3
metrospy (Topic Starter, New Member, 3 posts)
Many thanks!

OTL log 1:-

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Malwarebytes Anti-Malware (reboot) deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
========== FILES ==========
C:\Windows\tasks\Yxxnpzr.job moved successfully.
C:\Windows\System32\InkEdp.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Steve
->Temp folder emptied: 935967 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 72377646 bytes
->Flash cache emptied: 1071 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 23926852 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 93.00 mb


OTL by OldTimer - Version 3.2.1.0 log created on 04052010_104150

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


OTL Log 2:-

OTL logfile created on: 05/04/2010 10:45:10 - Run 2
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Users\Steve\Downloads
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 162.69 Gb Free Space | 54.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEVE-PC
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/05 00:12:50 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Downloads\OTL.exe
PRC - [2010/04/04 19:20:05 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/02 13:59:00 | 001,265,264 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/04/02 13:59:00 | 000,818,256 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/01/11 22:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2009/11/16 09:03:32 | 002,054,360 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/20 13:30:50 | 000,813,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sppsvc.exe
PRC - [2009/07/10 13:42:32 | 000,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2007/07/17 16:48:16 | 000,180,224 | ---- | M] () -- C:\Windows\System32\WinService.exe


========== Modules (SafeList) ==========

MOD - [2010/04/05 00:12:50 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Downloads\OTL.exe
MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/02 13:59:00 | 001,265,264 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/03/09 15:13:53 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/01/11 22:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/11/16 09:12:54 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2009/07/20 13:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2007/07/17 16:48:16 | 000,180,224 | ---- | M] () [Auto | Running] -- C:\Windows\System32\WinService.exe -- (SCM_Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DC BB D0 B6 4B D2 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.61

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/04 19:20:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 19:20:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/04/02 11:09:36 | 000,000,000 | ---D | M]

[2009/11/01 18:34:39 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Mozilla\Extensions
[2010/04/05 10:44:08 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\8qxu66hx.default\extensions
[2010/04/04 19:18:16 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\8qxu66hx.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/03/23 22:16:27 | 000,001,820 | ---- | M] () -- C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\8qxu66hx.default\searchplugins\bing.xml
[2010/04/05 10:39:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/13 22:27:39 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/03/13 22:27:39 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/03/13 22:27:39 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/03/13 22:27:39 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} http://assets.photob...?20091105115744 (PhotoboxPhotowaysUploader5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/...SetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/05 10:41:50 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/05 10:39:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/04/05 10:39:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/04 23:24:42 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\GooredFix Backups
[2010/04/02 18:15:57 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\SUPERAntiSpyware.com
[2010/04/02 17:11:45 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/02 11:29:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2010/04/02 11:29:33 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/02 11:09:36 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
[2010/04/02 11:09:36 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/01 21:27:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2010/04/01 21:27:08 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/01 21:02:47 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/03/28 19:21:48 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\Google

========== Files - Modified Within 14 Days ==========

[2010/04/05 10:43:44 | 004,194,304 | -HS- | M] () -- C:\Users\Steve\NTUSER.DAT
[2010/04/05 10:43:05 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/04/05 10:42:42 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/05 10:42:41 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/05 10:42:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/05 10:42:28 | 2213,453,824 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/05 10:39:45 | 000,013,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/05 10:39:44 | 000,013,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/05 10:38:42 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/05 10:38:42 | 000,619,206 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/05 10:38:42 | 000,107,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/05 01:27:31 | 001,195,309 | -H-- | M] () -- C:\Users\Steve\AppData\Local\IconCache.db
[2010/04/05 01:26:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/04 23:32:07 | 000,001,003 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/04 18:24:01 | 000,015,944 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/04/02 18:09:20 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/04/02 18:09:20 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/04/02 18:08:16 | 000,000,089 | ---- | M] () -- C:\Windows\wininit.ini
[2010/04/01 21:27:30 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/03/28 19:22:49 | 000,002,242 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk

========== Files Created - No Company Name ==========

[2010/04/05 10:43:05 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/04/02 18:09:20 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2010/04/02 18:09:20 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2010/04/02 18:08:16 | 000,000,089 | ---- | C] () -- C:\Windows\wininit.ini
[2010/04/02 11:29:46 | 000,015,944 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/03/28 19:22:49 | 000,002,242 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/03/28 19:21:56 | 000,000,882 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/28 19:21:55 | 000,000,878 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/20 16:43:24 | 000,001,498 | ---- | C] () -- C:\Users\Steve\.recently-used.xbel
[2009/11/10 00:56:32 | 000,000,324 | ---- | C] () -- C:\Windows\game.ini
[2009/11/02 00:11:53 | 000,139,128 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2009/11/02 00:11:52 | 000,138,056 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\PnkBstrK.sys
[2009/11/01 18:04:05 | 004,194,304 | -HS- | C] () -- C:\Users\Steve\NTUSER.DAT
[2009/11/01 18:04:05 | 000,524,288 | -HS- | C] () -- C:\Users\Steve\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2009/11/01 18:04:05 | 000,524,288 | -HS- | C] () -- C:\Users\Steve\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2009/11/01 18:04:05 | 000,262,144 | -HS- | C] () -- C:\Users\Steve\ntuser.dat.LOG1
[2009/11/01 18:04:05 | 000,065,536 | -HS- | C] () -- C:\Users\Steve\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2009/11/01 18:04:05 | 000,000,020 | -HS- | C] () -- C:\Users\Steve\ntuser.ini
[2009/11/01 18:04:05 | 000,000,000 | -HS- | C] () -- C:\Users\Steve\ntuser.dat.LOG2
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll

========== LOP Check ==========

[2009/12/06 20:44:37 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\gtk-2.0
[2010/03/18 20:43:18 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\ICAClient
[2010/03/18 20:37:18 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Juniper Networks
[2009/11/01 18:09:44 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Leadertech
[2009/11/27 21:11:46 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\SumatraPDF
[2009/12/27 16:29:53 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Ubisoft
[2010/04/01 16:34:10 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\uTorrent
[2010/04/05 10:43:05 | 000,000,370 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job
[2010/03/27 09:08:49 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >

MalwareBytes Log:-

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3955

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

05/04/2010 11:38:11
mbam-log-2010-04-05 (11-38-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 280973
Time elapsed: 45 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Combofix Log:-

ComboFix 10-04-04.01 - Steve 05/04/2010 12:40:22.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.2815.1599 [GMT 1:00]
Running from: c:\users\Steve\Desktop\george.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 11:45 . 2010-04-05 11:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-05 11:40 . 2010-04-05 11:40 -------- d-----w- c:\users\Steve\AppData\Local\ESET
2010-04-05 09:52 . 2010-03-29 14:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 09:52 . 2010-03-29 14:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 09:41 . 2010-04-05 09:41 -------- d-----w- C:\_OTL
2010-04-05 09:39 . 2010-04-05 09:39 -------- d-----w- c:\program files\Common Files\Java
2010-04-02 17:15 . 2010-04-04 18:17 -------- d-----w- c:\users\Steve\AppData\Roaming\SUPERAntiSpyware.com
2010-04-02 16:11 . 2010-04-04 18:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-02 12:59 . 2010-04-02 12:59 516480 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScannerAddin.dll
2010-04-02 12:59 . 2010-04-02 12:59 17632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-04-02 10:29 . 2010-04-04 17:24 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-02 10:29 . 2010-04-02 10:29 -------- d-----w- c:\programdata\Hitman Pro
2010-04-02 10:29 . 2010-04-02 10:29 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-02 10:09 . 2010-04-02 10:09 -------- d-----w- c:\program files\ESET
2010-04-01 20:27 . 2010-04-01 20:27 -------- d-----w- c:\programdata\Alwil Software
2010-04-01 20:27 . 2010-04-01 20:27 -------- d-----w- c:\program files\Alwil Software
2010-04-01 20:02 . 2010-04-04 18:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-30 19:09 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-28 18:21 . 2010-03-28 18:22 -------- d-----w- c:\users\Steve\AppData\Local\Google
2010-03-21 11:43 . 2010-03-21 11:43 -------- d-----w- c:\users\Steve\AppData\Roaming\Malwarebytes
2010-03-21 11:43 . 2010-04-05 09:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 11:43 . 2010-03-21 11:43 -------- d-----w- c:\programdata\Malwarebytes
2010-03-20 22:33 . 2010-03-20 18:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-20 18:36 . 2010-03-20 18:36 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-20 18:36 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-20 18:36 . 2010-03-20 18:37 -------- d-----w- c:\programdata\Lavasoft
2010-03-20 18:36 . 2010-03-20 18:36 -------- d-----w- c:\program files\Lavasoft
2010-03-20 16:57 . 2010-03-20 16:57 -------- d-----w- C:\NCM
2010-03-18 19:43 . 2010-03-18 19:43 -------- d-----w- c:\users\Steve\AppData\Roaming\ICAClient
2010-03-18 19:42 . 2010-03-18 19:42 73728 ----a-r- c:\users\Steve\AppData\Roaming\Microsoft\Installer\{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}\liteico.exe.827545C6_7013_4DE1_8E6C_DAEE4C57F54A.exe
2010-03-18 19:42 . 2010-03-18 19:42 73728 ----a-r- c:\users\Steve\AppData\Roaming\Microsoft\Installer\{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}\ARPICON.exe
2010-03-18 19:42 . 2010-03-18 19:42 -------- d-----w- c:\users\Steve\AppData\Local\Citrix
2010-03-17 00:34 . 2010-03-17 00:34 3026 ----a-w- c:\windows\system32\drivers\hwinterface.sys
2010-03-17 00:33 . 2010-03-17 00:34 -------- d-----w- c:\program files\GEEdit2
2010-03-16 23:38 . 2010-03-16 23:38 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-16 22:47 . 2010-04-04 18:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-16 21:19 . 2010-03-16 21:19 -------- d-----w- c:\programdata\FLEXnet
2010-03-16 21:17 . 2010-03-16 21:17 -------- d-----w- c:\programdata\Autodesk
2010-03-07 17:28 . 2010-03-07 17:28 -------- d--h--r- c:\users\Steve\AppData\Roaming\SecuROM
2010-03-07 16:54 . 2010-01-11 21:00 4332136 ----a-w- c:\windows\system32\NVStWiz.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 09:49 . 2009-11-01 17:44 -------- d-----w- c:\programdata\NVIDIA
2010-04-05 09:39 . 2009-11-01 18:08 -------- d-----w- c:\program files\Java
2010-04-04 18:17 . 2009-11-01 17:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-01 15:34 . 2009-11-01 18:24 -------- d-----w- c:\users\Steve\AppData\Roaming\uTorrent
2010-03-28 18:22 . 2010-02-20 15:53 -------- d-----w- c:\program files\Google
2010-03-20 18:37 . 2010-03-20 18:37 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-20 18:37 . 2010-03-20 18:37 95024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-20 18:37 . 2010-03-20 18:37 598368 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-03-20 18:37 . 2010-03-20 18:37 566608 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-20 18:37 . 2010-03-20 18:37 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-20 18:37 . 2010-03-20 18:37 1230160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-20 18:37 . 2010-03-20 18:37 247120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-20 18:37 . 2010-03-20 18:37 6330848 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-20 18:37 . 2010-03-20 18:37 17480 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-18 19:37 . 2010-02-22 21:02 -------- d-----w- c:\users\Steve\AppData\Roaming\Juniper Networks
2010-03-18 19:37 . 2010-02-23 19:29 234792 ----a-w- c:\users\Steve\AppData\Roaming\Juniper Networks\Java Secure Application Manager\jsamtool.exe
2010-03-13 22:37 . 2009-11-01 18:34 -------- d-----w- c:\program files\Steam
2010-03-10 23:43 . 2009-12-08 17:57 -------- d-----w- c:\programdata\Microsoft Help
2010-03-09 20:38 . 2009-11-01 23:11 139128 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-09 20:38 . 2009-11-01 23:11 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-09 18:42 . 2009-11-01 18:34 -------- d-----w- c:\program files\Common Files\Steam
2010-03-09 03:28 . 2009-11-01 18:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-07 17:21 . 2009-11-01 23:11 138056 ----a-w- c:\users\Steve\AppData\Roaming\PnkBstrK.sys
2010-03-07 17:21 . 2009-11-01 23:11 138056 ----a-w- c:\users\Steve\AppData\Roaming\PnkBstrK.sys
2010-03-07 17:20 . 2010-01-30 20:07 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-03-07 17:20 . 2009-11-01 23:11 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-07 17:04 . 2009-11-01 22:58 -------- d-----w- c:\program files\Electronic Arts
2010-03-07 16:54 . 2009-11-01 17:44 -------- d-----w- c:\program files\NVIDIA Corporation
2010-02-24 18:44 . 2009-11-01 18:25 -------- d-----w- c:\program files\uTorrent
2010-02-24 09:16 . 2009-11-01 17:21 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 19:33 . 2010-02-23 19:33 162656 ----a-w- c:\users\Steve\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2010-02-22 21:03 . 2010-02-22 21:03 292704 ----a-w- c:\users\Steve\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2010-02-21 22:55 . 2010-02-21 18:40 -------- d-----w- c:\program files\LG Electronics
2010-02-21 18:43 . 2010-02-21 18:43 -------- d-----w- c:\program files\MSXML 4.0
2010-02-21 18:42 . 2009-11-01 17:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-21 18:42 . 2010-02-21 18:42 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-20 16:07 . 2010-02-20 16:07 -------- d-----w- c:\programdata\IESLink
2010-02-20 16:04 . 2010-02-20 16:04 -------- d-----w- c:\programdata\ies
2010-02-20 16:01 . 2010-02-20 16:01 -------- d-----w- c:\program files\IES
2010-02-20 10:00 . 2010-02-20 10:00 -------- d-----w- c:\program files\iTunes
2010-02-20 10:00 . 2010-02-20 10:00 -------- d-----w- c:\program files\iPod
2010-02-20 10:00 . 2010-01-03 15:19 -------- d-----w- c:\program files\Common Files\Apple
2010-02-20 09:58 . 2010-02-20 09:58 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-04 15:53 . 2010-03-20 18:37 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-02 07:45 . 2010-02-23 19:28 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-18 23:29 . 2010-02-09 18:30 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29 . 2010-02-09 18:30 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29 . 2010-02-09 18:30 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29 . 2010-02-09 18:30 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28 . 2010-02-09 18:30 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28 . 2010-02-09 18:30 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28 . 2010-02-09 18:30 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28 . 2010-02-09 18:30 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-12 18:31 . 2009-11-01 18:23 108824 ----a-w- c:\users\Steve\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-11 22:18 . 2010-01-11 22:18 962664 ----a-w- c:\windows\system32\nvsvc.dll
2010-01-11 22:18 . 2010-01-11 22:18 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-01-11 22:18 . 2010-01-11 22:18 1515112 ----a-w- c:\windows\system32\nvsvcr.dll
2010-01-11 22:18 . 2010-01-11 22:18 13679720 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-11 22:18 . 2010-01-11 22:18 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-01-11 22:18 . 2010-01-11 22:18 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-08 03:18 . 2010-02-09 18:30 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17 . 2010-02-09 18:30 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-11-1 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 12:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 18:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
2009-09-30 17:57 718688 ----a-w- c:\program files\Microsoft Xbox 360 Accessories\XBoxStat.exe

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-28 136176]
R2 SCM_Service;SCM_Service;c:\windows\System32\WinService.exe [2007-07-17 180224]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-19 21728]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
S1 hwinterface;hwinterface;c:\windows\system32\Drivers\hwinterface.sys [2010-03-17 3026]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2009-12-18 95896]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-02 1265264]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-01-11 240232]
S3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\DRIVERS\lgbtport.sys [2009-06-19 12032]
S3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\DRIVERS\lgbtbus.sys [2009-06-19 10496]
S3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\DRIVERS\lgvmodem.sys [2009-06-19 12928]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2007-12-26 288768]

.
Contents of the 'Scheduled Tasks' folder

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 12:59]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-28 18:21]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-28 18:21]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20091105115744
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\8qxu66hx.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\users\Steve\AppData\Roaming\Mozilla\plugins\npicaN.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-573916433-1136016603-1936599637-1000\Software\SecuROM\License information*]
"datasecu"=hex:15,e0,c4,89,5e,c2,3c,dc,e6,c5,b1,9f,f3,5d,24,98,4f,ac,34,06,e2,
a8,c9,e0,98,e0,26,75,f3,11,18,be,ec,20,47,1c,c6,d6,00,84,4b,78,c4,50,df,f6,\
"rkeysecu"=hex:ea,e2,b7,6d,55,6e,e3,b9,47,5a,1c,54,e1,8e,bb,08

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-04-05 12:47:46
ComboFix-quarantined-files.txt 2010-04-05 11:47

Pre-Run: 174,599,913,472 bytes free
Post-Run: 174,517,129,216 bytes free

- - End Of File - - 3663FCCF2B2AE2E2162D991A3B313F13


Once again thanks for taking a look.
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Are you still getting redirected?

Did you intentionally kill off UAC? I see this:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

But MS says the values should be 0, 1 or 2 so I'm not sure what 5 and 3 do for you.

Ron
  • 0
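As an added example that is not part of this thread (it is not Ron's or Steve's code), here is a PowerShell snippet that reads the same UAC policy values Ron quotes from the ComboFix log and translates them into the meanings Microsoft documents for each value, flagging the combinations that leave a machine without a working elevation prompt. The value tables are my own transcription of the documented UAC policy settings; the registry path is the one shown in the log.

```powershell
# Added example: audit the UAC policy values that appear in the ComboFix log.
# Value-to-meaning tables are transcribed from Microsoft's documentation of the
# "User Account Control" security policy settings; this is not thread code.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Behavior of the elevation prompt for administrators in Admin Approval Mode
$adminBehavior = @{
    0 = 'Elevate without prompting (no prompt at all for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}

# Behavior of the elevation prompt for standard users
$userBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-UacSetting {
    # Returns the DWORD as an int, or $null when the value is absent
    # (an absent value means the Windows default applies).
    param([string]$Name)
    $props = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Name) { return $null }
    return [int]$props.$Name
}

function Get-UacDescription {
    param([hashtable]$Table, $Value)
    if ($null -eq $Value) { return 'not set (Windows default applies)' }
    if ($Table.ContainsKey([int]$Value)) { return $Table[[int]$Value] }
    return "undocumented value $Value - worth investigating"
}

$findings = @()

$enableLua = Get-UacSetting -Name 'EnableLUA'
if ($enableLua -eq 0) {
    $findings += 'EnableLUA=0: UAC is switched off; admin processes start fully elevated.'
}

$admin = Get-UacSetting -Name 'ConsentPromptBehaviorAdmin'
"ConsentPromptBehaviorAdmin = $admin : $(Get-UacDescription $adminBehavior $admin)"
if ($admin -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin=0: anything running as the admin user elevates silently.'
}

$user = Get-UacSetting -Name 'ConsentPromptBehaviorUser'
"ConsentPromptBehaviorUser = $user : $(Get-UacDescription $userBehavior $user)"

$secureDesktop = Get-UacSetting -Name 'PromptOnSecureDesktop'
if ($secureDesktop -eq 0) {
    $findings += 'PromptOnSecureDesktop=0: prompts appear on the normal desktop and can be overlaid by other windows.'
}

$uiaToggle = Get-UacSetting -Name 'EnableUIADesktopToggle'
if ($uiaToggle -eq 1) {
    $findings += 'EnableUIADesktopToggle=1: UIAccess applications may prompt without the secure desktop.'
}

if ($findings.Count -eq 0) {
    'No weakened UAC settings found.'
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```

Run it from an elevated or a normal PowerShell session (the key is world-readable); on the values in the log above it reports 5 and 3 as the documented consent-prompt settings and raises no warning, which is consistent with Steve's reply that UAC was left at its default notification level.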

#5
metrospy

metrospy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Thanks Ron, I appreciate your hard work.

I can confirm that I am no longer being redirected and all seems completely fine. Have been using it today and no problems to report.

I have left UAC set to "Default - Notify me only when programs try to make changes to my computer"

I can confirm that to my knowledge this was the setting that it was on whilst I performed the scans.

Many thanks

Steve
  • 0
