Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Virus on my computer opens new browser windows randomly and adds links

Started by scmba , Jan 29 2014 11:20 AM

  • This topic is locked This topic is locked

#1
scmba
Posted 29 January 2014 - 11:20 AM

scmba

    Member

  • Member
  • PipPipPip
  • 109 posts
Hi

My kids were searching for stuff and hit a virus somewhere: started by opening random IE windows to weird websites and added links/favorites to my IE and firefox browsers. So I'm not sure if its malware, trojan or what but there is something on my computer. The URL that comes up is: https://web.winstat.us/cc7ml1/. It says that I need to update my IE explorer - Outdated Browser Detected. Thanks soooo much for your help. Here is my OTL:

OTL logfile created on: 1/29/2014 9:00:04 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kids\Contacts\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16736)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.49 Gb Total Physical Memory | 3.79 Gb Available Physical Memory | 69.00% Memory free
10.99 Gb Paging File | 8.90 Gb Available in Paging File | 81.05% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 440.59 Gb Total Space | 383.17 Gb Free Space | 86.97% Space Free | Partition Type: NTFS
Drive D: | 702.82 Mb Total Space | 693.37 Mb Free Space | 98.66% Space Free | Partition Type: UDF

Computer Name: MISTERMAGIC | User Name: Kids | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/01/29 08:58:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kids\Contacts\Desktop\OTL.exe
PRC - [2014/01/02 16:46:10 | 030,714,328 | ---- | M] (Dropbox, Inc.) -- C:\Users\Kids\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2013/12/20 22:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2013/11/15 16:31:46 | 000,275,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2013/10/08 18:42:20 | 001,862,536 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
PRC - [2013/09/04 05:36:29 | 000,084,024 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
PRC - [2013/09/04 05:35:51 | 000,108,088 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2013/09/04 05:35:50 | 000,347,192 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2013/08/13 10:07:34 | 000,953,344 | ---- | M] (Torling Company) -- C:\Program Files (x86)\GorillaPrice\GorillaPrice.exe
PRC - [2013/08/10 09:26:50 | 000,071,168 | ---- | M] () -- C:\ProgramData\GorillaPrice\watgorp.exe
PRC - [2011/06/08 07:41:42 | 000,118,784 | ---- | M] (Lenovo) -- C:\Windows\jmesoft\hotkey.exe
PRC - [2011/05/17 12:54:44 | 000,024,576 | ---- | M] () -- C:\Windows\jmesoft\JME_LOAD.exe
PRC - [2011/03/15 19:47:40 | 000,032,768 | ---- | M] () -- C:\Windows\jmesoft\Service.exe
PRC - [2009/12/04 15:59:28 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe
PRC - [2009/08/21 15:44:52 | 002,281,488 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\UI.exe


========== Modules (No Company Name) ==========

MOD - [2014/01/02 16:45:04 | 003,558,400 | ---- | M] () -- C:\Users\Kids\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll
MOD - [2013/11/15 16:31:46 | 003,363,952 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2013/10/18 15:55:02 | 025,100,288 | ---- | M] () -- C:\Users\Kids\AppData\Roaming\Dropbox\bin\libcef.dll
MOD - [2013/10/08 18:42:20 | 016,233,864 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll
MOD - [2009/12/04 16:04:32 | 000,013,096 | ---- | M] () -- C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvcPS.dll
MOD - [2009/12/04 15:59:54 | 000,619,816 | ---- | M] () -- C:\Program Files (x86)\Lenovo\Power2Go\CLMediaLibrary.dll
MOD - [2009/08/21 15:44:52 | 002,281,488 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\UI.exe
MOD - [2009/04/06 15:27:32 | 000,032,768 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\dllMultiLanguage.dll
MOD - [2009/04/06 15:27:26 | 000,098,304 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\dllPublicFunc.dll
MOD - [2009/01/05 20:12:12 | 000,159,744 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\dllCommonCtrl.dll
MOD - [2007/12/06 10:24:26 | 001,167,360 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\acAuth.dll


========== Services (SafeList) ==========

SRV:64bit: - [2013/05/26 21:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2011/08/18 15:44:02 | 000,361,984 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV:64bit: - [2011/08/10 00:45:54 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2010/09/22 17:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV - [2013/12/20 22:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013/11/15 16:31:46 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/10/08 18:42:20 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/09/04 05:36:29 | 000,084,024 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2013/09/04 05:35:51 | 000,108,088 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2013/08/10 09:26:50 | 000,071,168 | ---- | M] () [Auto | Running] -- C:\ProgramData\GorillaPrice\watgorp.exe -- (WatGorp)
SRV - [2011/03/15 19:47:40 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\Windows\jmesoft\Service.exe -- (JME Keyboard)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 13:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2013/09/04 05:36:40 | 000,132,088 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2013/09/04 05:36:40 | 000,105,344 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2013/03/29 15:41:18 | 000,028,600 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avkmgr.sys -- (avkmgr)
DRV:64bit: - [2012/04/24 11:10:30 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2012/04/24 11:10:30 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2012/02/29 22:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/08/10 01:43:24 | 010,201,600 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2011/08/10 01:43:24 | 010,201,600 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/08/10 00:07:10 | 000,310,784 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/06/06 02:07:00 | 000,231,440 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2011/05/16 06:55:28 | 000,533,096 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2010/11/20 19:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 19:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 19:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/07/20 01:43:22 | 000,247,400 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2010/02/18 08:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64)
DRV:64bit: - [2009/07/21 13:20:06 | 000,121,840 | ---- | M] (CyberLink) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wsvd.sys -- (wsvd)
DRV:64bit: - [2009/07/13 17:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 17:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 17:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 12:35:33 | 000,389,120 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:64bit: - [2009/06/10 12:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 12:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 12:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 12:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/03/03 14:24:28 | 000,870,400 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr28ux.sys -- (netr28ux)
DRV - [2009/07/13 17:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {41BC76BF-A631-435A-B120-A90B7664DA1A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...=LEND&bmod=LEND
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKCU\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKCU\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/...Date=15/09/2013
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.co...ng}&rlz=1I7LEND
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Web Search"
FF - prefs.js..browser.search.defaultthis.engineName: "xvidly3 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://finance.yahoo.com/"
FF - prefs.js..extensions.enabledAddons: %7Ba131ab52-77f3-4bd7-acc7-e2dfdfd298f0%7D:1.0
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:25.0.1
FF - prefs.js..keyword.URL: "http://feed.snap.do/...=15/09/2013&q="


FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF64_11_9_900_117.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{a131ab52-77f3-4bd7-acc7-e2dfdfd298f0}: C:\Program Files (x86)\Mozilla Firefox\extensions\{a131ab52-77f3-4bd7-acc7-e2dfdfd298f0}.xpi [2013/08/05 04:17:58 | 000,003,989 | ---- | M] ()
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 25.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 25.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 25.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 25.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012/10/14 11:51:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kids\AppData\Roaming\Mozilla\Extensions
[2013/09/26 15:27:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\zalxh0au.default\extensions
[2013/08/13 16:58:21 | 000,000,000 | ---D | M] (LyricsShow) -- C:\Users\Kids\AppData\Roaming\Mozilla\Firefox\Profiles\zalxh0au.default\extensions\126
[2013/11/15 16:31:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2013/11/15 16:31:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2013/11/15 16:31:46 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2013/11/15 16:31:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\distribution\extensions
[2013/11/15 16:31:43 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files (x86)\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2013/08/05 04:17:58 | 000,003,989 | ---- | M] () (No name found) -- C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\EXTENSIONS\{A131AB52-77F3-4BD7-ACC7-E2DFDFD298F0}.XPI

========== Chrome ==========

CHR - default_search_provider: Delta Search (Enabled)
CHR - default_search_provider: search_url = http://www1.delta-se..._Dmntr&tsp=4974
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://feed.snap.do/...Date=15/09/2013
CHR - plugin: First user (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - plugin: Error reading preferences file
CHR - Extension: QuickShare Widget = C:\Users\Kids\AppData\Local\Google\Chrome\User Data\Default\Extensions\amfclgbdpgndipgoegfpkkgobahigbcl\1.4_0\
CHR - Extension: xvidly3 = C:\Users\Kids\AppData\Local\Google\Chrome\User Data\Default\Extensions\kimdndlhnimhdcchmglaendkednpejjn\10.16.100.4_0\
CHR - Extension: Chrome In-App Payments service = C:\Users\Kids\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0\

O1 HOSTS File: ([2009/06/10 13:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20121015090325.dll File not found
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20121015090325.dll File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [GorillaPrice] C:\Program Files (x86)\GorillaPrice\GorillaPrice.exe (Torling Company)
O4 - HKLM..\Run: [jmekey] C:\Windows\jmesoft\hotkey.exe (Lenovo)
O4 - HKLM..\Run: [jmesoft] C:\Windows\jmesoft\ServiceLoader.exe ()
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePRCShortCut] C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKCU..\Run: [GorillaPrice] C:\Program Files (x86)\GorillaPrice\GorillaPrice.exe (Torling Company)
O4 - HKCU..\Run: [Medialink Utilty] C:\Program Files (x86)\Medialink\MWN-USB150N\UI.exe ()
O4 - HKCU..\Run: [MPOptimizer] "C:\Program Files\MaxPerforma Optimizer\MaxPerforma.exe" /scan File not found
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_117_Plugin.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Kids\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C55B70B6-81CD-4D1C-B948-3EE882D310EA}: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E0A66E06-343B-4876-8458-EAFC05969EE4}: DhcpNameServer = 75.75.75.75 75.75.76.76
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2014/01/29 08:58:35 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Kids\Contacts\Desktop\OTL.exe
[2014/01/29 08:00:28 | 000,030,208 | ---- | C] (Meetinghouse Data Communications) -- C:\windows\SysNative\drivers\AegisP.sys
[2014/01/29 08:00:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Medialink
[2014/01/29 08:00:20 | 000,870,400 | ---- | C] (Ralink Technology Corp.) -- C:\windows\SysNative\drivers\netr28ux.sys
[2014/01/29 08:00:19 | 000,303,616 | ---- | C] (Ralink Technology, Inc.) -- C:\windows\SysNative\RaCoInstx.dll
[2014/01/29 08:00:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Medialink
[2014/01/29 08:00:04 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Roaming\InstallShield
[2014/01/20 12:31:32 | 000,000,000 | ---D | C] -- C:\Users\Kids\AppData\Local\Diagnostics
[2012/04/24 11:26:55 | 001,914,000 | ---- | C] (Adobe Systems Incorporated) -- C:\ProgramData\flashax10.exe

========== Files - Modified Within 30 Days ==========

[2014/01/29 08:58:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kids\Contacts\Desktop\OTL.exe
[2014/01/29 08:56:20 | 000,000,912 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/01/29 08:56:00 | 000,000,908 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/01/29 08:42:00 | 000,000,830 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2014/01/29 08:35:57 | 000,020,688 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/01/29 08:35:57 | 000,020,688 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/01/29 08:34:26 | 000,001,051 | ---- | M] () -- C:\Users\Kids\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2014/01/29 08:34:01 | 000,001,023 | ---- | M] () -- C:\Users\Kids\Contacts\Desktop\Dropbox.lnk
[2014/01/29 08:33:48 | 000,726,316 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2014/01/29 08:33:48 | 000,623,940 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2014/01/29 08:33:48 | 000,106,316 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2014/01/29 08:28:02 | 000,030,208 | ---- | M] (Meetinghouse Data Communications) -- C:\windows\SysNative\drivers\AegisP.sys
[2014/01/29 08:27:31 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2014/01/29 08:26:55 | 129,511,423 | -HS- | M] () -- C:\hiberfil.sys
[2014/01/29 08:21:07 | 000,001,000 | ---- | M] () -- C:\Users\Kids\AppData\Local\RT2870_{C55B70B6-81CD-4D1C-B948-3EE882D310EA}_wsc
[2014/01/29 08:17:21 | 000,000,838 | ---- | M] () -- C:\Users\Kids\AppData\Local\RT2870_{C55B70B6-81CD-4D1C-B948-3EE882D310EA}_sta
[2014/01/29 08:17:21 | 000,000,834 | ---- | M] () -- C:\Users\Kids\AppData\Local\RT2870_{C55B70B6-81CD-4D1C-B948-3EE882D310EA}_prof
[2014/01/29 08:00:26 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\MWN-USB150N.lnk

========== Files Created - No Company Name ==========

[2014/01/29 08:21:07 | 000,001,000 | ---- | C] () -- C:\Users\Kids\AppData\Local\RT2870_{C55B70B6-81CD-4D1C-B948-3EE882D310EA}_wsc
[2014/01/29 08:17:20 | 000,000,838 | ---- | C] () -- C:\Users\Kids\AppData\Local\RT2870_{C55B70B6-81CD-4D1C-B948-3EE882D310EA}_sta
[2014/01/29 08:17:20 | 000,000,834 | ---- | C] () -- C:\Users\Kids\AppData\Local\RT2870_{C55B70B6-81CD-4D1C-B948-3EE882D310EA}_prof
[2014/01/29 08:00:27 | 000,013,931 | ---- | C] () -- C:\windows\SysWow64\RaCoInst.dat
[2014/01/29 08:00:27 | 000,013,931 | ---- | C] () -- C:\windows\SysWow64\drivers\RaCoInst.dat
[2014/01/29 08:00:27 | 000,013,931 | ---- | C] () -- C:\windows\SysNative\RaCoInst.dat
[2014/01/29 08:00:27 | 000,013,931 | ---- | C] () -- C:\windows\SysNative\drivers\RaCoInst.dat
[2014/01/29 08:00:26 | 000,000,822 | ---- | C] () -- C:\Users\Public\Desktop\MWN-USB150N.lnk
[2013/07/20 09:02:19 | 000,017,920 | ---- | C] () -- C:\Users\Kids\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/07/20 09:02:04 | 001,229,097 | ---- | C] () -- C:\windows\unins000.exe
[2013/07/20 09:02:04 | 000,216,064 | ---- | C] ( ) -- C:\windows\SysWow64\Lagarith.dll
[2013/07/20 09:02:04 | 000,076,332 | ---- | C] () -- C:\windows\unins000.dat
[2012/04/24 11:23:04 | 000,201,728 | ---- | C] () -- C:\windows\SetDrive.exe
[2012/04/24 11:23:04 | 000,036,864 | ---- | C] () -- C:\windows\WinWait.exe

========== ZeroAccess Check ==========

[2009/07/13 20:55:00 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2013/07/25 18:24:57 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/07/25 17:55:59 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 17:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 19:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 17:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== Files - Unicode (All) ==========
[2013/09/07 12:49:04 | 096,533,415 | ---- | M] ()(C:\windows\SysWow64\????) -- C:\windows\SysWow64\㓱ﳚᵌ™
[2013/09/07 12:49:04 | 096,533,415 | ---- | C] ()(C:\windows\SysWow64\????) -- C:\windows\SysWow64\㓱ﳚᵌ™

< End of report >
  • 0

Advertisements

#2
scmba
Posted 29 January 2014 - 11:29 AM

scmba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
Also, there were all these programs like "gorilla price" added to my computer, which I removed. One I can't remove is something called, "Quickshare" by a company called Linkury Inc, everytime I try to remove that program, some other popup comes up and then cancels the remove.
  • 0

#3
Biscuithd
Posted 29 January 2014 - 11:31 AM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts
Hello Scmba and Posted Image:

My name is Biscuithd and I am going to be helping you with your malware removal. Please note that, I am currently still in training, so all of my posts have to be reviewed by my instructor prior to me posting them.

Before we continue, please note,

  • If you do not understand any of my instructions, then feel free to ask me and I will explain in further detail.
  • Some of my instructions might need to be carried out in safe mode (or be lengthy), where you will not have access to GeeksToGo, I suggest you save or print my instructions for later reference.
  • Please do NOT use any other tools, fixes or scripts unless instructed to do so. Not only could this damage your system, but it will make it harder to fix your issue.
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
  • If I have not responded in three (3) days, feel free to PM me.
There should be another log called Extras.txt that was produced from your initial run of OTL. It will be located in the same place as where you ran OTL from, in this case on you Desktop. Please post that log in your next reply. I'm currently working on a fix for your machine and will post when it is approved. Posted Image
  • 0

#4
Biscuithd
Posted 29 January 2014 - 11:37 AM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Also, there were all these programs like "gorilla price" added to my computer, which I removed. One I can't remove is something called, "Quickshare" by a company called Linkury Inc, everytime I try to remove that program, some other popup comes up and then cancels the remove.

Yes, just on a quick look of your log I saw that. Don't try and remove any more and if you can avoid using the machine, please do so.Gorilla Price is actually a back door.

Backdoor Trojans, IRCBots, keyloggers and Infostealers are very dangerous because they provide a way of accessing a computer system that bypasses security mechanisms and can steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, I suggest you do the following.

  • All passwords should be changed to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If you use the infected computer, an attacker may get the new passwords and transaction information.
  • Banking and credit card institutions should be notified of the possible security breach.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I'll do a full analysis of the machine, let you know what all I see and then you can decide if you want to clean the machine or do a reinstall. Sound good?
  • 0

#5
scmba
Posted 29 January 2014 - 12:19 PM

scmba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
Yes, sounds good. Do you guide me thru the reinstall?
  • 0

#6
Biscuithd
Posted 29 January 2014 - 12:22 PM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts
Yes, but hang on before we start to reinstall. Post your Extras.txt first and let me run my full analysis by my instructor.

I've got the OTL.txt analyzed and he may tell me that things are not as dire as I first suspected.
  • 0

#7
scmba
Posted 30 January 2014 - 09:15 AM

scmba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
where do I get the extras.txt?
  • 0

#8
Biscuithd
Posted 30 January 2014 - 09:17 AM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

It will be located in the same place as where you ran OTL from, in this case on you Desktop.

This was in Post #3, but I wrote so much in there that you problem missed it. Sorry,

In any case, based on where you ran OTL from, it should be on your Desktop.
  • 0

#9
scmba
Posted 30 January 2014 - 09:35 AM

scmba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
Ok, found Extras.txt:

OTL Extras logfile created on: 1/29/2014 9:00:04 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kids\Contacts\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16736)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.49 Gb Total Physical Memory | 3.79 Gb Available Physical Memory | 69.00% Memory free
10.99 Gb Paging File | 8.90 Gb Available in Paging File | 81.05% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 440.59 Gb Total Space | 383.17 Gb Free Space | 86.97% Space Free | Partition Type: NTFS
Drive D: | 702.82 Mb Total Space | 693.37 Mb Free Space | 98.66% Space Free | Partition Type: UDF

Computer Name: MISTERMAGIC | User Name: Kids | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
.url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{028591EB-C1DB-49A1-B38F-DF7BCCCF24B1}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{0398E7CB-2D3F-4BB5-AAC3-FD69B0D5830A}" = lport=139 | protocol=6 | dir=in | app=system |
"{069E239A-9805-4847-AA53-52653FECA2B3}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{0AF843FC-BA5B-459D-B06D-63D616501ABB}" = rport=137 | protocol=17 | dir=out | app=system |
"{2FAA3840-AEA8-4212-8688-82FB0DF46F70}" = lport=10243 | protocol=6 | dir=in | app=system |
"{347BA453-12E7-43FD-9BD3-63984E768922}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{3CB6B099-3488-4C5E-BA34-299D962FFA96}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=file and printer sharing (spooler service - rpc-epmap) |
"{47929F29-719E-4085-8BAF-3CF035E3CB67}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{5638141B-A799-46CF-BE09-621D01DCC6A7}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{59AB35D0-3E15-42DC-88EA-C9D4F2D9DA2A}" = rport=10243 | protocol=6 | dir=out | app=system |
"{5A01D03C-7665-4F42-A383-CDFC66B7470F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{60A64FF9-9E85-4CB4-81CD-61D2CC1D8041}" = lport=138 | protocol=17 | dir=in | app=system |
"{6126C1E8-F576-4992-88E4-67AC8ED5C6C8}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{66CCB91E-D785-4809-BBCF-585967D778B2}" = rport=139 | protocol=6 | dir=out | app=system |
"{6C95647F-42BB-4E87-A433-A354A8ACCC5E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{72FEC946-BF6B-4EA5-A509-D1CA78B1B495}" = lport=2869 | protocol=6 | dir=in | app=system |
"{74397592-BECD-4FBD-8E22-9886EA708549}" = rport=138 | protocol=17 | dir=out | app=system |
"{8ABC2225-1B51-404A-B3BB-4EECE5F012B7}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{90A0AEA8-F720-4AA7-80FA-F7902AE5A6CA}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{988C76FD-1278-4A00-9FF7-25F8D0362DF6}" = rport=445 | protocol=6 | dir=out | app=system |
"{A53FF1B7-CCA5-4A93-98B8-3227C5561549}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\outlook.exe |
"{C68B6575-B0E3-461A-B9E2-2842E8D5F25C}" = lport=137 | protocol=17 | dir=in | app=system |
"{DBD96B84-3DC6-4A12-8B15-793EBC30AD80}" = lport=445 | protocol=6 | dir=in | app=system |
"{F0E1E06C-FB8B-4047-B8FC-BCE89F8215C6}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0F2E9633-08C7-4959-A4CA-D706D12BFB7A}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{10A9BE87-BBB7-4741-A75F-E997B1C06AAF}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
"{31FAFF04-F498-408D-A53B-3863A4269145}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{3DD87C4A-CA19-46FB-AEB4-2B802B17930C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{49CAA084-FCC7-4778-BBFA-A11406B73C45}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{4AB8DAF0-1FC9-4369-B7A7-499945777465}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{54EBD8C3-3DA0-40AF-B3E2-1ABBF351ADA5}" = protocol=6 | dir=out | app=system |
"{584287A8-6A12-4245-B2BC-AC0E379E6DB0}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{687D948C-796C-4C7D-947C-DF353AA218D6}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
"{6CB7C06C-290A-40F1-A525-80671B9CA186}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{6ED9BDA5-744B-42DE-BF74-AFA9716AED3B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{80B59CD9-E13D-49DF-ACE8-DA13A5BC82E2}" = protocol=1 | dir=out | name=file and printer sharing (echo request - icmpv4-out) |
"{89537C38-40EC-447A-AD30-58DF7F668153}" = protocol=58 | dir=out | name=file and printer sharing (echo request - icmpv6-out) |
"{98CB6D8B-DB8C-446C-BD88-9988BA827108}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{A0810B93-018C-4FC7-ABEF-1E732EB8BE17}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{ADA73739-86DD-4BE4-AD4A-231D8B43105D}" = protocol=17 | dir=in | app=c:\users\kids\appdata\roaming\dropbox\bin\dropbox.exe |
"{B9E4A9CE-CC95-4982-BAA9-40B43EF2B4E6}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe |
"{CCEE7C30-679E-4B3A-9746-A48327FE0BE0}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{CDBC83DD-7158-4451-BDDE-29DA9AAEA0A7}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
"{D3B211AD-D6A4-4244-B9E1-58A108F3B246}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{D52F46A0-3D0F-4955-B872-A0B9894C2342}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{DA1613B0-BE17-4DB5-8B33-1F0096F1FC4C}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{EE486E89-6049-46F5-BE4F-56C8CDE5DA6A}" = protocol=58 | dir=in | name=file and printer sharing (echo request - icmpv6-in) |
"{F320CF22-1D3A-4638-891E-BBB427111A8B}" = protocol=1 | dir=in | name=file and printer sharing (echo request - icmpv4-in) |
"{F51BC051-C680-4AA1-96EF-2547D3488773}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F7BC466D-200D-4617-8B0F-602CCB1952EB}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{F7D7D3D0-4E89-4296-B196-AC53A0641E88}" = protocol=6 | dir=in | app=c:\users\kids\appdata\roaming\dropbox\bin\dropbox.exe |
"{FF5D4BDC-1F2B-4416-949B-D06F8CD9CF34}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"TCP Query User{7DDC119A-D4B7-47E2-A7C9-04836F302B60}C:\users\kids\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\kids\appdata\roaming\dropbox\bin\dropbox.exe |
"TCP Query User{8BC81107-B50D-4433-8883-33AD11C90073}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |
"TCP Query User{9FC835A9-00B1-4BD6-AC2A-64858E637E90}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |
"UDP Query User{28717F9D-6D81-4E0D-BD53-F8EEAD45C236}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |
"UDP Query User{3B0F5EE4-59E9-41A7-92E3-DF66D2D5306E}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |
"UDP Query User{CA8F0D62-A712-443C-8577-058A1E1274B5}C:\users\kids\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\kids\appdata\roaming\dropbox\bin\dropbox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{39034D33-0958-DD8C-FCD1-DDA486337783}" = AMD Fuel
"{46F4D124-20E5-4D12-BE52-EC177A7A4B42}" = Lenovo Rescue System
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{AD2C4469-ACD9-4E78-91DE-A6BF6459959A}" = AMD Catalyst Install Manager
"{D07A61E5-A59C-433C-BCBD-22025FA2287B}" = Windows Live Language Selector
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{EF79C448-6946-4D71-8134-03407888C054}" = Shared C Run-time for x64
"{F1CA9ADD-FFD9-60AA-F402-B0052BC5F732}" = ccc-utility64
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"219D5BE6B14468E687B5EFF7979E68AA355A5299" = Windows Driver Package - Advanced Micro Devices, Inc System (04/15/2010 5.12.0.13)
"CCleaner" = CCleaner
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{066EE402-9516-8143-515B-E87DFFB8A56D}" = CCC Help Finnish
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{16355B96-CCB3-9152-30C4-8EAA52829AED}" = CCC Help Chinese Standard
"{16ECB752-AE5E-D1A8-AF16-FE8EB7F7F1B2}" = Catalyst Control Center Profiles Desktop
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1A29BCED-DC6E-C78C-9F9D-07F09B76DC55}" = CCC Help Norwegian
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34E93A7F-599F-4BBB-B2A1-4FCE77971AB9}" = Medialink MWN-USB150N
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Lenovo Power2Go
"{45970CD1-D599-47D4-938F-3E9800D54ED1}" = Lenovo Driver and Application Installation
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5077B5AF-717B-45AB-0C4F-18A0C5EEDD02}" = CCC Help Italian
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{698E98F3-025D-3060-C22A-16AEF07D00F6}" = CCC Help Polish
"{6AF4EC30-E792-F128-7AD1-5009174C3366}" = CCC Help Thai
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74D06BD4-573A-1B29-20BA-0195E111772F}" = CCC Help Czech
"{74E30182-0275-7F33-4ABD-53AAF78F7508}" = CCC Help German
"{7659C8B6-F431-E891-295D-C102920119EF}" = CCC Help English
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{87F307D7-0733-F7AD-3DB8-F830A58BA530}" = CCC Help Chinese Traditional
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{9093D02B-1C31-97B9-FA4D-D8AB2D729543}" = CCC Help Hungarian
"{91FA36B7-8B5E-10F6-2623-3278A23EEE91}" = CCC Help Japanese
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
"{9B20F3F2-3216-FEC9-F206-E49C41372902}" = CCC Help French
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9E34BCAF-C55F-70A0-F719-44ACC9C9392A}" = CCC Help Danish
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.06)
"{ADA70EFC-2E27-C8EC-9588-381103DEEB15}" = CCC Help Greek
"{B266E062-D6C5-485B-B426-51B152B041A6}" = Lenovo Blacksilk USB Keyboard Driver
"{B6CF6F09-5455-4AE0-B2ED-5728151388B8}" = Catalyst Control Center - Branding
"{B9B2E538-E347-E65B-AA42-D938D5A49A82}" = CCC Help Swedish
"{BB6031F1-5C36-797B-3944-E2915DE2C259}" = Catalyst Control Center Localization All
"{BC619F7C-84C0-FE3E-01A5-2354F8B94EFF}" = Catalyst Control Center InstallProxy
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C807D0F8-665F-F562-9700-309047E2186B}" = CCC Help Russian
"{CC1C2EE8-8E03-4D79-9758-C208D4438A3E}" = QuickShare
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D3063097-EC84-4D21-84A4-9D852E974355}" = LVT
"{D4336DF5-78C4-CC6E-542F-E70B831E0FBF}" = CCC Help Korean
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{DEF6DC54-76A2-2D34-12A0-F3507678C991}" = CCC Help Spanish
"{DF3BB6E5-97BF-903E-8056-47C5CB39ACBF}" = CCC Help Dutch
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E32B1F33-52A2-802A-231E-8E779A0B2F2B}" = AMD VISION Engine Control Center
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4166D74-900F-52A9-F77C-F85CBF316309}" = CCC Help Portuguese
"{F96D619D-99D6-4C9C-A393-0CD22DE1CA66}_is1" = Ezvid
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FED4BE59-DF2F-FCE9-C65A-38D540C6082F}" = CCC Help Turkish
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Avira AntiVir Desktop" = Avira Free Antivirus
"Debut" = Debut Video Capture Software
"Google Chrome" = Google Chrome
"GorillaPrice" = GorillaPrice
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Lenovo Power2Go
"InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}" = Lenovo Rescue System
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Mozilla Firefox 25.0.1 (x86 en-US)" = Mozilla Firefox 25.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Office14.SingleImage" = Microsoft Office Home and Student 2010
"VideoPad" = VideoPad Video Editor
"WinLiveSuite" = Windows Live Essentials

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 10/9/2013 10:51:08 AM | Computer Name = MisterMagic | Source = Windows Search Service | ID = 3029
Description =

Error - 10/9/2013 10:51:08 AM | Computer Name = MisterMagic | Source = Windows Search Service | ID = 3028
Description =

Error - 10/9/2013 10:51:08 AM | Computer Name = MisterMagic | Source = Windows Search Service | ID = 3058
Description =

Error - 10/9/2013 10:51:08 AM | Computer Name = MisterMagic | Source = Windows Search Service | ID = 7010
Description =

Error - 10/9/2013 10:51:14 AM | Computer Name = MisterMagic | Source = WinMgmt | ID = 10
Description =

Error - 10/13/2013 10:02:12 AM | Computer Name = MisterMagic | Source = WinMgmt | ID = 10
Description =

Error - 10/20/2013 11:29:05 AM | Computer Name = MisterMagic | Source = Application Error | ID = 1000
Description = Faulting application name: avnotify.exe, version: 13.6.20.2100, time
stamp: 0x51e6b921 Faulting module name: avnotify.exe, version: 13.6.20.2100, time
stamp: 0x51e6b921 Exception code: 0xc0000005 Fault offset: 0x00001487 Faulting process
id: 0xd7c Faulting application start time: 0x01cecda90a9519c2 Faulting application
path: C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe Faulting module
path: C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe Report Id: 5a4062fe-399c-11e3-9130-8c89a5d636b8

Error - 10/20/2013 11:29:32 AM | Computer Name = MisterMagic | Source = WinMgmt | ID = 10
Description =

Error - 10/28/2013 10:01:27 PM | Computer Name = MisterMagic | Source = Application Error | ID = 1000
Description = Faulting application name: avnotify.exe, version: 13.6.20.2100, time
stamp: 0x51e6b921 Faulting module name: avnotify.exe, version: 13.6.20.2100, time
stamp: 0x51e6b921 Exception code: 0xc0000005 Fault offset: 0x00001487 Faulting process
id: 0xb0c Faulting application start time: 0x01ced44abcf23b4f Faulting application
path: C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe Faulting module
path: C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe Report Id: 049881d0-403e-11e3-b847-8c89a5d636b8

Error - 10/28/2013 10:02:13 PM | Computer Name = MisterMagic | Source = WinMgmt | ID = 10
Description =

Error - 10/31/2013 6:39:00 PM | Computer Name = MisterMagic | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 6/20/2013 8:43:51 PM | Computer Name = MisterMagic | Source = WMPNetworkSvc | ID = 866300
Description =

Error - 6/20/2013 8:45:37 PM | Computer Name = MisterMagic | Source = DCOM | ID = 10010
Description =

Error - 6/20/2013 11:49:48 PM | Computer Name = MisterMagic | Source = DCOM | ID = 10010
Description =

Error - 6/25/2013 1:12:28 AM | Computer Name = MisterMagic | Source = DCOM | ID = 10010
Description =

Error - 6/26/2013 1:03:20 AM | Computer Name = MisterMagic | Source = DCOM | ID = 10010
Description =

Error - 6/27/2013 1:16:37 AM | Computer Name = MisterMagic | Source = DCOM | ID = 10010
Description =

Error - 6/27/2013 10:05:12 AM | Computer Name = MisterMagic | Source = WMPNetworkSvc | ID = 866300
Description =

Error - 6/27/2013 12:41:56 PM | Computer Name = MisterMagic | Source = DCOM | ID = 10010
Description =

Error - 6/28/2013 1:20:35 AM | Computer Name = MisterMagic | Source = DCOM | ID = 10010
Description =

Error - 6/29/2013 12:38:28 AM | Computer Name = MisterMagic | Source = DCOM | ID = 10010
Description =


< End of report >
  • 0

#10
Biscuithd
Posted 01 February 2014 - 10:08 AM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts
Topic is here.

Hi scmba,

We need to do some uninstalls before the fix, then we'll see how the machine looks.

Uninstall Software

  • Click on the Start Posted Image button and select Control Panel
  • Click on Uninstall a program or Programs and Features
  • You will now see a list of your installed software, double click on the following to uninstall it:
GorillaPrice

Once you have done this, reboot your computer


OTL Fix

  • Run OTL as you did before.
  • Copy the text in the quote box below (do not copy the word "quote") and paste in the in the box marked Custom Scans/Fixes as shown in the graphic below.

Posted Image

:Commands
[createrestorepoint]

:OTL
PRC - [2013/08/13 10:07:34 | 000,953,344 | ---- | M] (Torling Company) -- C:\Program Files (x86)\GorillaPrice\GorillaPrice.exe
PRC - [2013/08/10 09:26:50 | 000,071,168 | ---- | M] () -- C:\ProgramData\GorillaPrice\watgorp.exe
SRV - [2013/08/10 09:26:50 | 000,071,168 | ---- | M] () [Auto | Running] -- C:\ProgramData\GorillaPrice\watgorp.exe -- (WatGorp)
IE - HKCU\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/...Date=15/09/2013
FF - prefs.js..browser.search.defaultthis.engineName: "xvidly3 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..extensions.enabledAddons: %7Ba131ab52-77f3-4bd7-acc7-e2dfdfd298f0%7D:1.0
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{a131ab52-77f3-4bd7-acc7-e2dfdfd298f0}: C:\Program Files (x86)\Mozilla Firefox\extensions\{a131ab52-77f3-4bd7-acc7-e2dfdfd298f0}.xpi [2013/08/05 04:17:58 | 000,003,989 | ---- | M] ()
[2013/08/05 04:17:58 | 000,003,989 | ---- | M] () (No name found) -- C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\EXTENSIONS\{A131AB52-77F3-4BD7-ACC7-E2DFDFD298F0}.XPI
O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20121015090325.dll File not found
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20121015090325.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [GorillaPrice] C:\Program Files (x86)\GorillaPrice\GorillaPrice.exe (Torling Company)
O4 - HKCU..\Run: [GorillaPrice] C:\Program Files (x86)\GorillaPrice\GorillaPrice.exe (Torling Company)
[2013/07/20 09:02:19 | 000,017,920 | ---- | C] () -- C:\Users\Kids\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/09/07 12:49:04 | 096,533,415 | ---- | M] ()(C:\windows\SysWow64\????) -- C:\windows\SysWow64\㓱ﳚᵌ™
[2013/09/07 12:49:04 | 096,533,415 | ---- | C] ()(C:\windows\SysWow64\????) -- C:\windows\SysWow64\㓱ﳚᵌ™
:Commands
[emptytemp]


Your computer will reboot. If it does not, please manually reboot.

AdwCleaner

Download AdwCleaner. Click here and then click the Download button. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.
  • Right click the AdwCleaner icon Posted Image on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.

    Posted Image
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above the progress bar you will see Pending. Please uncheck elements you don't want to remove. Do Not delete anything at this time.
  • Click the Report button to get the log.
  • Copy and Paste it into your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[R0].txt.
  • Click the X in the upper right corner of the program or click the File menu and click Exit to close the program.
Re-Run OTL

Run OTL again and click Quick Scan.

Copy and paste the contents of the log that it produces into your next post back to me.

Also, post the contents of the adwCleaner log back to me.
  • 0

Advertisements

#11
scmba
Posted 01 February 2014 - 01:49 PM

scmba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
Ok, it won't let me uninstall because this is what I get with no other options:

an app pops up from a web browser saying if I want to download "Gorilla Uninstallers" the only options are: Save File or Cancel. I think i did this before and it put more virus' on my computer.
  • 0

#12
Biscuithd
Posted 01 February 2014 - 01:54 PM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts
ok, forget the uninstall and go ahead with the OTL fix and adwCleaner and let me know how that goes.
  • 0

#13
scmba
Posted 01 February 2014 - 02:48 PM

scmba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
Ok, I'm not clear in the order you put to do things:

Do I copy and paste the text in the quote box, then click "Run Scan" Or, per your instructions, click "Run Scan" then copy and paste the quote in?
  • 0

#14
scmba
Posted 01 February 2014 - 02:49 PM

scmba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
Also, do I click "Run Scan" or "Run Fix" (highlighted in Red)?
  • 0

#15
Biscuithd
Posted 01 February 2014 - 02:53 PM

Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts
Sorry it wasn't clearer. I assume you're working on the Fix part?

So, you highlight and copy the part in the text box...this stuff.

:Commands
[createrestorepoint]

:OTL
PRC - [2013/08/13 10:07:34 | 000,953,344 | ---- | M] (Torling Company) -- C:\Program Files (x86)\GorillaPrice\GorillaPrice.exe
PRC - [2013/08/10 09:26:50 | 000,071,168 | ---- | M] () -- C:\ProgramData\GorillaPrice\watgorp.exe
SRV - [2013/08/10 09:26:50 | 000,071,168 | ---- | M] () [Auto | Running] -- C:\ProgramData\GorillaPrice\watgorp.exe -- (WatGorp)
IE - HKCU\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/...Date=15/09/2013
FF - prefs.js..browser.search.defaultthis.engineName: "xvidly3 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..extensions.enabledAddons: %7Ba131ab52-77f3-4bd7-acc7-e2dfdfd298f0%7D:1.0
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{a131ab52-77f3-4bd7-acc7-e2dfdfd298f0}: C:\Program Files (x86)\Mozilla Firefox\extensions\{a131ab52-77f3-4bd7-acc7-e2dfdfd298f0}.xpi [2013/08/05 04:17:58 | 000,003,989 | ---- | M] ()
[2013/08/05 04:17:58 | 000,003,989 | ---- | M] () (No name found) -- C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\EXTENSIONS\{A131AB52-77F3-4BD7-ACC7-E2DFDFD298F0}.XPI
O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20121015090325.dll File not found
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20121015090325.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [GorillaPrice] C:\Program Files (x86)\GorillaPrice\GorillaPrice.exe (Torling Company)
O4 - HKCU..\Run: [GorillaPrice] C:\Program Files (x86)\GorillaPrice\GorillaPrice.exe (Torling Company)
[2013/07/20 09:02:19 | 000,017,920 | ---- | C] () -- C:\Users\Kids\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/09/07 12:49:04 | 096,533,415 | ---- | M] ()(C:\windows\SysWow64\????) -- C:\windows\SysWow64\㓱ﳚᵌ™
[2013/09/07 12:49:04 | 096,533,415 | ---- | C] ()(C:\windows\SysWow64\????) -- C:\windows\SysWow64\㓱ﳚᵌ™
:Commands
[emptytemp]

And paste it into OTL, into the area with the Red box around it in the example (Custom Scan/Fix), then press Run Fix.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP