Mixi.Dj toolbar
#1
Ian7
New Member | 3 posts

Hi, I got the mixi.dj toolbar installed while downloading other software. It seems to be messing with my browsers. Not sure what else.

I think it came in with Power2Go. I needed a CD burner to write a disk image. I got lazy during the install and, in hindsight, remember 'blind clicking' ACCEPT a few times. Bad me.

I have uninstalled Mixi.DJ and cleaned out IE and Chrome extensions, settings, home page, etc. Not sure if it is really gone or what else it did. I read that it may log internet activity and password entry, including on financial sites... Is this true?

I am now running mbam to see what it finds.

Since this forum helped me with some of the work I had done so far, I thought I would post because the next steps in the forum involve a lot of malware removal tools and reading logs generated by them. Not my day job!

Any help would be appreciated.

OK, reread how to post here. Ran OTL. Will post the log and the log from MBAM that just finished!

Gotta reboot now to finish MBAM removal of a file.

Thanks

Ian


OTL logfile created on: 21/03/2013 10:52:30 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\User\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.50 Gb Total Physical Memory | 1.12 Gb Available Physical Memory | 31.87% Memory free
7.00 Gb Paging File | 4.04 Gb Available in Paging File | 57.76% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 931.41 Gb Total Space | 803.21 Gb Free Space | 86.24% Space Free | Partition Type: NTFS
Drive E: | 3.74 Gb Total Space | 3.61 Gb Free Space | 96.58% Space Free | Partition Type: FAT32
Drive F: | 465.76 Gb Total Space | 198.28 Gb Free Space | 42.57% Space Free | Partition Type: NTFS

Computer Name: MARSH | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/03/21 22:51:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\User\Downloads\OTL.exe
PRC - [2013/02/19 08:32:30 | 000,213,384 | ---- | M] (Google Inc.) -- C:\Users\User\AppData\Local\Google\Update\1.3.21.135\GoogleCrashHandler.exe
PRC - [2013/01/29 19:56:36 | 000,069,120 | ---- | M] () -- C:\Program Files\Canon\ImageBrowser EX\MFManager.exe
PRC - [2012/12/18 10:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/12/14 16:49:28 | 000,824,232 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/12/14 16:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/11/22 22:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012/10/10 22:15:04 | 001,258,856 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
PRC - [2012/10/02 15:29:14 | 000,864,616 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
PRC - [2012/10/02 15:28:55 | 001,820,520 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
PRC - [2012/10/02 14:15:38 | 000,382,824 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2012/09/28 15:42:08 | 000,298,376 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
PRC - [2012/09/28 15:19:16 | 007,392,648 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
PRC - [2012/08/23 00:09:24 | 001,707,632 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\Power2Go8\Power2GoExpress8.exe
PRC - [2012/06/15 22:24:19 | 000,138,272 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\19.9.1.14\ccsvchst.exe
PRC - [2012/06/07 23:34:06 | 000,111,120 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 08:16:54 | 000,100,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe
PRC - [2009/08/28 05:43:14 | 001,486,848 | R--- | M] (VIA) -- C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
PRC - [2009/07/13 21:14:41 | 000,354,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\StikyNot.exe
PRC - [2007/04/20 13:24:20 | 000,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxblcoms.exe


========== Modules (No Company Name) ==========

MOD - [2013/03/10 20:22:06 | 000,459,728 | ---- | M] () -- C:\Users\User\AppData\Local\Google\Chrome\Application\25.0.1364.172\ppgooglenaclpluginchrome.dll
MOD - [2013/03/10 20:22:05 | 012,662,224 | ---- | M] () -- C:\Users\User\AppData\Local\Google\Chrome\Application\25.0.1364.172\PepperFlash\pepflashplayer.dll
MOD - [2013/03/10 20:22:04 | 004,050,896 | ---- | M] () -- C:\Users\User\AppData\Local\Google\Chrome\Application\25.0.1364.172\pdf.dll
MOD - [2013/03/10 20:21:18 | 000,596,944 | ---- | M] () -- C:\Users\User\AppData\Local\Google\Chrome\Application\25.0.1364.172\libglesv2.dll
MOD - [2013/03/10 20:21:18 | 000,124,368 | ---- | M] () -- C:\Users\User\AppData\Local\Google\Chrome\Application\25.0.1364.172\libegl.dll
MOD - [2013/03/10 20:21:16 | 001,552,848 | ---- | M] () -- C:\Users\User\AppData\Local\Google\Chrome\Application\25.0.1364.172\ffmpegsumo.dll
MOD - [2013/02/14 21:41:49 | 013,199,360 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\806c4ba7d696ab586ffd774a31f1a66b\System.Windows.Forms.ni.dll
MOD - [2013/01/29 19:56:36 | 000,069,120 | ---- | M] () -- C:\Program Files\Canon\ImageBrowser EX\MFManager.exe
MOD - [2013/01/29 19:45:00 | 000,112,128 | ---- | M] () -- C:\Program Files\Canon\ImageBrowser EX\MFMFileSystemWatcher.dll
MOD - [2013/01/10 20:24:45 | 000,762,880 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\905d0fe3e43b186b139b93d8ed082208\System.Runtime.Remoting.ni.dll
MOD - [2013/01/09 22:24:00 | 001,667,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\b83993cc955262507c8ead67567c8060\System.Drawing.ni.dll
MOD - [2013/01/09 22:23:54 | 005,617,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\d884c684ee3f738a60e3c50dd5d88caa\System.Xml.ni.dll
MOD - [2013/01/09 22:23:51 | 000,982,528 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\cb72ac8478a5ea7e2d570bb710ecb1c1\System.Configuration.ni.dll
MOD - [2013/01/09 22:23:50 | 009,094,656 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\df418085cedae9fa2efee87e20a419a4\System.ni.dll
MOD - [2013/01/09 22:23:46 | 014,413,824 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\60c214b6ad5691e368a16ec65d127c27\mscorlib.ni.dll
MOD - [2012/08/27 23:18:11 | 000,176,656 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go8\CLVistaAudioMixer.dll
MOD - [2012/08/27 23:17:41 | 000,303,120 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go8\runtime\authoring\EditingMgrWrapperU.dll
MOD - [2012/08/27 23:17:27 | 001,694,736 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go8\runtime\authoring\AuroraU.dll
MOD - [2012/08/27 23:17:21 | 000,807,440 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go8\UNO.dll
MOD - [2012/08/01 06:47:06 | 001,319,024 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go8\Language\Enu\P2GRC.dll
MOD - [2012/06/08 11:34:06 | 000,016,400 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go8\CLMLSvcPS.dll
MOD - [2012/06/07 23:34:06 | 000,627,216 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go8\CLMediaLibrary.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/07/01 08:45:35 | 000,770,856 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go8\runtime\mediacache\MediaObj.dll
MOD - [2009/08/27 23:31:08 | 047,628,288 | R--- | M] () -- C:\Program Files\VIA\VIAudioi\VDeck\skin.dll
MOD - [2009/05/07 04:53:18 | 000,106,496 | R--- | M] () -- C:\Program Files\VIA\VIAudioi\VDeck\Dts2ApoApi.dll
MOD - [2009/05/07 04:50:46 | 000,073,728 | R--- | M] () -- C:\Program Files\VIA\VIAudioi\VDeck\QsApoApi.dll
MOD - [2008/02/14 01:57:00 | 000,094,208 | R--- | M] () -- C:\Program Files\VIA\VIAudioi\VDeck\VMicApi.dll


========== Services (SafeList) ==========

SRV - [2013/03/16 19:04:25 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/18 10:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/10/10 22:15:04 | 001,258,856 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012/10/02 14:15:38 | 000,382,824 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2012/09/28 15:19:16 | 007,392,648 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto | Running] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2012/06/15 22:24:19 | 000,138,272 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton AntiVirus\Engine\19.9.1.14\ccSvcHst.exe -- (NAV)
SRV - [2010/12/28 17:46:00 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/04/20 13:24:20 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxblcoms.exe -- (lxbl_device)


========== Driver Services (SafeList) ==========

DRV - [2013/03/21 21:52:15 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2013/01/16 21:12:08 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\VirusDefs\20130321.017\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/01/16 21:12:08 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\VirusDefs\20130321.017\NAVENG.SYS -- (NAVENG)
DRV - [2013/01/15 22:51:12 | 000,997,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\BASHDefs\20130301.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/10/10 22:14:28 | 010,837,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2012/09/28 15:14:58 | 000,033,792 | ---- | M] (Belcarra Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btblan.sys -- (Leapfrog-USBLAN)
DRV - [2012/08/31 20:27:25 | 000,386,720 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\Definitions\IPSDefs\20130321.001\IDSvix86.sys -- (IDSVix86)
DRV - [2012/08/09 21:01:05 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/09 21:01:05 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/07/05 22:17:57 | 000,574,112 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\NAV\1309010.00E\srtsp.sys -- (SRTSP)
DRV - [2012/07/05 22:17:57 | 000,032,928 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NAV\1309010.00E\srtspx.sys -- (SRTSPX)
DRV - [2012/06/07 00:43:43 | 000,132,768 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NAV\1309010.00E\ccsetx86.sys -- (ccSet_NAV)
DRV - [2012/05/21 21:37:12 | 000,924,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\System32\drivers\NAV\1309010.00E\symefa.sys -- (SymEFA)
DRV - [2012/04/17 22:13:32 | 000,318,584 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NAV\1309010.00E\symnets.sys -- (SymNetS)
DRV - [2012/04/17 21:42:14 | 000,149,624 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NAV\1309010.00E\ironx86.sys -- (SymIRON)
DRV - [2012/03/23 13:33:50 | 000,141,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/08/16 02:51:40 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\NAV\1309010.00E\symds.sys -- (SymDS)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/08/23 01:06:38 | 000,048,640 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1E62x86.sys -- (L1E)
DRV - [2009/08/17 07:17:44 | 001,077,760 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV - [2009/07/15 23:36:30 | 000,013,216 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {034429BA-9141-4B77-9C03-BAA7B87BA8B5}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?l...en-ca&OCID=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ca
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 8B E7 F1 E5 F2 45 CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\User\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\User\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.5.1.2\IPSFFPlgn\ [2012/03/18 20:05:52 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://search.condui...2651000527&UM=2
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\25.0.1364.172\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Disabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\25.0.1364.172\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\25.0.1364.172\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL
CHR - plugin: Java™ Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Google Update (Enabled) = C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - Extension: YouTube = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Google Search = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: Gmail = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\19.9.1.14\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [CLMLServer_For_P2G8] C:\Program Files\CyberLink\Power2Go8\CLMLSvc_P2G8.exe (CyberLink)
O4 - HKLM..\Run: [CLVirtualDrive] C:\Program Files\CyberLink\Power2Go8\VirtualDrive.exe (CyberLink Corp.)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)
O4 - HKCU..\Run: [Power2GoExpress8] C:\Program Files\CyberLink\Power2Go8\Power2GoExpress8.exe (CyberLink Corp.)
O4 - HKCU..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DCA48D31-8950-4BD9-A04B-170CA61F0AF6}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\intu-tt2010 {97A0575E-2309-4e75-8509-B1F9390C4DE7} - C:\Program Files\TurboTax 2010\ic2010pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-tt2011 {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - C:\Program Files\TurboTax 2011\ic2011pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-tt2012 {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files\TurboTax 2012\ic2012pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/03/21 21:50:52 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2013/03/21 21:50:52 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Malwarebytes
[2013/03/21 21:50:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/03/21 21:50:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/03/21 21:50:41 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013/03/21 21:50:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/03/21 21:50:24 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\Programs
[2013/03/21 20:32:34 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{946ABC37-5A20-4D69-97FC-C80DD405ECBA}
[2013/03/20 19:46:19 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{6A9A7EE6-400B-4B4B-8BD9-FEB036DA6C4E}
[2013/03/19 19:38:33 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{4DF8D8F2-A64D-4986-9864-F39D5ABAC36D}
[2013/03/18 13:40:42 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{A71A2F8F-7F55-421C-8D83-D181E1619C78}
[2013/03/18 01:40:02 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{9D1AB599-EFCC-4375-9933-9DF78770E62F}
[2013/03/17 21:43:11 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\NVIDIA
[2013/03/17 21:42:39 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\Power2Go8
[2013/03/17 21:37:29 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\CyberLink
[2013/03/17 21:37:29 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\CyberLink
[2013/03/17 21:33:16 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberLink WaveEditor 2
[2013/03/17 21:32:21 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberLink Power2Go 8
[2013/03/17 21:32:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\CyberLink
[2013/03/17 21:31:10 | 000,000,000 | ---D | C] -- C:\Program Files\CyberLink
[2013/03/17 21:28:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Temp
[2013/03/17 21:28:10 | 000,000,000 | ---D | C] -- C:\ProgramData\install_clap
[2013/03/17 21:24:07 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2013/03/17 21:23:54 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\Conduit
[2013/03/17 21:23:17 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\SearchProtect
[2013/03/17 21:23:15 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\CRE
[2013/03/17 21:23:12 | 000,000,000 | ---D | C] -- C:\ProgramData\CyberLink
[2013/03/17 13:39:09 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{06154FA9-82BD-4C93-BEB0-934D54C04A91}
[2013/03/16 19:51:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013/03/16 19:09:43 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2013/03/16 18:58:51 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{64B8A795-80E5-4251-BA4E-7343C4D7732B}
[2013/03/14 20:25:05 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{F63B7AA9-D885-4DD4-B841-FD5E4964FAE8}
[2013/03/11 20:02:01 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{6667E7AB-71F9-4EF7-8C82-D4D95353A93A}
[2013/03/10 12:41:42 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{EF05A093-C3A7-4531-AA2E-AF6F854A991C}
[2013/03/09 21:15:53 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{8A9B709F-371F-46D0-9462-65D8545D0BED}
[2013/03/09 09:15:13 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{A263D73C-3C23-4318-98AC-1C8D9703FEBC}
[2013/03/08 21:14:33 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{B614314F-1778-4C67-9FDC-1CDAC71F942B}
[2013/03/07 20:52:05 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{1D068A03-6520-4459-9FD3-7563DC3D7594}
[2013/03/06 19:11:26 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{86AC68A9-6E24-4091-9FEF-B01340C1AA5B}
[2013/03/05 21:20:49 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{CB417C1D-9A00-4DB8-9F05-2F008E71BB56}
[2013/03/04 20:54:06 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{783D8AF6-A019-4D24-81C3-4FB7B5465B4C}
[2013/03/03 22:26:28 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{E277DCDF-2293-4EAA-9E9C-EFF3FECA5327}
[2013/03/03 10:25:49 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{357D6067-53C7-4F2D-9F8E-2B672B42B66C}
[2013/03/02 14:43:43 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{4461B04A-53A1-48F1-B1BD-ECB584A92564}
[2013/03/01 21:44:16 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{A6CBB768-D039-45F9-A1CF-D40A2955257A}
[2013/02/28 20:49:02 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{FBEABAB9-38A1-4508-A880-2277F7B9B930}
[2013/02/27 21:43:12 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{2BD92E5F-9768-445F-B1C8-162E0837C231}
[2013/02/26 20:34:37 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{6792BB9C-A17F-4CBA-9494-028E2E696ADF}
[2013/02/25 20:15:15 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{DF485855-2228-4796-A0A0-09198F308B5F}
[2013/02/24 22:17:59 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{240B945A-2004-4952-9E0B-AA7BC2A954FF}
[2013/02/24 10:17:19 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{0B862DB7-F77F-4C38-92FC-087BF1BA1A29}
[2013/02/23 12:22:54 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{92D6B14B-4012-4474-AD6A-DE99BF72751C}
[2013/02/22 13:56:35 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{72B47266-9BD3-4F75-8B33-98DCD3076B99}
[2013/02/20 08:51:25 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{56285099-426B-44A1-A004-1B48347D0B6E}
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/03/21 22:37:05 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4215553431-3862215306-3237111303-1000UA.job
[2013/03/21 22:04:01 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/03/21 21:52:15 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2013/03/21 21:50:44 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/03/21 20:38:50 | 000,015,008 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/03/21 20:38:50 | 000,015,008 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/03/21 20:35:58 | 000,628,414 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/03/21 20:35:58 | 000,110,598 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/03/21 20:31:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/03/21 20:31:24 | 2817,925,120 | -HS- | M] () -- C:\hiberfil.sys
[2013/03/18 07:37:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4215553431-3862215306-3237111303-1000Core.job
[2013/03/17 22:07:52 | 000,007,600 | ---- | M] () -- C:\Users\User\AppData\Local\Resmon.ResmonCfg
[2013/03/17 21:33:16 | 000,002,145 | ---- | M] () -- C:\Users\Public\Desktop\WaveEditor.lnk
[2013/03/17 21:32:21 | 000,002,127 | ---- | M] () -- C:\Users\Public\Desktop\CyberLink Power2Go 8.lnk
[2013/03/17 21:24:38 | 000,000,009 | ---- | M] () -- C:\END
[2013/03/17 21:23:11 | 000,000,836 | ---- | M] () -- C:\Users\User\Desktop\CyberLink_Power2Go_Downloader.lnk
[2013/03/17 15:14:34 | 011,077,632 | ---- | M] () -- C:\Users\User\Desktop\dban-2.2.7_i586.iso
[2013/03/14 20:39:16 | 000,002,360 | ---- | M] () -- C:\Users\User\Desktop\Google Chrome.lnk
[2013/03/04 22:24:43 | 000,185,003 | ---- | M] () -- C:\Users\User\Documents\Payment Successful.pdf
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/03/21 21:50:43 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/03/17 21:33:15 | 000,002,145 | ---- | C] () -- C:\Users\Public\Desktop\WaveEditor.lnk
[2013/03/17 21:32:20 | 000,002,127 | ---- | C] () -- C:\Users\Public\Desktop\CyberLink Power2Go 8.lnk
[2013/03/17 21:23:11 | 000,000,836 | ---- | C] () -- C:\Users\User\Desktop\CyberLink_Power2Go_Downloader.lnk
[2013/03/17 21:23:08 | 000,000,009 | ---- | C] () -- C:\END
[2013/03/17 21:06:32 | 011,077,632 | ---- | C] () -- C:\Users\User\Desktop\dban-2.2.7_i586.iso
[2013/03/04 22:24:15 | 000,185,003 | ---- | C] () -- C:\Users\User\Documents\Payment Successful.pdf
[2011/12/29 11:58:30 | 000,000,287 | ---- | C] () -- C:\Windows\PowerReg.dat
[2011/06/18 09:41:46 | 000,027,650 | ---- | C] () -- C:\Windows\System32\icnotli.dll
[2011/06/18 09:41:46 | 000,020,482 | ---- | C] () -- C:\Windows\System32\eytauni.dll
[2011/04/19 00:02:35 | 000,007,600 | ---- | C] () -- C:\Users\User\AppData\Local\Resmon.ResmonCfg
[2011/01/08 12:05:24 | 001,760,039 | ---- | C] () -- C:\Users\User\IMG_3553.JPG
[2011/01/08 12:05:24 | 001,584,105 | ---- | C] () -- C:\Users\User\IMG_3554.JPG
[2011/01/08 12:05:24 | 000,153,600 | ---- | C] () -- C:\Users\User\01149946.dot
[2011/01/08 11:17:47 | 000,018,591 | ---- | C] () -- C:\Users\User\Re_ Potential role with our client Everest.eml

========== ZeroAccess Check ==========

[2009/07/14 00:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 00:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 08:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 21:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/07/14 10:27:22 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\canon
[2012/07/14 10:38:29 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Canon_Inc_IC
[2011/04/21 08:37:39 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\OpenCandy
[2013/03/17 21:23:17 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\SearchProtect

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 836 bytes -> C:\Users\User\Re_ Potential role with our client Everest.eml:OECustomProperty

< End of report >

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.22.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
User :: MARSH [administrator]

Protection: Enabled

21/03/2013 9:52:50 PM
MBAM-log-2013-03-21 (22-56-13).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 393809
Time elapsed: 1 hour(s), 3 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\User\Downloads\setup.exe (PUP.BundleInstaller.VG) -> No action taken.

(end)

Edited by Ian7, 21 March 2013 - 09:07 PM.

  • 0

#2
Jintan

Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
A belated welcome to Geeks2Go Ian7,

One adware search hijacker change showing, but not much more than that. Please post back if you still need assistance, and we will take up from there.
  • 0

#3
Ian7

Ian7

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi Jintan, thanks for looking at this. Good that there is only one item. What is it and how do I remove it? If it is PUP.BundleInstaller.VG, the software prompted me to remove it. Not sure if it was able to or not as it still shows.

Thanks.

Ian
  • 0

#4
Jintan

Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
That PUP was an adware bundled installer, though not sure what it installed. Just need to run some specialty scans, then follow up with a finishing scan.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.



Download RogueKiller from here to your desktop.

Close all open programs
Remember to right click -> run as administrator, and click the downloaded file.
When RogueKiller finishes its opening scan, press the Scan button.
A RKreport.txt will be created in the same location as the RogueKiller file.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe, and try again.

Please post the contents of the RKreport.txt.

---------

Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

  • 0

#5
Ian7

Ian7

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Jintan, here is the RogueKiller report. I will do the other one tonight.

Ian


RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : User [Admin rights]
Mode : Remove -- Date : 04/04/2013 07:10:41
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x82CDFB8B -> HOOKED (Unknown @ 0x87249070)
SSDT[14] : NtAlertThread @ 0x82C32BB0 -> HOOKED (Unknown @ 0x87249150)
SSDT[19] : NtAllocateVirtualMemory @ 0x82C2BBBC -> HOOKED (Unknown @ 0x87249AC8)
SSDT[22] : NtAlpcConnectPort @ 0x82C7737E -> HOOKED (Unknown @ 0x86B20158)
SSDT[43] : NtAssignProcessToJobObject @ 0x82C00FEC -> HOOKED (Unknown @ 0x87248818)
SSDT[74] : NtCreateMutant @ 0x82C1227A -> HOOKED (Unknown @ 0x87248DC0)
SSDT[86] : NtCreateSymbolicLinkObject @ 0x82C038F4 -> HOOKED (Unknown @ 0x87248538)
SSDT[87] : NtCreateThread @ 0x82CDDDC6 -> HOOKED (Unknown @ 0x87249FB0)
SSDT[88] : NtCreateThreadEx @ 0x82C722AB -> HOOKED (Unknown @ 0x87248628)
SSDT[96] : NtDebugActiveProcess @ 0x82CAFCBA -> HOOKED (Unknown @ 0x872488F8)
SSDT[111] : NtDuplicateObject @ 0x82C3364A -> HOOKED (Unknown @ 0x87249C98)
SSDT[131] : NtFreeVirtualMemory @ 0x82ABA7FC -> HOOKED (Unknown @ 0x87249880)
SSDT[145] : NtImpersonateAnonymousToken @ 0x82BF78DE -> HOOKED (Unknown @ 0x87248EB0)
SSDT[147] : NtImpersonateThread @ 0x82C7B772 -> HOOKED (Unknown @ 0x87248F90)
SSDT[155] : NtLoadDriver @ 0x82BC7C14 -> HOOKED (Unknown @ 0x86B73138)
SSDT[168] : NtMapViewOfSection @ 0x82C484D9 -> HOOKED (Unknown @ 0x87249780)
SSDT[177] : NtOpenEvent @ 0x82C11C76 -> HOOKED (Unknown @ 0x87248CE0)
SSDT[190] : NtOpenProcess @ 0x82C13AC1 -> HOOKED (Unknown @ 0x87249E78)
SSDT[191] : NtOpenProcessToken @ 0x82C6617F -> HOOKED (Unknown @ 0x87249BB8)
SSDT[194] : NtOpenSection @ 0x82C6B7FB -> HOOKED (Unknown @ 0x87248B20)
SSDT[198] : NtOpenThread @ 0x82C5FF05 -> HOOKED (Unknown @ 0x87249D88)
SSDT[215] : NtProtectVirtualMemory @ 0x82C44539 -> HOOKED (Unknown @ 0x87248728)
SSDT[304] : NtResumeThread @ 0x82C724D2 -> HOOKED (Unknown @ 0x87249230)
SSDT[316] : NtSetContextThread @ 0x82CDF637 -> HOOKED (Unknown @ 0x872494D0)
SSDT[333] : NtSetInformationProcess @ 0x82C3A75D -> HOOKED (Unknown @ 0x872495B0)
SSDT[350] : NtSetSystemInformation @ 0x82C5023C -> HOOKED (Unknown @ 0x872489D8)
SSDT[366] : NtSuspendProcess @ 0x82CDFAC7 -> HOOKED (Unknown @ 0x87248C00)
SSDT[367] : NtSuspendThread @ 0x82C96FAB -> HOOKED (Unknown @ 0x87249310)
SSDT[370] : NtTerminateProcess @ 0x82C5CB9D -> HOOKED (Unknown @ 0x87246380)
SSDT[371] : NtTerminateThread @ 0x82C7A4AB -> HOOKED (Unknown @ 0x872493F0)
SSDT[385] : NtUnmapViewOfSection @ 0x82C667BA -> HOOKED (Unknown @ 0x872496A0)
SSDT[399] : NtWriteVirtualMemory @ 0x82C6189A -> HOOKED (Unknown @ 0x87249970)
S_SSDT[318] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x87ACF4C8)
S_SSDT[402] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x87AB6410)
S_SSDT[434] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x87AD25F0)
S_SSDT[436] : NtUserGetKeyState -> HOOKED (Unknown @ 0x87A41A90)
S_SSDT[448] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x87797128)
S_SSDT[490] : NtUserMessageCall -> HOOKED (Unknown @ 0x877B7128)
S_SSDT[508] : NtUserPostMessage -> HOOKED (Unknown @ 0x877AB128)
S_SSDT[509] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x877B1128)
S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x87ACC4A0)
S_SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x87A3C0F0)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST31000528AS ATA Device +++++
--- User ---
[MBR] 9a7c6f5f41892b710a438c04e0772502
[BSP] 1af0b864820674c65070a4890eb04ba5 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Hitachi HDP725050GLA360 USB Device +++++
--- User ---
[MBR] 88eba3f88babdcf2801dfe2b67531517
[BSP] 8f3f21d15bfe0b2d7418c6e43969e656 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_04042013_02d0710.txt >>
RKreport[1]_S_04032013_02d2018.txt ; RKreport[2]_D_04042013_02d0710.txt
  • 0

#6
Jintan

Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
RogueKiller suggests rootkit activity, but it could just be Norton. Does RogueKiller show any blinking red warning, such as a warning about ZAccess? Post the other log when ready.
  • 0
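The SSDT and shadow-SSDT lines in the RogueKiller report above are what Jintan reads as possible rootkit activity that may just be Norton. As an added example, not part of the thread and not RogueKiller's own code, this Python snippet parses those lines and groups the hook addresses into contiguous regions, a first step toward deciding whether one known driver owns them or something unattributed does. The sample input is copied from the report above; the 1 MiB gap threshold is an assumption.

```python
import re

# Constructed sample input: six lines copied from the RogueKiller "Driver"
# section of the report posted above, with the section markers around them.
SAMPLE_REPORT = """\
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x82CDFB8B -> HOOKED (Unknown @ 0x87249070)
SSDT[22] : NtAlpcConnectPort @ 0x82C7737E -> HOOKED (Unknown @ 0x86B20158)
SSDT[155] : NtLoadDriver @ 0x82BC7C14 -> HOOKED (Unknown @ 0x86B73138)
SSDT[190] : NtOpenProcess @ 0x82C13AC1 -> HOOKED (Unknown @ 0x87249E78)
S_SSDT[402] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x87AB6410)
S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x87ACC4A0)

¤¤¤ HOSTS File: ¤¤¤
"""

# One hook line: table, index, syscall name, optional original address (the
# shadow-table lines omit it), owner ("Unknown" when RogueKiller cannot
# attribute the hook to a module) and the address the hook points at.
HOOK_RE = re.compile(
    r"^(?P<table>S_SSDT|SSDT)\[(?P<index>\d+)\] : (?P<func>\w+)"
    r"(?: @ 0x(?P<orig>[0-9A-Fa-f]+))? -> HOOKED "
    r"\((?P<owner>[^@]+?) @ 0x(?P<hook>[0-9A-Fa-f]+)\)$"
)

def parse_hooks(report):
    """Return one dict per SSDT / shadow-SSDT hook line in the report."""
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({"table": m["table"], "index": int(m["index"]),
                          "func": m["func"], "owner": m["owner"].strip(),
                          "hook": int(m["hook"], 16)})
    return hooks

def cluster_hook_addresses(hooks, max_gap=0x100000):
    """Group hook addresses within max_gap (1 MiB, an assumed threshold) of the
    previous one; one contiguous region is usually one loaded driver."""
    clusters = []
    for addr in sorted(h["hook"] for h in hooks):
        if clusters and addr - clusters[-1][-1] <= max_gap:
            clusters[-1].append(addr)
        else:
            clusters.append([addr])
    return clusters

def summarize(report):
    """Hook count, how many are unattributed, and the address regions involved."""
    hooks = parse_hooks(report)
    regions = [(c[0], c[-1], len(c)) for c in cluster_hook_addresses(hooks)]
    return {"hooks": len(hooks),
            "unattributed": sum(h["owner"] == "Unknown" for h in hooks),
            "regions": regions}
```

Fed the whole Driver section of the report above, summarize reports 42 hooks, all unattributed, in four address regions; which driver owns each region is exactly the Norton-or-not attribution question Jintan raises.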