This virus has been on my PC for about 3 weeks. First logged by Spybot S&D on 2/7. I've been using spybot for years, for almost every virus I've encountered, this program does a great job getting rid of stuff. However, for this specific problem it will say the file is cleaned but the virus still shows up on the next scan. This weekend, i took some time to try and intensively kill the virus. Desperate, I downloaded S!ri's smitfraudfix.exe file but can't seem to get the program to work properly.
How virus was obtained
Assume by clicking on a diseased website/link due to family's facebook habits and interest in random sites
Symptoms
Virus itself causes browser navigation issues. Anytime you click on a link or address there is a random chance ~30% you will be redirected to a random ad site (no pattern as to what causes it or where it goes). No other obvious symptoms
When using spybot, location of virus appears as such:
Smitfraud-C.generic
(SBI $5926A588) Executable
C:\Windows\svchost.exe
Attempted Removal Techniques
1) After trying to use Spybot S&D several times and encountering the same thing (says the virus is clean but upon rescanning it's found again) i decided to try other techniques. Reading different forums i found a recommendation for running ESET's free online scanner. It found about 60 potential issues over the course of a 3 hour scan. Cleaned those files, no luck.
2) Finally, today, I decided to try S!ri's smitfraudfix. I was running as admin in safe mode with both windows defender and spybot's tea-timer set to disabled. When i run the program the blue screen with options comes up. I ran option 1: search - it generates a log file which works fine. However when I click option 2: search it opens a new window and says killing processes followed by several dozen strings of "access is denied" and then the program just dissapears, after which I'm left with a blank safe mode screen. Only way to recover from this is to ctrl+alt+delete and restart from that screen.
Desired End State
A computer free from this annoying virus. A better way to protect from future infections. Any help provided by the forum would be great!
OTL.txt File
OTL logfile created on: 2/27/2012 12:53:49 - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Users\Tom\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
4.00 Gb Total Physical Memory | 2.78 Gb Available Physical Memory | 69.52% Memory free
8.00 Gb Paging File | 6.56 Gb Available in Paging File | 82.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931.41 Gb Total Space | 839.77 Gb Free Space | 90.16% Space Free | Partition Type: NTFS
Computer Name: SR-71 | User Name: Tom | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2012/02/27 12:53:23 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Users\Tom\Desktop\OTL.exe
PRC - [2012/02/27 12:20:49 | 000,170,496 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\F0087\8CAE3.exe
PRC - [2012/02/26 14:13:22 | 000,187,392 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\87FDB\lvvm.exe
PRC - [2012/02/22 11:12:17 | 000,282,624 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Microsoft\F5AF\067.exe
PRC - [2012/02/16 06:40:41 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2011/10/01 08:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 08:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PRC - [2009/07/13 17:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/07/13 17:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/07/13 17:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/07/13 17:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/07/13 17:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/07/13 17:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
========== Modules (No Company Name) ==========
MOD - [2012/02/27 12:20:49 | 000,170,496 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\F0087\8CAE3.exe
MOD - [2012/02/26 14:13:22 | 000,187,392 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\87FDB\lvvm.exe
MOD - [2012/02/25 17:57:49 | 008,527,008 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
MOD - [2012/02/22 11:12:17 | 000,282,624 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\Microsoft\F5AF\067.exe
MOD - [2012/02/16 06:40:41 | 001,911,768 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2011/03/17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/10/20 15:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
========== Win32 Services (SafeList) ==========
SRV:64bit: - [2011/04/20 01:04:20 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2010/11/11 13:00:32 | 000,467,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV:64bit: - [2010/11/11 13:00:32 | 000,306,416 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV:64bit: - [2010/11/11 12:59:36 | 008,251,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV:64bit: - [2010/09/22 18:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2010/05/20 14:26:28 | 000,199,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft LifeCam\MSCamS64.exe -- (MSCamSvc)
SRV - [2011/10/01 08:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 08:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2011/09/02 13:21:53 | 000,131,912 | ---- | M] (Desura Pty Ltd) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Desura\desura_service.exe -- (Desura Install Service)
SRV - [2011/08/04 13:34:48 | 002,329,480 | ---- | M] (LogMeIn Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2011/05/29 11:58:15 | 000,403,240 | ---- | M] (Valve Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 13:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
========== Driver Services (SafeList) ==========
DRV:64bit: - [2011/10/01 08:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
DRV:64bit: - [2011/10/01 08:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
DRV:64bit: - [2011/10/01 08:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
DRV:64bit: - [2011/10/01 08:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
DRV:64bit: - [2011/04/20 01:44:50 | 009,319,936 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/04/20 00:22:34 | 000,306,176 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/04/01 04:07:54 | 004,184,672 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvuvc64.sys -- (LVUVC64) Logitech Webcam Pro 9000(UVC)
DRV:64bit: - [2011/03/10 22:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/10 22:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 05:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 03:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/09/23 00:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2010/07/01 17:52:18 | 000,051,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d)
DRV:64bit: - [2010/05/20 14:26:30 | 002,060,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VX3000.sys -- (VX3000)
DRV:64bit: - [2010/03/08 22:49:48 | 000,016,440 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)
DRV:64bit: - [2010/03/04 20:43:00 | 000,346,144 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2010/02/10 23:35:05 | 000,014,136 | R--- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\BIOS64.sys -- (BIOS)
DRV:64bit: - [2009/12/22 01:26:36 | 000,038,456 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
DRV:64bit: - [2009/11/18 15:30:56 | 000,123,408 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2009/07/13 17:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 17:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 17:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 12:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 12:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 12:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 12:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 12:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/04/29 12:48:22 | 000,013,360 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\BS_TPIO64.sys -- (BS_TPIO)
DRV:64bit: - [2009/03/18 16:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi)
DRV:64bit: - [2007/05/14 15:06:18 | 000,027,520 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys -- (RimUsb)
DRV:64bit: - [2006/12/28 16:56:32 | 000,026,472 | ---- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\BS_I2cIo.sys -- (BS_I2cIo)
DRV - [2010/02/10 23:35:05 | 000,014,136 | R--- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\Windows\SysWOW64\drivers\BIOS64.sys -- (BIOS)
DRV - [2009/07/13 17:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2008/06/16 08:02:34 | 000,017,024 | ---- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\Windows\SysWOW64\drivers\BS_I2cIo.sys -- (BS_I2cIo)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D2 A3 2A 0D B8 1A CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:64222
========== FireFox ==========
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 64222
FF - prefs.js..network.proxy.type: 1
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Tom\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\Tom\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Tom\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Tom\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/02/25 17:41:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
[2012/02/25 17:42:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tom\AppData\Roaming\Mozilla\Extensions
[2012/02/25 17:41:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/02/16 06:40:42 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/02/16 02:42:53 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/02/16 02:42:53 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml
O1 HOSTS File: ([2012/02/13 11:01:10 | 000,001,398 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 108.163.215.51 www.google-analytics.com.
O1 - Hosts: 108.163.215.51 ad-emea.doubleclick.net.
O1 - Hosts: 108.163.215.51 www.statcounter.com.
O1 - Hosts: 67.215.245.19 www.google-analytics.com.
O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
O1 - Hosts: 67.215.245.19 www.statcounter.com.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [067.exe] C:\Program Files (x86)\LP\F5AF\067.exe ()
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [067.exe] C:\Users\Tom\AppData\Roaming\Microsoft\F5AF\067.exe ()
O4 - HKCU..\Run: [Desura] C:\Program Files (x86)\Desura\desura.exe (Desura Pty Ltd)
O4 - HKCU..\Run: [RegistryBooster] "C:\Program Files (x86)\Uniblue\RegistryBooster\launcher.exe" delay 20000 File not found
F3:64bit: - HKCU WinNT: Load - (C:\Users\Tom\AppData\Roaming\87FDB\lvvm.exe) - C:\Users\Tom\AppData\Roaming\87FDB\lvvm.exe ()
F3 - HKCU WinNT: Load - (C:\Users\Tom\AppData\Roaming\87FDB\lvvm.exe) - C:\Users\Tom\AppData\Roaming\87FDB\lvvm.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: freetoolsassociation.com ([activegs] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: ActiveGS.cab http://activegs.free...om/ActiveGS.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{128EA0F4-EBB9-4075-85BF-D45381370458}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Users\Tom\AppData\Roaming\F0087\8CAE3.exe) - C:\Users\Tom\AppData\Roaming\F0087\8CAE3.exe ()
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2012/02/27 12:53:21 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Users\Tom\Desktop\OTL.exe
[2012/02/27 12:22:16 | 000,289,144 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\VCCLSID.exe
[2012/02/27 12:22:16 | 000,288,417 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\SrchSTS.exe
[2012/02/27 12:22:16 | 000,135,168 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swreg.exe
[2012/02/27 12:22:16 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\VACFix.exe
[2012/02/27 12:22:16 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.exe
[2012/02/27 12:22:16 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.C.exe
[2012/02/27 12:22:16 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\404Fix.exe
[2012/02/27 12:22:16 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\o4Patch.exe
[2012/02/27 12:22:16 | 000,079,360 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swxcacls.exe
[2012/02/27 12:22:16 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\Agent.OMZ.Fix.exe
[2012/02/27 12:22:16 | 000,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\Windows\SysWow64\Process.exe
[2012/02/27 12:22:15 | 000,000,000 | ---D | C] -- C:\Users\Tom\Desktop\SmitfraudFix
[2012/02/25 17:41:52 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Local\Mozilla
[2012/02/25 17:41:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2012/02/25 17:04:37 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/02/25 16:03:37 | 000,000,000 | ---D | C] -- C:\Users\Tom\Desktop\Finances
[2012/02/25 15:15:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/02/21 20:18:37 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Local\{2296BA15-0DEF-4BDB-8CA2-0D80E1942967}
[2012/02/21 20:12:12 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Local\{61A64E83-E95F-44E0-B2B4-DD8C4E6DCBEB}
[2012/02/16 17:53:40 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Local\{12BC75D3-6764-4725-8554-EC14E8733BD4}
[2012/02/16 17:53:38 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Local\{56401566-D91C-4D0D-B1AE-A22B4D8051DA}
[2012/02/15 08:00:55 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Roaming\87FDB
[2012/02/15 08:00:18 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Roaming\F0087
[2012/02/13 10:30:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\87FDB
[2012/02/13 10:29:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\LP
[2012/02/09 15:34:12 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Local\{C0D02B51-C076-48F5-BB63-F2A76817E344}
[2012/02/09 15:33:38 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Local\{5AEA5E76-4B9A-41EB-A9AE-7F20D17396A8}
[2012/02/03 11:06:31 | 000,000,000 | ---D | C] -- C:\Windows\Sun
========== Files - Modified Within 30 Days ==========
[2012/02/27 12:53:48 | 000,015,024 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/27 12:53:48 | 000,015,024 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/27 12:53:23 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Users\Tom\Desktop\OTL.exe
[2012/02/27 12:37:21 | 000,727,310 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/02/27 12:37:21 | 000,624,606 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/02/27 12:37:21 | 000,106,724 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/02/27 12:33:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/27 12:32:57 | 3220,676,608 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/27 12:31:49 | 000,000,691 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\GetValue.vbs
[2012/02/27 12:31:49 | 000,000,035 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\SetValue.bat
[2012/02/27 12:31:48 | 000,001,650 | ---- | M] () -- C:\Windows\SysWow64\tmp.reg
[2012/02/27 12:11:04 | 001,872,472 | ---- | M] () -- C:\Users\Tom\Desktop\SmitfraudFix(1).exe
[2012/02/27 11:46:35 | 000,001,441 | ---- | M] () -- C:\Users\Tom\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/02/27 11:43:37 | 000,072,822 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/02/27 11:43:36 | 000,072,822 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
[2012/02/27 11:35:16 | 000,000,373 | ---- | M] () -- C:\Windows\wininit.ini
[2012/02/26 22:57:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3935951555-2983364618-1171424198-1000UA.job
[2012/02/26 18:57:00 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3935951555-2983364618-1171424198-1000Core.job
[2012/02/25 18:03:09 | 000,282,624 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\firefox.exe
[2012/02/25 17:47:05 | 000,282,624 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\iexplore.exe
[2012/02/25 17:41:36 | 000,001,134 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/02/22 17:12:47 | 000,282,624 | ---- | M] () -- C:\Users\Tom\AppData\Roaming\java.exe
[2012/02/15 07:59:04 | 000,414,656 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/02/15 03:03:20 | 000,743,066 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/02/15 03:02:32 | 000,000,208 | ---- | M] () -- C:\Windows\SysNative\MRT.INI
[2012/02/13 11:01:10 | 000,001,398 | RHS- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
========== Files Created - No Company Name ==========
[2012/02/27 12:22:55 | 000,001,650 | ---- | C] () -- C:\Windows\SysWow64\tmp.reg
[2012/02/27 12:22:55 | 000,000,691 | ---- | C] () -- C:\Users\Tom\AppData\Roaming\GetValue.vbs
[2012/02/27 12:22:55 | 000,000,035 | ---- | C] () -- C:\Users\Tom\AppData\Roaming\SetValue.bat
[2012/02/27 12:22:16 | 000,075,776 | ---- | C] () -- C:\Windows\SysWow64\WS2Fix.exe
[2012/02/27 12:22:16 | 000,051,200 | ---- | C] () -- C:\Windows\SysWow64\dumphive.exe
[2012/02/27 12:22:16 | 000,040,960 | ---- | C] () -- C:\Windows\SysWow64\swsc.exe
[2012/02/27 12:11:02 | 001,872,472 | ---- | C] () -- C:\Users\Tom\Desktop\SmitfraudFix(1).exe
[2012/02/27 11:43:37 | 000,072,822 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/02/27 11:43:36 | 000,072,822 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
[2012/02/25 18:03:09 | 000,282,624 | ---- | C] () -- C:\Users\Tom\AppData\Roaming\firefox.exe
[2012/02/25 17:41:36 | 000,001,146 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/02/25 17:41:36 | 000,001,134 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/02/15 14:00:19 | 000,282,624 | ---- | C] () -- C:\Users\Tom\AppData\Roaming\java.exe
[2012/02/15 08:09:11 | 000,282,624 | ---- | C] () -- C:\Users\Tom\AppData\Roaming\iexplore.exe
[2012/02/15 03:02:32 | 000,000,208 | ---- | C] () -- C:\Windows\SysNative\MRT.INI
[2012/02/07 18:34:37 | 000,000,373 | ---- | C] () -- C:\Windows\wininit.ini
[2011/06/19 10:18:25 | 000,012,050 | -HS- | C] () -- C:\Users\Tom\AppData\Local\uo6g70ger150gv8y5a8ec20r263037
[2011/06/19 10:18:25 | 000,012,050 | -HS- | C] () -- C:\ProgramData\uo6g70ger150gv8y5a8ec20r263037
[2011/04/01 04:07:02 | 010,877,272 | ---- | C] () -- C:\Windows\SysWow64\LogiDPP.dll
[2011/04/01 04:07:02 | 000,102,744 | ---- | C] () -- C:\Windows\SysWow64\LogiDPPApp.exe
[2011/04/01 04:06:56 | 000,331,608 | ---- | C] () -- C:\Windows\SysWow64\DevManagerCore.dll
[2011/03/17 16:51:46 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2010/11/07 05:32:47 | 000,013,807 | ---- | C] () -- C:\Users\Tom\AppData\Roaming\.minecraft - Shortcut (2).lnk
[2010/11/07 05:32:22 | 000,013,807 | ---- | C] () -- C:\Users\Tom\AppData\Roaming\.minecraft - Shortcut.lnk
[2010/07/03 07:25:07 | 000,743,066 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/07/03 05:54:23 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
========== LOP Check ==========
[2011/08/19 16:10:44 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\.minecraft
[2012/02/26 14:13:22 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\87FDB
[2010/08/02 19:48:34 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\acccore
[2010/07/03 05:48:01 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Bump Technologies, Inc
[2011/02/16 15:55:42 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Eye-Fi
[2012/02/27 12:20:49 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\F0087
[2011/01/15 05:54:59 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\fi.eye.center.E430518E652B889A80EC0E8A6E532C09FF36DF62.1
[2010/07/23 12:04:05 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\LucasArts
[2012/02/27 12:15:56 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\SoftGrid Client
[2010/07/03 07:26:38 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\TP
[2010/08/29 20:50:11 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Uniblue
[2010/12/10 00:21:51 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\Windows Live Writer
[2011/11/13 16:02:59 | 000,032,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
< End of report >