Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Search engine being redirected [Solved]


  • This topic is locked This topic is locked

#1
fnh

fnh

    Member

  • Member
  • PipPip
  • 20 posts
Hello, all search engines are being redirected on my laptop. I was originally getting the fake MS Security 2012 virus but I was able to clear that with Malwarebytes. Now, when I click on a link after a search on Yahoo, it redirects me. Here is my OTL report:

OTL logfile created on: 1/1/2012 10:48:31 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\jiveyang\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.74 Gb Available Physical Memory | 58.09% Memory free
6.17 Gb Paging File | 5.00 Gb Available in Paging File | 81.05% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.87 Gb Total Space | 107.23 Gb Free Space | 48.55% Space Free | Partition Type: NTFS
Drive D: | 12.01 Gb Total Space | 1.89 Gb Free Space | 15.77% Space Free | Partition Type: NTFS

Computer Name: JIVEYANG-PC | User Name: jiveyang | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/01 22:48:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\jiveyang\Desktop\OTL.exe
PRC - [2010/04/06 20:36:13 | 002,938,552 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
PRC - [2009/10/30 03:57:08 | 000,369,200 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2008/10/28 22:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/09/15 00:29:10 | 000,102,400 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPStart.exe
PRC - [2007/08/17 05:27:00 | 004,702,208 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/07/24 22:02:44 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2006/11/02 01:45:32 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\PING.EXE


========== Modules (No Company Name) ==========

MOD - [2010/04/06 20:36:13 | 002,938,552 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
MOD - [2007/09/30 19:33:32 | 000,066,856 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\common\MCEMediaStatus.dll
MOD - [2006/11/02 01:46:10 | 000,227,328 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/11/08 18:19:01 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/10/12 09:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
SRV - [2007/07/24 22:02:44 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/03/05 10:30:06 | 000,110,592 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe -- (Com4Qlb)


========== Driver Services (SafeList) ==========

DRV - [2009/11/17 13:12:06 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/10/03 03:02:06 | 009,905,096 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/09/17 15:17:36 | 000,098,816 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2007/07/11 10:30:22 | 000,007,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqRemHid.sys -- (HpqRemHid)
DRV - [2007/06/28 07:09:56 | 002,222,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2007/06/18 17:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/03/21 22:02:04 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/02/24 14:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/01/23 16:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/01/17 05:38:52 | 000,983,936 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
DRV - [2005/04/12 16:21:32 | 000,022,240 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WmFilter.sys -- (WmFilter)
DRV - [2005/04/12 16:21:28 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2005/04/12 16:21:28 | 000,005,600 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WmVirHid.sys -- (WmVirHid)
DRV - [2005/04/12 16:21:26 | 000,045,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WmXlCore.sys -- (WmXlCore)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ilion&pf=laptop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.yahoo.com"

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll ()
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\jiveyang\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/27 14:48:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/25 01:58:00 | 000,000,000 | ---D | M]

[2010/05/27 14:49:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jiveyang\AppData\Roaming\Mozilla\Extensions
[2011/12/14 21:41:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jiveyang\AppData\Roaming\Mozilla\Firefox\Profiles\20waqr7u.default\extensions
[2010/05/28 04:03:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\jiveyang\AppData\Roaming\Mozilla\Firefox\Profiles\20waqr7u.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/27 14:48:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.63\gcswf32.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.63\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.63\pdf.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
CHR - plugin: WildTangent Games App Presence Detector (Enabled) = C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\jiveyang\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\jiveyang\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Users\jiveyang\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: Gmail = C:\Users\jiveyang\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (HP Print Clips) - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! ¤u¨ă¦C) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\system32\pnrpnsp.dll File not found
O13 - gopher Prefix: missing
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.sy...eqlabdetect.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FA4CC8CB-B5C9-47E5-85F8-BB530C441951}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\jiveyang\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\jiveyang\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/25 20:52:25 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 07:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O33 - MountPoints2\{196ec06a-d3be-11de-936a-001e6820c5ae}\Shell - "" = AutoRun
O33 - MountPoints2\{196ec06a-d3be-11de-936a-001e6820c5ae}\Shell\AutoRun\command - "" = F:\autorun.exe -auto
O33 - MountPoints2\{3ecbdc29-6d2a-11dd-8dc1-001e6820c5ae}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
O33 - MountPoints2\{5706aa08-cd7a-11dd-b530-001e6820c5ae}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
O33 - MountPoints2\{5706aa0e-cd7a-11dd-b530-001e6820c5ae}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
O33 - MountPoints2\{8e1e76e6-a265-11dd-a061-001e6820c5ae}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
O33 - MountPoints2\{9909cdd9-e6bb-11e0-aea3-001e6820c5ae}\Shell\AutoRun\command - "" = G:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe
O33 - MountPoints2\{9909cdd9-e6bb-11e0-aea3-001e6820c5ae}\Shell\open\command - "" = G:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe
O33 - MountPoints2\{b4bbab1a-3aac-11e0-8958-001e6820c5ae}\Shell\AutoRun\command - "" = G:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe
O33 - MountPoints2\{b4bbab1a-3aac-11e0-8958-001e6820c5ae}\Shell\open\command - "" = G:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe
O33 - MountPoints2\{d15d309f-30b5-11dd-aa2f-001e6820c5ae}\Shell\AutoRun\command - "" = F:\wd_windows_tools\setup.exe
O33 - MountPoints2\{d9e61d18-4e5a-11dd-9d02-eb88cd1f5d8d}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
O33 - MountPoints2\{efe7a89d-306a-11dd-8fdf-001e6820c5ae}\Shell\AutoRun\command - "" = WD_Windows_Tools\Setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/01/01 22:48:21 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\jiveyang\Desktop\OTL.exe
[2011/12/14 22:07:05 | 000,000,000 | ---D | C] -- C:\ProgramData\RegCure
[2011/12/14 21:34:30 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2011/12/14 21:33:24 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools

========== Files - Modified Within 30 Days ==========

[2012/01/01 22:48:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\jiveyang\Desktop\OTL.exe
[2012/01/01 22:43:00 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/01 22:39:15 | 000,381,212 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/01/01 22:39:15 | 000,333,786 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/01/01 22:31:45 | 000,077,972 | ---- | M] () -- C:\ProgramData\nvModes.001
[2012/01/01 22:31:41 | 000,077,972 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2012/01/01 22:31:38 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/01 22:30:37 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/01 22:30:37 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/01 22:30:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/01 22:30:32 | 3219,578,880 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/01 22:21:55 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At46.job
[2012/01/01 22:20:14 | 000,008,818 | -HS- | M] () -- C:\Users\jiveyang\AppData\Local\8hg05m6im1
[2012/01/01 22:20:14 | 000,008,818 | -HS- | M] () -- C:\ProgramData\8hg05m6im1
[2012/01/01 22:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At45.job
[2012/01/01 21:45:21 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At43.job
[2012/01/01 21:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At44.job
[2012/01/01 20:28:21 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At42.job
[2012/01/01 20:27:38 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At41.job
[2012/01/01 19:22:55 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/30 15:15:45 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At32.job
[2011/12/30 15:15:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At31.job
[2011/12/30 14:24:11 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At29.job
[2011/12/30 14:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At30.job
[2011/12/30 13:16:30 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At27.job
[2011/12/30 13:15:45 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At28.job
[2011/12/30 12:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At26.job
[2011/12/30 12:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At25.job
[2011/12/30 11:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At24.job
[2011/12/30 11:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At23.job
[2011/12/30 10:16:25 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At22.job
[2011/12/30 10:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At21.job
[2011/12/30 09:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At20.job
[2011/12/30 09:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At19.job
[2011/12/30 08:30:43 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At17.job
[2011/12/30 08:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At18.job
[2011/12/30 07:15:45 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At16.job
[2011/12/30 07:14:59 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At15.job
[2011/12/29 18:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At38.job
[2011/12/29 18:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At37.job
[2011/12/29 17:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At36.job
[2011/12/29 17:15:24 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At35.job
[2011/12/29 16:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At34.job
[2011/12/29 16:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At33.job
[2011/12/29 01:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At3.job
[2011/12/29 01:15:24 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At4.job
[2011/12/29 00:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At2.job
[2011/12/29 00:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At1.job
[2011/12/28 23:36:32 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At48.job
[2011/12/28 23:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At47.job
[2011/12/28 20:23:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\ABee0GxD.com.b
[2011/12/27 06:18:24 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At13.job
[2011/12/27 06:15:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At14.job
[2011/12/27 05:18:50 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At11.job
[2011/12/27 05:15:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At12.job
[2011/12/27 04:15:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At10.job
[2011/12/27 04:15:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At9.job
[2011/12/24 09:25:26 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At8.job
[2011/12/24 09:25:26 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At6.job
[2011/12/24 09:25:26 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At40.job
[2011/12/24 09:25:26 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At7.job
[2011/12/24 09:25:26 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At5.job
[2011/12/24 09:25:26 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At39.job
[2011/12/24 07:29:09 | 000,000,000 | ---- | M] () -- C:\ProgramData\QMsoSDK.dat
[2011/12/23 00:18:02 | 305,395,909 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/12/21 21:39:06 | 000,010,824 | -HS- | M] () -- C:\Users\jiveyang\AppData\Local\3w81ni7k86o726
[2011/12/21 21:39:06 | 000,010,824 | -HS- | M] () -- C:\ProgramData\3w81ni7k86o726
[2011/12/17 00:43:20 | 000,002,234 | ---- | M] () -- C:\Users\Public\Desktop\WildTangent Games App - hp.lnk
[2011/12/15 07:46:12 | 000,001,971 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2011/12/14 22:17:37 | 000,314,928 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/14 21:33:09 | 000,000,140 | ---- | M] () -- C:\Users\jiveyang\Desktop\script.reg
[2011/12/14 21:26:14 | 000,008,290 | -HS- | M] () -- C:\Users\jiveyang\AppData\Local\2t26jd3b40h735
[2011/12/14 21:26:14 | 000,008,290 | -HS- | M] () -- C:\ProgramData\2t26jd3b40h735
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2012/01/01 19:22:55 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/30 15:35:39 | 000,008,818 | -HS- | C] () -- C:\Users\jiveyang\AppData\Local\8hg05m6im1
[2011/12/30 15:35:39 | 000,008,818 | -HS- | C] () -- C:\ProgramData\8hg05m6im1
[2011/12/28 20:23:13 | 000,000,000 | ---- | C] () -- C:\Windows\System32\ABee0GxD.com.b
[2011/12/24 07:29:09 | 000,000,000 | ---- | C] () -- C:\ProgramData\QMsoSDK.dat
[2011/12/24 07:29:08 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At48.job
[2011/12/24 07:29:08 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At46.job
[2011/12/24 07:29:08 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At44.job
[2011/12/24 07:29:08 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At47.job
[2011/12/24 07:29:08 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At45.job
[2011/12/24 07:29:08 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At43.job
[2011/12/24 07:29:07 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At42.job
[2011/12/24 07:29:07 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At40.job
[2011/12/24 07:29:07 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At38.job
[2011/12/24 07:29:07 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At36.job
[2011/12/24 07:29:07 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At41.job
[2011/12/24 07:29:07 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At39.job
[2011/12/24 07:29:07 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At37.job
[2011/12/24 07:29:06 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At34.job
[2011/12/24 07:29:06 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At32.job
[2011/12/24 07:29:06 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At35.job
[2011/12/24 07:29:06 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At33.job
[2011/12/24 07:29:06 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At31.job
[2011/12/24 07:29:05 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At30.job
[2011/12/24 07:29:05 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At28.job
[2011/12/24 07:29:05 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At26.job
[2011/12/24 07:29:05 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At24.job
[2011/12/24 07:29:05 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At29.job
[2011/12/24 07:29:05 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At27.job
[2011/12/24 07:29:05 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At25.job
[2011/12/24 07:29:04 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At22.job
[2011/12/24 07:29:04 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At20.job
[2011/12/24 07:29:04 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At18.job
[2011/12/24 07:29:04 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At16.job
[2011/12/24 07:29:04 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At14.job
[2011/12/24 07:29:04 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At23.job
[2011/12/24 07:29:04 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At21.job
[2011/12/24 07:29:04 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At19.job
[2011/12/24 07:29:04 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At17.job
[2011/12/24 07:29:04 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At15.job
[2011/12/24 07:29:03 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At8.job
[2011/12/24 07:29:03 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At12.job
[2011/12/24 07:29:03 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At10.job
[2011/12/24 07:29:03 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At9.job
[2011/12/24 07:29:03 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At13.job
[2011/12/24 07:29:03 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At11.job
[2011/12/24 07:29:02 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At6.job
[2011/12/24 07:29:02 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At4.job
[2011/12/24 07:29:02 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At7.job
[2011/12/24 07:29:02 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At5.job
[2011/12/24 07:29:02 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At3.job
[2011/12/24 07:29:01 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At2.job
[2011/12/24 07:28:59 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At1.job
[2011/12/22 02:04:06 | 3219,578,880 | -HS- | C] () -- C:\hiberfil.sys
[2011/12/21 21:30:57 | 000,010,824 | -HS- | C] () -- C:\Users\jiveyang\AppData\Local\3w81ni7k86o726
[2011/12/21 21:30:57 | 000,010,824 | -HS- | C] () -- C:\ProgramData\3w81ni7k86o726
[2011/12/14 21:33:09 | 000,000,140 | ---- | C] () -- C:\Users\jiveyang\Desktop\script.reg
[2011/12/14 19:25:41 | 000,008,290 | -HS- | C] () -- C:\Users\jiveyang\AppData\Local\2t26jd3b40h735
[2011/12/14 19:25:41 | 000,008,290 | -HS- | C] () -- C:\ProgramData\2t26jd3b40h735
[2010/05/27 14:48:52 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2009/12/05 20:54:24 | 000,077,972 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/12/05 20:54:23 | 000,077,972 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/11/17 13:40:32 | 000,000,319 | ---- | C] () -- C:\Windows\game.ini
[2009/03/20 16:08:05 | 001,048,642 | ---- | C] () -- C:\ProgramData\LuUninstall.LiveUpdate
[2008/10/07 07:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/10/07 07:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2008/07/28 05:53:16 | 000,008,277 | ---- | C] () -- C:\Windows\checkip.dat
[2008/05/18 12:59:42 | 000,000,680 | ---- | C] () -- C:\Users\jiveyang\AppData\Local\d3d9caps.dat
[2008/03/24 12:59:32 | 000,039,424 | ---- | C] () -- C:\Users\jiveyang\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/03/24 07:47:42 | 000,027,620 | ---- | C] () -- C:\Users\jiveyang\AppData\Roaming\nvModes.001
[2008/03/24 06:36:02 | 000,027,620 | ---- | C] () -- C:\Users\jiveyang\AppData\Roaming\nvModes.dat
[2008/02/26 13:00:35 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ1.dat
[2008/02/26 13:00:35 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.dat
[2008/02/26 13:00:01 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2007/11/25 21:08:03 | 000,101,605 | ---- | C] () -- C:\Windows\hpqins13.dat
[2006/11/02 04:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 04:47:37 | 000,314,928 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 04:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:33:01 | 000,381,212 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 02:33:01 | 000,333,786 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 02:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 02:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 02:25:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 02:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 00:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 00:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/01 23:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/01 23:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/01 23:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/01 23:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/03/09 14:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2009/11/17 13:16:38 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\DAEMON Tools Lite
[2009/11/04 19:41:14 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\GetRightToGo
[2008/04/27 08:28:41 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\Magic Academy
[2009/09/23 08:41:18 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\MSNInstaller
[2010/04/07 20:40:51 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\NeopleLauncherDFO
[2010/09/02 10:35:08 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\PlayFirst
[2011/12/29 00:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2011/12/27 04:15:00 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At10.job
[2011/12/27 05:18:50 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At11.job
[2011/12/27 05:15:00 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At12.job
[2011/12/27 06:18:24 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At13.job
[2011/12/27 06:15:00 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At14.job
[2011/12/30 07:14:59 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At15.job
[2011/12/30 07:15:45 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At16.job
[2011/12/30 08:30:43 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At17.job
[2011/12/30 08:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At18.job
[2011/12/30 09:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At19.job
[2011/12/29 00:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At2.job
[2011/12/30 09:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At20.job
[2011/12/30 10:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At21.job
[2011/12/30 10:16:25 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At22.job
[2011/12/30 11:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At23.job
[2011/12/30 11:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At24.job
[2011/12/30 12:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At25.job
[2011/12/30 12:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At26.job
[2011/12/30 13:16:30 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At27.job
[2011/12/30 13:15:45 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At28.job
[2011/12/30 14:24:11 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At29.job
[2011/12/29 01:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At3.job
[2011/12/30 14:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At30.job
[2011/12/30 15:15:00 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At31.job
[2011/12/30 15:15:45 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At32.job
[2011/12/29 16:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At33.job
[2011/12/29 16:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At34.job
[2011/12/29 17:15:24 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At35.job
[2011/12/29 17:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At36.job
[2011/12/29 18:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At37.job
[2011/12/29 18:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At38.job
[2011/12/24 09:25:26 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At39.job
[2011/12/29 01:15:24 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At4.job
[2011/12/24 09:25:26 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At40.job
[2012/01/01 20:27:38 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At41.job
[2012/01/01 20:28:21 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At42.job
[2012/01/01 21:45:21 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At43.job
[2012/01/01 21:15:25 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At44.job
[2012/01/01 22:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At45.job
[2012/01/01 22:21:55 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At46.job
[2011/12/28 23:15:25 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At47.job
[2011/12/28 23:36:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At48.job
[2011/12/24 09:25:26 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At5.job
[2011/12/24 09:25:26 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At6.job
[2011/12/24 09:25:26 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At7.job
[2011/12/24 09:25:26 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At8.job
[2011/12/27 04:15:00 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At9.job
[2012/01/01 22:29:20 | 000,032,592 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >
  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there lets get you tidied up

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O33 - MountPoints2\{3ecbdc29-6d2a-11dd-8dc1-001e6820c5ae}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
    O33 - MountPoints2\{5706aa08-cd7a-11dd-b530-001e6820c5ae}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
    O33 - MountPoints2\{5706aa0e-cd7a-11dd-b530-001e6820c5ae}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
    O33 - MountPoints2\{8e1e76e6-a265-11dd-a061-001e6820c5ae}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
    O33 - MountPoints2\{9909cdd9-e6bb-11e0-aea3-001e6820c5ae}\Shell\AutoRun\command - "" = G:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe
    O33 - MountPoints2\{9909cdd9-e6bb-11e0-aea3-001e6820c5ae}\Shell\open\command - "" = G:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe
    O33 - MountPoints2\{b4bbab1a-3aac-11e0-8958-001e6820c5ae}\Shell\AutoRun\command - "" = G:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe
    O33 - MountPoints2\{b4bbab1a-3aac-11e0-8958-001e6820c5ae}\Shell\open\command - "" = G:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe
    O33 - MountPoints2\{d9e61d18-4e5a-11dd-9d02-eb88cd1f5d8d}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
    [2012/01/01 22:20:14 | 000,008,818 | -HS- | M] () -- C:\Users\jiveyang\AppData\Local\8hg05m6im1
    [2012/01/01 22:20:14 | 000,008,818 | -HS- | M] () -- C:\ProgramData\8hg05m6im1
    [2011/12/28 20:23:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\ABee0GxD.com.b
    [2011/12/24 07:29:09 | 000,000,000 | ---- | M] () -- C:\ProgramData\QMsoSDK.dat
    [2011/12/21 21:39:06 | 000,010,824 | -HS- | M] () -- C:\Users\jiveyang\AppData\Local\3w81ni7k86o726
    [2011/12/21 21:39:06 | 000,010,824 | -HS- | M] () -- C:\ProgramData\3w81ni7k86o726
    [2011/12/14 19:25:41 | 000,008,290 | -HS- | C] () -- C:\Users\jiveyang\AppData\Local\2t26jd3b40h735
    [2011/12/14 19:25:41 | 000,008,290 | -HS- | C] () -- C:\ProgramData\2t26jd3b40h735

    :Files
    ipconfig /flushdns /c
    C:\Windows\tasks\At*.job

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

FINALLY

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image
  • 0

#3
fnh

fnh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Thanks. Everything seems to be working now. Here are the logs:

OTL:

OTL logfile created on: 1/2/2012 4:59:03 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\jiveyang\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.28 Gb Available Physical Memory | 75.94% Memory free
6.17 Gb Paging File | 5.52 Gb Available in Paging File | 89.50% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.87 Gb Total Space | 131.70 Gb Free Space | 59.63% Space Free | Partition Type: NTFS
Drive D: | 12.01 Gb Total Space | 1.89 Gb Free Space | 15.77% Space Free | Partition Type: NTFS

Computer Name: JIVEYANG-PC | User Name: jiveyang | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/01 22:48:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\jiveyang\Desktop\OTL.exe
PRC - [2010/04/06 20:36:13 | 002,938,552 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
PRC - [2009/10/30 03:57:08 | 000,369,200 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2008/10/28 22:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/09/15 00:29:10 | 000,102,400 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPStart.exe
PRC - [2007/08/17 05:27:00 | 004,702,208 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/07/24 22:02:44 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe


========== Modules (No Company Name) ==========

MOD - [2010/04/06 20:36:13 | 002,938,552 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
MOD - [2007/09/30 19:33:32 | 000,066,856 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\common\MCEMediaStatus.dll
MOD - [2006/11/02 01:46:10 | 000,227,328 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/11/08 18:19:01 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/10/12 09:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
SRV - [2007/07/24 22:02:44 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/03/05 10:30:06 | 000,110,592 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe -- (Com4Qlb)


========== Driver Services (SafeList) ==========

DRV - [2009/11/17 13:12:06 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/10/03 03:02:06 | 009,905,096 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/09/17 15:17:36 | 000,098,816 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2007/07/11 10:30:22 | 000,007,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqRemHid.sys -- (HpqRemHid)
DRV - [2007/06/28 07:09:56 | 002,222,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2007/06/18 17:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/03/21 22:02:04 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/02/24 14:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/01/23 16:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/01/17 05:38:52 | 000,983,936 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
DRV - [2005/04/12 16:21:32 | 000,022,240 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WmFilter.sys -- (WmFilter)
DRV - [2005/04/12 16:21:28 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2005/04/12 16:21:28 | 000,005,600 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WmVirHid.sys -- (WmVirHid)
DRV - [2005/04/12 16:21:26 | 000,045,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WmXlCore.sys -- (WmXlCore)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ilion&pf=laptop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.yahoo.com"

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll ()
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\jiveyang\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/27 14:48:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/25 01:58:00 | 000,000,000 | ---D | M]

[2010/05/27 14:49:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jiveyang\AppData\Roaming\Mozilla\Extensions
[2011/12/14 21:41:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jiveyang\AppData\Roaming\Mozilla\Firefox\Profiles\20waqr7u.default\extensions
[2010/05/28 04:03:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\jiveyang\AppData\Roaming\Mozilla\Firefox\Profiles\20waqr7u.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/27 14:48:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.63\gcswf32.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.63\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.63\pdf.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
CHR - plugin: WildTangent Games App Presence Detector (Enabled) = C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\jiveyang\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\jiveyang\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Users\jiveyang\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: Gmail = C:\Users\jiveyang\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (HP Print Clips) - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Yahoo! ¤u¨ă¦C) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\pnrpnsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\system32\pnrpnsp.dll File not found
O13 - gopher Prefix: missing
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.sy...eqlabdetect.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FA4CC8CB-B5C9-47E5-85F8-BB530C441951}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\jiveyang\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\jiveyang\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/25 20:52:25 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 07:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O33 - MountPoints2\{196ec06a-d3be-11de-936a-001e6820c5ae}\Shell - "" = AutoRun
O33 - MountPoints2\{196ec06a-d3be-11de-936a-001e6820c5ae}\Shell\AutoRun\command - "" = F:\autorun.exe -auto
O33 - MountPoints2\{d15d309f-30b5-11dd-aa2f-001e6820c5ae}\Shell\AutoRun\command - "" = F:\wd_windows_tools\setup.exe
O33 - MountPoints2\{efe7a89d-306a-11dd-8fdf-001e6820c5ae}\Shell\AutoRun\command - "" = WD_Windows_Tools\Setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/01/02 16:42:23 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/01 22:48:21 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\jiveyang\Desktop\OTL.exe
[2011/12/14 22:07:05 | 000,000,000 | ---D | C] -- C:\ProgramData\RegCure
[2011/12/14 21:34:30 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2011/12/14 21:33:24 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools

========== Files - Modified Within 30 Days ==========

[2012/01/02 16:58:29 | 000,077,972 | ---- | M] () -- C:\ProgramData\nvModes.001
[2012/01/02 16:58:24 | 000,077,972 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2012/01/02 16:58:22 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/02 16:58:04 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/02 16:58:03 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/02 16:57:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/02 16:57:55 | 3219,578,880 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/02 16:43:27 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/02 16:42:00 | 000,394,608 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/01/02 16:42:00 | 000,338,584 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/01/01 22:48:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\jiveyang\Desktop\OTL.exe
[2012/01/01 19:22:55 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/23 00:18:02 | 305,395,909 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/12/17 00:43:20 | 000,002,234 | ---- | M] () -- C:\Users\Public\Desktop\WildTangent Games App - hp.lnk
[2011/12/15 07:46:12 | 000,001,971 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2011/12/14 22:17:37 | 000,314,928 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/14 21:33:09 | 000,000,140 | ---- | M] () -- C:\Users\jiveyang\Desktop\script.reg
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2012/01/01 19:22:55 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/22 02:04:06 | 3219,578,880 | -HS- | C] () -- C:\hiberfil.sys
[2011/12/14 21:33:09 | 000,000,140 | ---- | C] () -- C:\Users\jiveyang\Desktop\script.reg
[2010/05/27 14:48:52 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2009/12/05 20:54:24 | 000,077,972 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/12/05 20:54:23 | 000,077,972 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/11/17 13:40:32 | 000,000,319 | ---- | C] () -- C:\Windows\game.ini
[2009/03/20 16:08:05 | 001,048,642 | ---- | C] () -- C:\ProgramData\LuUninstall.LiveUpdate
[2008/10/07 07:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/10/07 07:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 07:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2008/07/28 05:53:16 | 000,008,277 | ---- | C] () -- C:\Windows\checkip.dat
[2008/05/18 12:59:42 | 000,000,680 | ---- | C] () -- C:\Users\jiveyang\AppData\Local\d3d9caps.dat
[2008/03/24 12:59:32 | 000,039,424 | ---- | C] () -- C:\Users\jiveyang\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/03/24 07:47:42 | 000,027,620 | ---- | C] () -- C:\Users\jiveyang\AppData\Roaming\nvModes.001
[2008/03/24 06:36:02 | 000,027,620 | ---- | C] () -- C:\Users\jiveyang\AppData\Roaming\nvModes.dat
[2008/02/26 13:00:35 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ1.dat
[2008/02/26 13:00:35 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.dat
[2008/02/26 13:00:01 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2007/11/25 21:08:03 | 000,101,605 | ---- | C] () -- C:\Windows\hpqins13.dat
[2006/11/02 04:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 04:47:37 | 000,314,928 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 04:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:33:01 | 000,394,608 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 02:33:01 | 000,338,584 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 02:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 02:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 02:25:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 02:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 00:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 00:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/01 23:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/01 23:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/01 23:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/01 23:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/03/09 14:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2009/11/17 13:16:38 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\DAEMON Tools Lite
[2009/11/04 19:41:14 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\GetRightToGo
[2008/04/27 08:28:41 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\Magic Academy
[2009/09/23 08:41:18 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\MSNInstaller
[2010/04/07 20:40:51 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\NeopleLauncherDFO
[2010/09/02 10:35:08 | 000,000,000 | ---D | M] -- C:\Users\jiveyang\AppData\Roaming\PlayFirst
[2012/01/02 16:56:45 | 000,032,592 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >

Combofix:

ComboFix 12-01-02.02 - jiveyang 01/02/2012 17:23:20.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3070.2113 [GMT -8:00]
Running from: c:\users\jiveyang\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB62280$
c:\windows\$NtUninstallKB62280$\3981035746
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\keywords
c:\windows\$NtUninstallKB62280$\485945278\kwrd.dll
c:\windows\$NtUninstallKB62280$\485945278\L\qnbwvoto
c:\windows\$NtUninstallKB62280$\485945278\lsflt7.ver
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\system32\KBL.LOG
.
Infected copy of c:\windows\system32\drivers\dfsc.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2012-01-03 01:35 . 2012-01-03 01:37 -------- d-----w- c:\users\jiveyang\AppData\Local\temp
2012-01-03 00:42 . 2012-01-03 00:42 -------- d-----w- C:\_OTL
2011-12-15 06:07 . 2011-12-15 06:13 -------- d-----w- c:\programdata\RegCure
2011-12-15 05:33 . 2011-12-15 06:06 -------- d-----w- c:\programdata\PC Tools
2011-12-14 22:22 . 2011-12-14 22:22 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-13 07:39 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BBA6F82C-2B72-47A6-B81A-336F45FB4AD4}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-15 05:12 . 2011-10-09 08:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24 . 2009-10-21 02:33 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-07-30 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Steam"="c:\program files\steam\steam.exe" [2011-08-02 1242448]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-07 2938552]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-25 981680]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-03 13826664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^jiveyang^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\jiveyang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-10-02 00:10 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-23 00:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-09-13 16:47 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-07-25 06:02 174616 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-08-23 22:36 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-10-03 16:40 13826664 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-10-03 16:40 92776 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2009-10-03 16:40 887400 ----a-w- c:\windows\System32\nvsvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
2007-09-04 21:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-19 22:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-01-17 13:34 634880 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2005-04-18 16:16 73728 ----a-w- c:\program files\Logitech\Profiler\LWEMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 12:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-08-17 07:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
2007-01-08 23:53 311296 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3040935506-392088455-102620315-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 136176]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 136176]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-17 691696]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 22:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 18:18]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 18:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\jiveyang\AppData\Roaming\Mozilla\Firefox\Profiles\20waqr7u.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
AddRemove-UnityWebPlayer - c:\users\jiveyang\AppData\Local\Unity\WebPlayer\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-02 17:38
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2472)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\RtHDVCpl.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-01-02 17:46:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-03 01:45
.
Pre-Run: 141,027,905,536 bytes free
Post-Run: 140,976,005,120 bytes free
.
- - End Of File - - 7CB4A63542CA586E66F9244394AFBABC

aswMBR:

ComboFix 12-01-02.02 - jiveyang 01/02/2012 17:23:20.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3070.2113 [GMT -8:00]
Running from: c:\users\jiveyang\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB62280$
c:\windows\$NtUninstallKB62280$\3981035746
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\keywords
c:\windows\$NtUninstallKB62280$\485945278\kwrd.dll
c:\windows\$NtUninstallKB62280$\485945278\L\qnbwvoto
c:\windows\$NtUninstallKB62280$\485945278\lsflt7.ver
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\$NtUninstallKB62280$\485945278\U\[email protected]
c:\windows\system32\KBL.LOG
.
Infected copy of c:\windows\system32\drivers\dfsc.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2012-01-03 01:35 . 2012-01-03 01:37 -------- d-----w- c:\users\jiveyang\AppData\Local\temp
2012-01-03 00:42 . 2012-01-03 00:42 -------- d-----w- C:\_OTL
2011-12-15 06:07 . 2011-12-15 06:13 -------- d-----w- c:\programdata\RegCure
2011-12-15 05:33 . 2011-12-15 06:06 -------- d-----w- c:\programdata\PC Tools
2011-12-14 22:22 . 2011-12-14 22:22 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-13 07:39 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BBA6F82C-2B72-47A6-B81A-336F45FB4AD4}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-15 05:12 . 2011-10-09 08:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24 . 2009-10-21 02:33 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-07-30 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Steam"="c:\program files\steam\steam.exe" [2011-08-02 1242448]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-07 2938552]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-25 981680]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-03 13826664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^jiveyang^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\jiveyang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-10-02 00:10 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-23 00:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-09-13 16:47 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-07-25 06:02 174616 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-08-23 22:36 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-10-03 16:40 13826664 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-10-03 16:40 92776 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2009-10-03 16:40 887400 ----a-w- c:\windows\System32\nvsvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
2007-09-04 21:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-19 22:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-01-17 13:34 634880 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2005-04-18 16:16 73728 ----a-w- c:\program files\Logitech\Profiler\LWEMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 12:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-08-17 07:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
2007-01-08 23:53 311296 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 22:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3040935506-392088455-102620315-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 136176]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 136176]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-17 691696]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 22:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 18:18]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-04 18:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\jiveyang\AppData\Roaming\Mozilla\Firefox\Profiles\20waqr7u.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
AddRemove-UnityWebPlayer - c:\users\jiveyang\AppData\Local\Unity\WebPlayer\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-02 17:38
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2472)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\RtHDVCpl.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-01-02 17:46:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-03 01:45
.
Pre-Run: 141,027,905,536 bytes free
Post-Run: 140,976,005,120 bytes free
.
- - End Of File - - 7CB4A63542CA586E66F9244394AFBABC
  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Ooops you double posted the combofix log and missed the aswMBR log :) Could you post the aswMBR log please

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
  • 0

#5
fnh

fnh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Sorry. Here's the correct one:

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-02 17:53:59
-----------------------------
17:53:59.947 OS Version: Windows 6.0.6000
17:53:59.947 Number of processors: 2 586 0xF0D
17:53:59.947 ComputerName: JIVEYANG-PC UserName: jiveyang
17:54:10.867 Initialize success
17:54:19.893 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
17:54:19.893 Disk 0 Vendor: Hitachi_ BBFO Size: 238475MB BusType: 3
17:54:19.908 Disk 0 MBR read successfully
17:54:19.908 Disk 0 MBR scan
17:54:19.908 Disk 0 unknown MBR code
17:54:19.908 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 226172 MB offset 63
17:54:19.939 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 12299 MB offset 463202145
17:54:19.971 Disk 0 scanning sectors +488392065
17:54:20.111 Disk 0 scanning C:\Windows\system32\drivers
17:54:26.959 Service scanning
17:54:28.660 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
17:54:29.237 Modules scanning
17:55:34.227 Disk 0 trace - called modules:
17:55:34.258 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys spck.sys >>UNKNOWN [0x850d5938]<<
17:55:34.273 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8623f4e8]
17:55:34.273 3 ntkrnlpa.exe[820b07e2] -> nt!IofCallDriver -> [0x851ee720]
17:55:34.289 5 acpi.sys[8044332a] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x851cf030]
17:55:34.289 Scan finished successfully
17:56:49.075 Disk 0 MBR has been saved successfully to "C:\Users\jiveyang\Desktop\MBR.dat"
17:56:49.091 The log file has been saved successfully to "C:\Users\jiveyang\Desktop\aswMBR.txt"


Here is the MBAM log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.01.04

Windows Vista x86 NTFS
Internet Explorer 7.0.6000.17037
jiveyang :: JIVEYANG-PC [administrator]

1/3/2012 6:11:50 PM
mbam-log-2012-01-03 (18-11-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 170165
Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Have the redirects ceased ? What problems remain
  • 0

#7
fnh

fnh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
It's hasn't redirected since the last reply. I think the issues gone. Thanks for the help
  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

    Posted Image
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • GoStart > All programs > Accessories > system tools
  • Right click Disc cleanup and select run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Posted Image
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:
  • 0

#9
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP