
Google Redirect and Browser Setting Hijacker [Solved]



#1 t5403cg
Member, 37 posts
When using google:
 
OS: Windows 7
 
> Periodic redirects to other searches when clicking a result link
> Large number of dllhost files are launched....causing memory issues when using IE
> IE browser settings are changed periodically, particularly the history (changed to 0 days) and file download (changed to disabled)
 
I've run Spybot, Malwarebytes, AdwCleaner, TDSS, CCleaner, MSErt....nothing gets rid of the problem permanently....although it does appear to be removed temporarily.
 
Lastly, Symantec does indicate that I have the W64.Viknok.B!inf infection attached to the cryptbase.dll (2/18/2014 creation date) found in windows\system32\sysprep folder...but it can't be removed.  I also notice in that folder a subfolder called Panther was created on the same day....not sure there is a correlation. 
 
 
>>>update:
 
process monitor software tells me that dllhost is attempting to connect to a TCP address....here's what Process Monitor records (xxxx hide sensitive info):
 
xxxxxx.com:60951 -> 5.45.65.142:http
 
C:\Users\xxxxx\AppData\Local\Temp\syncsvb\sxynbvq\wow.ini
 
 
wow.ini:
 
[main]
servers=fafad2.com;fffacd.com
aid=433
[clk]
 
in that folder is a wow.dll installed on 2/18....could this be the problem?
 
 
 
Hope you can assist.

OTL logfile created on: 4/16/2014 7:23:20 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\t5403cg\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.89 Gb Total Physical Memory | 1.65 Gb Available Physical Memory | 42.45% Memory free
7.77 Gb Paging File | 5.30 Gb Available in Paging File | 68.23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 149.05 Gb Total Space | 91.03 Gb Free Space | 61.07% Space Free | Partition Type: NTFS

Computer Name: CID-TDENZL403CG | User Name: T5403CG | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/04/16 07:22:55 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\t5403cg\Downloads\OTL.exe
PRC - [2014/03/07 00:44:22 | 010,311,968 | ---- | M] (Tanium Inc.) -- C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe
PRC - [2013/10/15 12:27:38 | 003,921,880 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2013/09/20 10:57:26 | 001,042,272 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
PRC - [2013/09/13 10:38:30 | 000,171,416 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
PRC - [2013/07/25 11:19:26 | 005,624,784 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
PRC - [2013/06/28 18:48:04 | 000,014,624 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
PRC - [2012/12/18 12:14:27 | 000,642,816 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2011/09/12 13:16:02 | 000,108,456 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2011/09/12 13:15:58 | 000,115,624 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
PRC - [2011/09/12 13:15:44 | 001,839,888 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2011/09/12 13:15:36 | 000,050,592 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
PRC - [2011/09/06 08:49:57 | 001,375,064 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Altiris\Altiris Agent\AeXNSAgent.exe
PRC - [2011/09/06 08:49:19 | 000,214,872 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Altiris\Altiris Agent\AeXAgentUIHost.exe
PRC - [2011/07/21 16:02:00 | 000,288,096 | ---- | M] (Lumension Security, Inc.) -- C:\Program Files (x86)\Lumension\Patch Agent\NotificationManager.exe
PRC - [2011/07/21 16:01:14 | 000,095,584 | ---- | M] (Lumension Security, Inc.) -- C:\Program Files (x86)\Lumension\Patch Agent\GravitixService.exe
PRC - [2011/04/28 23:46:34 | 003,411,968 | ---- | M] (IBM) -- C:\Notes\nsd.exe
PRC - [2011/01/06 11:57:26 | 000,524,512 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
PRC - [2011/01/06 11:56:06 | 001,104,608 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe
PRC - [2010/07/25 14:33:30 | 002,184,264 | ---- | M] (Winmagic Inc.) -- C:\Program Files (x86)\WinMagic\SecureDoc-NT\SDPin.exe
PRC - [2010/07/25 14:33:30 | 000,693,320 | ---- | M] (WinMagic Inc.) -- C:\Program Files (x86)\WinMagic\SecureDoc-NT\SDService.exe


========== Modules (No Company Name) ==========

MOD - [2013/10/23 11:59:24 | 014,340,096 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\bcf51dc88597d0835c819a2d5a755b74\PresentationFramework.ni.dll
MOD - [2013/10/23 11:59:11 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ef0a534be135cd8f0d99d938d8b1814a\System.Windows.Forms.ni.dll
MOD - [2013/10/23 11:59:05 | 012,238,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\51478a61dbd40488e320a0061e23c4df\PresentationCore.ni.dll
MOD - [2013/10/23 11:58:56 | 003,348,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\4eef5a3a4d0ed6d6fd882947a70df530\WindowsBase.ni.dll
MOD - [2013/10/23 11:58:51 | 000,978,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\29f3ae8d313e62b4daed1107ccd29f9f\System.Configuration.ni.dll
MOD - [2013/08/19 07:14:07 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5aa44bce7933e4de09d935848f868a4b\System.Drawing.ni.dll
MOD - [2013/08/19 07:13:45 | 005,464,064 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\09db78d6068543df01862a023aca785a\System.Xml.ni.dll
MOD - [2013/08/19 07:13:37 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\5d22a30e587e2cac106b81fb351e7c08\System.ni.dll
MOD - [2013/07/15 08:59:51 | 011,499,520 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9a6c1b7af18b4d5a91dc7f8d6617522f\mscorlib.ni.dll
MOD - [2013/07/12 14:21:49 | 000,091,488 | ---- | M] () -- C:\Windows\assembly\GAC_32\Agent.ProtVista\7.0.0.551__dadec3a2d57dc0c0\Agent.ProtVista.dll
MOD - [2013/05/16 10:55:26 | 000,113,496 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
MOD - [2013/05/16 10:55:24 | 000,416,600 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
MOD - [2011/07/21 16:01:54 | 000,091,488 | ---- | M] () -- C:\Program Files (x86)\Lumension\Patch Agent\Content.Common.dll
MOD - [2010/12/07 15:14:36 | 000,297,520 | ---- | M] () -- C:\Program Files\Manufacturer\Endpoint Agent\prntm.dll
MOD - [2010/07/25 14:33:28 | 000,018,504 | ---- | M] () -- C:\Windows\SysWOW64\SDXML.dll
MOD - [2010/07/25 14:33:26 | 000,051,784 | ---- | M] () -- C:\Windows\SysWOW64\SDMigrate.dll
MOD - [2010/07/25 14:33:24 | 000,536,136 | ---- | M] () -- C:\Windows\SysWOW64\sdck.dll


========== Services (SafeList) ==========

SRV:64bit: - [2013/10/24 07:19:16 | 000,543,016 | ---- | M] (Aventail Corporation) [Auto | Running] -- C:\Windows\SysNative\ngvpnmgr.exe -- (NgVpnMgr)
SRV:64bit: - [2013/07/15 07:18:23 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2013/07/12 14:18:13 | 000,350,024 | ---- | M] (Lumension Security, Inc.) [Auto | Running] -- C:\Program Files\Lumension\LEMSSAgent\LMAgent.exe -- (LEMSS Agent)
SRV:64bit: - [2013/03/06 17:32:12 | 001,598,976 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\enstart64.exe -- (enstart64)
SRV:64bit: - [2012/04/05 19:48:54 | 000,158,208 | ---- | M] (Samsung Electronics) [On_Demand | Stopped] -- C:\Windows\SysNative\SUPDSvc2.exe -- (Samsung UPD Service2)
SRV:64bit: - [2010/12/07 15:14:00 | 000,302,128 | ---- | M] () [Auto | Running] -- C:\Program Files\Manufacturer\Endpoint Agent\wdp.exe -- (WDP)
SRV:64bit: - [2010/12/07 15:13:58 | 000,346,160 | ---- | M] () [Auto | Running] -- C:\Program Files\Manufacturer\Endpoint Agent\edpa.exe -- (EDPA)
SRV:64bit: - [2010/11/12 01:48:50 | 000,045,928 | ---- | M] (Lenovo.) [Auto | Running] -- C:\Windows\SysNative\ibmpmsvc.exe -- (IBMPMSVC)
SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2014/03/07 00:44:22 | 010,311,968 | ---- | M] (Tanium Inc.) [Auto | Running] -- C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe -- (Tanium Client)
SRV - [2013/06/28 18:48:04 | 000,014,624 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
SRV - [2013/04/10 08:13:51 | 000,013,720 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\900\g2aservice.exe -- (GoToAssist)
SRV - [2013/03/08 21:38:05 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/09/12 13:16:02 | 000,108,456 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2011/09/12 13:16:02 | 000,108,456 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2011/09/12 13:15:50 | 000,428,960 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE -- (SNAC)
SRV - [2011/09/12 13:15:48 | 003,250,416 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2011/09/12 13:15:44 | 001,839,888 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2011/09/06 09:08:01 | 000,620,376 | ---- | M] (Altiris, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe -- (AltirisAgentProvider)
SRV - [2011/09/06 08:49:57 | 001,375,064 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Altiris\Altiris Agent\AeXNSAgent.exe -- (AeXNSClient)
SRV - [2011/07/21 16:01:14 | 000,095,584 | ---- | M] (Lumension Security, Inc.) [On_Demand | Running] -- C:\Program Files (x86)\Lumension\Patch Agent\GravitixService.exe -- (Patch Agent)
SRV - [2011/04/28 23:46:34 | 003,411,968 | ---- | M] (IBM) [Auto | Running] -- C:\Notes\nsd.exe -- (Lotus Notes Diagnostics)
SRV - [2011/04/08 11:00:16 | 000,236,392 | ---- | M] () [On_Demand | Stopped] -- c:\Program Files (x86)\Altiris\Altiris Agent\Agents\Deployment\Agent\ConfigService.exe -- (ConfigService)
SRV - [2011/01/20 00:55:06 | 003,093,944 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2011/01/06 11:56:06 | 001,104,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe -- (NACAgent)
SRV - [2010/07/25 14:33:30 | 000,693,320 | ---- | M] (WinMagic Inc.) [Auto | Running] -- C:\Program Files (x86)\WinMagic\SecureDoc-NT\SDService.exe -- (WinMagic SecureDoc Service)
SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2013/10/24 00:59:08 | 000,103,496 | ---- | M] (Aventail Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ngvpn.sys -- (NgVpn)
DRV:64bit: - [2013/10/24 00:59:08 | 000,031,304 | ---- | M] (Aventail Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nglog.sys -- (NgLog)
DRV:64bit: - [2013/10/24 00:59:08 | 000,028,744 | ---- | M] (Aventail Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ngwfp.sys -- (NgWfp)
DRV:64bit: - [2013/10/24 00:59:08 | 000,026,184 | ---- | M] (Aventail Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ngfilter.sys -- (NgFilter)
DRV:64bit: - [2013/09/10 16:40:10 | 000,173,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2013/07/12 14:17:53 | 000,084,080 | ---- | M] (Lumension Security, Inc.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\eps.sys -- (EPS)
DRV:64bit: - [2013/03/20 14:15:21 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2013/03/06 23:29:00 | 000,233,120 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\wpshelper.sys -- (WpsHelper)
DRV:64bit: - [2013/03/06 17:32:12 | 000,075,392 | ---- | M] (Guidance Software Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\enstart64_.sys -- (enstart64_)
DRV:64bit: - [2011/09/12 13:16:10 | 000,054,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\WPSDRVnt.sys -- (WPS)
DRV:64bit: - [2011/09/12 13:16:04 | 000,482,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\srtspl64.sys -- (SRTSPL)
DRV:64bit: - [2011/09/12 13:16:04 | 000,453,240 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysNative\drivers\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2011/09/12 13:16:04 | 000,032,376 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2011/09/12 13:15:52 | 000,064,152 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Teefer2.sys -- (Teefer2)
DRV:64bit: - [2010/12/20 16:08:48 | 008,505,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETwNs64.sys -- (NETwNs64)
DRV:64bit: - [2010/12/20 08:31:00 | 000,316,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1c62x64.sys -- (e1cexpress)
DRV:64bit: - [2010/12/18 16:57:34 | 000,021,416 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwrchid.sys -- (btwrchid)
DRV:64bit: - [2010/12/18 16:57:32 | 000,162,344 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwavdt.sys -- (btwavdt)
DRV:64bit: - [2010/12/16 00:39:08 | 012,256,512 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/12/15 19:56:06 | 001,402,416 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2010/12/14 19:12:00 | 000,098,816 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\risdxc64.sys -- (risdxc)
DRV:64bit: - [2010/12/07 15:14:28 | 000,027,184 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vrtam.sys -- (vrtam)
DRV:64bit: - [2010/12/07 15:14:26 | 000,058,928 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tdifd11.sys -- (tdifd11)
DRV:64bit: - [2010/12/07 15:14:24 | 000,065,072 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\vfsmfd.sys -- (vfsmfd)
DRV:64bit: - [2010/12/07 15:14:24 | 000,055,344 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SFsCtrx.sys -- (SFsCtrx)
DRV:64bit: - [2010/12/03 13:56:26 | 000,167,680 | ---- | M] (Ricoh co.,Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\5U877.sys -- (5U877)
DRV:64bit: - [2010/11/22 22:50:12 | 001,567,360 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CHDRT64.sys -- (CnxtHdAudService)
DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 23:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 23:23:47 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/12 01:48:30 | 000,039,024 | ---- | M] (Lenovo.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV:64bit: - [2010/11/05 06:45:48 | 000,438,808 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2010/10/18 23:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)
DRV:64bit: - [2010/10/14 07:28:16 | 000,317,440 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
DRV:64bit: - [2010/01/20 18:36:28 | 000,114,688 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\SDDToki.sys -- (SDDToki)
DRV:64bit: - [2010/01/20 13:19:22 | 000,139,776 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\SDDisk2K.sys -- (SDDisk2K)
DRV:64bit: - [2009/09/28 13:54:00 | 000,021,504 | ---- | M] (WinMagic, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PinFile.sys -- (PinFile)
DRV:64bit: - [2009/09/25 17:59:14 | 000,070,656 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\SDDVD.sys -- (SDDVD)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 19:21:48 | 000,038,400 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tpm.sys -- (TPM)
DRV:64bit: - [2009/06/10 17:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 17:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 17:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/03/05 16:04:26 | 000,020,992 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\SDUPC.sys -- (SDUPC)
DRV - [2013/11/21 08:06:18 | 000,484,952 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2013/11/21 08:06:18 | 000,137,648 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2013/08/29 07:44:15 | 002,099,288 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20140415.005\ex64.sys -- (NAVEX15)
DRV - [2013/08/29 07:44:14 | 000,126,040 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20140415.005\eng64.sys -- (NAVENG)
DRV - [2011/09/12 13:16:04 | 000,482,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\srtspl64.sys -- (SRTSPL)
DRV - [2011/09/12 13:16:04 | 000,453,240 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysWOW64\drivers\srtsp64.sys -- (SRTSP)
DRV - [2011/09/12 13:16:04 | 000,032,376 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysWOW64\drivers\srtspx64.sys -- (SRTSPX)
DRV - [2010/11/29 17:46:32 | 000,084,080 | ---- | M] (Lumension Security, Inc.) [File_System | System | Running] -- C:\Windows\SysWOW64\drivers\eps.sys -- (EPS)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://intranet.newyorklife.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = njproxy:80


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1205146.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@citrixonline.com/appdetectorplugin: C:\Users\t5403cg\AppData\Local\Citrix\Plugins\97\npappdetector.dll (Citrix Online)


[2014/04/15 19:13:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions

O1 HOSTS File: ([2014/04/14 10:17:02 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\Snagit 9\DLLx64\SnagitBHO64.dll (TechSmith Corporation)
O2:64bit: - BHO: (WebEx Productivity Tools) - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli64.dll (Cisco WebEx LLC)
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\Snagit 9\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (WebEx Productivity Tools) - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll (Cisco WebEx LLC)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3:64bit: - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\Snagit 9\DLLx64\SnagitIEAddin64.dll (TechSmith Corporation)
O3:64bit: - HKLM\..\Toolbar: (WebEx Productivity Tools) - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli64.dll (Cisco WebEx LLC)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\Snagit 9\SnagitIEAddin.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (WebEx Productivity Tools) - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll (Cisco WebEx LLC)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AeXAgentLogon] C:\Program Files (x86)\Altiris\Altiris Agent\AeXAgentActivate.exe (Symantec Corporation)
O4 - HKLM..\Run: [ccApp] C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [IBM Lotus Notes Preloader] C:\Notes\nntspreld.exe (IBM Corp)
O4 - HKLM..\Run: [NACAgentUI] C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [SDTray] C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [StartSecurDoc] C:\Program Files (x86)\WinMagic\SecureDoc-NT\SDPin.exe (Winmagic Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\New Windows present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeKeyboardNavigationIndicators = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: PromptRunasInstallNetPath = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: GreyMSIAds = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCloseDragDropBands = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowCpl = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: 2 = Scheduled Tasks
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: 3 = Users and Passwords
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConnectHomeDirToRoot = 0
O8:64bit: - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9:64bit: - Extra Button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files (x86)\Altova\XMLSpy2013\spy.htm ()
O9:64bit: - Extra 'Tools' menuitem : Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files (x86)\Altova\XMLSpy2013\spy.htm ()
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program FilesPersonal\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program FilesPersonal\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program FilesPersonal\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra Button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files (x86)\Altova\XMLSpy2013\spy.htm ()
O9 - Extra 'Tools' menuitem : Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files (x86)\Altova\XMLSpy2013\spy.htm ()
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {A6CA29DD-AD4A-4891-A8CC-C2B88741CF4A} http://onlinebudget..../CPMActiveX.CAB (CPMActiveX.CBWX)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://newyorklife....ng/ieatgpc1.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.31.100.100 172.28.100.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hq.nt.newyorklife.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7CCA90B7-B2F9-414C-8CC0-1BFDB1BDA465}: DhcpNameServer = 172.31.100.100 172.28.100.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D47835FD-A7B7-426A-9496-7159A0B45C08}: DhcpNameServer = 172.31.100.100 172.28.100.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D47835FD-A7B7-426A-9496-7159A0B45C08}: Domain = newyorklife.com
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O20:64bit: - AppInit_DLLs: (AMINIT64.DLL) - C:\Windows\SysNative\AMInit64.dll (Altiris, Inc.)
O20 - AppInit_DLLs: (aminit32.dll) - C:\Windows\SysWow64\Aminit32.dll (Altiris, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\900\G2AWinLogon_x64.dll) - C:\Program Files (x86)\Citrix\GoToAssist\900\g2awinlogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2014/04/15 15:22:14 | 000,000,000 | ---D | C] -- C:\Users\t5403cg\AppData\Local\NPE
[2014/04/15 15:22:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2014/04/15 12:19:37 | 000,000,000 | ---D | C] -- C:\Users\t5403cg\Desktop\rkill
[2014/04/15 07:51:29 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\MpEngineStore
[2014/04/15 06:16:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
[2014/04/15 06:16:19 | 000,021,040 | ---- | C] (Safer Networking Limited) -- C:\Windows\SysNative\sdnclean64.exe
[2014/04/15 06:16:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2014/04/15 06:16:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy 2
[2014/04/14 11:51:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Grep
[2014/04/14 11:51:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Grep
[2014/04/14 11:20:36 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2014/04/14 10:14:18 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2014/04/14 10:13:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2014/04/14 10:13:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2014/04/14 09:32:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2014/04/14 09:32:20 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2014/04/14 07:13:35 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2014/04/13 10:59:18 | 000,000,000 | ---D | C] -- C:\Users\t5403cg\Desktop\Maleware
[2014/04/02 07:52:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Symantec Endpoint Protection
[2014/04/02 06:35:32 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2014/04/02 06:35:06 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2014/03/31 06:38:15 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/03/17 17:19:42 | 000,000,000 | ---D | C] -- C:\Users\t5403cg\AppData\Roaming\Malwarebytes
[2014/03/17 17:19:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2014/03/17 17:19:22 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2014/03/17 17:19:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2014/03/17 17:19:10 | 000,000,000 | ---D | C] -- C:\Users\t5403cg\AppData\Local\Programs
[22 C:\Users\t5403cg\Documents\*.tmp files -> C:\Users\t5403cg\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014/04/16 07:07:27 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/04/16 07:07:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/04/16 05:45:00 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/04/15 19:23:37 | 000,019,104 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/04/15 19:23:37 | 000,019,104 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/04/15 19:15:19 | 3129,397,248 | -HS- | M] () -- C:\hiberfil.sys
[2014/04/15 15:26:35 | 000,006,591 | ---- | M] () -- C:\Users\t5403cg\Documents\test2.csv
[2014/04/15 15:24:12 | 000,000,075 | ---- | M] () -- C:\Windows\SysNative\dpmo.qnz
[2014/04/15 15:17:11 | 000,000,233 | ---- | M] () -- C:\Users\t5403cg\Documents\test.csv
[2014/04/14 10:17:02 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
[2014/04/12 12:14:34 | 000,001,484 | ---- | M] () -- C:\Users\t5403cg\Desktop\KL-Station.url
[2014/04/11 11:12:22 | 000,002,183 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2014/04/03 09:12:09 | 000,782,500 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014/04/03 09:12:09 | 000,662,632 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014/04/03 09:12:09 | 000,122,274 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014/03/25 20:19:50 | 000,000,000 | ---- | M] () -- C:\t14s.2
[2014/03/25 20:19:50 | 000,000,000 | ---- | M] () -- C:\t14s.1
[2014/03/20 14:17:04 | 000,000,414 | ---- | M] () -- C:\Windows\tasks\At1.job
[2014/03/19 19:27:22 | 000,000,600 | ---- | M] () -- C:\Users\t5403cg\AppData\Roaming\winscp.rnd
[2014/03/17 17:19:25 | 000,001,105 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/03/17 12:31:51 | 000,000,600 | ---- | M] () -- C:\Users\t5403cg\AppData\Local\PUTTY.RND
[22 C:\Users\t5403cg\Documents\*.tmp files -> C:\Users\t5403cg\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2014/04/15 15:26:35 | 000,006,591 | ---- | C] () -- C:\Users\t5403cg\Documents\test2.csv
[2014/04/15 15:17:11 | 000,000,233 | ---- | C] () -- C:\Users\t5403cg\Documents\test.csv
[2014/04/15 06:16:24 | 000,001,387 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2014/03/25 20:19:50 | 000,000,000 | ---- | C] () -- C:\t14s.2
[2014/03/25 20:19:50 | 000,000,000 | ---- | C] () -- C:\t14s.1
[2014/03/17 17:19:25 | 000,001,105 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/12/09 17:53:25 | 000,000,600 | ---- | C] () -- C:\Users\t5403cg\AppData\Roaming\winscp.rnd
[2013/11/25 19:50:26 | 000,000,298 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
[2013/10/24 07:22:54 | 000,234,792 | ---- | C] () -- C:\Windows\ngmsi.dll
[2013/10/24 07:21:24 | 000,020,776 | ---- | C] () -- C:\Windows\ngutil.exe
[2013/09/13 08:53:39 | 000,000,262 | ---- | C] () -- C:\Users\t5403cg\.serena.vm.applet.config
[2013/06/25 13:45:46 | 002,052,904 | R--- | C] () -- C:\Windows\SysWow64\XmlSpyLib.dll
[2013/05/13 07:42:49 | 000,000,600 | ---- | C] () -- C:\Users\t5403cg\AppData\Local\PUTTY.RND
[2013/04/10 08:13:46 | 000,103,832 | ---- | C] () -- C:\Users\t5403cg\GoToAssistDownloadHelper.exe
[2013/03/23 14:41:31 | 001,558,432 | ---- | C] () -- C:\Windows\TotalUninstaller.exe
[2013/03/20 14:13:25 | 000,051,328 | RHS- | C] () -- C:\Users\t5403cg\ntuser.pol
[2013/03/08 11:50:22 | 000,000,510 | ---- | C] () -- C:\Windows\ODBC.INI
[2013/03/06 19:43:36 | 000,960,940 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin
[2013/03/06 19:43:34 | 000,207,376 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin
[2013/03/06 19:43:32 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin
[2013/03/06 19:43:28 | 000,066,856 | ---- | C] () -- C:\Windows\SysWow64\SynTPEnhPS.dll
[2013/03/06 17:28:59 | 000,776,716 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013/03/06 16:56:58 | 000,005,750 | RHS- | C] () -- C:\ProgramData\ntuser.pol

========== ZeroAccess Check ==========

[2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
"" = \\?\globalroot\Device\HarddiskVolume1\Users\t5403cg\AppData\Local\Temp\syncsvb\sxynbvq\wow.dll

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2013/03/07 03:22:18 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/03/07 03:22:18 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 21:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 23:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 21:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2014/04/12 09:57:44 | 000,000,000 | ---D | M] -- C:\Users\t5403cg\AppData\Roaming\Aventail
[2013/03/21 07:57:21 | 000,000,000 | ---D | M] -- C:\Users\t5403cg\AppData\Roaming\Helios
[2013/03/21 08:08:13 | 000,000,000 | ---D | M] -- C:\Users\t5403cg\AppData\Roaming\ieSpell
[2014/03/17 19:12:48 | 000,000,000 | ---D | M] -- C:\Users\t5403cg\AppData\Roaming\Micro Focus
[2013/03/21 11:43:21 | 000,000,000 | ---D | M] -- C:\Users\t5403cg\AppData\Roaming\Quest Software
[2014/03/27 09:25:13 | 000,000,000 | ---D | M] -- C:\Users\t5403cg\AppData\Roaming\webex

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 478 bytes -> C:\Users\t5403cg\Documents\Untitled.eml:OECustomProperty
@Alternate Data Stream - 1406 bytes -> C:\Users\t5403cg\Documents\documentation for vendor mgt (ALERTS conversion) .eml:OECustomProperty

< End of report >



Edited by Essexboy, 16 April 2014 - 10:29 AM.


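The ZeroAccess Check block in the OTL log above is the key finding: in the 64-bit view, HKCU\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 resolves to \\?\globalroot\Device\HarddiskVolume1\Users\t5403cg\AppData\Local\Temp\syncsvb\sxynbvq\wow.dll, while the same CLSID is registered machine-wide under HKLM with a legitimate Microsoft DLL. Because HKEY_CLASSES_ROOT is a merge of HKCU\Software\Classes over HKLM\Software\Classes, with the per-user key taking precedence, every process that activates that COM class loads the DLL from Temp instead, which is consistent with the dllhost activity described in the original post. The script below is an added example and is not part of the thread or of OTL or RogueKiller: it enumerates per-user InProcServer32 registrations in both registry views, flags servers that live in user-writable locations or use a device path, and reports whether each one shadows an HKLM registration. The path patterns are this example's own heuristics; it assumes PowerShell 3.0 or later, run elevated from a 64-bit console on the affected machine.

```powershell
# Added example, not code from the thread or from the tools it uses.
# Hunts for per-user COM server hijacks of the kind the OTL "ZeroAccess Check" reports:
# HKCU\Software\Classes\CLSID\{...}\InProcServer32 pointing at a DLL in %TEMP% through a
# \\?\globalroot device path. Assumptions: PowerShell 3.0+, elevated 64-bit console, and the
# suspicious-path patterns below are this example's own heuristics rather than a vendor list.

$suspiciousPatterns = @(
    '^\\\\\?\\globalroot\\'        # device path, used to dodge scanners that expect a drive letter
    '\\AppData\\Local\\Temp\\'     # a COM server living in the user's Temp folder is never legitimate
    '\\Users\\[^\\]+\\AppData\\'   # any other per-user, user-writable location
    '\\ProgramData\\'              # writable by standard users by default on Windows 7
    '\\Windows\\Temp\\'
)

function Test-SuspiciousServerPath {
    param([string]$Path)
    foreach ($pattern in $suspiciousPatterns) {
        if ($Path -imatch $pattern) { return $true }
    }
    return $false
}

function Get-ComHijackCandidates {
    # COM activation consults HKCU\Software\Classes before HKLM, so a per-user key silently
    # overrides the machine-wide registration. Both views are checked: the OTL log flagged the
    # 64-bit HKCU view, which a 32-bit tool would never see.
    $views = @(
        @{ Arch = 'x64';   Cu = 'HKCU:\Software\Classes\CLSID';             Lm = 'HKLM:\Software\Classes\CLSID' }
        @{ Arch = 'wow64'; Cu = 'HKCU:\Software\Classes\Wow6432Node\CLSID'; Lm = 'HKLM:\Software\Classes\Wow6432Node\CLSID' }
    )
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Cu)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Cu -ErrorAction SilentlyContinue) {
            $clsid  = $key.PSChildName
            $server = Join-Path $key.PSPath 'InProcServer32'
            if (-not (Test-Path -LiteralPath $server)) { continue }
            # The DLL path is the key's default value, exposed by PowerShell as '(default)'.
            $dll = (Get-ItemProperty -LiteralPath $server -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($dll)) { continue }
            [pscustomobject]@{
                View        = $view.Arch
                CLSID       = $clsid
                Server      = $dll
                ShadowsHKLM = (Test-Path -LiteralPath (Join-Path $view.Lm "$clsid\InProcServer32"))
                Suspicious  = (Test-SuspiciousServerPath -Path $dll)
            }
        }
    }
}

# Show the per-user registrations that either look like droppers or override an HKLM entry.
# A clean profile normally has a handful of the latter (per-user installs) and none of the former.
Get-ComHijackCandidates |
    Where-Object { $_.Suspicious -or $_.ShadowsHKLM } |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize
```

On the machine in this thread the output would list {fbeb8a05-beee-4442-804e-409d6c4515e9} in the x64 view with Suspicious and ShadowsHKLM both true. A hit with Suspicious false but ShadowsHKLM true still deserves a look at the DLL's signature and location, since the same shadowing technique works with a DLL dropped anywhere the user can write.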


#2
Pyxis
    Trusted Helper
  • Malware Removal
  • 1,228 posts
Greetings,

Welcome to Geeks to Go--the friendliest online community dedicated to the sole goal of helping people from all around the world! :)

I am Pyxis and I will be assisting you with the problem at hand. Whilst I am taking the time to analyse your set of provided logs, I would like to stress the following reminders:
  • I am a student that is currently undergoing training. As such, my responses have to be checked by a professional before I present them to you to ensure you get the best quality help. If you deem I have overlooked your thread, which is in a matter of more than 24 hours, please send me a PM and I will get back to you shortly.
  • It is important that you do not install anything unless asked while the process is ongoing. Doing so may hinder or even complicate the cleaning of your system. You will get the chance to install things as you would like after the process has been completed.
  • Ensure you take extra caution to precisely follow my instructions. It is important that you only use the tools I have asked you to. The instructions for your computer are unique and should therefore only apply to your system.
I hope you keep in mind these reminders. I will be right back with a full response! :thumbsup:

Thank you.

#3
t5403cg
    Member
  • Topic Starter
  • 37 posts

Can't Wait....want to crush this bug once and for all!


Edited by t5403cg, 16 April 2014 - 10:20 AM.


#4
Pyxis
    Trusted Helper
  • Malware Removal
  • 1,228 posts
  • Warning

    I would like to inform you that your machine has been infected with a file that is capable of stealing sensitive information. It is difficult to tell whether or not any data has been stolen and finding out which is true instead of doing countermeasures is unproductive. In this light, for your safety, assume that your log-in details and other information have been accessed by another source.

    Below are the steps that you should administer:
    • Disconnect from the Internet immediately and do not use it unless requested to and until we finish the cleaning process. This is especially true when you are using the computer in question for online banking and other sites that require sensitive and personal information.
    • Using a clean and private computer, change your passwords that concern accounts like PayPal, Amazon, banks and other personal accounts. The password(s) for your e-mail account(s) should also be modified.
    Though the infection has been identified and can be removed, because of its nature, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. Experts in the security community believe that a reformat and re-installation of the operating system is the best solution. Please peruse the following if you would like to know more:

    Though this machine can still be cleaned, there are no guarantees that it will be 100% secure after. Let me know of your decision. If you decide to go through the process, please proceed with the following steps.
  • Step 1

    Certain programs will hinder the cleaning process. As such, I ask that you uninstall all the below programs to ensure no such conflict arises. Note that you may choose to disable these instead. However, for a more hassle-free solution in the long run, I recommend removing them now and later re-installing them once I declare you clean.

    I advise you to uninstall all but one of the following programs through Control Panel > Add or Remove Programs (Windows XP) or Control Panel > Programs and Features > Uninstall a Program (Windows Vista & Windows 7):
    • Spybot - Search & Destroy
    If you are having difficulties, please tell me.
  • Step 2

    If you haven't already, download 'OTL by OldTimer' and save it to your desktop or move your existing copy into the said location.
    • Simply double-click the program icon to run it. It will ask for administrator privileges.

    • Copy and paste the following into the Custom Scans/Fixes box:
      :OTL
      IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
      IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
      IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
      IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy
      @Alternate Data Stream - 478 bytes -> C:\Users\t5403cg\Documents\Untitled.eml:OECustomProperty
      @Alternate Data Stream - 1406 bytes -> C:\Users\t5403cg\Documents\documentation for vendor mgt (ALERTS conversion) .eml:OECustomProperty
      IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
      IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = njproxy:80
      
      :Reg
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
      
      :Files
      %USERPROFILE%\AppData\Local\Temp\syncsvb
      
      :Commands
      [emptytemp]
      [resethosts]
      
    • Click Run Fix.
    • OTL will reboot your system. Allow it by clicking OK.
    • After the reboot, a Notepad window will appear, named MMDDYYYY_HHMMSS.log. Alternatively, you can find that log at C:\_OTL\MovedFiles\MMDDYYYY_HHMMSS.log.
    • Copy (CTRL + A and CTRL + C) and paste (CTRL + V) the content of the log in your next reply.
  • Step 3

    Download 'RogueKiller by Tigzy' and save it to your desktop.
    • Ensure all programs and windows are closed before proceeding.
    • Simply double-click the program icon to run it. It will ask for administrator privileges.
    • Wait for its initial scan to complete.
      • Click Accept once done.
      • Click the Scan button after.
    • Once the scan has finished, click the Report button.
    • A log will pop-up. Copy (CTRL + A and CTRL + C) and paste (CTRL + V) the content of the log in your next reply.
    • The log will also be made available in the same location as RogueKiller, called RKreport[N]_S_MMDDYYYY_HHMMSS.txt.
  • Step 4

    Download 'Farbar Service Scanner by Farbar' and save it to your desktop.
    • Ensure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Windows Update
      • Windows Defender
    • Press Scan.
    • A log will pop-up once done. Alternatively, you can find FSS.txt at your desktop.
    • Copy (CTRL + A and CTRL + C) and paste (CTRL + V) the content of the log in your next reply.
  • Logs to Post

    In summary of the above, I will need you to post the following log(s):
    • MMDDYYYY_HHMMSS.log (OTL)
    • RKreport[N]_S_MMDDYYYY_HHMMSS.txt (RogueKiller)
    • FSS.txt (Farbar Service Scanner)


#5
t5403cg
    Member
  • Topic Starter
  • 37 posts

Not sure which programs you wish for me to uninstall?  Those installed within the last 30 days?

 

Please be more specific



#6
t5403cg
    Member
  • Topic Starter
  • 37 posts

Here's the log:

 

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
ADS C:\Users\t5403cg\Documents\Untitled.eml:OECustomProperty deleted successfully.
ADS C:\Users\t5403cg\Documents\documentation for vendor mgt (ALERTS conversion) .eml:OECustomProperty deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
========== REGISTRY ==========
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\ scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\ not found.
========== FILES ==========
Folder move failed. C:\Users\t5403cg\AppData\Local\Temp\syncsvb scheduled to be moved on reboot.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: smeclnt
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: t5403cg
->Temp folder emptied: 43833521 bytes
->Temporary Internet Files folder emptied: 147597437 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1336 bytes
 
User: WINDIST
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 105667243 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 9683713 bytes
 
Total Files Cleaned = 293.00 mb
 
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTL by OldTimer - Version 3.2.69.0 log created on 04162014_124432

Files\Folders moved on Reboot...
C:\Users\t5403cg\AppData\Local\Temp\syncsvb\sxynbvq folder moved successfully.
C:\Users\t5403cg\AppData\Local\Temp\syncsvb folder moved successfully.
C:\Users\t5403cg\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IQ9Q3T9U\8n77RrR4jg0[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FP127SC1\338608-google-redirect-and-browser-setting-hijacker[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FP127SC1\8n77RrR4jg0[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FP127SC1\8n77RrR4jg0[2].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FP127SC1\918[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FP127SC1\fastbutton[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FP127SC1\posts[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5W4B2RYO\338608-google-redirect-and-browser-setting-hijacker[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5W4B2RYO\k3k702ZOKiLJc3WVjuplzHZ2MAKAc2x4R1uOSeegc5U[1].eot moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5W4B2RYO\like[2].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5W4B2RYO\postmessageRelay[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5W4B2RYO\xjAJXh38I15wypJXxuGMBmfQcKutQXcIrRfyR5jdjY8[1].eot moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M56ME7T\8n77RrR4jg0[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M56ME7T\cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE[1].eot moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M56ME7T\fastbutton[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M56ME7T\partner[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M56ME7T\postmessageRelay[1].htm moved successfully.
C:\Users\t5403cg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M56ME7T\PRmiXeptR36kaC0GEAetxrFt29aCHKT7otDW9l62Aag[1].eot moved successfully.
File\Folder C:\Windows\temp\etilqs_M2ovtECYmNZw1CPaNgis not found!
File\Folder C:\Windows\temp\etilqs_M2ovtECYmNZw1CPaNgis-journal not found!
File\Folder C:\Windows\temp\nsd_tmp_2108.tmp not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\ scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\ not found.


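Two details in the OTL fix log above matter for what comes next. First, the registry delete and the folder move both failed on the first pass and were queued for the reboot; after the reboot the folder move reports success but the HKLM\Wow6432Node CLSID delete still reports "failed" under "Registry entries deleted on Reboot". Second, the hijack OTL originally found was under the 64-bit HKCU view of the same CLSID, not the HKLM\Wow6432Node key the fix names, so the key that actually loads wow.dll may never have been touched. The script below is an added example, not part of the thread and not OTL output: it checks the CLSID in all four registry views, the dropper folder and DLL, the pending-rename queue, the IE proxy values the fix cleared, and the At1 scheduled task that the OTL "Files - Modified" list shows was changed on 2014/03/20. It assumes PowerShell 3.0 or later, run elevated as the affected user, with the paths taken from the logs earlier in the thread.

```powershell
# Added example, not code from the thread or from OTL. Run after the OTL fix and the reboot it
# forced, to confirm that what the fix touched is really gone. Assumptions: PowerShell 3.0+,
# elevated console in the affected user's session; all names and paths come from the logs above.

$clsid = '{fbeb8a05-beee-4442-804e-409d6c4515e9}'
$items = @(
    @{ Item = 'CLSID, HKCU 64-bit'; Path = "HKCU:\Software\Classes\CLSID\$clsid" }
    @{ Item = 'CLSID, HKCU WOW64';  Path = "HKCU:\Software\Classes\Wow6432Node\CLSID\$clsid" }
    @{ Item = 'CLSID, HKLM 64-bit'; Path = "HKLM:\Software\Classes\CLSID\$clsid" }
    @{ Item = 'CLSID, HKLM WOW64';  Path = "HKLM:\Software\Classes\Wow6432Node\CLSID\$clsid" }
    @{ Item = 'Dropper folder';     Path = "$env:LOCALAPPDATA\Temp\syncsvb" }
    @{ Item = 'wow.dll';            Path = "$env:LOCALAPPDATA\Temp\syncsvb\sxynbvq\wow.dll" }
)
$leftovers = foreach ($i in $items) {
    [pscustomobject]@{ Item = $i.Item; Path = $i.Path; StillPresent = (Test-Path -LiteralPath $i.Path) }
}

# OTL could not delete the key or move the folder while wow.dll was loaded, so it queued the
# operations for the next boot via PendingFileRenameOperations. If the queue still names the
# dropper folder, either the reboot has not happened or the deferred operation failed again.
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
$queued = @($sm.PendingFileRenameOperations | Where-Object { $_ -like '*syncsvb*' }).Count -gt 0

# The fix cleared ProxyEnable/ProxyServer in both hives. The O17 lines in the OTL log show a
# domain-joined corporate machine, so a proxy such as njproxy:80 may be IT policy rather than
# part of the infection; check with the domain admins before reading its return as reinfection.
$proxy = foreach ($hive in 'HKCU', 'HKLM') {
    $p = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -ErrorAction SilentlyContinue
    [pscustomobject]@{ Hive = $hive; ProxyEnable = $p.ProxyEnable; ProxyServer = $p.ProxyServer }
}

# The At1 job in C:\Windows\Tasks was modified on 2014/03/20 per the OTL log and is not touched
# by the fix; show what it runs so it can be dealt with in the next step.
$at1 = schtasks.exe /Query /TN At1 /V /FO LIST 2>$null

$leftovers | Format-Table -AutoSize
"PendingFileRenameOperations still references syncsvb: $queued"
$proxy | Format-Table -AutoSize
if ($at1) { $at1 | Select-String -Pattern 'Task To Run|Status' } else { 'No scheduled task named At1' }
```

Any row with StillPresent true after the reboot means that part of the fix did not take, and a present 64-bit HKCU CLSID key in particular means the hijack is still live even though the OTL log says the Temp folder was moved. Post the output rather than re-running the fix, since the next step should target the key that is actually present.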

#7
t5403cg
    Member
  • Topic Starter
  • 37 posts

Step 3 Log:

 

RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : t5403cg [Admin rights]
Mode : Scan -- Date : 04/16/2014 13:02:50
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\RunOnce : OTL ("C:\Users\t5403cg\Desktop\Maleware\OTL.exe" [-]) -> FOUND
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (njproxy:80) -> FOUND
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
[PROXY IE][PUM] HKLM\[...]\Internet Settings : ProxyServer () -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][SUSP PATH] HKCR\[...]\InprocServer32 :  (\\?\globalroot\Device\HarddiskVolume1\Users\t5403cg\AppData\Local\Temp\syncsvb\sxynbvq\wow.dll [x]) -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][SUSP PATH] At1.job : C:\Users\t5403cg\AppData\Local\Temp\hisadconf.exe - -delete >> nul [x] -> FOUND
[V2][SUSP PATH] At1 : C:\Users\t5403cg\AppData\Local\Temp\hisadconf.exe - -delete >> nul [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
[Address] EAT @iexplore.exe (BeginBufferedAnimation) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182DF38)
[Address] EAT @iexplore.exe (BeginBufferedPaint) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182B741)
[Address] EAT @iexplore.exe (BeginPanningFeedback) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718476AF)
[Address] EAT @iexplore.exe (BufferedPaintClear) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182BBDB)
[Address] EAT @iexplore.exe (BufferedPaintInit) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182B8D4)
[Address] EAT @iexplore.exe (BufferedPaintRenderAnimation) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182DE83)
[Address] EAT @iexplore.exe (BufferedPaintSetAlpha) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184CE19)
[Address] EAT @iexplore.exe (BufferedPaintStopAllAnimations) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182E428)
[Address] EAT @iexplore.exe (BufferedPaintUnInit) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71837525)
[Address] EAT @iexplore.exe (CloseThemeData) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71821FA1)
[Address] EAT @iexplore.exe (DrawThemeBackground) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182D464)
[Address] EAT @iexplore.exe (DrawThemeBackgroundEx) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7183436D)
[Address] EAT @iexplore.exe (DrawThemeEdge) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184C01C)
[Address] EAT @iexplore.exe (DrawThemeIcon) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184D123)
[Address] EAT @iexplore.exe (DrawThemeParentBackground) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182E776)
[Address] EAT @iexplore.exe (DrawThemeParentBackgroundEx) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182E5C5)
[Address] EAT @iexplore.exe (DrawThemeText) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182DB21)
[Address] EAT @iexplore.exe (DrawThemeTextEx) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182A70C)
[Address] EAT @iexplore.exe (EnableThemeDialogTexture) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7183786D)
[Address] EAT @iexplore.exe (EnableTheming) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184C9FF)
[Address] EAT @iexplore.exe (EndBufferedAnimation) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182ACE8)
[Address] EAT @iexplore.exe (EndBufferedPaint) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182ACE8)
[Address] EAT @iexplore.exe (EndPanningFeedback) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184762C)
[Address] EAT @iexplore.exe (GetBufferedPaintBits) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182CF26)
[Address] EAT @iexplore.exe (GetBufferedPaintDC) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184CDCF)
[Address] EAT @iexplore.exe (GetBufferedPaintTargetDC) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184CD86)
[Address] EAT @iexplore.exe (GetBufferedPaintTargetRect) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184C893)
[Address] EAT @iexplore.exe (GetCurrentThemeName) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718363AE)
[Address] EAT @iexplore.exe (GetThemeAppProperties) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182EBD6)
[Address] EAT @iexplore.exe (GetThemeBackgroundContentRect) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182DA9E)
[Address] EAT @iexplore.exe (GetThemeBackgroundExtent) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71837155)
[Address] EAT @iexplore.exe (GetThemeBackgroundRegion) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71830190)
[Address] EAT @iexplore.exe (GetThemeBitmap) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71824B9C)
[Address] EAT @iexplore.exe (GetThemeBool) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71826651)
[Address] EAT @iexplore.exe (GetThemeColor) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718227C0)
[Address] EAT @iexplore.exe (GetThemeDocumentationProperty) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184C346)
[Address] EAT @iexplore.exe (GetThemeEnumValue) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718227C0)
[Address] EAT @iexplore.exe (GetThemeFilename) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184B997)
[Address] EAT @iexplore.exe (GetThemeFont) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718376A2)
[Address] EAT @iexplore.exe (GetThemeInt) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718227C0)
[Address] EAT @iexplore.exe (GetThemeIntList) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184B86E)
[Address] EAT @iexplore.exe (GetThemeMargins) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71822F97)
[Address] EAT @iexplore.exe (GetThemeMetric) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718355B4)
[Address] EAT @iexplore.exe (GetThemePartSize) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182289F)
[Address] EAT @iexplore.exe (GetThemePosition) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184B80D)
[Address] EAT @iexplore.exe (GetThemePropertyOrigin) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71830923)
[Address] EAT @iexplore.exe (GetThemeRect) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184B936)
[Address] EAT @iexplore.exe (GetThemeStream) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184B8CF)
[Address] EAT @iexplore.exe (GetThemeString) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184B7A1)
[Address] EAT @iexplore.exe (GetThemeSysBool) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184CB86)
[Address] EAT @iexplore.exe (GetThemeSysColor) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71835530)
[Address] EAT @iexplore.exe (GetThemeSysColorBrush) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184CA32)
[Address] EAT @iexplore.exe (GetThemeSysFont) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184C3D8)
[Address] EAT @iexplore.exe (GetThemeSysInt) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184C5E7)
[Address] EAT @iexplore.exe (GetThemeSysSize) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184CC61)
[Address] EAT @iexplore.exe (GetThemeSysString) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184C553)
[Address] EAT @iexplore.exe (GetThemeTextExtent) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718289FE)
[Address] EAT @iexplore.exe (GetThemeTextMetrics) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7183778C)
[Address] EAT @iexplore.exe (GetThemeTransitionDuration) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182E1A1)
[Address] EAT @iexplore.exe (GetWindowTheme) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7183535B)
[Address] EAT @iexplore.exe (HitTestThemeBackground) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71832DC1)
[Address] EAT @iexplore.exe (IsAppThemed) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71837009)
[Address] EAT @iexplore.exe (IsCompositionActive) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718265DF)
[Address] EAT @iexplore.exe (IsThemeActive) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71836F36)
[Address] EAT @iexplore.exe (IsThemeBackgroundPartiallyTransparent) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7182281C)
[Address] EAT @iexplore.exe (IsThemeDialogTextureEnabled) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184CB3F)
[Address] EAT @iexplore.exe (IsThemePartDefined) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718230CF)
[Address] EAT @iexplore.exe (OpenThemeData) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71825F29)
[Address] EAT @iexplore.exe (OpenThemeDataEx) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718306FE)
[Address] EAT @iexplore.exe (SetThemeAppProperties) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x7184CCEC)
[Address] EAT @iexplore.exe (SetWindowTheme) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71837AFC)
[Address] EAT @iexplore.exe (SetWindowThemeAttribute) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71829E39)
[Address] EAT @iexplore.exe (ThemeInitApiHook) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x71824571)
[Address] EAT @iexplore.exe (UpdatePanningFeedback) : SDXML.dll -> HOOKED (C:\Windows\SysWOW64\uxtheme.dll @ 0x718475ED)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD1600BEKT-08PVMT1 +++++
--- User ---
[MBR] 2b3e75cade1d0b4ecd8d1dc108f0a7ff
[BSP] 690a7c17ddc09714d5cee3f12f1c9dad : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152625 MB
Error reading LL1 MBR! ([0x1] Incorrect function. )
User != LL2 ... KO!
--- LL2 ---
[MBR] bba47f050e4e5b3420cf305212aa0feb
[BSP] af9eb0b34d8dbf75e1d170dae7bf74e8 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152625 MB

Finished : << RKreport[0]_S_04162014_130250.txt >>

  • 0

#8
Pyxis

Pyxis

    Trusted Helper

  • Malware Removal
  • 1,228 posts

Not sure which programs you wish for me to uninstall? Those installed within the last 30 days?
 
Please be more specific.


I believe I did specify it. Here's a screen shot of my post:

tlhUIgs.png


  • 0

#9
t5403cg

t5403cg

    Member

  • Topic Starter
  • Member
  • 37 posts

Sorry... I thought that was "uninstall all but SpyBot"... will do.


  • 0

#10
Pyxis

Pyxis

    Trusted Helper

  • Malware Removal
  • 1,228 posts

I have to fix my faulty wording. Thank you for pointing it out.  :oops:


  • 0

#11
t5403cg

t5403cg

    Member

  • Topic Starter
  • Member
  • 37 posts

SpyBot removed....do I need to run the already provided logs over again?


  • 0

#12
Pyxis

Pyxis

    Trusted Helper

  • Malware Removal
  • 1,228 posts

Luckily, the important fixes went through, so you do not need to repeat anything. You just have to do the fourth step now. :)

  • 0

#13
t5403cg

t5403cg

    Member

  • Topic Starter
  • Member
  • 37 posts

Step 4 Log:

Farbar Service Scanner Version: 25-02-2014
Ran by t5403cg (administrator) on 16-04-2014 at 13:40:16
Running from "C:\Users\t5403cg\Downloads"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Google.com is unreachable
Attempt to access Yahoo.com returned error: Yahoo.com is unreachable
IE proxy is enabled.
ProxyServer: njproxy:80

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:
============================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=DWORD:1

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****


  • 0
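For anyone re-checking a machine after a Farbar Service Scanner log like the one above, here is an added PowerShell check (not from this thread and not part of Farbar's tool) that reads the same registry keys, values and services FSS reported and flags each one that is still in the tampered state. The "good" values are the defaults FSS itself stated; the IE proxy key path is the standard Internet Settings location, which is assumed here because the logs abbreviate it.

```powershell
# Added example: re-check the settings the FSS log above reported as tampered.
# Registry paths, value names and the bad values come from the log; the IE
# Internet Settings path is the standard one (assumed, not printed by FSS).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# IE proxy hijack: ProxyEnable=1 with a proxy you did not set (log: njproxy:80)
$ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ((Get-RegValue $ie 'ProxyEnable') -eq 1) {
    $findings += "IE proxy enabled: ProxyServer=$(Get-RegValue $ie 'ProxyServer')"
}

# Policy values FSS listed, paired with the value that indicates tampering
$badValues = @(
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name='EnableFirewall'; Bad=0 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name='EnableFirewall'; Bad=0 },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name='NoAutoUpdate'; Bad=1 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows Defender'; Name='DisableAntiSpyware'; Bad=1 }
)
foreach ($b in $badValues) {
    $v = Get-RegValue $b.Path $b.Name
    if ($v -eq $b.Bad) { $findings += "$($b.Path)\$($b.Name) = $v" }
}

# Services FSS flagged: both default to an Auto start type per the log
foreach ($svc in 'wuauserv', 'WinDefend') {
    $s = Get-WmiObject Win32_Service -Filter "Name='$svc'"
    if ($null -ne $s -and $s.StartMode -ne 'Auto') {
        $findings += "$svc StartMode=$($s.StartMode), State=$($s.State)"
    }
}

if ($findings.Count -eq 0) { 'No FSS-reported tampering found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated PowerShell prompt; a clean machine prints the single "No FSS-reported tampering found." line, and each remaining FINDING line maps directly to a section of the FSS log.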

#14
t5403cg

t5403cg

    Member

  • Topic Starter
  • Member
  • 37 posts

BTW, using RogueKiller...I did NOT delete or fix anything....awaiting your instructions....


  • 0

#15
t5403cg

t5403cg

    Member

  • Topic Starter
  • Member
  • 37 posts

Is there more to do...?


  • 0
