Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Google Search Redirect

Started by rockshard , Sep 12 2010 07:56 PM

Please log in to reply

#1
rockshard

Posted 12 September 2010 - 07:56 PM

New Member

Member
7 posts

Hello,
I am having an issue with my Google search results redirecting me to sites unrelated to my topic of interest. I want to add thank you up here so in doesn't get lost in the mess of logs.
So far I have done the following:

Step 1: Ran a scan with Panda Cloud Antivirus program. This didn't fix the issue, however the following is a scan report in case it helps.

Event Date/Time Status More details
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Scan ...\9/11/2010 1 Finished Scanning: All My Computer
Suspicious file detected ...\9/11/2010 1 Neutralized. Location: C:\Users\[myUserName]\Desktop\boit\Caliburst.dll
Adware detected Adware/AntimalwareDoctor ...\9/11/2010 1 Deleted. Location: C:\Users\[myUserName]\AppData\Roaming\D985AA8207F98488EF5D865A40137A01\enemies-names.txt
Suspicious file detected ...\9/11/2010 1 Neutralized. Location: C:\ProgramData\ResultDns\resultdns112.exe
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQEA76.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQD761.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQB2C6.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQAC95.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQC6CB.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQB247.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQA546.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQ985B.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQ5A06.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQ50A5.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQ6A3C.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQ6F6B.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQ5410.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQ4382.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQ27AA.tmp
Trojan detected Trj/Katusha.M ...\9/11/2010 1 Deleted. Location: C:\ProgramData\Symantec\SRTSP\Quarantine\APQ10B.tmp
Cookie detected Cookie/QuestionMarket 9/11/2010 7:38:57 AM Deleted. Location: C:\Users\[myUserName]\AppData\Roaming\Mozilla\Firefox\Profiles\jq9zx3mc.default\cookies.sqlite[.questionmarket.com/]
Cookie detected Cookie/Doubleclick 9/11/2010 7:38:57 AM Deleted. Location: C:\Users\[myUserName]\AppData\Roaming\Mozilla\Firefox\Profiles\jq9zx3mc.default\cookies.sqlite[.doubleclick.net/]
Cookie detected Cookie/Mediaplex 9/11/2010 7:38:57 AM Deleted. Location: C:\Users\[myUserName]\AppData\Roaming\Mozilla\Firefox\Profiles\jq9zx3mc.default\cookies.sqlite[.mediaplex.com/]
Cookie detected Cookie/Atlas DMT 9/11/2010 7:38:57 AM Deleted. Location: C:\Users\[myUserName]\AppData\Roaming\Mozilla\Firefox\Profiles\jq9zx3mc.default\cookies.sqlite[.atdmt.com/]
Cookie detected Cookie/Apmebf 9/11/2010 7:38:56 AM Deleted. Location: C:\Users\[myUserName]\AppData\Roaming\Mozilla\Firefox\Profiles\jq9zx3mc.default\cookies.sqlite[.apmebf.com/]
Cookie detected Cookie/Advertising 9/11/2010 7:38:56 AM Deleted. Location: C:\Users\[myUserName]\AppData\Roaming\Mozilla\Firefox\Profiles\jq9zx3mc.default\cookies.sqlite[.advertising.com/]
Scan 9/11/2010 7:38:35 AM Started Scanning: All My Computer ===========================================================================================================================================================================================
Step 2: Followed instructions on http://www.geekstogo...ogle-redirects/

Step 3: Followed instructions on http://www.geekstogo...cleaning-guide/

Following are the OTL logs:

OTL logfile created on: 9/12/2010 8:57:01 PM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Users\[myUserName]\Downloads\Tools to fix google redirect virus
Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 37.45 Gb Free Space | 33.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: [myComputerName]
Current User Name: [myUserName]
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/12 20:20:22 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\[myUserName]\Downloads\Tools to fix google redirect virus\OTL.exe
PRC - [2010/08/24 22:31:19 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/08/24 22:31:10 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/08/23 18:59:04 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\steam.exe
PRC - [2010/05/14 15:06:28 | 000,406,848 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
PRC - [2010/04/30 13:47:28 | 000,136,448 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
PRC - [2010/03/08 22:52:48 | 000,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2009/11/19 23:51:10 | 000,323,392 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
PRC - [2009/10/31 01:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/10/06 19:08:16 | 007,772,704 | ---- | M] (Realtek Semiconductor) -- C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
PRC - [2009/07/20 13:30:50 | 000,813,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/07/13 21:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/10 13:42:32 | 000,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008/04/24 14:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 14:25:22 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2007/06/02 15:59:08 | 001,457,152 | ---- | M] (Phoenix Labs) -- C:\Program Files\PeerGuardian2\pg2.exe
PRC - [2007/02/10 09:29:54 | 029,178,224 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2007/02/10 06:29:56 | 000,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2007/01/01 17:22:02 | 003,739,648 | ---- | M] (Google) -- C:\Program Files\Google\Google Talk\googletalk.exe

========== Modules (SafeList) ==========

MOD - [2010/09/12 20:20:22 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\[myUserName]\Downloads\Tools to fix google redirect virus\OTL.exe
MOD - [2010/03/08 22:55:54 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll
MOD - [2009/07/20 13:29:06 | 000,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2009/07/20 13:25:22 | 000,064,016 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\GameHook.dll
MOD - [2009/07/13 21:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 21:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 21:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 21:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 21:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 21:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 21:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 21:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 21:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 21:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 21:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/13 21:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
MOD - [2009/06/10 17:23:11 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4927_none_d08a205e442db5b5\msvcr80.dll
MOD - [2007/04/19 15:21:40 | 000,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/09/09 16:49:56 | 002,854,488 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3746.dll -- (Akamai)
SRV - [2010/06/25 13:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2010/04/30 13:47:28 | 000,136,448 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe -- (NanoServiceMain)
SRV - [2010/04/06 12:28:30 | 001,045,256 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/03/18 16:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2010/03/18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpActivator)
SRV - [2010/03/18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetPipeActivator)
SRV - [2010/03/18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetMsmqActivator)
SRV - [2010/03/04 12:34:22 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/20 13:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/07/16 17:04:16 | 000,316,664 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/07/13 21:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 21:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 21:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 21:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 21:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 21:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 21:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 21:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 21:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 21:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 21:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 21:15:21 | 000,308,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\ftpsvc.dll -- (ftpsvc)
SRV - [2009/07/13 21:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 21:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 21:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 21:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 21:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 21:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2008/04/24 14:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2007/11/07 09:58:18 | 003,004,416 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90)
SRV - [2007/02/10 09:29:54 | 029,178,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2007/02/10 09:29:47 | 000,242,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/02/10 06:29:56 | 000,089,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2005/10/14 06:50:19 | 000,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\[myUserName]\AppData\Local\Temp\ALSysIO.sys -- (ALSysIO)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2010/06/25 13:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2010/05/27 18:39:33 | 000,141,384 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PSINAflt.sys -- (PSINAflt)
DRV - [2010/05/12 10:57:56 | 000,111,176 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PSINProt.sys -- (PSINProt)
DRV - [2010/05/04 08:36:32 | 000,125,960 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\Windows\System32\drivers\PSINKNC.sys -- (PSINKNC)
DRV - [2010/04/30 13:46:32 | 000,111,112 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\PSINProc.sys -- (PSINProc)
DRV - [2010/04/30 13:46:30 | 000,099,336 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\PSINFile.sys -- (PSINFile)
DRV - [2009/12/06 15:32:48 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/10/06 18:52:50 | 002,779,104 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/07/13 21:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 21:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 21:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 21:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 21:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 21:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 21:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 21:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 21:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 21:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 21:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 21:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 21:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 21:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 21:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 21:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 21:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/13 21:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 21:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 21:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 21:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 21:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 21:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 21:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 21:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 21:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 21:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 21:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 21:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/13 21:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 21:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 21:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 21:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 21:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 21:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 21:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 21:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 21:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 21:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 21:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 21:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 21:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 20:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 20:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 20:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 19:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 19:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 19:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 19:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 19:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 19:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 19:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 19:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 19:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 19:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 19:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 19:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/13 19:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 19:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 19:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 19:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 18:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 18:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 18:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 18:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 18:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 18:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 18:02:52 | 000,139,776 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
DRV - [2009/07/13 18:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 18:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 18:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/06/17 12:56:32 | 000,028,560 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2009/06/17 12:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 12:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/06/10 17:19:48 | 009,853,248 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/06/02 14:59:42 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\PeerGuardian2\pgfilter.sys -- (pgfilter)
DRV - [2006/09/24 09:28:46 | 000,005,248 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- C:\Windows\system32\speedfan.sys -- (speedfan)
DRV - [1996/04/03 15:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\system32\giveio.sys -- (giveio)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BA C8 EB 13 50 80 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Amazon.com"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/09 19:44:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/09 19:44:17 | 000,000,000 | ---D | M]

[2010/09/09 19:44:35 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Mozilla\Extensions
[2010/08/17 18:50:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\[myUserName]\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/09/12 20:56:31 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Mozilla\Firefox\Profiles\jq9zx3mc.default\extensions
[2010/09/10 19:55:56 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\[myUserName]\AppData\Roaming\Mozilla\Firefox\Profiles\jq9zx3mc.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/09/12 20:56:30 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [PSUNMain] C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe (Panda Security, S.L.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe (Phoenix Labs)
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - Startup: C:\Users\[myUserName]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.64.150 68.87.75.198
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/04/06 11:58:12 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\OblivionLauncher.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

========== Files/Folders - Created Within 90 Days ==========

[2010/09/12 19:37:03 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\AppData\Roaming\Malwarebytes
[2010/09/12 19:36:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/09/12 19:36:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/09/12 19:36:55 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/09/12 19:36:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/10 22:14:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
[2010/09/10 20:10:12 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\Desktop\evo
[2010/09/09 18:34:18 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\Documents\Simply Super Software
[2010/08/31 22:48:33 | 000,000,000 | ---D | C] -- C:\Program Files\SpeedFan
[2010/08/23 22:45:47 | 000,000,000 | ---D | C] -- C:\Program Files\HxD
[2010/08/22 20:12:46 | 000,679,936 | ---- | C] (Generated by JEDI) -- C:\Windows\System32\D3DX81ab.dll
[2010/08/22 20:12:46 | 000,000,000 | ---D | C] -- C:\Program Files\Cheat Engine
[2010/08/20 21:05:51 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\AppData\Local\Sunbelt Software
[2010/08/20 21:00:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/08/19 21:57:20 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\AppData\Local\Windows Server
[2010/08/17 18:50:22 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\Desktop\ThunderbirdPortable
[2010/08/15 14:21:39 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\Documents\BioWare
[2010/08/15 14:20:40 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2010/08/12 22:39:52 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\AppData\Roaming\Mael
[2010/08/11 07:16:49 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\AppData\Roaming\Amazon
[2010/08/11 07:14:52 | 000,000,000 | ---D | C] -- C:\Program Files\Amazon
[2010/08/05 17:49:58 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\.netbeans-registration
[2010/08/05 17:33:22 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\.nbi
[2010/08/05 17:25:21 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\Documents\JAVA Programs
[2010/08/04 07:42:54 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\Documents\C programs
[2010/08/01 18:32:33 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\AppData\Roaming\Wireshark
[2010/08/01 18:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2010/08/01 18:09:09 | 000,000,000 | ---D | C] -- C:\Program Files\Wireshark
[2010/07/27 03:10:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment
[2010/07/26 16:50:31 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\SC2-WingsOfLiberty-enUS-Installer
[2010/07/26 16:50:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Blizzard Entertainment
[2010/07/24 11:01:47 | 000,000,000 | ---D | C] -- C:\Program Files\PeerGuardian2
[2010/07/19 23:27:29 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp
[2010/07/16 07:28:21 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\Desktop\boit
[2010/07/09 20:56:58 | 000,000,000 | ---D | C] -- C:\Windows\System32\Adobe
[2010/07/06 19:11:40 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/07/04 17:21:45 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\AppData\Roaming\Hex-Rays
[2010/07/04 17:20:43 | 000,000,000 | ---D | C] -- C:\Program Files\IDA
[2010/06/29 22:52:57 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\AppData\Roaming\Ubisoft
[2010/06/29 21:31:52 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2010/06/25 13:07:40 | 000,096,784 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\System32\Packet.dll
[2010/06/25 13:07:24 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\System32\wpcap.dll
[2010/06/25 13:07:14 | 000,035,088 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\System32\drivers\npf.sys
[2010/06/24 18:34:27 | 000,000,000 | ---D | C] -- C:\Users\[myUserName]\AppData\Local\PMB Files
[2010/06/24 18:34:25 | 000,000,000 | ---D | C] -- C:\ProgramData\PMB Files
[2010/06/24 18:31:30 | 000,000,000 | ---D | C] -- C:\Program Files\Outspark

========== Files - Modified Within 90 Days ==========

[2010/09/12 20:46:38 | 002,097,152 | -HS- | M] () -- C:\Users\[myUserName]\ntuser.dat
[2010/09/12 20:35:01 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3411781321-375096597-3571137758-1000UA.job
[2010/09/12 20:06:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/12 19:52:49 | 000,015,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/12 19:52:49 | 000,015,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/12 19:51:23 | 000,893,178 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/09/12 19:51:23 | 000,743,116 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/09/12 19:51:23 | 000,149,540 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/09/12 19:45:47 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/12 19:45:13 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/12 19:45:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/12 19:45:05 | 2616,696,832 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/12 19:44:12 | 003,098,964 | -H-- | M] () -- C:\Users\[myUserName]\AppData\Local\IconCache.db
[2010/09/12 19:08:28 | 000,000,586 | ---- | M] () -- C:\Users\[myUserName]\Documents\cc_20100912_190818.reg
[2010/09/12 03:43:23 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3411781321-375096597-3571137758-1000Core.job
[2010/09/10 09:06:50 | 000,002,286 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2010/09/09 19:44:27 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2010/09/09 19:44:19 | 000,001,885 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/08/31 22:48:33 | 000,000,045 | ---- | M] () -- C:\Windows\System32\initdebug.nfo
[2010/08/30 19:49:59 | 000,001,984 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/08/27 07:29:53 | 000,000,965 | ---- | M] () -- C:\Users\[myUserName]\Desktop\CCleaner.lnk
[2010/08/22 20:12:48 | 000,000,953 | ---- | M] () -- C:\Users\[myUserName]\Desktop\Cheat Engine.lnk
[2010/08/21 07:38:35 | 000,000,782 | -H-- | M] () -- C:\aaw7boot.cmd
[2010/08/20 20:53:12 | 000,814,391 | ---- | M] () -- C:\Users\[myUserName]\Documents\Spyware_wireshark log.pcap
[2010/08/19 20:50:00 | 000,000,214 | ---- | M] () -- C:\Users\[myUserName]\Desktop\Borderlands.url
[2010/08/13 10:57:55 | 000,000,000 | ---- | M] () -- C:\Users\[myUserName]\AppData\Local\eqoyukejub.dll
[2010/08/12 18:35:33 | 000,000,024 | ---- | M] () -- C:\Users\[myUserName]\AppData\Roaming\bawuho.dat
[2010/06/25 13:07:40 | 000,096,784 | ---- | M] (CACE Technologies, Inc.) -- C:\Windows\System32\Packet.dll
[2010/06/25 13:07:24 | 000,281,104 | ---- | M] (CACE Technologies, Inc.) -- C:\Windows\System32\wpcap.dll
[2010/06/25 13:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) -- C:\Windows\System32\drivers\npf.sys
[2010/06/25 13:03:12 | 000,053,299 | ---- | M] () -- C:\Windows\System32\pthreadVC.dll
[2010/06/24 18:36:15 | 000,230,752 | ---- | M] () -- C:\Windows\patchw32.dll
[2010/06/23 21:24:36 | 000,007,600 | ---- | M] () -- C:\Users\[myUserName]\AppData\Local\resmon.resmoncfg

========== Files Created - No Company Name ==========

[2010/09/12 19:08:25 | 000,000,586 | ---- | C] () -- C:\Users\[myUserName]\Documents\cc_20100912_190818.reg
[2010/09/09 19:44:27 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/09/09 19:44:19 | 000,001,885 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/09/08 18:38:31 | 000,006,284 | ---- | C] () -- C:\Users\[myUserName]\bookmarks.html
[2010/08/31 22:48:25 | 000,000,045 | ---- | C] () -- C:\Windows\System32\initdebug.nfo
[2010/08/30 03:30:24 | 000,000,912 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3411781321-375096597-3571137758-1000UA.job
[2010/08/30 03:30:24 | 000,000,860 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3411781321-375096597-3571137758-1000Core.job
[2010/08/22 20:12:48 | 000,000,953 | ---- | C] () -- C:\Users\[myUserName]\Desktop\Cheat Engine.lnk
[2010/08/22 20:12:46 | 001,970,176 | ---- | C] () -- C:\Windows\System32\d3dx9.dll
[2010/08/21 07:38:35 | 000,000,782 | -H-- | C] () -- C:\aaw7boot.cmd
[2010/08/20 21:02:47 | 000,002,286 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2010/08/20 21:01:40 | 000,000,886 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/20 21:01:38 | 000,000,882 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/20 20:53:12 | 000,814,391 | ---- | C] () -- C:\Users\[myUserName]\Documents\Spyware_wireshark log.pcap
[2010/08/19 20:50:00 | 000,000,214 | ---- | C] () -- C:\Users\[myUserName]\Desktop\Borderlands.url
[2010/08/13 10:57:55 | 000,000,000 | ---- | C] () -- C:\Users\[myUserName]\AppData\Local\eqoyukejub.dll
[2010/08/12 21:57:13 | 000,061,380 | ---- | C] () -- C:\Users\[myUserName]\Desktop\AdjustedItemProperties.pdf
[2010/08/12 18:35:33 | 000,000,024 | ---- | C] () -- C:\Users\[myUserName]\AppData\Roaming\bawuho.dat
[2010/08/06 16:36:39 | 000,046,080 | ---- | C] () -- C:\Users\[myUserName]\Desktop\[myUserName]_Resume.doc
[2010/07/06 19:11:42 | 000,000,965 | ---- | C] () -- C:\Users\[myUserName]\Desktop\CCleaner.lnk
[2010/06/25 13:03:12 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2010/06/24 18:36:15 | 000,230,752 | ---- | C] () -- C:\Windows\patchw32.dll
[2010/05/21 19:07:50 | 000,000,000 | ---- | C] () -- C:\Users\[myUserName]\AppData\Local\Temp0cdab112c4a6e11872374c7bded4a529.lock
[2010/04/11 11:30:30 | 000,000,023 | ---- | C] () -- C:\Windows\BlendSettings.ini
[2010/03/11 02:29:18 | 000,069,632 | R--- | C] () -- C:\Windows\System32\xmltok.dll
[2010/03/11 02:29:18 | 000,036,864 | R--- | C] () -- C:\Windows\System32\xmlparse.dll
[2010/01/09 13:47:39 | 000,000,094 | ---- | C] () -- C:\Users\[myUserName]\AppData\Local\fusioncache.dat
[2009/12/24 20:08:30 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/12/10 08:29:15 | 000,007,600 | ---- | C] () -- C:\Users\[myUserName]\AppData\Local\resmon.resmoncfg
[2009/12/06 15:32:48 | 000,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009/11/02 11:35:19 | 000,000,172 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/10/23 18:46:54 | 000,000,169 | ---- | C] () -- C:\Windows\RtlRack.ini
[2009/10/23 18:36:10 | 000,147,456 | R--- | C] () -- C:\Windows\System32\RtlCPAPI.dll
[2009/10/23 18:34:15 | 000,000,164 | R--- | C] () -- C:\Windows\avrack.ini
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2006/12/04 02:25:14 | 000,022,723 | ---- | C] () -- C:\Windows\System32\sugs2l3.dll
[1996/04/03 15:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys

========== LOP Check ==========

[2010/08/07 07:03:55 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\.purple
[2010/08/11 17:38:55 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Amazon
[2010/04/06 13:12:04 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Autodesk
[2010/05/02 21:46:52 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Bioshock2
[2010/05/02 21:46:52 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\CoreFTP
[2010/09/11 10:22:27 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\D985AA8207F98488EF5D865A40137A01
[2009/12/06 15:36:51 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\DAEMON Tools Lite
[2010/09/12 20:55:57 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\DNA
[2010/01/12 23:24:20 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\FileZilla
[2010/06/25 17:01:28 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\GetRightToGo
[2010/07/04 17:21:45 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Hex-Rays
[2009/12/27 12:06:10 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Leadertech
[2010/08/12 22:39:52 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Mael
[2010/05/02 21:46:53 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Notepad++
[2010/06/04 19:04:22 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Panda Security
[2010/03/24 12:10:30 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Softland
[2010/01/22 16:21:11 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Thinstall
[2010/05/25 22:28:56 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Turbine
[2010/06/29 22:52:57 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Ubisoft
[2010/08/01 18:41:36 | 000,000,000 | ---D | M] -- C:\Users\[myUserName]\AppData\Roaming\Wireshark
[2010/09/07 19:59:31 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2010/08/21 07:38:35 | 000,000,782 | -H-- | M] () -- C:\aaw7boot.cmd
[2009/06/10 17:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/10/22 16:20:26 | 000,000,211 | -H-- | M] () -- C:\Boot.BAK
[2009/10/23 11:39:32 | 000,000,355 | RHS- | M] () -- C:\Boot.ini.saved
[2009/07/13 21:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2009/10/23 11:39:33 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2009/06/10 17:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
[2010/09/12 19:45:05 | 2616,696,832 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/22 16:25:16 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/10/22 16:25:16 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/12/23 10:37:29 | 000,000,855 | ---- | M] () -- C:\net_save.dna
[2004/08/03 18:38:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/03 18:59:34 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/09/12 19:45:06 | 3488,931,840 | -HS- | M] () -- C:\pagefile.sys
[2010/09/12 19:07:30 | 000,062,814 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_12.09.2010_19.04.51_log.txt

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-03-04 16:35:09

========== Alternate Data Streams ==========

@Alternate Data Stream - 198 bytes -> C:\Windows\System32\msln.exe:c317e2320d82a1b67c2c42859dc55526
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:6D30AE98
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:BEB15613

< End of report >

OTL Extras logfile created on: 9/12/2010 8:57:01 PM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Users\[myUserName]\Downloads\Tools to fix google redirect virus
Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 37.45 Gb Free Space | 33.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: [myComputerName
Current User Name: [myUserName]
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05EC21B8-4593-3037-A781-A6B5AFFCB19D}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{241F2BF7-69EB-42A4-9156-96B2426C7504}" = Microsoft SQL Server Compact 3.5 for Devices ENU
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{26B878A8-5704-3B64-BDBC-4F0EACA38121}" = Google Talk Plugin
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}" = Microsoft SQL Server Compact 3.5 Design Tools ENU
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{32A3A4F4-B792-11D6-A78A-00B0D0160160}" = Java™ SE Development Kit 6 Update 16
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{64c5b887-b5ee-42b8-8596-78905a6b5f1f}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C9F6D23-E9AD-43C9-B43A-011562AAF876}" = Windows Mobile 5.0 SDK R2 for Pocket PC
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{926C96FB-9D0A-4504-8000-C6D3A4A3118E}" = Java DB 10.4.2.1
"{951B0F30-9F1A-4BF6-B3DA-99EB0E917B1C}" = FARO LS 1.1.406.58
"{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}" = Windows Mobile 5.0 SDK R2 for Smartphone
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.2
"{9E1BAB75-EB78-440D-94C0-A3857BE2E733}" = System Requirements Lab
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA467959-A1D6-4F45-90CD-11DC57733F32}" = Crystal Reports Basic for Visual Studio 2008
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{B268E9A1-04A9-40D0-9866-846BE2B74BA7}" = Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
"{B32E7732-B2FB-3FD0-81AC-6025B1104C66}" = Microsoft Device Emulator version 3.0 - ENU
"{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}" = Microsoft SQL Server Compact 3.5 ENU
"{CAA376AF-0DE8-4FCA-942E-C6AC579B94B3}" = Microsoft Windows SDK for Visual Studio 2008 Tools
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D7DAD1E4-45F4-3B2B-899A-EA728167EC4F}" = Microsoft Visual Studio 2008 Professional Edition - ENU
"{D87149B3-7A1D-4548-9CBF-032B791E5908}" = Desktop Doctor
"{DFFE2B1F-07E0-45A9-8801-CD8514CAA876}" = Prince of Persia T2T
"{E10DB5DA-E576-40EA-A7FC-1CB2A7B283A6}" = NVIDIA PhysX
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FEB2D0CA-9912-4AA1-8FBE-CFD852F9F1FC}" = Panda Cloud Antivirus
"{FF29527A-44CD-3422-945E-981A13584000}" = VC Runtimes MSI
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Akamai" = Akamai NetSession Interface
"CCleaner" = CCleaner
"Cheat Engine 5.6_is1" = Cheat Engine 5.6
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"doPDF 7 printer_is1" = doPDF 7.1 printer
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Google Chrome" = Google Chrome
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"HxD Hex Editor_is1" = HxD Hex Editor version 1.7.7.0
"IDA Pro Advanced v5.5 with Hex-Rays Decompiler v1.1_is1" = IDA Pro Advanced v5.5 with Hex-Rays Decompiler v1.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MatlabR2009b" = MATLAB R2009b
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2008 Professional Edition - ENU" = Microsoft Visual Studio 2008 Professional Edition - ENU
"Mozilla Firefox (3.6.9)" = Mozilla Firefox (3.6.9)
"Notepad++" = Notepad++
"Panda Cloud Antivirus" = Panda Cloud Antivirus
"PeerGuardian_is1" = PeerGuardian 2.0
"Pidgin" = Pidgin
"Serv-U_is1" = Serv-U 9.3
"SpeedFan" = SpeedFan (remove only)
"Steam App 630" = Alien Swarm
"Steam App 8980" = Borderlands
"Unlocker" = Unlocker 1.8.9
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component
"VLC media player" = VLC media player 1.0.5
"WinPcapInst" = WinPcap 4.1.2
"WinRAR archiver" = WinRAR archiver
"Wireshark" = Wireshark 1.2.10

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/8/2010 10:44:13 PM | Computer Name = [myComputerName] | Source = Application Error | ID = 1000
Description = Faulting application name: Borderlands.exe, version: 1.3.1.0, time
stamp: 0x4c1a7c76 Faulting module name: GameOverlayRenderer.dll, version: 0.92.21.27,
time stamp: 0x4c81932a Exception code: 0xc0000005 Fault offset: 0x00010a23 Faulting
process id: 0x10f8 Faulting application start time: 0x01cb4fc2fc0164e1 Faulting application
path: c:\program files\steam\steamapps\common\borderlands\Binaries\Borderlands.exe
Faulting
module path: C:\Program Files\Steam\GameOverlayRenderer.dll Report Id: 20b6b27c-bbbc-11df-83e2-001d92d7aea7

Error - 9/9/2010 5:51:45 PM | Computer Name = [myComputerName] | Source = Application Error | ID = 1000
Description = Faulting application name: Borderlands.exe, version: 1.3.1.0, time
stamp: 0x4c1a7c76 Faulting module name: GameOverlayRenderer.dll, version: 0.92.21.27,
time stamp: 0x4c81932a Exception code: 0xc0000005 Fault offset: 0x00010a23 Faulting
process id: 0x1c0c Faulting application start time: 0x01cb506677b5c4f3 Faulting application
path: c:\program files\steam\steamapps\common\borderlands\Binaries\Borderlands.exe
Faulting
module path: C:\Program Files\Steam\GameOverlayRenderer.dll Report Id: 7005f32c-bc5c-11df-83e2-001d92d7aea7

Error - 9/9/2010 10:02:38 PM | Computer Name = [myComputerName] | Source = Application Error | ID = 1000
Description = Faulting application name: Borderlands.exe, version: 1.3.1.0, time
stamp: 0x4c1a7c76 Faulting module name: GameOverlayRenderer.dll, version: 0.92.21.27,
time stamp: 0x4c81932a Exception code: 0xc0000005 Fault offset: 0x00010a23 Faulting
process id: 0x1fb8 Faulting application start time: 0x01cb507eb538543c Faulting application
path: c:\program files\steam\steamapps\common\borderlands\Binaries\Borderlands.exe
Faulting
module path: C:\Program Files\Steam\GameOverlayRenderer.dll Report Id: 7bfe1b6d-bc7f-11df-83e2-001d92d7aea7

Error - 9/10/2010 7:26:11 PM | Computer Name = [myComputerName] | Source = Application Error | ID = 1000
Description = Faulting application name: Borderlands.exe, version: 1.3.1.0, time
stamp: 0x4c1a7c76 Faulting module name: GameOverlayRenderer.dll, version: 0.92.21.27,
time stamp: 0x4c81932a Exception code: 0xc0000005 Fault offset: 0x00010a23 Faulting
process id: 0x69c Faulting application start time: 0x01cb513f1d1f58ca Faulting application
path: c:\program files\steam\steamapps\common\borderlands\Binaries\Borderlands.exe
Faulting
module path: C:\Program Files\Steam\GameOverlayRenderer.dll Report Id: cb9520cc-bd32-11df-83e2-001d92d7aea7

Error - 9/10/2010 8:06:18 PM | Computer Name = [myComputerName] | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Users\[myUserName]\Downloads\Matlab
R2009B Student WIN\win64\utils\uninstall\uninstall.exe". Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 9/10/2010 9:28:40 PM | Computer Name = [myComputerName] | Source = Application Error | ID = 1000
Description = Faulting application name: Borderlands.exe, version: 1.3.1.0, time
stamp: 0x4c1a7c76 Faulting module name: GameOverlayRenderer.dll, version: 0.92.21.27,
time stamp: 0x4c81932a Exception code: 0xc0000005 Fault offset: 0x00010a23 Faulting
process id: 0xc94 Faulting application start time: 0x01cb514d30f853db Faulting application
path: c:\program files\steam\steamapps\common\borderlands\Binaries\Borderlands.exe
Faulting
module path: C:\Program Files\Steam\GameOverlayRenderer.dll Report Id: e81b6e91-bd43-11df-83e2-001d92d7aea7

Error - 9/10/2010 9:40:34 PM | Computer Name = [myComputerName] | Source = Application Error | ID = 1000
Description = Faulting application name: Borderlands.exe, version: 1.3.1.0, time
stamp: 0x4c1a7c76 Faulting module name: GameOverlayRenderer.dll, version: 0.92.21.27,
time stamp: 0x4c81932a Exception code: 0xc0000005 Fault offset: 0x00010a23 Faulting
process id: 0x948 Faulting application start time: 0x01cb51519c771b1f Faulting application
path: c:\program files\steam\steamapps\common\borderlands\Binaries\Borderlands.exe
Faulting
module path: C:\Program Files\Steam\GameOverlayRenderer.dll Report Id: 919f3dd7-bd45-11df-83e2-001d92d7aea7

Error - 9/10/2010 9:59:47 PM | Computer Name = [myComputerName] | Source = Application Hang | ID = 1002
Description = The program firefox.exe version 1.9.2.3888 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 1298 Start
Time: 01cb5154db81120a Termination Time: 16 Application Path: C:\Program Files\Mozilla
Firefox\firefox.exe Report Id:

Error - 9/10/2010 9:59:51 PM | Computer Name = [myComputerName] | Source = Application Error | ID = 1000
Description = Faulting application name: plugin-container.exe, version: 1.9.2.3888,
time stamp: 0x4c7451ef Faulting module name: xul.dll, version: 1.9.2.3888, time
stamp: 0x4c74519f Exception code: 0xc0000005 Fault offset: 0x0043e0c2 Faulting process
id: 0x18e8 Faulting application start time: 0x01cb5154ddb45599 Faulting application
path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path:
C:\Program Files\Mozilla Firefox\xul.dll Report Id: 430a882a-bd48-11df-83e2-001d92d7aea7

Error - 9/12/2010 8:18:14 PM | Computer Name = [myComputerName] | Source = Application Error | ID = 1000
Description = Faulting application name: Borderlands.exe, version: 1.3.1.0, time
stamp: 0x4c1a7c76 Faulting module name: GameOverlayRenderer.dll, version: 0.92.21.27,
time stamp: 0x4c81932a Exception code: 0xc0000005 Fault offset: 0x00010a23 Faulting
process id: 0xe5c Faulting application start time: 0x01cb52d6288b66c3 Faulting application
path: c:\program files\steam\steamapps\common\borderlands\Binaries\Borderlands.exe
Faulting
module path: C:\Program Files\Steam\GameOverlayRenderer.dll Report Id: 660dc8cd-becc-11df-a73b-001d92d7aea7

[ OSession Events ]
Error - 4/8/2010 9:43:30 AM | Computer Name = [myComputerName] | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1066. This session lasted 36
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 8/17/2010 8:39:38 PM | Computer Name = [myComputerName] | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Program Compatibility Assistant
Service service, but this action failed with the following error: %%1056

Error - 8/17/2010 9:41:15 PM | Computer Name = [myComputerName] | Source = volsnap | ID = 393252
Description = The shadow copies of volume C: were aborted because the shadow copy
storage could not grow due to a user imposed limit.

Error - 8/20/2010 9:05:43 PM | Computer Name = [myComputerName] | Source = Service Control Manager | ID = 7030
Description = The Lavasoft Ad-Aware Service service is marked as an interactive
service. However, the system is configured to not allow interactive services.
This service may not function properly.

Error - 8/25/2010 1:33:43 AM | Computer Name = [myComputerName] | Source = volsnap | ID = 393252
Description = The shadow copies of volume C: were aborted because the shadow copy
storage could not grow due to a user imposed limit.

Error - 8/26/2010 5:59:31 PM | Computer Name = [myComputerName] | Source = EventLog | ID = 6008
Description = The previous system shutdown at 5:53:53 PM on ?8/?26/?2010 was unexpected.

Error - 8/30/2010 7:47:24 PM | Computer Name = [myComputerName] | Source = EventLog | ID = 6008
Description = The previous system shutdown at 4:37:26 PM on ?8/?30/?2010 was unexpected.

Error - 8/31/2010 8:39:56 PM | Computer Name = [myComputerName] | Source = EventLog | ID = 6008
Description = The previous system shutdown at 8:37:11 PM on ?8/?31/?2010 was unexpected.

Error - 8/31/2010 9:41:58 PM | Computer Name = [myComputerName] | Source = EventLog | ID = 6008
Description = The previous system shutdown at 9:40:43 PM on ?8/?31/?2010 was unexpected.

Error - 9/7/2010 6:16:55 PM | Computer Name = [myComputerName] | Source = EventLog | ID = 6008
Description = The previous system shutdown at 6:12:46 PM on ?9/?7/?2010 was unexpected.

Error - 9/7/2010 7:45:54 PM | Computer Name = [myComputerName] | Source = EventLog | ID = 6008
Description = The previous system shutdown at 7:44:46 PM on ?9/?7/?2010 was unexpected.

< End of report >

#2
Rorschach112

Posted 13 September 2010 - 08:56 AM

Ralphie

Retired Staff
47,710 posts

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\OblivionLauncher.exe -- File not found
[2010/08/13 10:57:55 | 000,000,000 | ---- | M] () -- C:\Users\[myUserName]\AppData\Local\eqoyukejub.dll
[2010/08/12 18:35:33 | 000,000,024 | ---- | M] () -- C:\Users\[myUserName]\AppData\Roaming\bawuho.dat
@Alternate Data Stream - 198 bytes -> C:\Windows\System32\msln.exe:c317e2320d82a1b67c2c42859dc55526

:Services

:Reg

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done

Download CKScanner from here

Important : Save it to your desktop.

Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify that the file is saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Please download WVCheck by Artellos from one of the mirrors below;

Artellos.com (exe)
Artellos.com (zip)
After the download, run WVCheck.exe
As indicated by the prompt, This program can take a while depending on your hard drive space.
Once the program is done, copy the contents of the notepad file as a reply.

#3
rockshard

Posted 13 September 2010 - 02:55 PM

New Member

Topic Starter
Member
7 posts

ckfiles.txt results:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----

Windows version check:

Windows Validation Check
Version: 1.8.8.3
Log Created On: 1241_13-09-2010
------------------------

Windows Information
-----------------------
Windows Version: Windows 7
Windows Mode: Normal

WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Do not download or install updates automatically.
------------------------------
Last Success Time for Update Detection: 2010-03-07 02:46:45
Last Success Time for Update Download: 2010-03-04 14:58:50
Last Success Time for Update Installation: 2010-03-04 16:35:09

WVCheck's File Dump
-------------------
WVCheck found no known bad files.

WVCheck's Dir Dump
-------------------
C:\Windows.old\Users\All Users\Application Data\Windows Genuine Advantage
Size: 0 bytes
Matched: *Genuine?Advantage*
------------------------------

WVCheck's Missing File Check
-------------------
WVCheck found no missing Windows files.

WVCheck's MBAM Quarantine Check
-------------------
There were no bad files quarantined by MBAM.

WVCheck's HOSTS File Check
-------------------
WVCheck found no bad lines in the hosts file.

WVCheck's MD5 Check
EXPERIMENTAL!!
-------------------
user32.dll - 34b7e222e81fafa885f0c5f2cfa56861

-------- End of File, program close at 1250_13-09-2010 ------

#4
Rorschach112

Posted 13 September 2010 - 03:06 PM

Ralphie

Retired Staff
47,710 posts

Download ComboFix here :

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

Click me
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#5
rockshard

Posted 13 September 2010 - 06:23 PM

New Member

Topic Starter
Member
7 posts

Hello again,
I posted the stuff during lunch break and then left again for work, but when I got back home again I found Panda Antivirus making my life difficult by finding my explorer.exe and some other file to be viruses. So a restart happened (I know.. I'm sorry) and now my "Windows Explorer has stopped working". Or so says this message and I'm screwed in more ways than just that annoying google redirect problem. Sorry to make your life that much more difficult but what should I do now? I can run programs like this firefox by using the task manager I opened with Ctrl+Sift+Esc and then making a new process. Here are the problem details provided to me by the lovely warning window:
Problem signature:
Problem Event Name: APPCRASH
Application Name: Explorer.EXE
Application Version: 6.1.7600.16450
Application Timestamp: 4aeba271
Fault Module Name: msvcrt.dll
Fault Module Version: 7.0.7600.16385
Fault Module Timestamp: 4a5bda6f
Exception Code: c0000005
Exception Offset: 00023e3d
OS Version: 6.1.7600.2.0.0.256.4
Locale ID: 1033
Additional Information 1: b338
Additional Information 2: b338547a389615f6ff273b7c8345b33d
Additional Information 3: c487
Additional Information 4: c487e86bc7913bc4dc70a8a1e925c9ed

Read our privacy statement online:
http://go.microsoft....88&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Edited by rockshard, 13 September 2010 - 06:24 PM.

#6
Rorschach112

Posted 13 September 2010 - 06:28 PM

Ralphie

Retired Staff
47,710 posts

can you post the combofix log ?

#7
rockshard

Posted 13 September 2010 - 07:18 PM

New Member

Topic Starter
Member
7 posts

I could have sworn I ran it from the desktop when I opened it with the task manager but it seems it ran from my download folder. Here it is:

ComboFix 10-09-13.01 - [myUserName] 09/13/2010 20:46:06.1.2 - x86
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3327.2527 [GMT -4:00]
Running from: c:\users\[myUserName]\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\[myUserName]\AppData\Local\Windows Server
c:\users\[myUserName]\AppData\Local\Windows Server\admin.txt
c:\users\[myUserName]\AppData\Local\Windows Server\flags.ini
c:\users\[myUserName]\AppData\Local\Windows Server\server.dat
c:\users\[myUserName]\AppData\Local\Windows Server\uses32.dat
c:\windows\system32\auditcfg.dll
c:\windows\system32\crt.dat
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\shimg.dll
c:\windows\wpe pro.INI

Infected copy of c:\windows\system32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-14 to 2010-09-14 )))))))))))))))))))))))))))))))
.

2010-09-14 00:58 . 2010-09-14 01:01 -------- d-----w- c:\users\[myUserName]\AppData\Local\temp
2010-09-14 00:58 . 2010-09-14 00:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-14 00:41 . 2010-09-14 00:41 -------- d-----r- C:\32788R22FWJFW
2010-09-13 16:20 . 2010-09-13 16:20 -------- d-----w- C:\_OTL
2010-09-12 23:37 . 2010-09-12 23:37 -------- d-----w- c:\users\[myUserName]\AppData\Roaming\Malwarebytes
2010-09-12 23:36 . 2010-09-12 23:36 -------- d-----w- c:\programdata\Malwarebytes
2010-09-12 23:36 . 2010-09-14 02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-11 02:14 . 2010-09-11 02:14 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-09-09 23:44 . 2010-09-09 23:44 0 ----a-w- c:\windows\nsreg.dat
2010-09-01 02:48 . 2010-09-01 02:50 -------- d-----w- c:\program files\SpeedFan
2010-08-24 02:45 . 2010-08-24 02:45 -------- d-----w- c:\program files\HxD
2010-08-23 00:12 . 2010-08-26 23:33 -------- d-----w- c:\program files\Cheat Engine
2010-08-23 00:12 . 2009-11-03 17:07 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
2010-08-23 00:12 . 2009-11-03 17:07 1970176 ----a-w- c:\windows\system32\d3dx9.dll
2010-08-21 11:38 . 2010-08-21 11:38 782 ---ha-w- C:\aaw7boot.cmd
2010-08-21 01:05 . 2010-08-21 01:05 -------- d-----w- c:\users\[myUserName]\AppData\Local\Sunbelt Software
2010-08-21 01:00 . 2010-08-21 11:40 -------- d-----w- c:\programdata\Lavasoft
2010-08-20 01:57 . 2010-09-14 02:52 -------- d-----w- c:\programdata\ResultDns
2010-08-15 18:20 . 2010-08-15 18:20 -------- d-----w- c:\program files\NVIDIA Corporation
2010-08-15 18:19 . 2010-06-02 08:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-08-15 18:19 . 2010-06-02 08:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-08-15 18:19 . 2010-06-02 08:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-08-15 18:19 . 2010-05-26 15:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-08-15 18:19 . 2010-05-26 15:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-08-15 18:19 . 2010-05-26 15:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-08-15 18:19 . 2010-05-26 15:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-08-15 18:19 . 2010-05-26 15:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 02:52 . 2009-12-09 22:01 -------- d-----w- c:\users\[myUserName]\AppData\Roaming\Notepad++
2010-09-14 02:52 . 2009-11-22 15:56 -------- d-----w- c:\program files\QuickTime
2010-09-14 01:04 . 2010-07-24 15:01 -------- d-----w- c:\program files\PeerGuardian2
2010-09-14 01:00 . 2010-06-12 23:22 -------- d-----w- c:\program files\Steam
2010-09-14 01:00 . 2009-11-20 03:51 -------- d-----w- c:\users\[myUserName]\AppData\Roaming\DNA
2010-09-14 01:00 . 2009-11-20 03:51 -------- d-----w- c:\program files\DNA
2010-09-14 00:59 . 2009-11-19 23:48 -------- d-----w- c:\program files\Common Files\Akamai
2010-09-11 14:22 . 2010-05-02 21:00 -------- d-----w- c:\users\[myUserName]\AppData\Roaming\D985AA8207F98488EF5D865A40137A01
2010-08-27 12:02 . 2010-08-27 12:02 92816 ----a-w- c:\programdata\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2011 11.0.1.400\English\setup.exe
2010-08-27 11:29 . 2010-07-06 23:11 -------- d-----w- c:\program files\CCleaner
2010-08-21 01:03 . 2009-10-23 23:57 -------- d-----w- c:\program files\Google
2010-08-20 10:18 . 2010-07-26 20:50 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-08-19 19:37 . 2010-08-20 01:57 57608 ----a-w- c:\programdata\ResultDns\resultdns112.exe
2010-08-17 23:10 . 2010-07-27 07:10 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-08-15 18:21 . 2009-12-06 20:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-15 18:21 . 2009-12-06 20:07 -------- d-----w- c:\program files\AGEIA Technologies
2010-08-15 17:31 . 2010-01-22 16:40 -------- d-----w- c:\users\[myUserName]\AppData\Roaming\uTorrent
2010-08-13 14:57 . 2010-08-13 14:57 0 ----a-w- c:\users\[myUserName]\AppData\Local\eqoyukejub.dll
2010-08-13 02:39 . 2010-08-13 02:39 -------- d-----w- c:\users\[myUserName]\AppData\Roaming\Mael
2010-08-12 22:35 . 2010-08-12 22:35 24 ----a-w- c:\users\[myUserName]\AppData\Roaming\bawuho.dat
2010-08-11 23:26 . 2010-03-02 18:20 -------- d-----w- c:\users\[myUserName]\AppData\Roaming\vlc
2010-08-11 21:38 . 2010-08-11 11:16 -------- d-----w- c:\users\[myUserName]\AppData\Roaming\Amazon
2010-08-11 21:38 . 2010-08-11 11:14 -------- d-----w- c:\program files\Amazon
2010-08-11 11:03 . 2010-08-11 11:03 47364 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-08-07 11:03 . 2009-11-20 00:49 -------- d-----w- c:\users\[myUserName]\AppData\Roaming\.purple
2010-08-03 00:26 . 2010-07-04 21:20 -------- d-----w- c:\program files\IDA
2010-08-01 22:41 . 2010-08-01 22:32 -------- d-----w- c:\users\[myUserName]\AppData\Roaming\Wireshark
2010-08-01 22:14 . 2010-08-01 22:09 -------- d-----w- c:\program files\Wireshark
2010-08-01 22:09 . 2010-08-01 22:09 -------- d-----w- c:\program files\WinPcap
2010-07-29 13:49 . 2010-06-22 14:33 323824 ----a-w- c:\programdata\Panda Security\Panda Cloud Antivirus\Download\0x04015000\GlobalExe.exe
2010-07-24 14:52 . 2009-10-23 22:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-20 11:05 . 2010-01-27 00:09 -------- d-----w- c:\program files\Winamp Detect
2010-07-20 11:05 . 2010-07-20 03:27 -------- d-----w- c:\program files\Winamp
2010-07-16 11:40 . 2009-10-28 00:58 -------- d-----w- c:\program files\Microsoft.NET
2010-06-25 17:07 . 2010-06-25 17:07 96784 ----a-w- c:\windows\system32\Packet.dll
2010-06-25 17:07 . 2010-06-25 17:07 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-06-25 17:07 . 2010-06-25 17:07 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2010-06-25 17:03 . 2010-06-25 17:03 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2010-06-24 22:36 . 2010-06-24 22:36 230752 ----a-w- c:\windows\patchw32.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2010-02-15 17:37 . 2010-02-15 17:36 87552 --sha-w- c:\windows\System32\h4x0r.dll
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[7] 2009-07-14 . B5C5DCAD3899512020D135600129D665 . 96256 . . [6.1.7600.16385] . . c:\windows\System32\wininit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-20 323392]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Steam"="c:\program files\steam\steam.exe" [2010-08-23 1242448]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-06-02 1457152]
"Google Update"="c:\users\[myUserName]\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-30 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-06 7772704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]

c:\users\[myUserName]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-12-27 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-21 135664]
R3 ALSysIO;ALSysIO;c:\users\[myUserName]\AppData\Local\Temp\ALSysIO.sys [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-12-06 691696]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2010-05-04 125960]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2010-04-30 136448]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2010-05-27 141384]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2010-04-30 99336]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2010-04-30 111112]
S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys [2010-05-12 111176]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S4 PsBoot;Panda boot driver;c:\windows\system32\Drivers\PsBoot.sys [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
ftpsvc REG_MULTI_SZ ftpsvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-21 01:01]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-21 01:01]

2010-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3411781321-375096597-3571137758-1000Core.job
- c:\users\[myUserName]\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-30 07:30]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3411781321-375096597-3571137758-1000UA.job
- c:\users\[myUserName]\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-30 07:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
FF - ProfilePath - c:\users\[myUserName]\AppData\Roaming\Mozilla\Firefox\Profiles\jq9zx3mc.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\users\[myUserName]\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\[myUserName]\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\[myUserName]\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Winamp Detect - c:\program files\Winamp Detect\UninstWaDetect.exe

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4756)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\windows\System32\NLSData0009.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe
.
**************************************************************************
.
Completion time: 2010-09-13 21:09:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-14 01:09

Pre-Run: 42,012,602,368 bytes free
Post-Run: 41,780,944,896 bytes free

- - End Of File - - 53DEB4A47516424683EF3A11563D7891

Edited by rockshard, 13 September 2010 - 07:26 PM.

#8
rockshard

Posted 14 September 2010 - 10:37 AM

New Member

Topic Starter
Member
7 posts

By the way, my explorer no longer crashes and I'm not getting redirected with google searches since last night... yet

What should I do now?

#9
Rorschach112

Posted 14 September 2010 - 04:46 PM

Ralphie

Retired Staff
47,710 posts

Please download OTM

Save it to your desktop.
Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes

:Services

:Reg

:Files
ipconfig /flushdns /c
C:\eqoyukejub.dll /s
C:\bawuho.dat /s

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]

Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download TFC to your desktop

Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job
Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

#10
rockshard

Posted 15 September 2010 - 03:31 PM

New Member

Topic Starter
Member
7 posts

Hello,

Here it is as requested:

OTL Log:
All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\myUserName\Desktop\cmd.bat deleted successfully.
C:\Users\myUserName\Desktop\cmd.txt deleted successfully.
LoadLibrary failed for C:\Users\myUserName\AppData\Local\eqoyukejub.dll
C:\Users\myUserName\AppData\Local\eqoyukejub.dll moved successfully.
C:\Users\myUserName\AppData\Roaming\bawuho.dat moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: myUserName
->Temp folder emptied: 752 bytes
->Temporary Internet Files folder emptied: 143967 bytes
->Java cache emptied: 6174720 bytes
->FireFox cache emptied: 90374579 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 2746 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4314 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 92.00 mb

OTM by OldTimer - Version 3.1.16.0 log created on 09142010_193552

Files moved on Reboot...

Registry entries deleted on Reboot...

MBAM log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4617

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/14/2010 8:16:02 PM
mbam-log-2010-09-14 (20-16-02).txt

Scan type: Quick scan
Objects scanned: 143081
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\ResultDns (Adware.ResultDns) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\ResultDns\resultdns112.exe (Adware.ResultDns) -> Quarantined and deleted successfully.

Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, September 15, 2010
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, September 15, 2010 09:10:49
Records in database: 4213139
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 229846
Threats found: 6
Infected objects found: 20
Suspicious objects found: 0
Scan duration: 04:42:32

File name / Threat / Threats count
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.a 1
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.w 1
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.a 1
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.w 1
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.a 1
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.w 1
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.a 1
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.w 1
C:\Qoobox\Quarantine\C\Windows\System32\auditcfg.dll.vir Infected: Backdoor.Win32.Papras.nj 1
C:\Qoobox\Quarantine\C\Windows\System32\wininit.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.a 1
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.w 1
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.a 1
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.w 1
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.a 1
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.w 1
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.a 1
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip Infected: HackTool.Win32.Sniffer.WpePro.w 1
C:\Users\myUserName\Downloads\BorderlandsSteamv1.3Trainer.zip Infected: Trojan.Win32.Buzus.eblz 1
C:\Users\myUserName\Downloads\Kiki Engine 1.41.rar Infected: Trojan-PSW.Win32.Agent.rno 1

Selected area has been scanned.

#11
Rorschach112

Posted 15 September 2010 - 03:42 PM

Ralphie

Retired Staff
47,710 posts

Please download OTM

Save it to your desktop.
Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes

:Services

:Reg

:Files
ipconfig /flushdns /c
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip
C:\Users\myUserName\Downloads\BorderlandsSteamv1.3Trainer.zip
C:\Users\myUserName\Downloads\Kiki Engine 1.41.rar

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]

Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM and reboot your PC.

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
Please follow the prompts to uninstall Combofix.
You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

Open OTL
Under the Custom Scans/Fixes box at the bottom, paste the following:
```
:Commands
[clearallrestorepoints]
```
Click the Run Fix button at the top
It might ask you to reboot, if so click YES

Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
Click on the CleanUp button.
Click Yes to begin the cleanup process and remove tools, including this application
You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes

Please read my guide on how to prevent malware and about safe computing here

Thank you for your patience, and performing all of the procedures requested.

#12
rockshard

Posted 15 September 2010 - 04:49 PM

New Member

Topic Starter
Member
7 posts

Hello,

I was unable to remove combofix, but maybe that's because the one I downloaded from the link above is just a standalone EXE? Thanks for sticking it out with me!

OTM Log:
All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\myUserName\Desktop\cmd.bat deleted successfully.
C:\Users\myUserName\Desktop\cmd.txt deleted successfully.
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip moved successfully.
File/Folder C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip not found.
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip moved successfully.
File/Folder C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip not found.
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip moved successfully.
File/Folder C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip not found.
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip moved successfully.
File/Folder C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip not found.
File/Folder C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip not found.
File/Folder C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{29E203F4-AA1C-471B-A887-F4A34857FF9A}-wpepro09x.zip not found.
File/Folder C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip not found.
File/Folder C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{7F783AEC-0726-4D08-8B72-CE830EBDC865}-wpepro09x.zip not found.
File/Folder C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip not found.
File/Folder C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{8215F338-74FE-4C40-B037-CBCA30B013A9}-wpepro09x.zip not found.
File/Folder C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip not found.
File/Folder C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{9C6D0EE6-73B4-4F66-91F1-45295C9E952D}-wpepro09x.zip not found.
File/Folder C:\Users\myUserName\Downloads\BorderlandsSteamv1.3Trainer.zip not found.
File/Folder C:\Users\myUserName\Downloads\Kiki Engine 1.41.rar not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: myUserName
->Temp folder emptied: 110458599 bytes
->Temporary Internet Files folder emptied: 188950 bytes
->Java cache emptied: 128027 bytes
->FireFox cache emptied: 83894147 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1195 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 608 bytes
RecycleBin emptied: 60708 bytes

Total Files Cleaned = 186.00 mb

OTM by OldTimer - Version 3.1.16.0 log created on 09152010_183810

Files moved on Reboot...

Registry entries deleted on Reboot...

Edited by rockshard, 15 September 2010 - 04:52 PM.