Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Browser hijack, unknown cause

Started by Cornelius , Oct 17 2011 04:04 PM

  • Please log in to reply

#1
Cornelius
Posted 17 October 2011 - 04:04 PM

Cornelius

    Member

  • Member
  • PipPip
  • 43 posts
Hello,

I've had positive experiences at this site before. The folks here have helped me through several malware issues in the last seven years. I just want to say I appreciate that it is still active and still free.

I seem to have some malware which is redirecting my browser to unwanted sites when I click search engine links. I'm going to try to provide all the relevant background information below.

My operating system is Windows XP Professional, Version 5.1, with Service Pack 3. The Windows firewall is active.

About a week ago, a routine AVG scan found (and fixed) a problem. I've retrieved the information from that scan:
"";"C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\12\1187ad0c-73add705";"Trojan horse Java/Exploit.MP";"Moved to Virus Vault"

Yesterday, AVG found some more issues, which it also says it fixed.

"";"C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\7\5f6cb07-3319f1ec";"Trojan horse Dropper.Generic4.BKHN";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\56\4ca0d238-4eb1533d:\FAQ\Template.class";"Trojan horse Java/Exploit.IJ";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\56\4ca0d238-4eb1533d";"Trojan horse Java/Exploit.IJ";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Application Data\Fiko\peuv.exe";"Trojan horse Dropper.Generic4.BKHN";"Moved to Virus Vault"

"";"HKU\S-1-5-21-515967899-261478967-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\{9E028B75-6495-EA45-AB37-7F82C118E34A}";"Found registry key with reference to infected file C:\Documents and Settings\user\Application Data\Fiko\peuv.exe";"Moved to Virus Vault"

The redirects started to happen yesterday, sending me to sites like "Yokosearch" and a few others when I click links generated by search engines like Google. This is the only unusual behavior I've observed so far from my computer, and it happens in both Firefox and Chrome. I noticed this only after that last AVG scan I described above, although it is possible it was affecting my system prior to the scan but I simply didn't happen to visit any search engines at that point.

Yesterday, when I noticed the problem, I immediately updated AVG and Malwarebytes, then turned off my wireless internet hardware to prevent anything else from connecting. I ran both virus scans several times, first in a regular Windows boot, and then in safe mode (without networking). None of the scans found anything, but the symptoms remained. I reinstalled Firefox and it did not resolve the issue - in fact, it happens the same way in Chrome as well. I also tried starting Windows in safe mode with networking, and the browser redirects occurred even then.

I noticed two processes that seemed to be using more memory than I would normally expect - MotoConnect.exe and MotoConnectService.exe. I do have a Motorola phone and I've connected it to my computer before using the USB port (although not in the last several weeks) so these processes aren't totally unexpected, but they were using a lot of memory and I know they are not essential under normal circumstances, so I terminated them. They restarted immediately. I found files with those names in the following two directories (and related files in the windows prefetch directory):
C:\Program Files\Motorola\MotoConnectService
C:\Program Files\Motorola\MotoConnectService\InstallFile
I renamed all four main files by changing the extensions, and then rebooted the computer. The MotoConnect and MotoConnectService processes weren't running, but the browser redirect problem still happened.

That's about all the information I have right now. Sorry I couldn't be more specific. Any help that can be provided would be greatly appreciated.


Here's an OTL log. Incidentally, the log is correct that I have an outdated version of IE on my system, but the reason it hasn't been updated is that I never run IE for any reason.


OTL logfile created on: 10/17/2011 4:54:56 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\user\Desktop\Virus Protection
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 1.05 Gb Available Physical Memory | 53.24% Memory free
3.78 Gb Paging File | 3.01 Gb Available in Paging File | 79.58% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 8.05 Gb Free Space | 7.21% Space Free | Partition Type: NTFS

Computer Name: USER-3614711912 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/17 16:54:04 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\Virus Protection\OTL.exe
PRC - [2011/09/29 02:53:40 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/09/23 06:31:50 | 002,404,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/09/21 19:53:12 | 000,973,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2011/09/13 06:32:40 | 001,227,616 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/09/12 06:23:46 | 005,265,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2010/10/19 15:25:18 | 000,866,576 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2010/10/19 15:16:10 | 000,966,656 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2010/10/19 15:02:42 | 000,477,456 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2010/10/14 20:26:06 | 000,128,296 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/09/24 16:03:58 | 000,475,220 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2009/07/17 09:32:00 | 003,576,320 | ---- | M] (Native Instruments GmbH) -- C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
PRC - [2009/05/21 20:48:38 | 000,128,368 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PRC - [2009/05/21 20:48:18 | 000,062,320 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
PRC - [2009/04/16 14:41:28 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
PRC - [2009/04/14 19:51:38 | 000,015,136 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
PRC - [2009/03/13 17:32:48 | 000,068,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2009/02/02 18:04:10 | 000,067,432 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/13 18:36:26 | 008,522,400 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/09/29 02:53:40 | 001,833,944 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/04/28 10:32:28 | 000,060,928 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\3f4b032f69a5c5408ed124f73612b902\UIAutomationProvider.ni.dll
MOD - [2011/04/28 10:32:09 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\cfea0d1795b97fa4c067e202c768ad6c\System.Drawing.ni.dll
MOD - [2011/04/28 10:31:42 | 000,539,648 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\97bdd7f6ef0ca386f85cf2d526c58f03\PresentationFramework.Luna.ni.dll
MOD - [2011/04/28 10:31:41 | 000,224,768 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7c76a4167eaeb6a5d96134b6bb3afd8b\PresentationFramework.Classic.ni.dll
MOD - [2011/04/28 10:31:20 | 012,214,272 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\04dbceaaee0fe9a89406e3b648f18217\PresentationCore.ni.dll
MOD - [2011/04/28 10:31:07 | 003,323,392 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsBase\ec836c78e45f1397dd529d1279f86e14\WindowsBase.ni.dll
MOD - [2011/04/28 10:30:59 | 007,949,824 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\bbdeb12988e827a4e9fa200ad16f4520\System.ni.dll
MOD - [2011/04/28 10:30:27 | 011,485,184 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\4b10d8196bb368996ec5d24fca777456\mscorlib.ni.dll
MOD - [2011/04/28 01:25:57 | 005,279,744 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
MOD - [2009/04/16 14:41:28 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
MOD - [2009/04/16 14:39:38 | 000,049,152 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRO.DLL
MOD - [2009/04/16 14:39:38 | 000,030,720 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
MOD - [2009/03/19 07:34:40 | 000,196,608 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (MotoConnect Service)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/09/12 06:23:46 | 005,265,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2010/10/19 15:25:18 | 000,866,576 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2010/10/19 15:16:10 | 000,966,656 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2010/10/19 15:02:42 | 000,477,456 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2009/09/24 16:03:58 | 000,475,220 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (acs)
SRV - [2009/07/17 09:32:00 | 003,576,320 | ---- | M] (Native Instruments GmbH) [Auto | Running] -- C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe -- (NIHardwareService)
SRV - [2009/05/21 20:48:24 | 000,045,424 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
SRV - [2009/05/21 20:48:18 | 000,062,320 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2009/04/16 14:41:28 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)
SRV - [2006/12/22 08:31:50 | 000,108,712 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)


========== Driver Services (SafeList) ==========

DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:30 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/07/11 01:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/07/11 01:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/07/11 01:13:46 | 000,229,840 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/05/22 15:42:52 | 000,017,296 | ---- | M] (Mobile Stream) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\easytthr.sys -- (easytether)
DRV - [2010/05/19 23:15:04 | 000,013,952 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2010/02/25 04:40:54 | 000,598,400 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2010/02/12 01:27:42 | 000,818,976 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2010/01/25 20:56:44 | 000,009,472 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motusbdevice.sys -- (motusbdevice)
DRV - [2009/07/13 16:51:12 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/04/03 12:18:06 | 001,347,168 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/05/12 18:04:04 | 000,013,480 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\smiif32.sys -- (lenovo.smi)
DRV - [2008/05/06 16:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/02/15 19:01:18 | 000,046,592 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/02/08 10:46:36 | 000,057,408 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/07/30 12:54:02 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/30 11:42:58 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/12/21 13:56:44 | 000,988,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/12/21 13:56:00 | 000,209,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/21 13:55:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/11/30 17:38:24 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:10.0.0.1209


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2011/10/05 17:40:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/16 18:40:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/10 14:22:33 | 000,000,000 | ---D | M]

[2010/12/30 18:34:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2011/09/30 12:22:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\bd3vc3l0.default\extensions
[2011/09/30 12:22:26 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\bd3vc3l0.default\extensions\[email protected]
[2011/10/16 18:40:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/03/30 10:53:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}-trash
[2011/05/10 14:22:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\USER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\BD3VC3L0.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\USER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\BD3VC3L0.DEFAULT\EXTENSIONS\[email protected]
[2011/10/05 17:40:23 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX4
[2011/09/29 02:53:40 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/10 14:22:17 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/09/28 20:26:50 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.202\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.202\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.202\gcswf32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Disabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: AVG Safe Search = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1390_0\
CHR - Extension: AVG Safe Search = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1829_0\

O1 HOSTS File: ([2011/10/14 12:53:08 | 000,000,884 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 94.63.240.149 www.google.com
O1 - Hosts: 94.63.240.150 www.bing.com
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1293562978847 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8CBE0019-EF21-412E-89EF-6FECCF52C65A}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\tpfnf2: DllName - (C:\Program Files\Lenovo\HOTKEY\notifyf2.dll) - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/12/28 14:23:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{178f918f-e3ab-11e0-9cb4-00197e92cada}\Shell - "" = AutoRun
O33 - MountPoints2\{178f918f-e3ab-11e0-9cb4-00197e92cada}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{178f918f-e3ab-11e0-9cb4-00197e92cada}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{35f54d76-1457-11e0-9bd9-00197e92cada}\Shell - "" = AutoRun
O33 - MountPoints2\{35f54d76-1457-11e0-9bd9-00197e92cada}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{35f54d76-1457-11e0-9bd9-00197e92cada}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{4c458803-12b2-11e0-9bcf-b4bf009f741d}\Shell\AutoRun\command - "" = E:\urDrive.exe
O33 - MountPoints2\{7c514f81-7a6c-11e0-9c31-00197e92cada}\Shell\AutoRun\command - "" = E:\setup.exe
O33 - MountPoints2\{9b57eea7-80cb-11e0-9c38-00197e92cada}\Shell - "" = AutoRun
O33 - MountPoints2\{9b57eea7-80cb-11e0-9c38-00197e92cada}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9b57eea7-80cb-11e0-9c38-00197e92cada}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{bb8722b9-1796-11e0-9bef-00197e92cada}\Shell - "" = AutoRun
O33 - MountPoints2\{bb8722b9-1796-11e0-9bef-00197e92cada}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{bb8722b9-1796-11e0-9bef-00197e92cada}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/16 20:37:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2011/10/16 17:40:35 | 000,000,000 | ---D | C] -- C:\Program Files\MALWAREBYTES ANTI-MALWARE
[2011/10/15 13:07:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Fiko
[2011/10/15 13:07:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Efrein
[2011/09/27 13:10:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2012
[2011/09/27 13:09:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\AVG2012
[2011/09/27 13:08:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/17 15:59:20 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/17 15:19:49 | 000,124,072 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/10/17 15:19:23 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2011/10/17 15:19:19 | 000,190,394 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/10/17 15:19:18 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/17 15:19:17 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/17 15:19:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/17 15:06:57 | 106,758,884 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/10/16 18:48:49 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/10/16 16:03:26 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/10/15 13:07:17 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\user\Application Data\fDh1dg6FFy7F
[2011/10/12 16:56:56 | 000,188,660 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2011/10/12 09:12:50 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/10/12 09:12:48 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/10 16:48:16 | 000,124,072 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2011/10/04 21:08:11 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007.lnk
[2011/09/26 18:18:28 | 000,003,254 | ---- | M] () -- C:\WINDOWS\ENTPACK.INI
[2011/09/21 16:41:21 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Publisher 2007.lnk
[2011/09/20 22:01:00 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Word 2003.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/15 13:07:17 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\user\Application Data\fDh1dg6FFy7F
[2011/07/23 18:27:25 | 000,097,697 | ---- | C] () -- C:\WINDOWS\hpqins05.dat
[2011/06/24 20:24:18 | 000,003,254 | ---- | C] () -- C:\WINDOWS\ENTPACK.INI
[2011/06/16 23:02:42 | 000,118,784 | ---- | C] () -- C:\WINDOWS\dsdxirmv.exe
[2011/04/28 01:28:58 | 000,755,808 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/03/09 23:23:40 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/09 23:23:35 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/02/06 19:24:27 | 000,057,060 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/01/03 17:19:29 | 000,010,563 | R--- | C] () -- C:\WINDOWS\hpwscr19.dat
[2011/01/03 17:16:33 | 000,176,297 | ---- | C] () -- C:\WINDOWS\hpwins19.dat
[2011/01/03 17:16:33 | 000,000,997 | R--- | C] () -- C:\WINDOWS\hpwmdl19.dat
[2011/01/02 20:32:31 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/01/02 20:11:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
[2011/01/02 20:10:59 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2011/01/02 18:09:47 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pxhpinst.exe
[2010/12/30 18:34:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/12/29 12:46:31 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2010/12/29 12:46:31 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2010/12/29 12:46:31 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2010/12/28 18:30:31 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/12/28 15:48:18 | 000,124,072 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2010/12/28 14:28:44 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/12/28 14:20:07 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/12/28 09:04:33 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/12/28 09:03:19 | 000,302,032 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/16 19:50:25 | 000,013,931 | ---- | C] () -- C:\WINDOWS\System32\RaCoInst.dat
[2009/01/15 02:37:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/01/15 02:37:00 | 001,630,208 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2009/01/15 02:37:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/01/15 02:37:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2009/01/15 02:37:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/01/15 02:37:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/01/15 02:37:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2009/01/15 02:37:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/02/28 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 08:00:00 | 000,432,924 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 08:00:00 | 000,067,714 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/09/27 13:11:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/09/27 13:28:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2011/06/16 23:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cakewalk
[2011/06/15 00:50:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/01/19 02:28:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2010/12/30 18:06:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2011/10/17 15:06:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/06/16 23:05:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Native Instruments
[2011/06/16 23:05:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{0CC51CB2-911C-40BB-BC1B-BD3CAC590222}
[2010/12/30 19:36:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/06/16 23:06:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{D69A48BF-7653-4AA8-94BC-5847522A4573}
[2011/06/16 23:04:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{D7CFB71A-972A-44FF-AE44-8780EB53ABB2}
[2011/06/03 12:03:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\.minecraft
[2011/06/17 15:46:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\4Front
[2011/09/27 13:09:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\AVG2012
[2011/07/25 20:57:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Cakewalk
[2011/10/15 19:47:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Efrein
[2011/10/16 17:43:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Fiko
[2011/06/09 19:10:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\MPEG Streamclip
[2011/07/23 19:04:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\OpenOffice.org
[2011/01/02 18:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Opera
[2011/06/15 19:54:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\PyScripter
[2011/10/17 15:19:23 | 000,000,298 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

========== Purity Check ==========



< End of report >
  • 0

Advertisements

#2
WhiteHat
Posted 17 October 2011 - 04:54 PM

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hello Cornelius and welcome to GeeksToGo :)

I'm GLeobas and I'm going to help you fix your problem.

Please note that I'm currently in training and my posts have to be approved by an expert before I reply.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • Please do not try to fix anything without being asked
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread.
  • I am currently reviewing your logs.

Edited by GLeobas, 17 October 2011 - 04:55 PM.

  • 0

#3
WhiteHat
Posted 20 October 2011 - 12:13 PM

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
# Step 1 #

Download aswMBR.exe ( 1.8mB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply
Posted Image

# Step 2 #

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
    Posted Image
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    ../../../misc/guide_icons/GMER_thumb.jpg
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in Gmer.txt or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any <--- ROOKIT entries


# Step 3 #

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
[2011/10/15 13:07:17 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\user\Application Data\fDh1dg6FFy7F

:Commands
[purity]
[resethosts]
[EMPTYTEMP]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0

#4
Cornelius
Posted 20 October 2011 - 06:39 PM

Cornelius

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Hello GLeobas,

Thank you so much for your prompt replies. I appreciate your help.


Review of what I did:

I downloaded the three files you linked to a flash drive and transferred them to the infected computer.

I ran aswMBR.exe. It asked me to download the Avast definitions. Since I did not know where the program was expecting the definitions to be stored, I opted not to try to download them on another computer and transfer them. I turned on the wireless radio on the infected computer for ten minutes to download the definitions, and then turned it off again.

Once the definitions were downloaded, I closed the Avast antirootkit tool, executed it again, and then ran the requested scan. It scanned for a while and then Windows told me it had "encountered a problem and needed to close." The aswMBR window showed that it was in the process of scanning one of my regular documents folders. I ran quick AVG and Malwarebytes scans of that folder using the context menu, and neither one had an error. I reran the Avast tool and the same thing happened, but in a different documents folder (earlier in the scan order, if it matters). AVG and Malwarebytes also have no trouble with that second folder. So I ran the Avast tool for a third time, and this time I stopped it after it completed the scan of the system folders, so that I could at least give you a partial log.

Then I ran the GMER rootkit scanner as requested, with no problems. The log is below.

I ran the OTL Fix with the specifications you provided, allowed the computer to reboot, and found the log that was created of what it did. The log is pretty short, so I'm including it below even though you didn't specifically ask for it.

Finally, I reran OTL's quick scan. The log is below.

Thanks again, GLeobas!



Logs:



aswMBR partial log



aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-20 16:23:36
-----------------------------
16:23:36.875 OS Version: Windows 5.1.2600 Service Pack 3
16:23:36.875 Number of processors: 2 586 0xF0A
16:23:36.875 ComputerName: USER-3614711912 UserName: user
16:23:37.687 Initialize success
16:23:41.453 AVAST engine defs: 11102002
16:23:44.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:23:44.359 Disk 0 Vendor: HITACHI_HTS541612J9SA00 SBDIC7JP Size: 114473MB BusType: 3
16:23:46.406 Disk 0 MBR read successfully
16:23:46.406 Disk 0 MBR scan
16:23:46.406 Disk 0 Windows XP default MBR code
16:23:46.421 Disk 0 scanning sectors +234435600
16:23:46.609 Disk 0 scanning C:\WINDOWS\system32\drivers
16:24:22.125 Service scanning
16:24:23.171 Modules scanning
16:25:05.562 Disk 0 trace - called modules:
16:25:05.593 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
16:25:05.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7c3ab8]
16:25:05.593 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000089[0x8a7c9908]
16:25:06.093 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a78b940]
16:25:06.875 AVAST engine scan C:\WINDOWS
16:25:55.062 AVAST engine scan C:\WINDOWS\system32
16:30:54.281 AVAST engine scan C:\WINDOWS\system32\drivers
16:32:03.062 AVAST engine scan C:\Documents and Settings\user
16:34:02.843 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
16:34:02.843 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"



GMER log



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-20 19:37:14
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HITACHI_HTS541612J9SA00 rev.SBDIC7JP
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\pwgyqaoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB551BF3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB551BFE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB551C080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB551C11C]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8E36360, 0x388D2D, 0xE8000020]
? C:\DOCUME~1\user\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- EOF - GMER 1.0.15 ----



OTL fix log



All processes killed
========== OTL ==========
C:\Documents and Settings\user\Application Data\fDh1dg6FFy7F moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes

User: user
->Temp folder emptied: 357279071 bytes
->Temporary Internet Files folder emptied: 53590628 bytes
->Java cache emptied: 973580 bytes
->FireFox cache emptied: 673437779 bytes
->Google Chrome cache emptied: 39580998 bytes
->Flash cache emptied: 132545 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2568648 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 261359498 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 49465693 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 11525367 bytes

Total Files Cleaned = 1,383.00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: user
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Unable to start service SrService!

OTL by OldTimer - Version 3.2.31.0 log created on 10202011_194536

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



OTL quick scan log



OTL logfile created on: 10/20/2011 8:02:17 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\user\Desktop\Oct 2011 Malware\GeeksToGo requested scans\software
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 70.71% Memory free
3.78 Gb Paging File | 3.35 Gb Available in Paging File | 88.46% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 9.32 Gb Free Space | 8.34% Space Free | Partition Type: NTFS

Computer Name: USER-3614711912 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/17 16:54:04 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\Oct 2011 Malware\GeeksToGo requested scans\software\OTL.exe
PRC - [2011/09/23 06:31:50 | 002,404,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/09/21 19:53:12 | 000,973,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2011/09/13 06:32:40 | 001,227,616 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/09/12 06:23:46 | 005,265,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2010/10/19 15:25:18 | 000,866,576 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2010/10/19 15:16:10 | 000,966,656 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2010/10/19 15:02:42 | 000,477,456 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2010/10/14 20:26:06 | 000,128,296 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/09/24 16:03:58 | 000,475,220 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2009/07/17 09:32:00 | 003,576,320 | ---- | M] (Native Instruments GmbH) -- C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
PRC - [2009/05/21 20:48:38 | 000,128,368 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PRC - [2009/05/21 20:48:18 | 000,062,320 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
PRC - [2009/04/16 14:41:28 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
PRC - [2009/04/14 19:51:38 | 000,015,136 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
PRC - [2009/03/13 17:32:48 | 000,068,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2009/02/02 18:04:10 | 000,067,432 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/04/28 10:32:28 | 000,060,928 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\3f4b032f69a5c5408ed124f73612b902\UIAutomationProvider.ni.dll
MOD - [2011/04/28 10:32:09 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\cfea0d1795b97fa4c067e202c768ad6c\System.Drawing.ni.dll
MOD - [2011/04/28 10:31:42 | 000,539,648 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\97bdd7f6ef0ca386f85cf2d526c58f03\PresentationFramework.Luna.ni.dll
MOD - [2011/04/28 10:31:41 | 000,224,768 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7c76a4167eaeb6a5d96134b6bb3afd8b\PresentationFramework.Classic.ni.dll
MOD - [2011/04/28 10:31:20 | 012,214,272 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\04dbceaaee0fe9a89406e3b648f18217\PresentationCore.ni.dll
MOD - [2011/04/28 10:31:07 | 003,323,392 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsBase\ec836c78e45f1397dd529d1279f86e14\WindowsBase.ni.dll
MOD - [2011/04/28 10:30:59 | 007,949,824 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\bbdeb12988e827a4e9fa200ad16f4520\System.ni.dll
MOD - [2011/04/28 10:30:27 | 011,485,184 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\4b10d8196bb368996ec5d24fca777456\mscorlib.ni.dll
MOD - [2011/04/28 01:25:57 | 005,279,744 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
MOD - [2009/04/16 14:41:28 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
MOD - [2009/04/16 14:39:38 | 000,049,152 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRO.DLL
MOD - [2009/04/16 14:39:38 | 000,030,720 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
MOD - [2009/03/19 07:34:40 | 000,196,608 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (MotoConnect Service)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/09/12 06:23:46 | 005,265,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2010/10/19 15:25:18 | 000,866,576 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2010/10/19 15:16:10 | 000,966,656 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2010/10/19 15:02:42 | 000,477,456 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2009/09/24 16:03:58 | 000,475,220 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (acs)
SRV - [2009/07/17 09:32:00 | 003,576,320 | ---- | M] (Native Instruments GmbH) [Auto | Running] -- C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe -- (NIHardwareService)
SRV - [2009/05/21 20:48:24 | 000,045,424 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
SRV - [2009/05/21 20:48:18 | 000,062,320 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2009/04/16 14:41:28 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)
SRV - [2006/12/22 08:31:50 | 000,108,712 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)


========== Driver Services (SafeList) ==========

DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:30 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/07/11 01:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/07/11 01:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/07/11 01:13:46 | 000,229,840 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/05/22 15:42:52 | 000,017,296 | ---- | M] (Mobile Stream) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\easytthr.sys -- (easytether)
DRV - [2010/05/19 23:15:04 | 000,013,952 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2010/02/25 04:40:54 | 000,598,400 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2010/02/12 01:27:42 | 000,818,976 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2010/01/25 20:56:44 | 000,009,472 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motusbdevice.sys -- (motusbdevice)
DRV - [2009/07/13 16:51:12 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/04/03 12:18:06 | 001,347,168 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/05/12 18:04:04 | 000,013,480 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\smiif32.sys -- (lenovo.smi)
DRV - [2008/05/06 16:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/02/15 19:01:18 | 000,046,592 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/02/08 10:46:36 | 000,057,408 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/07/30 12:54:02 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/30 11:42:58 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/12/21 13:56:44 | 000,988,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/12/21 13:56:00 | 000,209,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/21 13:55:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/11/30 17:38:24 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:10.0.0.1209


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2011/10/05 17:40:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/16 18:40:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/10 14:22:33 | 000,000,000 | ---D | M]

[2010/12/30 18:34:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2011/09/30 12:22:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\bd3vc3l0.default\extensions
[2011/09/30 12:22:26 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\bd3vc3l0.default\extensions\[email protected]
[2011/10/16 18:40:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/03/30 10:53:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}-trash
[2011/05/10 14:22:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\USER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\BD3VC3L0.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\USER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\BD3VC3L0.DEFAULT\EXTENSIONS\[email protected]
[2011/10/05 17:40:23 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX4
[2011/09/29 02:53:40 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/10 14:22:17 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/09/28 20:26:50 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.202\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.202\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\14.0.835.202\gcswf32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Disabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: AVG Safe Search = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1390_0\
CHR - Extension: AVG Safe Search = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1829_0\

O1 HOSTS File: ([2011/10/20 19:45:40 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1293562978847 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\tpfnf2: DllName - (C:\Program Files\Lenovo\HOTKEY\notifyf2.dll) - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/12/28 14:23:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{178f918f-e3ab-11e0-9cb4-00197e92cada}\Shell - "" = AutoRun
O33 - MountPoints2\{178f918f-e3ab-11e0-9cb4-00197e92cada}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{178f918f-e3ab-11e0-9cb4-00197e92cada}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{35f54d76-1457-11e0-9bd9-00197e92cada}\Shell - "" = AutoRun
O33 - MountPoints2\{35f54d76-1457-11e0-9bd9-00197e92cada}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{35f54d76-1457-11e0-9bd9-00197e92cada}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{4c458803-12b2-11e0-9bcf-b4bf009f741d}\Shell\AutoRun\command - "" = E:\urDrive.exe
O33 - MountPoints2\{7c514f81-7a6c-11e0-9c31-00197e92cada}\Shell\AutoRun\command - "" = E:\setup.exe
O33 - MountPoints2\{9b57eea7-80cb-11e0-9c38-00197e92cada}\Shell - "" = AutoRun
O33 - MountPoints2\{9b57eea7-80cb-11e0-9c38-00197e92cada}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9b57eea7-80cb-11e0-9c38-00197e92cada}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{bb8722b9-1796-11e0-9bef-00197e92cada}\Shell - "" = AutoRun
O33 - MountPoints2\{bb8722b9-1796-11e0-9bef-00197e92cada}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{bb8722b9-1796-11e0-9bef-00197e92cada}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/20 19:45:36 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/10/19 23:55:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\Oct 2011 Malware
[2011/10/16 20:37:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2011/10/16 17:40:35 | 000,000,000 | ---D | C] -- C:\Program Files\MALWAREBYTES ANTI-MALWARE
[2011/10/15 13:07:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Fiko
[2011/10/15 13:07:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Efrein
[2011/09/27 13:10:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2012
[2011/09/27 13:09:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\AVG2012
[2011/09/27 13:08:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012

========== Files - Modified Within 30 Days ==========

[2011/10/20 19:59:05 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/20 19:54:39 | 000,167,496 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/10/20 19:53:57 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2011/10/20 19:53:47 | 000,190,394 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/10/20 19:53:15 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/20 19:53:13 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/20 19:52:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/20 19:45:40 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/10/20 14:55:36 | 106,949,643 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/10/19 14:37:02 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/10/17 21:44:21 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Word 2003.lnk
[2011/10/17 18:24:55 | 000,167,496 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2011/10/16 18:48:49 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/10/12 16:56:56 | 000,188,660 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2011/10/12 09:12:50 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/10/12 09:12:48 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/04 21:08:11 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007.lnk
[2011/09/26 18:18:28 | 000,003,254 | ---- | M] () -- C:\WINDOWS\ENTPACK.INI
[2011/09/21 16:41:21 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Publisher 2007.lnk

========== Files Created - No Company Name ==========

[2011/07/23 18:27:25 | 000,097,697 | ---- | C] () -- C:\WINDOWS\hpqins05.dat
[2011/06/24 20:24:18 | 000,003,254 | ---- | C] () -- C:\WINDOWS\ENTPACK.INI
[2011/06/16 23:02:42 | 000,118,784 | ---- | C] () -- C:\WINDOWS\dsdxirmv.exe
[2011/04/28 01:28:58 | 000,755,808 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/03/09 23:23:40 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/09 23:23:35 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/02/06 19:24:27 | 000,057,060 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/01/03 17:19:29 | 000,010,563 | R--- | C] () -- C:\WINDOWS\hpwscr19.dat
[2011/01/03 17:16:33 | 000,176,297 | ---- | C] () -- C:\WINDOWS\hpwins19.dat
[2011/01/03 17:16:33 | 000,000,997 | R--- | C] () -- C:\WINDOWS\hpwmdl19.dat
[2011/01/02 20:32:31 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/01/02 20:11:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
[2011/01/02 20:10:59 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2011/01/02 18:09:47 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pxhpinst.exe
[2010/12/30 18:34:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/12/29 12:46:31 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2010/12/29 12:46:31 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2010/12/29 12:46:31 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2010/12/28 18:30:31 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/12/28 15:48:18 | 000,167,496 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2010/12/28 14:28:44 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/12/28 14:20:07 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/12/28 09:04:33 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/12/28 09:03:19 | 000,302,032 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/16 19:50:25 | 000,013,931 | ---- | C] () -- C:\WINDOWS\System32\RaCoInst.dat
[2009/01/15 02:37:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/01/15 02:37:00 | 001,630,208 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2009/01/15 02:37:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/01/15 02:37:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2009/01/15 02:37:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/01/15 02:37:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/01/15 02:37:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2009/01/15 02:37:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/02/28 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 08:00:00 | 000,432,924 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 08:00:00 | 000,067,714 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/09/27 13:11:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/09/27 13:28:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2011/06/16 23:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cakewalk
[2011/06/15 00:50:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/01/19 02:28:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2010/12/30 18:06:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2011/10/20 14:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/06/16 23:05:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Native Instruments
[2011/06/16 23:05:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{0CC51CB2-911C-40BB-BC1B-BD3CAC590222}
[2010/12/30 19:36:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/06/16 23:06:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{D69A48BF-7653-4AA8-94BC-5847522A4573}
[2011/06/16 23:04:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{D7CFB71A-972A-44FF-AE44-8780EB53ABB2}
[2011/06/03 12:03:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\.minecraft
[2011/06/17 15:46:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\4Front
[2011/09/27 13:09:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\AVG2012
[2011/07/25 20:57:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Cakewalk
[2011/10/15 19:47:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Efrein
[2011/10/16 17:43:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Fiko
[2011/06/09 19:10:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\MPEG Streamclip
[2011/07/23 19:04:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\OpenOffice.org
[2011/01/02 18:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Opera
[2011/06/15 19:54:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\PyScripter
[2011/10/20 19:53:57 | 000,000,298 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

========== Purity Check ==========



< End of report >

Edited by Cornelius, 20 October 2011 - 06:41 PM.

  • 0

#5
WhiteHat
Posted 24 October 2011 - 02:58 PM

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Are you still getting redirected?

Disable your antivirus software
  • Do the scan according the image:

    Posted Image
  • At the end, check the box "Delete Quarantined files" and click in [FINISH]
  • It will be generated a log in C:\Program Files\EsetOnlineScanner\Log.txt
    PS: If you didn't find the log.txt file in \EsetOnlineScanner\, look on \Program Files\Eset\EsetOnlineScanner\log.txt
  • Post that log.

  • 0

#6
Cornelius
Posted 24 October 2011 - 10:17 PM

Cornelius

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
After testing it in both browsers, I am pretty sure the search engine redirect issue isn't happening anymore. I wonder what the issue was, and why AVG and Malwarebytes didn't catch it.

I ran the scan you requested and it didn't find anything. Here's the log:


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=51377f6c95f3484998245b069e1c83bf
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-25 03:10:39
# local_time=2011-10-24 11:10:39 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 1432416 1432416 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=140769
# found=0
# cleaned=0
# scan_time=14742
  • 0

#7
WhiteHat
Posted 27 October 2011 - 10:04 AM

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean ../../public/style_emoticons/default/thumbsup.gif

The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the Posted Image button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • GoStart > All programs > Accessories > system tools
  • Right click Disc cleanup and select run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Posted Image
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe ../../public/style_emoticons/default/wavey.gif
  • 0

#8
Cornelius
Posted 27 October 2011 - 10:39 AM

Cornelius

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Thanks for your help.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP