Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

bluekai redirect from ebay [Solved]


  • This topic is locked This topic is locked

#1
averageguy

averageguy

    Member

  • Member
  • PipPip
  • 11 posts
Hello,

Over the last few weeks I thought that my palm was touching the touchpad on my laptop and clicked a link when I was loading a page.

On twitch.tv a separate tab would open in firefox and just display a small facebook logo like button image. It happened twice about a week apart so I thought nothing of it but ran scans on malwarebytes and Norton internet security. Nothing was found.

Nothing else opened or redirected for at least a week until I opened mibbit.com 2 days ago and a separate tab opened to an ad that was currently being displayed at the top of the page. I again thought that my palm had touched the touchpad and that clicked the link. I again ran malwarebytes and norton and nothing was found.

Then earlier tonight I went into my ebay page and it opened up a new window for tags.bluekai.com (WOT blocked the page due to its bad ratings) and I know there are no links for that on ebay so I did a Google search for that and found out it was an issue. Again, the scans showed nothing.

I have not downloaded anything in the time period or clicked on any links in emails. My father who also uses the laptop on another profile says he has not although he might have. I have firefox with scriptblocker, adblocker, WOT (Web of Trust) and norton toolbar on both profiles.

Thank you for any help you can provide.

Here is the OTL log:
OTL logfile created on: 29/01/2013 12:32:01 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Eric\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.93 Gb Total Physical Memory | 0.93 Gb Available Physical Memory | 31.86% Memory free
5.86 Gb Paging File | 3.24 Gb Available in Paging File | 55.23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 285.30 Gb Total Space | 169.15 Gb Free Space | 59.29% Space Free | Partition Type: NTFS

Computer Name: ERIC-PC | User Name: Eric | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/29 00:31:13 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Eric\Desktop\OTL.exe
PRC - [2013/01/18 21:17:54 | 000,541,608 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
PRC - [2013/01/18 15:38:06 | 000,917,400 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2013/01/09 03:45:03 | 001,808,392 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe
PRC - [2012/12/28 16:02:24 | 028,539,392 | ---- | M] (Dropbox, Inc.) -- C:\Users\Eric\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012/12/18 07:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/12/14 11:40:12 | 000,064,728 | ---- | M] (Raptr, Inc) -- C:\Program Files (x86)\Raptr\raptr.exe
PRC - [2012/12/14 11:40:12 | 000,046,296 | ---- | M] (Raptr, Inc) -- C:\Program Files (x86)\Raptr\raptr_im.exe
PRC - [2012/12/05 20:59:50 | 001,354,736 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\Steam.exe
PRC - [2012/06/15 19:24:19 | 000,138,272 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccsvchst.exe
PRC - [2011/01/23 19:00:23 | 000,148,280 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\ezprint.exe
PRC - [2011/01/23 19:00:20 | 000,770,728 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\lxebmon.exe
PRC - [2010/03/08 16:58:24 | 000,250,368 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
PRC - [2010/03/08 16:55:42 | 000,252,928 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
PRC - [2010/01/28 16:27:36 | 000,243,232 | ---- | M] (Acer Group) -- C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
PRC - [2010/01/14 09:06:26 | 001,541,472 | ---- | M] (Suyin) -- C:\Program Files (x86)\VideoWebCamera\VideoWebCamera.exe
PRC - [2010/01/13 09:47:44 | 000,206,208 | ---- | M] () -- C:\Windows\PLFSetI.exe
PRC - [2009/11/01 16:39:48 | 001,094,736 | ---- | M] (Dritek System Inc.) -- C:\Program Files (x86)\Launch Manager\LManager.exe
PRC - [2009/08/28 02:38:58 | 001,150,496 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
PRC - [2009/06/04 18:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/06/04 18:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2009/06/03 19:59:02 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2009/04/15 22:52:06 | 000,091,432 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
PRC - [2008/04/23 02:08:13 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2006/05/16 22:12:59 | 000,075,376 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe


========== Modules (No Company Name) ==========

MOD - [2013/01/18 21:18:48 | 000,647,168 | ---- | M] () -- C:\Program Files (x86)\Steam\sdl.dll
MOD - [2013/01/18 21:17:52 | 020,320,240 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\libcef.dll
MOD - [2013/01/18 21:17:49 | 001,100,800 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avcodec-53.dll
MOD - [2013/01/18 21:17:49 | 000,969,640 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\chromehtml.dll
MOD - [2013/01/18 21:17:49 | 000,192,000 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avformat-53.dll
MOD - [2013/01/18 21:17:49 | 000,124,416 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avutil-51.dll
MOD - [2013/01/18 15:38:04 | 003,022,232 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2013/01/09 03:45:02 | 014,586,888 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll
MOD - [2012/10/27 00:53:18 | 002,717,595 | ---- | M] () -- C:\Program Files (x86)\Raptr\heliotrope._purple.pyd
MOD - [2012/06/22 14:59:52 | 000,313,856 | ---- | M] () -- C:\Program Files (x86)\Raptr\PyQt4.QtWebKit.pyd
MOD - [2012/06/22 14:55:58 | 000,494,592 | ---- | M] () -- C:\Program Files (x86)\Raptr\PyQt4.QtNetwork.pyd
MOD - [2012/06/22 14:53:22 | 005,812,736 | ---- | M] () -- C:\Program Files (x86)\Raptr\PyQt4.QtGui.pyd
MOD - [2012/06/22 14:39:06 | 001,662,464 | ---- | M] () -- C:\Program Files (x86)\Raptr\PyQt4.QtCore.pyd
MOD - [2012/06/22 14:24:28 | 000,067,584 | ---- | M] () -- C:\Program Files (x86)\Raptr\sip.pyd
MOD - [2012/02/06 13:28:48 | 000,011,264 | ---- | M] () -- C:\Program Files (x86)\Raptr\Crypto.Util._counter.pyd
MOD - [2012/02/06 13:28:42 | 000,031,744 | ---- | M] () -- C:\Program Files (x86)\Raptr\Crypto.Cipher.AES.pyd
MOD - [2012/02/06 13:28:34 | 000,010,752 | ---- | M] () -- C:\Program Files (x86)\Raptr\Crypto.Random.OSRNG.winrandom.pyd
MOD - [2011/09/08 16:47:40 | 001,183,699 | ---- | M] () -- C:\Program Files (x86)\Raptr\liboscar.dll
MOD - [2011/09/08 16:47:36 | 001,640,221 | ---- | M] () -- C:\Program Files (x86)\Raptr\libjabber.dll
MOD - [2011/09/08 16:47:32 | 001,052,194 | ---- | M] () -- C:\Program Files (x86)\Raptr\libymsg.dll
MOD - [2011/09/08 16:47:22 | 000,495,680 | ---- | M] () -- C:\Program Files (x86)\Raptr\plugins\libaim.dll
MOD - [2011/09/08 16:47:22 | 000,483,306 | ---- | M] () -- C:\Program Files (x86)\Raptr\plugins\libicq.dll
MOD - [2011/09/08 16:47:16 | 000,655,356 | ---- | M] () -- C:\Program Files (x86)\Raptr\plugins\libirc.dll
MOD - [2011/09/08 16:47:16 | 000,603,326 | ---- | M] () -- C:\Program Files (x86)\Raptr\plugins\ssl-nss.dll
MOD - [2011/09/08 16:47:14 | 000,497,782 | ---- | M] () -- C:\Program Files (x86)\Raptr\plugins\libyahoojp.dll
MOD - [2011/09/08 16:47:14 | 000,474,199 | ---- | M] () -- C:\Program Files (x86)\Raptr\plugins\ssl.dll
MOD - [2011/09/08 16:47:10 | 001,306,387 | ---- | M] () -- C:\Program Files (x86)\Raptr\plugins\libmsn.dll
MOD - [2011/09/08 16:47:04 | 000,565,461 | ---- | M] () -- C:\Program Files (x86)\Raptr\plugins\libxmpp.dll
MOD - [2011/09/08 16:46:56 | 000,506,276 | ---- | M] () -- C:\Program Files (x86)\Raptr\plugins\libyahoo.dll
MOD - [2011/05/10 12:01:42 | 000,030,208 | ---- | M] () -- C:\Program Files (x86)\Raptr\simplejson._speedups.pyd
MOD - [2011/02/15 11:17:28 | 001,213,633 | ---- | M] () -- C:\Program Files (x86)\Raptr\libxml2-2.dll
MOD - [2011/02/15 11:17:28 | 000,417,501 | ---- | M] () -- C:\Program Files (x86)\Raptr\sqlite3.dll
MOD - [2011/01/23 19:00:23 | 000,148,280 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\ezprint.exe
MOD - [2011/01/23 19:00:20 | 000,770,728 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\lxebmon.exe
MOD - [2010/11/22 16:06:22 | 000,055,808 | ---- | M] () -- C:\Program Files (x86)\Raptr\zlib1.dll
MOD - [2010/11/22 15:57:34 | 000,167,936 | ---- | M] () -- C:\Program Files (x86)\Raptr\win32gui.pyd
MOD - [2010/11/22 15:57:34 | 000,111,104 | ---- | M] () -- C:\Program Files (x86)\Raptr\win32file.pyd
MOD - [2010/11/22 15:57:34 | 000,096,256 | ---- | M] () -- C:\Program Files (x86)\Raptr\win32api.pyd
MOD - [2010/11/22 15:57:34 | 000,036,352 | ---- | M] () -- C:\Program Files (x86)\Raptr\win32process.pyd
MOD - [2010/11/22 15:57:18 | 000,141,312 | ---- | M] () -- C:\Program Files (x86)\Raptr\gobject._gobject.pyd
MOD - [2010/11/22 15:56:56 | 000,110,592 | ---- | M] () -- C:\Program Files (x86)\Raptr\pywintypes26.dll
MOD - [2010/11/22 15:56:26 | 000,324,608 | ---- | M] () -- C:\Program Files (x86)\Raptr\PIL._imaging.pyd
MOD - [2010/11/22 15:56:02 | 000,805,376 | ---- | M] () -- C:\Program Files (x86)\Raptr\_ssl.pyd
MOD - [2010/11/22 15:56:02 | 000,583,680 | ---- | M] () -- C:\Program Files (x86)\Raptr\unicodedata.pyd
MOD - [2010/11/22 15:56:02 | 000,356,864 | ---- | M] () -- C:\Program Files (x86)\Raptr\_hashlib.pyd
MOD - [2010/11/22 15:56:02 | 000,127,488 | ---- | M] () -- C:\Program Files (x86)\Raptr\pyexpat.pyd
MOD - [2010/11/22 15:56:02 | 000,124,928 | ---- | M] () -- C:\Program Files (x86)\Raptr\_elementtree.pyd
MOD - [2010/11/22 15:56:02 | 000,087,040 | ---- | M] () -- C:\Program Files (x86)\Raptr\_ctypes.pyd
MOD - [2010/11/22 15:56:02 | 000,044,544 | ---- | M] () -- C:\Program Files (x86)\Raptr\_sqlite3.pyd
MOD - [2010/11/22 15:56:02 | 000,043,008 | ---- | M] () -- C:\Program Files (x86)\Raptr\_socket.pyd
MOD - [2010/11/22 15:56:02 | 000,009,216 | ---- | M] () -- C:\Program Files (x86)\Raptr\winsound.pyd
MOD - [2010/04/05 04:56:20 | 000,094,359 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\epoemdll.dll
MOD - [2010/04/05 04:56:19 | 000,045,221 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\epstring.dll
MOD - [2010/04/05 04:56:17 | 002,203,803 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\epwizres.dll
MOD - [2010/04/05 04:56:07 | 000,716,954 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\epwizard.dll
MOD - [2010/04/05 04:55:15 | 000,159,890 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\customui.dll
MOD - [2010/04/05 04:55:04 | 000,061,604 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\epfunct.dll
MOD - [2010/04/05 04:54:59 | 000,123,033 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\eputil.dll
MOD - [2010/04/05 04:54:52 | 000,143,502 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\imagutil.dll
MOD - [2010/04/01 11:24:28 | 001,159,168 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\lxebdrs.dll
MOD - [2010/04/01 11:23:27 | 000,389,120 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\lxebscw.dll
MOD - [2010/03/08 17:18:10 | 000,465,576 | ---- | M] () -- C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\sqlite3.dll
MOD - [2010/01/14 09:06:28 | 000,038,136 | ---- | M] () -- C:\Program Files (x86)\VideoWebCamera\VWC_ENG.dll
MOD - [2010/01/14 09:06:24 | 000,046,328 | ---- | M] () -- C:\Program Files (x86)\VideoWebCamera\sy_Utility.dll
MOD - [2010/01/14 09:06:18 | 000,632,056 | ---- | M] () -- C:\Program Files (x86)\VideoWebCamera\Image.dll
MOD - [2010/01/13 09:47:44 | 000,206,208 | ---- | M] () -- C:\Windows\PLFSetI.exe
MOD - [2009/06/03 19:59:14 | 000,013,096 | ---- | M] () -- c:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll
MOD - [2009/06/03 19:59:02 | 000,619,816 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Power2Go\CLMediaLibrary.dll
MOD - [2009/05/27 06:16:50 | 000,192,512 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\lxebdatr.dll
MOD - [2009/04/07 13:25:27 | 000,409,600 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\iptk.dll
MOD - [2009/03/09 23:43:49 | 000,155,648 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\lxebcaps.dll
MOD - [2009/03/02 08:25:47 | 000,151,552 | ---- | M] () -- C:\Program Files (x86)\Lexmark Pro200-S500 Series\lxebptp.dll
MOD - [2009/02/20 02:48:43 | 000,023,552 | ---- | M] () -- C:\Windows\SysWOW64\LXEBsmr.dll
MOD - [2009/02/20 02:48:03 | 000,299,008 | ---- | M] () -- C:\Windows\SysWOW64\LXEBsm.dll


========== Services (SafeList) ==========

SRV:64bit: - [2010/04/14 13:56:23 | 001,052,328 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysNative\lxebcoms.exe -- (lxeb_device)
SRV:64bit: - [2010/04/14 13:56:13 | 000,045,736 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\spool\DRIVERS\x64\3\\lxebserv.exe -- (lxebCATSCustConnectService)
SRV:64bit: - [2010/01/28 16:27:36 | 000,243,232 | ---- | M] (Acer Group) [Auto | Running] -- C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe -- (Updater Service)
SRV:64bit: - [2009/10/02 15:57:58 | 000,788,000 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Gateway\Gateway PowerSave Solution\ePowerSvc.exe -- (ePowerSvc)
SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013/01/18 21:17:54 | 000,541,608 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2013/01/18 15:38:06 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/12/18 07:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/06/15 19:24:19 | 000,138,272 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe -- (NIS)
SRV - [2010/04/14 13:56:13 | 000,045,736 | ---- | M] () [Auto | Stopped] -- C:\Windows\system32\spool\DRIVERS\x64\3\\lxebserv.exe -- (lxebCATSCustConnectService)
SRV - [2010/04/14 13:56:01 | 000,598,696 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysWOW64\lxebcoms.exe -- (lxeb_device)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/08 16:58:24 | 000,250,368 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Running] -- C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe -- (NTI IScheduleSvc)
SRV - [2009/10/09 19:59:08 | 000,238,328 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/08/28 02:38:58 | 001,150,496 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe -- (Greg_Service)
SRV - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/06/10 14:15:04 | 000,436,736 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\XAudio64.dll -- (HsfXAudioService)
SRV - [2009/06/04 18:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/08/23 07:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2012/08/23 07:07:35 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2012/08/05 08:34:41 | 000,175,736 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2012/07/05 19:17:58 | 000,037,536 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2012/07/05 19:17:57 | 000,737,952 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2012/06/26 20:38:30 | 000,046,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
DRV:64bit: - [2012/06/24 21:24:48 | 000,052,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d)
DRV:64bit: - [2012/06/06 21:43:38 | 000,167,072 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\ccsetx64.sys -- (ccSet_NIS)
DRV:64bit: - [2012/05/21 18:37:12 | 001,129,120 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\symefa64.sys -- (SymEFA)
DRV:64bit: - [2012/04/17 19:13:32 | 000,405,624 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\symnets.sys -- (SymNetS)
DRV:64bit: - [2012/04/17 18:42:14 | 000,190,072 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\ironx64.sys -- (SymIRON)
DRV:64bit: - [2012/03/28 23:28:25 | 000,451,192 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\symds64.sys -- (SymDS)
DRV:64bit: - [2012/02/29 23:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/03/10 23:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/10 23:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 06:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/01/13 15:37:18 | 007,675,392 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64)
DRV:64bit: - [2009/10/02 15:30:10 | 001,240,064 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV:64bit: - [2009/09/17 21:12:06 | 000,292,912 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2009/09/02 17:54:20 | 007,369,728 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 17:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2009/07/10 07:45:12 | 000,139,264 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV:64bit: - [2009/06/20 04:35:00 | 000,317,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\k57nd60a.sys -- (k57nd60a)
DRV:64bit: - [2009/06/19 19:09:57 | 000,054,272 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\L1E62x64.sys -- (L1E)
DRV:64bit: - [2009/06/10 14:15:04 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV:64bit: - [2009/06/10 14:15:04 | 000,010,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\XAudio64.sys -- (XAudio)
DRV:64bit: - [2009/06/10 14:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 14:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 14:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 13:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64)
DRV:64bit: - [2009/06/10 13:34:38 | 001,311,232 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/04 19:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/06/04 17:46:50 | 000,216,064 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2009/05/05 16:46:08 | 000,018,432 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV:64bit: - [2009/05/05 16:46:08 | 000,016,896 | ---- | M] (NewTech Infosystems Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\UBHelper.sys -- (UBHelper)
DRV:64bit: - [2009/02/12 23:24:56 | 001,485,824 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAX_DPV.sys -- (HSF_DPV)
DRV:64bit: - [2009/02/12 23:20:56 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAXHWAZL.sys -- (CAXHWAZL)
DRV:64bit: - [2009/02/12 23:19:34 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAX_CNXT.sys -- (winachsf)
DRV - [2013/01/19 02:42:04 | 002,087,664 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\Definitions\VirusDefs\20130128.017\ex64.sys -- (NAVEX15)
DRV - [2013/01/19 02:42:04 | 000,126,192 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\Definitions\VirusDefs\20130128.017\eng64.sys -- (NAVENG)
DRV - [2013/01/15 19:51:11 | 001,388,120 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\Definitions\BASHDefs\20130116.013\BHDrvx64.sys -- (BHDrvx64)
DRV - [2013/01/08 15:00:34 | 000,484,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2012/09/06 03:54:30 | 000,513,184 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\Definitions\IPSDefs\20130126.002\IDSviA64.sys -- (IDSVia64)
DRV - [2012/08/11 18:19:04 | 000,138,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gate...40z105a47i1t23p
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gate...40z105a47i1t23p
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gate...40z105a47i1t23p
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gate...40z105a47i1t23p
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.co...ng}&rlz=1I7ACGW
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gate...40z105a47i1t23p
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gate...40z105a47i1t23p
IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.co...1I7ACGW_enCA495
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledAddons: john%40velvetcache.org:1.3.7
FF - prefs.js..extensions.enabledAddons: %7B4DC70064-89E2-4a55-8FC6-E8CDEAE3618C%7D:0.7.7
FF - prefs.js..extensions.enabledAddons: %7B81328583-3CA7-4809-B4BA-570A85818FBB%7D:0.9
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.4.3
FF - prefs.js..extensions.enabledAddons: %7Ba0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7%7D:20130116
FF - prefs.js..extensions.enabledAddons: %7Bbee6eb20-01e0-ebd1-da83-080329fb9a3a%7D:1.26
FF - prefs.js..extensions.enabledAddons: %7BBBDA0591-3099-440a-AA10-41764D9DB4DB%7D:11.1.1.5%20-%202
FF - prefs.js..extensions.enabledAddons: %7B2D3F3651-74B9-4795-BDEC-6DA2F431CB62%7D:2012.5.10.1
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_146.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3505.0912: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\IPSFFPlgn\ [2012/08/05 08:39:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\coFFPlgn\ [2013/01/27 01:37:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013/01/18 15:38:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013/01/18 15:38:07 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012/08/05 15:45:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Eric\AppData\Roaming\Mozilla\Extensions
[2013/01/26 22:52:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\extensions
[2013/01/24 17:16:16 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2013/01/26 22:52:21 | 000,000,000 | ---D | M] (Flash and Video Download) -- C:\Users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
[2012/08/06 20:26:40 | 000,017,677 | ---- | M] () (No name found) -- C:\Users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\extensions\[email protected]
[2012/11/09 23:27:56 | 000,013,345 | ---- | M] () (No name found) -- C:\Users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3618C}.xpi
[2013/01/22 10:44:33 | 000,533,221 | ---- | M] () (No name found) -- C:\Users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2012/12/18 18:30:07 | 000,043,390 | ---- | M] () (No name found) -- C:\Users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\extensions\{81328583-3CA7-4809-B4BA-570A85818FBB}.xpi
[2013/01/18 15:37:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2013/01/27 01:37:20 | 000,000,000 | ---D | M] (Norton Toolbar) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\COFFPLGN
[2012/08/05 08:39:50 | 000,000,000 | ---D | M] (Norton Vulnerability Protection) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\IPSFFPLGN
[2013/01/18 15:38:07 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/08/24 19:00:22 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/10/13 20:22:31 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2009/06/10 14:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coieplg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ips\ipsbho.dll (Symantec Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Acer ePower Management] C:\Program Files\Gateway\Gateway PowerSave Solution\ePowerTrayLauncher.exe (Acer Incorporated)
O4:64bit: - HKLM..\Run: [EzPrint] C:\Program Files (x86)\Lexmark Pro200-S500 Series\ezprint.exe ()
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IntelliPoint] c:\Program Files\Microsoft Device Center\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [IntelliType Pro] c:\Program Files\Microsoft Device Center\itype.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [lxebmon.exe] C:\Program Files (x86)\Lexmark Pro200-S500 Series\lxebmon.exe ()
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe ()
O4:64bit: - HKLM..\Run: [VIAAUD] C:\Program Files (x86)\VIA\VIAudioi\VDeck\viaaud.exe (VIA)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [BackupManagerTray] C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe (NewTech Infosystems, Inc.)
O4 - HKLM..\Run: [CLMLServer] c:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe (Symantec Corporation)
O4 - HKLM..\Run: [RemoteControl8] c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [VideoWebCamera] C:\Program Files (x86)\VideoWebCamera\VideoWebCamera.exe (Suyin)
O4 - HKCU..\Run: [Raptr] C:\Program Files (x86)\Raptr\raptrstub.exe (Raptr, Inc)
O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
O4 - HKCU..\Run: [updateMgr] C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Eric\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html File not found
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E3408A6B-2102-4AD3-B8EA-85566C1C9F69}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EF0A1DCD-3686-43D4-BAFE-21AC945420DA}: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/29 00:31:13 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Eric\Desktop\OTL.exe
[2013/01/18 15:37:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2013/01/15 01:15:13 | 000,000,000 | ---D | C] -- C:\Users\Eric\AppData\Roaming\AdobeUM
[2013/01/15 01:14:12 | 000,000,000 | ---D | C] -- C:\Users\Eric\Documents\Updater
[2013/01/15 01:02:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe Systems Shared
[2013/01/15 01:02:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe
[2013/01/15 00:57:33 | 000,000,000 | ---D | C] -- C:\PhSp_CS2_UE_Ret
[2013/01/14 22:39:44 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\spool
[2013/01/14 22:39:44 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Adobe PDF
[2013/01/10 18:45:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox.bak
[2013/01/09 14:23:47 | 000,000,000 | ---D | C] -- C:\Users\Eric\AppData\Local\Programs
[2013/01/04 13:54:22 | 000,000,000 | R--D | C] -- C:\Users\Eric\Dropbox
[2013/01/04 13:53:22 | 000,000,000 | ---D | C] -- C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2013/01/04 13:52:39 | 000,000,000 | ---D | C] -- C:\Users\Eric\AppData\Roaming\Dropbox
[2013/01/02 11:16:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Media Player
[2013/01/02 11:15:55 | 000,000,000 | ---D | C] -- C:\Windows\ehome
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/29 00:31:13 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Eric\Desktop\OTL.exe
[2013/01/28 21:45:21 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/01/27 01:44:01 | 000,017,600 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/01/27 01:44:01 | 000,017,600 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/01/27 01:35:46 | 2360,025,088 | -HS- | M] () -- C:\hiberfil.sys
[2013/01/25 22:51:42 | 006,176,432 | ---- | M] () -- C:\Users\Eric\Documents\Techniques_of_Safecracking__1990__By_Wayne_B_Yeager__Loompan.pdf
[2013/01/22 18:39:49 | 000,012,863 | ---- | M] () -- C:\Users\Eric\Documents\MBI sales trades.odt
[2013/01/15 01:58:42 | 000,360,968 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/01/15 01:54:57 | 000,001,502 | ---- | M] () -- C:\Users\Public\Documents\AcStd7_1_0.ini
[2013/01/15 01:53:39 | 000,000,091 | ---- | M] () -- C:\Users\Public\Documents\AcStd7_1_0.sta
[2013/01/15 01:52:37 | 000,002,453 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2013/01/15 01:13:01 | 000,002,052 | ---- | M] () -- C:\Users\Eric\Desktop\Adobe Photoshop CS2.lnk
[2013/01/15 01:02:45 | 000,001,392 | ---- | M] () -- C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
[2013/01/14 22:40:11 | 000,002,044 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Acrobat 7.0 Standard.lnk
[2013/01/14 00:43:36 | 000,009,464 | ---- | M] () -- C:\Users\Eric\Documents\DONS credit towards prison lock.odt
[2013/01/09 14:24:22 | 000,001,120 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/01/09 03:09:48 | 000,732,070 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/01/09 03:09:48 | 000,616,008 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/01/09 03:09:48 | 000,106,388 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/01/04 13:54:22 | 000,001,045 | ---- | M] () -- C:\Users\Eric\Desktop\Dropbox.lnk
[2013/01/04 13:53:34 | 000,001,055 | ---- | M] () -- C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[5 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/01/25 22:51:41 | 006,176,432 | ---- | C] () -- C:\Users\Eric\Documents\Techniques_of_Safecracking__1990__By_Wayne_B_Yeager__Loompan.pdf
[2013/01/15 01:54:58 | 000,001,502 | ---- | C] () -- C:\Users\Public\Documents\AcStd7_1_0.ini
[2013/01/15 01:54:58 | 000,000,091 | ---- | C] () -- C:\Users\Public\Documents\AcStd7_1_0.sta
[2013/01/15 01:13:01 | 000,002,052 | ---- | C] () -- C:\Users\Eric\Desktop\Adobe Photoshop CS2.lnk
[2013/01/15 01:05:17 | 000,002,096 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Help Center.lnk
[2013/01/15 01:02:45 | 000,001,392 | ---- | C] () -- C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
[2013/01/15 01:02:18 | 000,002,078 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge.lnk
[2013/01/15 01:01:36 | 000,002,052 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS2.lnk
[2013/01/15 01:01:36 | 000,002,049 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ImageReady CS2.lnk
[2013/01/14 22:40:10 | 000,002,044 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Acrobat 7.0 Standard.lnk
[2013/01/14 22:40:09 | 000,002,459 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Distiller 7.0.lnk
[2013/01/14 22:40:09 | 000,002,453 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2013/01/14 22:40:08 | 000,002,501 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat 7.0 Standard.lnk
[2013/01/04 13:54:22 | 000,001,045 | ---- | C] () -- C:\Users\Eric\Desktop\Dropbox.lnk
[2013/01/04 13:53:34 | 000,001,055 | ---- | C] () -- C:\Users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2013/01/03 23:09:15 | 000,012,863 | ---- | C] () -- C:\Users\Eric\Documents\MBI sales trades.odt
[2013/01/02 11:17:10 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2013/01/02 11:17:07 | 000,001,547 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2012/12/24 18:52:31 | 000,000,766 | ---- | C] () -- C:\Windows\gcode.INI
[2012/12/24 12:24:16 | 000,007,680 | ---- | C] () -- C:\Users\Eric\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/08/07 22:34:56 | 000,364,544 | ---- | C] ( ) -- C:\Windows\SysWow64\lxebinpa.dll
[2012/08/07 22:34:56 | 000,344,064 | ---- | C] () -- C:\Windows\SysWow64\lxebcomx.dll
[2012/08/07 22:34:56 | 000,344,064 | ---- | C] ( ) -- C:\Windows\SysWow64\lxebiesc.dll
[2012/08/07 22:34:56 | 000,331,776 | ---- | C] () -- C:\Windows\SysWow64\LXEBinst.dll
[2012/08/07 22:34:55 | 001,048,576 | ---- | C] ( ) -- C:\Windows\SysWow64\lxebserv.dll
[2012/08/07 22:34:55 | 000,847,872 | ---- | C] ( ) -- C:\Windows\SysWow64\lxebusb1.dll
[2012/08/07 22:34:55 | 000,802,816 | ---- | C] ( ) -- C:\Windows\SysWow64\lxebcomc.dll
[2012/08/07 22:34:55 | 000,688,128 | ---- | C] ( ) -- C:\Windows\SysWow64\lxebhbn3.dll
[2012/08/07 22:34:55 | 000,643,072 | ---- | C] ( ) -- C:\Windows\SysWow64\lxebpmui.dll
[2012/08/07 22:34:55 | 000,598,696 | ---- | C] ( ) -- C:\Windows\SysWow64\lxebcoms.exe
[2012/08/07 22:34:55 | 000,577,536 | ---- | C] ( ) -- C:\Windows\SysWow64\lxeblmpm.dll
[2012/08/07 22:34:55 | 000,373,416 | ---- | C] ( ) -- C:\Windows\SysWow64\lxebcfg.exe
[2012/08/07 22:34:55 | 000,372,736 | ---- | C] ( ) -- C:\Windows\SysWow64\lxebcomm.dll
[2012/08/07 22:34:55 | 000,324,264 | ---- | C] ( ) -- C:\Windows\SysWow64\lxebih.exe
[2012/08/07 22:34:55 | 000,323,584 | ---- | C] () -- C:\Windows\SysWow64\lxebins.dll
[2012/08/07 22:34:55 | 000,262,144 | ---- | C] () -- C:\Windows\SysWow64\lxebinsb.dll
[2012/08/07 22:34:55 | 000,253,952 | ---- | C] () -- C:\Windows\SysWow64\lxebcu.dll
[2012/08/07 22:34:55 | 000,106,496 | ---- | C] () -- C:\Windows\SysWow64\lxebinsr.dll
[2012/08/07 22:34:55 | 000,090,112 | ---- | C] () -- C:\Windows\SysWow64\lxebcub.dll
[2012/08/07 22:34:55 | 000,057,344 | ---- | C] () -- C:\Windows\SysWow64\lxebjswr.dll
[2012/08/07 22:34:55 | 000,036,864 | ---- | C] () -- C:\Windows\SysWow64\lxebcur.dll
[2012/08/07 22:34:36 | 000,299,008 | ---- | C] () -- C:\Windows\SysWow64\LXEBsm.dll
[2012/08/07 22:34:36 | 000,023,552 | ---- | C] () -- C:\Windows\SysWow64\LXEBsmr.dll
[2012/08/05 05:00:43 | 000,134,592 | ---- | C] () -- C:\Windows\SysWow64\igfcg500.bin
[2012/08/05 05:00:17 | 000,001,612 | ---- | C] () -- C:\Windows\WPatchProgress.ini
[2012/08/05 03:24:44 | 000,206,208 | ---- | C] () -- C:\Windows\PLFSetI.exe
[2012/08/05 03:24:44 | 000,049,464 | ---- | C] ( ) -- C:\Windows\AutosetFrequency.exe
[2012/08/05 03:24:44 | 000,000,637 | ---- | C] () -- C:\Windows\AutoSetFrequency.ini
[2012/08/05 03:24:44 | 000,000,378 | ---- | C] () -- C:\Windows\PidList.ini

========== ZeroAccess Check ==========

[2009/07/13 21:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 22:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 21:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 18:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 05:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 18:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012/08/18 16:45:57 | 000,000,000 | ---D | M] -- C:\Users\Eric\AppData\Roaming\.minecraft
[2013/01/27 01:38:32 | 000,000,000 | ---D | M] -- C:\Users\Eric\AppData\Roaming\Dropbox
[2012/08/12 04:12:37 | 000,000,000 | ---D | M] -- C:\Users\Eric\AppData\Roaming\Mumble
[2012/08/05 22:47:37 | 000,000,000 | ---D | M] -- C:\Users\Eric\AppData\Roaming\OpenOffice.org
[2013/01/29 00:07:57 | 000,000,000 | ---D | M] -- C:\Users\Eric\AppData\Roaming\Raptr
[2012/10/23 16:13:05 | 000,000,000 | ---D | M] -- C:\Users\Eric\AppData\Roaming\RotMG.Production
[2012/12/06 03:41:16 | 000,000,000 | ---D | M] -- C:\Users\Eric\AppData\Roaming\Shark007
[2012/11/23 21:56:00 | 000,000,000 | ---D | M] -- C:\Users\Eric\AppData\Roaming\SystemRequirementsLab
[2012/08/29 11:23:32 | 000,000,000 | ---D | M] -- C:\Users\Eric\AppData\Roaming\Tibia
[2012/12/03 02:50:08 | 000,000,000 | ---D | M] -- C:\Users\Eric\AppData\Roaming\WildTangent

========== Purity Check ==========



< End of report >
  • 0

Advertisements


#2
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Gringo
  • 0

#3
averageguy

averageguy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello Gringo,

Thank you for your help. Here are the reports.

SECURITY CHECK

Results of screen317's Security Check version 0.99.57
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Adobe Flash Player 11.5.502.146
Adobe Reader 10.1.5 Adobe Reader out of Date!
Mozilla Firefox (18.0.1)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````






ADW CLEANER

# AdwCleaner v2.109 - Logfile created 01/29/2013 at 23:48:15
# Updated 26/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Eric - ERIC-PC
# Boot Mode : Normal
# Running from : C:\Users\Eric\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Users\Eric\AppData\Local\Temp\boost_interprocess
Folder Deleted : C:\Users\Rod\AppData\Local\Temp\boost_interprocess
Folder Deleted : C:\Users\Rod\AppData\Roaming\Mozilla\Firefox\Profiles\vzi3edjq.default\extensions\staged

***** [Registry] *****

Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.1 (en-US)

File : C:\Users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\prefs.js

[OK] File is clean.

File : C:\Users\Rod\AppData\Roaming\Mozilla\Firefox\Profiles\vzi3edjq.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1335 octets] - [29/01/2013 23:48:15]

########## EOF - C:\AdwCleaner[S1].txt - [1395 octets] ##########




ROGUE KILLER

RogueKiller V8.4.3 [Jan 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Eric [Admin rights]
Mode : Scan -- Date : 01/29/2013 23:54:18
| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545032B9A300 +++++
--- User ---
[MBR] 2fe29421049a889dfb3842c5dcff3c69
[BSP] ae67ababae30642f1826237f610dbbe7 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 26626048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 26830848 | Size: 292143 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_01292013_02d2354.txt >>
RKreport[1]_S_01292013_02d2354.txt
  • 0

#4
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello


These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.


-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Gringo
  • 0

#5
averageguy

averageguy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
AWD Cleaner

# AdwCleaner v2.109 - Logfile created 01/30/2013 at 20:41:21
# Updated 26/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Eric - ERIC-PC
# Boot Mode : Normal
# Running from : C:\Users\Eric\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Eric\AppData\Local\Temp\boost_interprocess
Folder Deleted : C:\Users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\extensions\staged
Folder Deleted : C:\Users\Rod\AppData\Local\Temp\boost_interprocess

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.1 (en-US)

File : C:\Users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\prefs.js

[OK] File is clean.

File : C:\Users\Rod\AppData\Roaming\Mozilla\Firefox\Profiles\vzi3edjq.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1462 octets] - [29/01/2013 23:48:15]
AdwCleaner[S2].txt - [1085 octets] - [30/01/2013 20:41:21]

########## EOF - C:\AdwCleaner[S2].txt - [1145 octets] ##########
  • 0

#6
averageguy

averageguy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Rogue Killer

RogueKiller V8.4.3 [Jan 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Eric [Admin rights]
Mode : Remove -- Date : 01/30/2013 20:48:04
| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545032B9A300 +++++
--- User ---
[MBR] 2fe29421049a889dfb3842c5dcff3c69
[BSP] ae67ababae30642f1826237f610dbbe7 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 26626048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 26830848 | Size: 292143 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_01302013_02d2048.txt >>
RKreport[1]_S_01302013_02d2047.txt ; RKreport[2]_D_01302013_02d2048.txt
  • 0

#7
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
  • 0

#8
averageguy

averageguy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello Gringo,

I noticed this morning that there was Eric and Computer shortcuts on my desktop and I did not put them there. There is also a RK_QUARANTINE file on my desktop.

I ran combofix and it found 1 infected file and took care of it. It rebooted after that. When I tried to start firefox it popped up with one of the illegal operations flags you mentioned I clicked ok and it asked me if I wanted to remove it and I selected no as I was unsure what to do then I restarted. Logged back on and it started fine after that although it asked if I wanted to make it my default browser again.


Here is the combofix log:


ComboFix 13-01-31.03 - Eric 31/01/2013 16:35:27.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.3001.1874 [GMT -7:00]
Running from: c:\users\Eric\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files (x86)\Java\Java Update\jusched.exe
c:\programdata\SPL1540.tmp
c:\programdata\SPL1D01.tmp
c:\programdata\SPL35AB.tmp
c:\programdata\SPL96F2.tmp
c:\programdata\SPLEC92.tmp
.
Infected copy of c:\windows\SysWow64\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-28 to 2013-01-31 )))))))))))))))))))))))))))))))
.
.
2013-01-31 23:44 . 2013-01-31 23:44 -------- d-----w- c:\users\Rod\AppData\Local\temp
2013-01-31 23:44 . 2013-01-31 23:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-31 23:31 . 2013-01-31 23:46 -------- d-----w- C:\32788R22FWJFW
2013-01-15 08:15 . 2013-01-15 08:15 -------- d-----w- c:\users\Eric\AppData\Roaming\AdobeUM
2013-01-15 08:02 . 2013-01-15 08:02 -------- d-----w- c:\program files (x86)\Common Files\Adobe Systems Shared
2013-01-15 07:57 . 2013-01-15 07:58 -------- d-----w- C:\PhSp_CS2_UE_Ret
2013-01-15 05:39 . 2013-01-15 05:39 -------- d-----w- c:\windows\SysWow64\spool
2013-01-09 21:23 . 2013-01-09 21:23 -------- d-----w- c:\users\Eric\AppData\Local\Programs
2013-01-09 03:10 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll
2013-01-09 03:10 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-01-09 03:08 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll
2013-01-04 20:54 . 2013-01-31 03:46 -------- d-----r- c:\users\Eric\Dropbox
2013-01-04 20:52 . 2013-01-31 03:46 -------- d-----w- c:\users\Eric\AppData\Roaming\Dropbox
2013-01-02 18:15 . 2013-01-02 18:16 -------- d-----w- c:\windows\ehome
2013-01-02 18:15 . 2013-01-02 18:15 -------- d-----w- c:\users\Default\AppData\Roaming\Media Center Programs
2013-01-02 18:15 . 2013-01-02 18:15 -------- d-----r- c:\users\Public\Recorded TV
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-09 10:45 . 2012-09-03 04:35 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-09 10:45 . 2012-09-03 04:35 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-09 10:04 . 2012-08-05 15:17 67599240 ----a-w- c:\windows\system32\MRT.exe
2012-12-16 17:11 . 2012-12-21 10:00 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 10:00 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 10:00 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 10:00 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-14 23:49 . 2012-08-06 06:40 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-30 04:45 . 2013-01-09 03:08 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-11-27 12:58 . 2012-12-06 10:40 4282368 ----a-w- c:\windows\system32\x264vfw.dll
2012-11-25 17:00 . 2012-12-06 10:40 1921024 ----a-w- c:\windows\system32\VSFilter.dll
2012-11-15 22:13 . 2012-08-05 10:26 29480 ----a-w- c:\windows\SysWow64\msxml3a.dll
2012-11-14 07:06 . 2012-12-12 03:22 17811968 ----a-w- c:\windows\system32\mshtml.dll
2012-11-14 06:32 . 2012-12-12 03:22 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-11-14 06:11 . 2012-12-12 03:22 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 06:04 . 2012-12-12 03:22 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-11-14 06:04 . 2012-12-12 03:22 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 06:02 . 2012-12-12 03:22 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 06:02 . 2012-12-12 03:22 237056 ----a-w- c:\windows\system32\url.dll
2012-11-14 05:59 . 2012-12-12 03:22 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-11-14 05:58 . 2012-12-12 03:22 816640 ----a-w- c:\windows\system32\jscript.dll
2012-11-14 05:57 . 2012-12-12 03:22 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 05:57 . 2012-12-12 03:22 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 05:55 . 2012-12-12 03:22 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-11-14 05:55 . 2012-12-12 03:22 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-11-14 05:53 . 2012-12-12 03:22 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-11-14 05:52 . 2012-12-12 03:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-14 05:46 . 2012-12-12 03:22 248320 ----a-w- c:\windows\system32\ieui.dll
2012-11-14 02:09 . 2012-12-12 03:22 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-11-14 01:58 . 2012-12-12 03:22 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-11-14 01:57 . 2012-12-12 03:22 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-11-14 01:49 . 2012-12-12 03:22 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-11-14 01:48 . 2012-12-12 03:22 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-11-14 01:44 . 2012-12-12 03:22 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-11-09 05:45 . 2012-12-12 01:36 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-09 04:42 . 2012-12-12 01:36 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-12-06 1354736]
"updateMgr"="c:\program files (x86)\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-24 588648]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2010-03-08 252928]
"VideoWebCamera"="c:\program files (x86)\VideoWebCamera\VideoWebCamera.exe" [2010-01-14 1541472]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-11-01 1094736]
"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Acrobat Assistant 7.0"="c:\program files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
.
c:\users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Dropbox.lnk - c:\users\Eric\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2013-1-14 25214]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxebserv.exe [2010-04-14 45736]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-05 216064]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-05 1255736]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1309000.009\SYMDS64.SYS [2012-03-29 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1309000.009\SYMEFA64.SYS [2012-05-22 1129120]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\Definitions\BASHDefs\20130116.013\BHDrvx64.sys [2013-01-16 1388120]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1309000.009\ccSetx64.sys [2012-06-07 167072]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\Definitions\IPSDefs\20130130.001\IDSvia64.sys [2012-09-06 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1309000.009\Ironx64.SYS [2012-04-18 190072]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1309000.009\SYMNETS.SYS [2012-04-18 405624]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway PowerSave Solution\ePowerSvc.exe [2009-10-02 788000]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe [2010-04-14 1052328]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [2012-06-16 138272]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2010-03-08 250368]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2010-01-28 243232]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-02-13 292864]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-06-25 52320]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-12 138912]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 139264]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-20 317480]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-01-13 7675392]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-06-27 46176]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-10-02 1240064]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"VIAAUD"="c:\program files (x86)\VIA\VIAudioi\VDeck\VIAAUD.exe" [2009-10-07 563200]
"PLFSetI"="c:\windows\PLFSetI.exe" [2010-01-13 206208]
"Acer ePower Management"="c:\program files\Gateway\Gateway PowerSave Solution\ePowerTrayLauncher.exe" [2009-10-02 496160]
"IntelliType Pro"="c:\program files\Microsoft Device Center\itype.exe" [2012-06-27 1464928]
"IntelliPoint"="c:\program files\Microsoft Device Center\ipoint.exe" [2012-06-27 2004584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-03 159232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-03 380928]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-03 358912]
"lxebmon.exe"="c:\program files (x86)\Lexmark Pro200-S500 Series\lxebmon.exe" [2011-01-24 770728]
"EzPrint"="c:\program files (x86)\Lexmark Pro200-S500 Series\ezprint.exe" [2011-01-24 148280]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=id58_series&r=2736081213b6l0440z105a47i1t23p
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=id58_series&r=2736081213b6l0440z105a47i1t23p
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=id58_series&r=2736081213b6l0440z105a47i1t23p
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\NORTON INTERNET SECURITY\ENGINE\19.9.0.9\cltLMH.exe
.
**************************************************************************
.
Completion time: 2013-01-31 16:51:34 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-31 23:51
.
Pre-Run: 183,606,415,360 bytes free
Post-Run: 183,461,765,120 bytes free
.
- - End Of File - - 2E52AC2B49F64F72456E0285D5C52DD9
  • 0

#9
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

  • 0

#10
averageguy

averageguy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello,

It ran the same scan and found an infected file in the same place. This was during part/scan 50.

Infected copy of c:\windows\SysWow64\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache86\userinit.exe

And I cannot tell if it is doing any different yet as it would only redirect to a new page 1 time a week or so :/


Combofix log

ComboFix 13-01-31.03 - Eric 31/01/2013 19:59:52.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.3001.1508 [GMT -7:00]
Running from: c:\users\Eric\Desktop\ComboFix.exe
Command switches used :: c:\users\Eric\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\SysWow64\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache86\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-01-01 to 2013-02-01 )))))))))))))))))))))))))))))))
.
.
2013-02-01 03:08 . 2013-02-01 03:08 -------- d-----w- c:\users\Rod\AppData\Local\temp
2013-02-01 03:08 . 2013-02-01 03:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-01 03:08 . 2013-02-01 03:08 -------- d-----w- c:\users\cris\AppData\Local\temp
2013-01-15 08:15 . 2013-01-15 08:15 -------- d-----w- c:\users\Eric\AppData\Roaming\AdobeUM
2013-01-15 08:02 . 2013-01-15 08:02 -------- d-----w- c:\program files (x86)\Common Files\Adobe Systems Shared
2013-01-15 07:57 . 2013-01-15 07:58 -------- d-----w- C:\PhSp_CS2_UE_Ret
2013-01-15 05:39 . 2013-01-15 05:39 -------- d-----w- c:\windows\SysWow64\spool
2013-01-09 21:23 . 2013-01-09 21:23 -------- d-----w- c:\users\Eric\AppData\Local\Programs
2013-01-09 03:10 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll
2013-01-09 03:10 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-01-09 03:08 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll
2013-01-04 20:54 . 2013-02-01 00:00 -------- d-----r- c:\users\Eric\Dropbox
2013-01-04 20:52 . 2013-02-01 00:00 -------- d-----w- c:\users\Eric\AppData\Roaming\Dropbox
2013-01-02 18:15 . 2013-01-02 18:16 -------- d-----w- c:\windows\ehome
2013-01-02 18:15 . 2013-01-02 18:15 -------- d-----w- c:\users\Default\AppData\Roaming\Media Center Programs
2013-01-02 18:15 . 2013-01-02 18:15 -------- d-----r- c:\users\Public\Recorded TV
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-09 10:45 . 2012-09-03 04:35 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-09 10:45 . 2012-09-03 04:35 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-09 10:04 . 2012-08-05 15:17 67599240 ----a-w- c:\windows\system32\MRT.exe
2012-12-16 17:11 . 2012-12-21 10:00 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 10:00 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 10:00 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 10:00 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-14 23:49 . 2012-08-06 06:40 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-30 04:45 . 2013-01-09 03:08 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-11-27 12:58 . 2012-12-06 10:40 4282368 ----a-w- c:\windows\system32\x264vfw.dll
2012-11-25 17:00 . 2012-12-06 10:40 1921024 ----a-w- c:\windows\system32\VSFilter.dll
2012-11-15 22:13 . 2012-08-05 10:26 29480 ----a-w- c:\windows\SysWow64\msxml3a.dll
2012-11-14 07:06 . 2012-12-12 03:22 17811968 ----a-w- c:\windows\system32\mshtml.dll
2012-11-14 06:32 . 2012-12-12 03:22 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-11-14 06:11 . 2012-12-12 03:22 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 06:04 . 2012-12-12 03:22 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-11-14 06:04 . 2012-12-12 03:22 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 06:02 . 2012-12-12 03:22 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 06:02 . 2012-12-12 03:22 237056 ----a-w- c:\windows\system32\url.dll
2012-11-14 05:59 . 2012-12-12 03:22 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-11-14 05:58 . 2012-12-12 03:22 816640 ----a-w- c:\windows\system32\jscript.dll
2012-11-14 05:57 . 2012-12-12 03:22 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 05:57 . 2012-12-12 03:22 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 05:55 . 2012-12-12 03:22 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-11-14 05:55 . 2012-12-12 03:22 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-11-14 05:53 . 2012-12-12 03:22 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-11-14 05:52 . 2012-12-12 03:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-14 05:46 . 2012-12-12 03:22 248320 ----a-w- c:\windows\system32\ieui.dll
2012-11-14 02:09 . 2012-12-12 03:22 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-11-14 01:58 . 2012-12-12 03:22 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-11-14 01:57 . 2012-12-12 03:22 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-11-14 01:49 . 2012-12-12 03:22 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-11-14 01:48 . 2012-12-12 03:22 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-11-14 01:44 . 2012-12-12 03:22 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-11-09 05:45 . 2012-12-12 01:36 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-09 04:42 . 2012-12-12 01:36 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-12-06 1354736]
"updateMgr"="c:\program files (x86)\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-24 588648]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2010-03-08 252928]
"VideoWebCamera"="c:\program files (x86)\VideoWebCamera\VideoWebCamera.exe" [2010-01-14 1541472]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-11-01 1094736]
"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Acrobat Assistant 7.0"="c:\program files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
.
c:\users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Dropbox.lnk - c:\users\Eric\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2013-1-14 25214]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxebserv.exe [2010-04-14 45736]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-05 216064]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-05 1255736]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1309000.009\SYMDS64.SYS [2012-03-29 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1309000.009\SYMEFA64.SYS [2012-05-22 1129120]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\Definitions\BASHDefs\20130116.013\BHDrvx64.sys [2013-01-16 1388120]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1309000.009\ccSetx64.sys [2012-06-07 167072]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\Definitions\IPSDefs\20130130.001\IDSvia64.sys [2012-09-06 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1309000.009\Ironx64.SYS [2012-04-18 190072]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1309000.009\SYMNETS.SYS [2012-04-18 405624]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway PowerSave Solution\ePowerSvc.exe [2009-10-02 788000]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe [2010-04-14 1052328]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [2012-06-16 138272]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2010-03-08 250368]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2010-01-28 243232]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-02-13 292864]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-06-25 52320]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-12 138912]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 139264]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-20 317480]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-01-13 7675392]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-06-27 46176]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-10-02 1240064]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\Eric\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"VIAAUD"="c:\program files (x86)\VIA\VIAudioi\VDeck\VIAAUD.exe" [2009-10-07 563200]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"PLFSetI"="c:\windows\PLFSetI.exe" [2010-01-13 206208]
"Acer ePower Management"="c:\program files\Gateway\Gateway PowerSave Solution\ePowerTrayLauncher.exe" [2009-10-02 496160]
"IntelliType Pro"="c:\program files\Microsoft Device Center\itype.exe" [2012-06-27 1464928]
"IntelliPoint"="c:\program files\Microsoft Device Center\ipoint.exe" [2012-06-27 2004584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-03 159232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-03 380928]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-03 358912]
"lxebmon.exe"="c:\program files (x86)\Lexmark Pro200-S500 Series\lxebmon.exe" [2011-01-24 770728]
"EzPrint"="c:\program files (x86)\Lexmark Pro200-S500 Series\ezprint.exe" [2011-01-24 148280]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=id58_series&r=2736081213b6l0440z105a47i1t23p
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=id58_series&r=2736081213b6l0440z105a47i1t23p
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=id58_series&r=2736081213b6l0440z105a47i1t23p
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\7e56wv4j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Completion time: 2013-01-31 20:13:12 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-01 03:13
ComboFix2.txt 2013-01-31 23:51
.
Pre-Run: 183,185,850,368 bytes free
Post-Run: 183,110,381,568 bytes free
.
- - End Of File - - 00C6E7D4D7418E10B264CB22CEF4C1A7
  • 0

Advertisements


#11
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
  • 0

#12
averageguy

averageguy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello,

The last 2 reports are what popped up after combofix finished.

And here is the one you wanted.

7-Zip 9.20
Acrobat.com
Adobe Acrobat 7.0 Standard
Adobe Acrobat 7.1.0 Standard
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 11 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader X (10.1.5)
Adobe Stock Photos 1.0
Backup Manager Basic
Bejeweled 2 Deluxe
Blackhawk Striker 2
Bob the Builder Can-Do-Zoo
Build-a-lot 2
ChairGun4 4.0.1
Compatibility Pack for the 2007 Office system
CyberLink Power2Go
CyberLink PowerDVD 8
D3DX10
Don't Starve
Dropbox
Escape Rosecliff Island
Faerie Solitaire
FATE - The Traitor Soul
FTL: Faster Than Light
Gateway Game Console
Gateway Games
Gateway InfoCentre
Gateway MyBackup
Gateway PowerSave Solution
Gateway Recovery Management
Gateway Registration
Gateway ScreenSaver
Gateway Updater
Hawke ChairGun Pro 1.0.5b
Identity Card
Jewel Quest Solitaire 3
Launch Manager
Malwarebytes Anti-Malware version 1.70.0.1100
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Works
Monopoly
Movie Maker
Mozilla Firefox 18.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT110
Mystery P.I. - Lost in Los Angeles
Norton Internet Security
Norton Online Backup
OpenOffice.org 3.4
Penguins!
Photo Common
Photo Gallery
Plants vs. Zombies
Platform
Polar Bowler
Polar Golfer
Realm of the Mad God
Realtek USB 2.0 Card Reader
Scrabble Plus
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Steam
The Price is Right
Tibia
Torchlight II
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
VIA Platform Device Manager
Video Web Camera
Virtual Families
Virtual Villagers - A New Home
VLC media player 2.0.3
Welcome Center
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Media DRM Reset
Yahtzee
Zuma Deluxe
  • 0

#13
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. default settings are fine
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

I see that you have MBAM installed - That is great!! and at this time I would like you to update it and run me a quick scan

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • copy and paste hijackthis report into the topic

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

  • 0

#14
averageguy

averageguy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Gringo,

I actually have Ccleaner installed as well.

When doing the MBAM the option "Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected." was never shown. Does this only appear when there is an issue?

Here is the report:

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.01.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Eric :: ERIC-PC [administrator]

31/01/2013 9:41:14 PM
mbam-log-2013-01-31 (21-41-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 253421
Time elapsed: 2 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:55:22 PM, on 31/01/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16457)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\PLFSetI.exe
C:\Program Files (x86)\Lexmark Pro200-S500 Series\lxebmon.exe
C:\Program Files (x86)\Lexmark Pro200-S500 Series\ezprint.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Users\Eric\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\VideoWebCamera\VideoWebCamera.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe
C:\Users\Eric\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gate...40z105a47i1t23p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gate...40z105a47i1t23p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gate...40z105a47i1t23p
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\IPS\IPSBHO.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coIEPlg.dll
O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
O4 - HKLM\..\Run: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
O4 - HKLM\..\Run: [VideoWebCamera] "C:\Program Files (x86)\VideoWebCamera\VideoWebCamera.exe" -a
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [RemoteControl8] "c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [CLMLServer] "c:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcStd7_1_0 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dropbox.lnk = Eric\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Gateway\Gateway PowerSave Solution\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: lxebCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\\lxebserv.exe
O23 - Service: lxeb_device - - C:\Windows\system32\lxebcoms.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe
O23 - Service: NTI IScheduleSvc - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer Group - C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9588 bytes
  • 0

#15
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis (rightclick and run as admin)
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
      O4 - HKLM\..\Run: [VideoWebCamera] "C:\Program Files (x86)\VideoWebCamera\VideoWebCamera.exe" -a
      O4 - HKLM\..\Run: [RemoteControl8] "c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"
      O4 - HKLM\..\Run: [CLMLServer] "c:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
      O4 - HKCU\..\Run: [updateMgr] C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcStd7_1_0 -reboot 1
      O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Startup: Dropbox.lnk = Eric\AppData\Roaming\Dropbox\bin\Dropbox.exe
      O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add/on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here

Gringo
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP