Browser hijacked

View previous topic View next topic Go down

Browser hijacked

Post by nighthawk80 on 15th January 2011, 4:28 am

Hello,
Recently found out that my browser (Firefox) has been hijacked. I have had pop-up saying that win31/nuqel.E and Alureon.H was trying to infect my computer. I have also noticed my computer being really slow. Any halp will be greatly appreciated!

Here is my OTL logs:
OTL logfile created on: 1/14/2011 10:56:43 PM - Run 1
OTL by OldTimer - Version 3.2.20.2 Folder = C:\Documents and Settings\Nicholas\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 207.00 Mb Available Physical Memory | 20.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): E:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48.83 Gb Total Space | 29.81 Gb Free Space | 61.06% Space Free | Partition Type: NTFS
Drive D: | 230.62 Gb Total Space | 209.83 Gb Free Space | 90.98% Space Free | Partition Type: NTFS
Drive E: | 37.31 Gb Total Space | 16.07 Gb Free Space | 43.09% Space Free | Partition Type: NTFS
Drive F: | 7.38 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: NIC-9NDA3I | User Name: Nicholas | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/14 22:54:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicholas\Desktop\OTL.com
PRC - [2011/01/14 21:10:11 | 012,368,840 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Nicholas\Desktop\windows-kb890830-v3.15.exe
PRC - [2011/01/04 17:20:12 | 000,082,376 | ---- | M] (Microsoft Corporation) -- d:\00d5b524c73e5203aa\mrtstub.exe
PRC - [2010/12/11 05:23:26 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/24 08:17:58 | 002,069,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/11/24 08:17:17 | 000,725,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/09/23 07:14:30 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/07/21 07:14:31 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/07/16 07:33:44 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/07/16 07:33:42 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/07/16 07:33:12 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/06/30 19:58:41 | 001,352,832 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/06/16 19:58:40 | 000,864,112 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/03/25 18:42:36 | 000,388,096 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
PRC - [2009/01/07 16:20:18 | 000,121,376 | ---- | M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
PRC - [2008/08/04 19:09:40 | 000,091,432 | ---- | M] (cyberlink) -- C:\Program Files\Cyberlink\Shared Files\brs.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/04/27 14:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe


========== Modules (SafeList) ==========

MOD - [2011/01/14 22:54:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicholas\Desktop\OTL.com
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/14 05:42:02 | 001,384,479 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvbvm60.dll
MOD - [2008/04/14 05:41:54 | 000,158,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dinput.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/07/21 07:14:31 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/16 07:33:42 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/06/30 19:58:41 | 001,352,832 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/01/07 16:20:18 | 000,121,376 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe -- (UpdateCenterService)
SRV - [2009/01/06 15:52:02 | 000,174,624 | ---- | M] (NVIDIA) [On_Demand | Stopped] -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)
SRV - [2007/08/09 02:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/04/27 14:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)


========== Driver Services (SafeList) ==========

DRV - [2011/01/14 22:12:33 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\MpEngineStore\MpKsld46e4eaa.sys -- (MpKsld46e4eaa)
DRV - [2011/01/14 20:59:29 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\MpEngineStore\MpKsl32f06096.sys -- (MpKsl32f06096)
DRV - [2010/07/16 07:33:45 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/16 07:33:14 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/05 19:58:47 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/06/03 07:01:22 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/04/05 19:56:03 | 000,033,824 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\oreans32.sys -- (oreans32)
DRV - [2009/01/07 16:20:16 | 000,036,896 | ---- | M] (NVIDIA Corp.) [Kernel | Auto | Running] -- C:\WINDOWS\nvflash.sys -- (NVR0FLASHDev)
DRV - [2008/12/26 00:08:00 | 006,301,344 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/08/04 19:09:16 | 000,061,424 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\Cyberlink\PowerDVD\000.fcl -- ({95808DC4-FA4A-4C74-92FE-5B863F82066B})
DRV - [2008/08/01 11:36:00 | 000,054,784 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/08/01 11:36:00 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/04/14 00:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/05/15 00:00:00 | 000,105,472 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2006/09/24 08:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/08/31 14:29:34 | 000,416,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA(R) nForce(TM)
DRV - [2006/08/31 14:26:04 | 000,053,376 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA(R) nForce(TM)
DRV - [2004/11/04 03:38:22 | 000,021,760 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2002/07/24 13:52:26 | 000,998,004 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2002/07/19 10:48:32 | 000,156,604 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2002/07/19 10:48:22 | 000,213,860 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2002/07/19 10:48:08 | 000,011,068 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2002/07/19 10:48:04 | 000,195,432 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2002/07/19 10:47:52 | 000,837,548 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2002/07/19 10:46:28 | 000,127,948 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2001/08/17 12:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 12:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 12:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 12:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8075

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&scc=1<mpl=default<mplcache=2"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.872
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/11/24 08:19:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/11 22:45:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/11 22:46:09 | 000,000,000 | ---D | M]

[2009/01/31 14:13:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Nicholas\Application Data\Mozilla\Extensions
[2010/12/30 16:00:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\6k9ojqm3.default\extensions
[2009/01/31 14:21:15 | 000,000,000 | ---D | M] (Full Screen) -- C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\6k9ojqm3.default\extensions\{06CC82D4-29FB-4082-81AA-A445F8A13F0A}
[2009/01/31 14:21:15 | 000,000,000 | ---D | M] (Image Zoom) -- C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\6k9ojqm3.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
[2009/04/15 07:38:18 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\6k9ojqm3.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2009/01/31 14:21:17 | 000,000,000 | ---D | M] (FoxyTunes) -- C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\6k9ojqm3.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
[2009/02/12 19:41:34 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\6k9ojqm3.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/01/31 14:21:15 | 000,000,000 | ---D | M] (Flash Killer) -- C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\6k9ojqm3.default\extensions\flashkiller@joli.clic
[2011/01/14 21:52:25 | 000,001,820 | ---- | M] () -- C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\6k9ojqm3.default\searchplugins\bing.xml
[2010/12/30 16:00:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/30 14:43:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2009/10/03 14:18:33 | 000,000,000 | ---D | M] (Move Media Player) -- C:\DOCUMENTS AND SETTINGS\NICHOLAS\APPLICATION DATA\MOVE NETWORKS
[2010/11/24 08:19:19 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG9\FIREFOX
[2009/01/31 14:18:29 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2008/06/18 01:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/02/03 20:12:43 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2002/08/29 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe (cyberlink)
O4 - HKLM..\Run: [Jet Detection] C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKCU..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKCU..\Run: [vnwklcqb] C:\Documents and Settings\Nicholas\Local Settings\Temp\uljbqyxjg\nxvrwevusbs.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup\Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (Xfire Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_23)
O16 - DPF: DirectAnimation Java Classes [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Nicholas\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Nicholas\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/25 21:23:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: LanguageShortcut - hkey= - key= - C:\Program Files\Cyberlink\PowerDVD\Language\Language.exe ()
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: RemoteControl - hkey= - key= - C:\Program Files\Cyberlink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
MsConfig - StartUpReg: UpdReg - hkey= - key= - C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
MsConfig - StartUpReg: WINDVDPatch - hkey= - key= - File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: UploadMgr - Service
SafeBootNet: vga.sys - Driver
SafeBootNet: {1a3e09be-1e45-494b-9174-d7385b45bbf5} -
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608555} - Internet Explorer Classes for Java
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.LEAD - LCODCCMP.DLL File not found
Drivers32: VIDC.XFR1 - C:\WINDOWS\System32\xfcodec.dll ()
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (77419229346791424)

========== Files/Folders - Created Within 30 Days ==========

[2011/01/14 22:54:52 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Nicholas\Desktop\OTL.com
[2011/01/14 22:37:21 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/01/14 22:37:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicholas\Start Menu\Programs\HiJackThis
[2011/01/14 22:08:16 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2011/01/14 22:01:05 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ijfhuyxl.sys
[2011/01/14 21:50:37 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Nicholas\Desktop\spybotsd162.exe
[2011/01/14 21:45:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicholas\Desktop\Downloads
[2011/01/14 21:45:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicholas\Application Data\GetRightToGo
[2011/01/14 21:10:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/01/14 21:10:03 | 012,368,840 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Nicholas\Desktop\windows-kb890830-v3.15.exe
[2011/01/14 21:06:06 | 038,357,400 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Nicholas\Desktop\spdoc.exe
[2011/01/14 20:59:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2011/01/11 22:48:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/01/11 22:47:46 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/01/11 22:47:43 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/01/11 22:46:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2011/01/06 21:11:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicholas\Local Settings\Application Data\CyberLink
[2010/12/30 22:32:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicholas\Desktop\gun photo
[2010/12/30 14:44:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/12/30 14:44:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/12/30 14:43:57 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/12/30 14:43:57 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/12/30 14:43:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/12/30 14:43:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/12/30 14:42:58 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2010/12/30 14:42:58 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2010/12/30 14:42:51 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2010/12/30 14:42:34 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2010/12/30 14:41:17 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2010/12/27 21:28:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicholas\Local Settings\Application Data\CutePDF Writer
[2010/12/27 14:00:28 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusb.dll
[2010/12/27 14:00:27 | 000,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusd.dll
[2010/12/27 14:00:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2009/01/31 14:39:55 | 000,561,152 | ---- | C] (Joshua F. Madison) -- C:\Program Files\Convert.exe
[2009/01/31 14:26:53 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Nicholas\Application Data\pcouffin.sys
[2009/01/31 02:56:00 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/14 22:54:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicholas\Desktop\OTL.com
[2011/01/14 22:37:32 | 000,002,453 | ---- | M] () -- C:\Documents and Settings\Nicholas\Desktop\HiJackThis.lnk
[2011/01/14 22:36:40 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Nicholas\Desktop\HiJackThis.msi
[2011/01/14 22:36:02 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/01/14 22:31:01 | 000,000,990 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-796845957-725345543-1004UA.job
[2011/01/14 22:09:39 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/01/14 22:07:53 | 000,208,126 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/01/14 22:07:09 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/01/14 22:06:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/14 22:06:01 | 000,024,672 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000008-00001102-00000002-80401102}.rfx
[2011/01/14 22:06:01 | 000,024,672 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000008-00001102-00000002-80401102}.rfx
[2011/01/14 22:06:01 | 000,016,420 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000008-00001102-00000002-80401102}.rfx
[2011/01/14 22:06:01 | 000,016,420 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000008-00001102-00000002-80401102}.rfx
[2011/01/14 22:06:01 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2011/01/14 22:06:01 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2011/01/14 22:06:01 | 000,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000008-00001102-00000002-80401102}.dat
[2011/01/14 22:06:01 | 000,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000008-00001102-00000002-80401102}.dat
[2011/01/14 22:01:05 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ijfhuyxl.sys
[2011/01/14 21:53:41 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/01/14 21:50:40 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Nicholas\Desktop\spybotsd162.exe
[2011/01/14 21:11:38 | 000,713,222 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011/01/14 21:10:11 | 012,368,840 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Nicholas\Desktop\windows-kb890830-v3.15.exe
[2011/01/14 21:06:57 | 038,357,400 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Nicholas\Desktop\spdoc.exe
[2011/01/14 20:47:55 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/14 20:42:19 | 000,000,174 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2011/01/14 20:41:58 | 000,441,558 | ---- | M] () -- C:\Program Files\Everything.db
[2011/01/14 20:41:57 | 000,004,114 | ---- | M] () -- C:\Program Files\Everything.ini
[2011/01/14 09:06:55 | 070,143,306 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2011/01/14 02:31:01 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-796845957-725345543-1004Core.job
[2011/01/11 22:48:21 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/12/30 16:12:38 | 000,062,033 | ---- | M] () -- C:\Documents and Settings\Nicholas\Desktop\DSC_0177-1.jpg
[2010/12/30 15:06:57 | 000,258,248 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/30 14:49:04 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/29 10:45:17 | 000,130,369 | ---- | M] () -- D:\Documents and Settings\Nicholas\My Documents\ipod touch gen4 cover mandy.pdf
[2010/12/28 19:29:32 | 000,001,735 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2010/12/28 18:58:59 | 000,113,616 | ---- | M] () -- D:\Documents and Settings\Nicholas\My Documents\ipod gen3 case paypal.pdf
[2010/12/27 21:29:36 | 000,102,015 | ---- | M] () -- D:\Documents and Settings\Nicholas\My Documents\Smoky Mountain Knife Works Printable Mail Order Form.pdf
[2010/12/27 21:28:28 | 000,117,811 | ---- | M] () -- D:\Documents and Settings\Nicholas\My Documents\smkw order.pdf
[2010/12/20 18:41:34 | 000,006,148 | -H-- | M] () -- C:\Documents and Settings\All Users\Documents\.DS_Store
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/14 22:37:21 | 000,002,453 | ---- | C] () -- C:\Documents and Settings\Nicholas\Desktop\HiJackThis.lnk
[2011/01/14 22:36:49 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Nicholas\Desktop\HiJackThis.msi
[2011/01/14 21:11:23 | 000,713,222 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011/01/14 20:42:19 | 000,000,174 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/01/14 20:41:58 | 000,441,558 | ---- | C] () -- C:\Program Files\Everything.db
[2011/01/14 20:41:57 | 000,004,114 | ---- | C] () -- C:\Program Files\Everything.ini
[2011/01/11 22:48:21 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/12/30 16:12:36 | 000,062,033 | ---- | C] () -- C:\Documents and Settings\Nicholas\Desktop\DSC_0177-1.jpg
[2010/12/29 10:45:16 | 000,130,369 | ---- | C] () -- D:\Documents and Settings\Nicholas\My Documents\ipod touch gen4 cover mandy.pdf
[2010/12/28 18:58:59 | 000,113,616 | ---- | C] () -- D:\Documents and Settings\Nicholas\My Documents\ipod gen3 case paypal.pdf
[2010/12/27 21:29:35 | 000,102,015 | ---- | C] () -- D:\Documents and Settings\Nicholas\My Documents\Smoky Mountain Knife Works Printable Mail Order Form.pdf
[2010/12/27 21:28:25 | 000,117,811 | ---- | C] () -- D:\Documents and Settings\Nicholas\My Documents\smkw order.pdf
[2010/12/20 18:41:29 | 000,006,148 | -H-- | C] () -- C:\Documents and Settings\All Users\Documents\.DS_Store
[2010/05/27 19:09:00 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/04/05 19:56:03 | 000,033,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\oreans32.sys
[2010/03/29 20:39:22 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/29 20:38:42 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Nicholas\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/10 22:33:49 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Nicholas\Local Settings\Application Data\fusioncache.dat
[2009/03/10 21:59:45 | 000,000,920 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/02/03 18:59:26 | 000,138,936 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009/01/31 14:39:56 | 000,525,312 | ---- | C] () -- C:\Program Files\Everything Search Engine.exe
[2009/01/31 14:39:55 | 000,000,616 | ---- | C] () -- C:\Program Files\Convert.txt
[2009/01/31 14:39:54 | 000,135,168 | ---- | C] () -- C:\Program Files\ARDC Data Recovery Tools 1.1.exe
[2009/01/31 14:26:56 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Nicholas\Application Data\pcouffin.log
[2009/01/31 14:26:53 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Nicholas\Application Data\inst.exe
[2009/01/31 14:26:53 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Nicholas\Application Data\pcouffin.cat
[2009/01/31 14:26:53 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Nicholas\Application Data\pcouffin.inf
[2009/01/31 14:08:40 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/31 02:56:18 | 000,000,128 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2009/01/31 02:56:17 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2009/01/31 02:56:03 | 000,037,727 | ---- | C] () -- C:\WINDOWS\System32\Emu10kx.ini
[2009/01/31 02:56:03 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/01/31 02:56:00 | 000,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2009/01/31 02:08:14 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/01/25 21:42:28 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/01/25 16:17:20 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/12/26 00:08:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/12/26 00:08:00 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/12/26 00:08:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/12/26 00:08:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/11/06 11:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 11:33:02 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Custom Scans ==========


< %systemroot%\Fonts\*.com >

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/01/25 21:23:39 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2008/06/19 10:37:00 | 000,135,168 | ---- | M] () -- C:\Program Files\ARDC Data Recovery Tools 1.1.exe
[1999/10/30 22:54:00 | 000,561,152 | ---- | M] (Joshua F. Madison) -- C:\Program Files\Convert.exe
[1999/10/29 20:55:00 | 000,000,616 | ---- | M] () -- C:\Program Files\Convert.txt
[2008/11/13 16:35:00 | 000,525,312 | ---- | M] () -- C:\Program Files\Everything Search Engine.exe
[2011/01/14 20:41:58 | 000,441,558 | ---- | M] () -- C:\Program Files\Everything.db
[2011/01/14 20:41:57 | 000,004,114 | ---- | M] () -- C:\Program Files\Everything.ini

< %APPDATA%\Update\*.* >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2009/01/25 21:51:51 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2009/01/25 21:55:52 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\Nicholas\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2009/01/25 21:26:39 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Nicholas\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2009/09/08 15:36:24 | 028,868,320 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Nicholas\Desktop\FileFormatConverters.exe
[2010/08/28 17:20:31 | 000,567,640 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Nicholas\Desktop\GoogleVoiceAndVideoSetup.exe
[2010/11/28 18:51:33 | 006,537,048 | ---- | M] () -- C:\Documents and Settings\Nicholas\Desktop\SetupAnyDVD_50081.exe
[2011/01/14 21:06:57 | 038,357,400 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Nicholas\Desktop\spdoc.exe
[2011/01/14 21:50:40 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Nicholas\Desktop\spybotsd162.exe
[2011/01/14 21:10:11 | 012,368,840 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Nicholas\Desktop\windows-kb890830-v3.15.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\*.exe >
[2010/12/11 05:23:26 | 000,107,480 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\crashreporter.exe
[2010/12/11 05:23:26 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2010/12/11 05:23:27 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
[2010/12/11 05:23:27 | 000,245,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\updater.exe

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2009/01/25 21:55:52 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Nicholas\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/14 05:42:02 | 001,384,479 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/01/25 16:15:47 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/01/25 16:15:47 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/01/25 16:15:47 | 000,401,408 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2002/08/29 07:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2002/08/29 07:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[1996/04/03 14:33:26 | 000,005,248 | ---- | M] () -- C:\WINDOWS\system32\giveio.sys
[2002/08/29 07:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2002/08/29 07:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2002/08/29 07:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2004/03/23 21:12:34 | 000,017,280 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\system32\nsndis5.sys
[2002/08/29 07:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2002/08/29 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2002/08/29 07:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2002/08/29 07:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2002/08/29 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2008/04/13 22:19:40 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2008/04/13 22:19:44 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2008/04/13 22:19:40 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2008/04/13 22:19:44 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2008/04/13 22:19:42 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[1999/12/17 01:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\PFMODNT.SYS
[2006/09/24 08:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\system32\speedfan.sys
[2008/04/14 00:15:00 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2010/10/26 08:25:00 | 001,853,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]



nighthawk80
Novice
Novice

Posts Posts : 9
Joined Joined : 2011-01-15
OS OS : XP
Points Points : 21661
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Browser hijacked

Post by nighthawk80 on 15th January 2011, 4:28 am

< %systemroot%\system32\drivers\*.dll >
[2008/04/14 05:41:50 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/14 05:41:50 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/14 05:41:50 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/14 05:41:50 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/14 05:41:50 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/14 05:41:50 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/14 05:41:50 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/04/14 05:41:52 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/14 05:41:52 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/14 05:41:52 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/14 05:41:52 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/14 05:41:52 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/14 05:41:52 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/14 05:42:06 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/14 05:42:10 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll

< %SYSTEMDRIVE%\*.* >
[2011/01/14 22:06:49 | 000,009,088 | ---- | M] () -- C:\aaw7boot.log
[2009/01/25 21:23:51 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/02/01 15:47:28 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2009/01/25 21:23:51 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/01/25 21:23:51 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/01/25 21:23:51 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/07/08 21:14:15 | 000,001,000 | ---- | M] () -- C:\net_save.dna
[2009/01/25 21:49:28 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/01/25 21:49:28 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2009/03/10 22:38:00 | 000,000,428 | ---- | M] () -- C:\updatedatfix.log

< %PROGRAMFILES%\*. >
[2009/01/31 02:08:11 | 000,000,000 | ---D | M] -- C:\Program Files\Acro Software
[2009/01/26 00:33:58 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009/01/31 02:53:52 | 000,000,000 | ---D | M] -- C:\Program Files\Ahead
[2009/01/31 18:37:15 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/02/24 20:31:39 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2010/02/24 20:10:31 | 000,000,000 | ---D | M] -- C:\Program Files\AVG8
[2010/09/29 19:17:40 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2009/02/01 20:18:50 | 000,000,000 | ---D | M] -- C:\Program Files\CDex
[2011/01/14 22:06:50 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2009/01/25 21:21:42 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2009/03/08 10:17:42 | 000,000,000 | ---D | M] -- C:\Program Files\Coupons
[2009/01/25 22:46:25 | 000,000,000 | ---D | M] -- C:\Program Files\CPU-z
[2009/01/31 02:55:52 | 000,000,000 | ---D | M] -- C:\Program Files\Creative
[2009/01/31 02:05:47 | 000,000,000 | ---D | M] -- C:\Program Files\Cyberlink
[2009/01/31 18:32:39 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2009/01/31 14:26:50 | 000,000,000 | ---D | M] -- C:\Program Files\DVDFab 5
[2010/11/28 19:41:19 | 000,000,000 | ---D | M] -- C:\Program Files\DVDFab 8
[2009/01/25 22:29:52 | 000,000,000 | ---D | M] -- C:\Program Files\ExamDiff
[2010/10/02 21:27:12 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2009/01/31 02:07:47 | 000,000,000 | ---D | M] -- C:\Program Files\GPLGS
[2009/03/10 22:37:55 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2009/03/10 22:37:59 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2009/02/01 15:36:43 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/12/30 14:47:54 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2011/01/11 22:47:46 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2011/01/11 22:48:16 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2010/12/30 14:43:53 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/02/24 20:07:41 | 000,000,000 | ---D | M] -- C:\Program Files\Lavasoft
[2011/01/14 22:06:49 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/01/25 22:37:04 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/01/31 14:07:43 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2009/01/25 21:23:54 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2009/09/08 15:36:44 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2009/01/31 14:07:05 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2010/08/12 17:31:42 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/12/11 05:23:39 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009/09/08 15:36:37 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2009/01/25 21:21:31 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2009/01/25 21:21:22 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/04/20 13:57:16 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/01/25 21:50:29 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2009/03/08 11:10:10 | 000,000,000 | ---D | M] -- C:\Program Files\Network Print Monitor
[2010/10/07 20:46:45 | 000,000,000 | ---D | M] -- C:\Program Files\Network Stumbler
[2009/02/01 15:36:43 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA Corporation
[2009/01/25 21:21:31 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/12/30 14:44:39 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/02/03 20:12:37 | 000,000,000 | ---D | M] -- C:\Program Files\Pando Networks
[2009/01/31 15:20:38 | 000,000,000 | ---D | M] -- C:\Program Files\Prime95
[2011/01/11 22:46:02 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/01/25 23:11:12 | 000,000,000 | ---D | M] -- C:\Program Files\Realtime HDR Lighting Demo
[2009/02/02 06:47:32 | 000,000,000 | ---D | M] -- C:\Program Files\SpeedFan
[2010/07/08 21:21:57 | 000,000,000 | ---D | M] -- C:\Program Files\support.com
[2011/01/14 22:37:21 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2009/01/25 21:26:32 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2009/02/01 22:47:55 | 000,000,000 | ---D | M] -- C:\Program Files\UPHClean
[2010/10/06 20:23:36 | 000,000,000 | ---D | M] -- C:\Program Files\USAPhotoMaps
[2009/01/25 23:15:41 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Components
[2009/01/25 23:16:59 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2009/01/25 23:16:58 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/01/25 21:50:27 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2009/01/25 21:21:31 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/01/31 14:41:56 | 000,000,000 | ---D | M] -- C:\Program Files\WinZip
[2009/01/25 21:23:54 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/07/13 20:52:10 | 000,000,000 | ---D | M] -- C:\Program Files\Xfire

< %appdata%\*.* >
[2009/01/25 16:16:57 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Nicholas\Application Data\desktop.ini
[2009/01/31 14:26:53 | 000,087,608 | ---- | M] () -- C:\Documents and Settings\Nicholas\Application Data\inst.exe
[2009/01/31 14:26:53 | 000,007,887 | ---- | M] () -- C:\Documents and Settings\Nicholas\Application Data\pcouffin.cat
[2009/01/31 14:26:53 | 000,001,144 | ---- | M] () -- C:\Documents and Settings\Nicholas\Application Data\pcouffin.inf
[2009/01/31 14:26:56 | 000,000,034 | ---- | M] () -- C:\Documents and Settings\Nicholas\Application Data\pcouffin.log
[2009/01/31 14:26:53 | 000,047,360 | ---- | M] (VSO Software) -- C:\Documents and Settings\Nicholas\Application Data\pcouffin.sys


< MD5 for: AGP440.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2002/08/29 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:disk.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2008/04/14 00:10:48 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/14 00:10:48 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2007/05/15 00:00:00 | 000,105,472 | ---- | M] (NVIDIA Corporation) MD5=6B37162E91A7005BAA753CB611ACEA2D -- C:\WINDOWS\system32\drivers\nvatabus.sys

< MD5 for: SCECLI.DLL >
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2002/08/29 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:usbstor.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2008/04/14 00:15:40 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/14 00:15:40 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-01-15 01:42:23

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

nighthawk80
Novice
Novice

Posts Posts : 9
Joined Joined : 2011-01-15
OS OS : XP
Points Points : 21661
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Browser hijacked

Post by nighthawk80 on 15th January 2011, 4:29 am

OTL Extras logfile created on: 1/14/2011 10:56:43 PM - Run 1
OTL by OldTimer - Version 3.2.20.2 Folder = C:\Documents and Settings\Nicholas\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 207.00 Mb Available Physical Memory | 20.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): E:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48.83 Gb Total Space | 29.81 Gb Free Space | 61.06% Space Free | Partition Type: NTFS
Drive D: | 230.62 Gb Total Space | 209.83 Gb Free Space | 90.98% Space Free | Partition Type: NTFS
Drive E: | 37.31 Gb Total Space | 16.07 Gb Free Space | 43.09% Space Free | Partition Type: NTFS
Drive F: | 7.38 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: NIC-9NDA3I | User Name: Nicholas | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"57463:TCP" = 57463:TCP:*:Enabled:Pando Media Booster
"57463:UDP" = 57463:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Nexon\Combat Arms\CombatArms.exe" = C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe -- (Nexon)
"C:\Nexon\Combat Arms\Engine.exe" = C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe -- (Nexon)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\Program Files\EA GAMES\Battlefield 1942\BF1942.exe" = E:\Program Files\EA GAMES\Battlefield 1942\BF1942.exe:*:Enabled:BF1942 -- ()
"E:\Program Files\EA GAMES\Battlefield Vietnam\BfVietnam.exe" = E:\Program Files\EA GAMES\Battlefield Vietnam\BfVietnam.exe:*:Enabled:BfVietnam -- ()
"E:\Program Files\EA GAMES\Battlefield 2\BF2.exe" = E:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:BF2 -- ()
"C:\Program Files\Xfire\Xfire.exe" = C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire -- (Xfire Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)
"C:\Nexon\Combat Arms\NMService.exe" = C:\Nexon\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core -- (Nexon Corp.)
"C:\Nexon\Combat Arms\CombatArms.exe" = C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe -- (Nexon)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Nexon\Combat Arms\Engine.exe" = C:\Nexon\Combat Arms\Engine.exe:*:Enabled:Combat Arms -- (Nexon)
"C:\Documents and Settings\Nicholas\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Nicholas\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{171E6C1E-B5FC-11DF-B115-005056C00008}" = Google Earth Plug-in
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 23
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{37C5A56A-00EA-347B-B7A1-5628BED56702}" = Google Talk Plugin
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}" = Sound Blaster Live! Web 2K/XP
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = CyberLink PowerDVD
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F69C969-2942-4E7B-B594-75B37664B8BA}" = NVIDIA System Update
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E9CFBE78-ED91-4FCF-9E6F-210E477E527D}" = NVIDIA System Monitor
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG9Uninstall" = AVG Free 9.0
"Combat Arms" = Combat Arms
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"CutePDF Writer Installation" = CutePDF Writer 2.7
"DECCHECK" = Microsoft Windows XP Video Decoder Checkup Utility
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5_is1" = DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.3.2
"DVDFab 8_is1" = DVDFab 8.0.5.0 (18/11/2010)
"FoxyTunesForFirefox" = FoxyTunes for Firefox
"HP Photo & Imaging" = HP Image Zone 4.7
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{6F69C969-2942-4E7B-B594-75B37664B8BA}" = NVIDIA System Update
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"InstallShield_{E9CFBE78-ED91-4FCF-9E6F-210E477E527D}" = NVIDIA System Monitor
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Network Print Monitor" = Network Print Monitor for Windows 2000/XP/2003
"Network Stumbler" = Network Stumbler 0.4.0 (remove only)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"SpeedFan" = SpeedFan (remove only)
"USAPhotoMaps" = USAPhotoMaps (remove only)
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"WZCLINE" = WinZip Command Line Support Add-On 2.0
"Xfire" = Xfire (remove only)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/7/2011 9:02:39 PM | Computer Name = NIC-9NDA3I | Source = Bonjour Service | ID = 100
Description = 412: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/8/2011 11:38:37 PM | Computer Name = NIC-9NDA3I | Source = Bonjour Service | ID = 100
Description = 400: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/11/2011 11:44:58 PM | Computer Name = NIC-9NDA3I | Source = Bonjour Service | ID = 100
Description = 240: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/11/2011 11:44:58 PM | Computer Name = NIC-9NDA3I | Source = Bonjour Service | ID = 100
Description = 244: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/11/2011 11:44:58 PM | Computer Name = NIC-9NDA3I | Source = Bonjour Service | ID = 100
Description = 416: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/11/2011 11:44:58 PM | Computer Name = NIC-9NDA3I | Source = Bonjour Service | ID = 100
Description = 392: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/11/2011 11:44:58 PM | Computer Name = NIC-9NDA3I | Source = Bonjour Service | ID = 100
Description = 216: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/11/2011 11:44:58 PM | Computer Name = NIC-9NDA3I | Source = Bonjour Service | ID = 100
Description = 408: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/14/2011 11:08:13 PM | Computer Name = NIC-9NDA3I | Source = Application Error | ID = 1000
Description = Faulting application nxvrwevusbs.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x80544c7d.

Error - 1/14/2011 11:08:27 PM | Computer Name = NIC-9NDA3I | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.6024, faulting
module unknown, version 0.0.0.0, fault address 0x001a63cb.

[ System Events ]
Error - 1/14/2011 9:48:24 PM | Computer Name = NIC-9NDA3I | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/14/2011 9:48:24 PM | Computer Name = NIC-9NDA3I | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/14/2011 10:56:58 PM | Computer Name = NIC-9NDA3I | Source = Service Control Manager | ID = 7034
Description = The PC Tools Security Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 1/14/2011 10:57:06 PM | Computer Name = NIC-9NDA3I | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 1/14/2011 11:07:25 PM | Computer Name = NIC-9NDA3I | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/14/2011 11:07:25 PM | Computer Name = NIC-9NDA3I | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/14/2011 11:07:25 PM | Computer Name = NIC-9NDA3I | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/14/2011 11:07:25 PM | Computer Name = NIC-9NDA3I | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/14/2011 11:07:25 PM | Computer Name = NIC-9NDA3I | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/14/2011 11:08:45 PM | Computer Name = NIC-9NDA3I | Source = Service Control Manager | ID = 7031
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.


< End of report >

nighthawk80
Novice
Novice

Posts Posts : 9
Joined Joined : 2011-01-15
OS OS : XP
Points Points : 21661
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Browser hijacked

Post by Belahzur on 16th January 2011, 1:44 am

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKCU..\Run: [vnwklcqb] C:\Documents and Settings\Nicholas\Local Settings\Temp\uljbqyxjg\nxvrwevusbs.exe ()

    :commands
    [emptytemp]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Browser hijacked

Post by nighthawk80 on 16th January 2011, 3:18 am

Before I did this, I was able to boot into safe mode and run Malwarebytes a third time. It seemed to stop the attacks I started to get, and the browser hijacking.

Thanks again for your help! It is greatly appreciated!!

Here's the log:

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\vnwklcqb not found.
File C:\Documents and Settings\Nicholas\Local Settings\Temp\uljbqyxjg\nxvrwevusbs.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 3679324 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Isabella
->Temp folder emptied: 58533487 bytes
->Temporary Internet Files folder emptied: 370949 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 116274973 bytes
->Flash cache emptied: 17808 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33664 bytes

User: NetworkService
->Temp folder emptied: 450974 bytes
->Temporary Internet Files folder emptied: 33237 bytes

User: Nicholas
->Temp folder emptied: 1740532280 bytes
->Temporary Internet Files folder emptied: 827737483 bytes
->Java cache emptied: 580249 bytes
->FireFox cache emptied: 72531001 bytes
->Flash cache emptied: 1984665 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1119359 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10016346 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 3348603639 bytes

Total Files Cleaned = 5,896.00 mb


OTL by OldTimer - Version 3.2.20.2 log created on 01152011_220733

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

nighthawk80
Novice
Novice

Posts Posts : 9
Joined Joined : 2011-01-15
OS OS : XP
Points Points : 21661
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Browser hijacked

Post by Belahzur on 17th January 2011, 1:02 am

Hello.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Browser hijacked

Post by nighthawk80 on 17th January 2011, 3:53 am

Thanks again for your help!

Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 5535

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/16/2011 10:50:28 PM
mbam-log-2011-01-16 (22-50-28).txt

Scan type: Quick scan
Objects scanned: 160297
Time elapsed: 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

nighthawk80
Novice
Novice

Posts Posts : 9
Joined Joined : 2011-01-15
OS OS : XP
Points Points : 21661
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Browser hijacked

Post by Belahzur on 18th January 2011, 1:06 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Browser hijacked

Post by nighthawk80 on 19th January 2011, 11:43 pm

Thanks again for your help!

Here's the log:
ComboFix 11-01-19.01 - Nicholas 01/19/2011 18:36:53.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.549 [GMT -5:00]
Running from: c:\documents and settings\Nicholas\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Nicholas\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-19 to 2011-01-19 )))))))))))))))))))))))))))))))
.

2011-01-16 03:07 . 2011-01-16 03:07 -------- d-----w- C:\_OTL
2011-01-16 00:00 . 2011-01-16 00:00 -------- d-----w- c:\documents and settings\Administrator
2011-01-15 12:39 . 2011-01-15 12:39 64512 ----a-w- c:\windows\system32\drivers\SERIAL.SYS
2011-01-15 03:37 . 2011-01-15 03:37 388096 ----a-r- c:\documents and settings\Nicholas\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-15 03:37 . 2011-01-15 03:37 -------- d-----w- c:\program files\Trend Micro
2011-01-15 03:08 . 2011-01-15 03:08 -------- d-----w- C:\spoolerlogs
2011-01-15 03:01 . 2011-01-15 03:01 64512 ----a-w- c:\windows\system32\drivers\ijfhuyxl.sys
2011-01-15 02:45 . 2011-01-15 02:50 -------- d-----w- c:\documents and settings\Nicholas\Application Data\GetRightToGo
2011-01-15 02:10 . 2011-01-15 02:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-01-15 01:59 . 2011-01-15 12:39 -------- d-----w- c:\windows\system32\MpEngineStore
2011-01-12 03:47 . 2011-01-12 03:47 -------- d-----w- c:\program files\iPod
2011-01-12 03:47 . 2011-01-12 03:48 -------- d-----w- c:\program files\iTunes
2011-01-07 02:11 . 2011-01-07 02:11 -------- d-----w- c:\documents and settings\Nicholas\Local Settings\Application Data\CyberLink
2010-12-30 19:44 . 2010-12-30 19:44 -------- d-----w- c:\program files\Common Files\Java
2010-12-30 19:43 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-30 19:43 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-30 19:42 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-30 19:42 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-30 19:42 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-30 19:42 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-30 19:41 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-28 02:28 . 2010-12-29 15:45 -------- d-----w- c:\documents and settings\Nicholas\Local Settings\Application Data\CutePDF Writer
2010-12-27 19:00 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-12-27 19:00 . 2008-04-14 10:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-12-27 19:00 . 2010-12-27 19:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-07-09 21:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-07-09 21:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2009-01-26 02:22 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 21:34 . 2009-01-31 19:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2002-08-29 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:34 . 2002-08-29 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2009-01-26 02:51 78336 ------w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2002-08-29 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2002-08-29 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2009-01-26 02:51 389120 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2002-08-29 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2002-08-29 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2002-08-29 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2008-11-13 21:35 . 2009-01-31 19:39 525312 ----a-w- c:\program files\Everything Search Engine.exe
2008-06-19 15:37 . 2009-01-31 19:39 135168 ----a-w- c:\program files\ARDC Data Recovery Tools 1.1.exe
1999-10-31 03:54 . 2009-01-31 19:39 561152 ----a-w- c:\program files\Convert.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-04 2937528]
"Google Update"="c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-28 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"nwiz"="nwiz.exe" [2008-12-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-08-05 91432]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

c:\documents and settings\Nicholas\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-5-27 3493264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2008-05-14 19:48 62760 ----a-w- c:\program files\Cyberlink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-07-21 22:32 87336 ------w- c:\program files\Cyberlink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
2002-07-02 22:56 24576 ----a-w- c:\windows\system32\CTHELPER.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"e:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe"=
"e:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\Engine.exe"=
"c:\\Documents and Settings\\Nicholas\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57463:TCP"= 57463:TCP:Pando Media Booster
"57463:UDP"= 57463:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/11/2009 8:58 PM 64288]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [4/5/2010 7:56 PM 33824]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1352832]
S1 MpKsl32f06096;MpKsl32f06096;\??\c:\windows\system32\MpEngineStore\MpKsl32f06096.sys --> c:\windows\system32\MpEngineStore\MpKsl32f06096.sys [?]
S1 syforamu;syforamu;\??\c:\windows\system32\drivers\syforamu.sys --> c:\windows\system32\drivers\syforamu.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/2/2010 9:26 PM 136176]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2011-01-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:58]

2011-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 22:21]

2011-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 22:21]

2011-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-796845957-725345543-1004Core.job
- c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-28 22:21]

2011-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-796845957-725345543-1004UA.job
- c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-28 22:21]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:8075
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\6k9ojqm3.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: [You must be registered and logged in to see this link.] - c:\documents and settings\Nicholas\Application Data\Move Networks
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll
AddRemove-WZCLINE - c:\program files\WinZip\winzip32



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-01-19 18:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2011-01-19 18:40:46
ComboFix-quarantined-files.txt 2011-01-19 23:40

Pre-Run: 34,981,482,496 bytes free
Post-Run: 34,977,521,664 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 48E4EC506D3C5C25860055A7CBD4385E

nighthawk80
Novice
Novice

Posts Posts : 9
Joined Joined : 2011-01-15
OS OS : XP
Points Points : 21661
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Browser hijacked

Post by Belahzur on 20th January 2011, 1:49 am

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    File::
    c:\windows\system32\drivers\ijfhuyxl.sys

    Driver::
    syforamu

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:8075
    uInternet Settings,ProxyOverride =
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Browser hijacked

Post by nighthawk80 on 25th January 2011, 2:27 am

Sorry for not getting back sooner.
Here's the results:

ComboFix 11-01-19.01 - Nicholas 01/24/2011 21:18:17.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.535 [GMT -5]
Running from: c:\documents and settings\Nicholas\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Nicholas\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\ijfhuyxl.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ijfhuyxl.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_syforamu


((((((((((((((((((((((((( Files Created from 2010-12-25 to 2011-01-25 )))))))))))))))))))))))))))))))
.

2011-01-19 23:32 . 2011-01-19 23:40 -------- d-----w- C:\Combo-Fix
2011-01-16 03:07 . 2011-01-16 03:07 -------- d-----w- C:\_OTL
2011-01-16 00:00 . 2011-01-16 00:00 -------- d-----w- c:\documents and settings\Administrator
2011-01-15 12:39 . 2011-01-15 12:39 64512 ----a-w- c:\windows\system32\drivers\SERIAL.SYS
2011-01-15 03:37 . 2011-01-15 03:37 388096 ----a-r- c:\documents and settings\Nicholas\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-15 03:37 . 2011-01-15 03:37 -------- d-----w- c:\program files\Trend Micro
2011-01-15 03:08 . 2011-01-15 03:08 -------- d-----w- C:\spoolerlogs
2011-01-15 02:45 . 2011-01-15 02:50 -------- d-----w- c:\documents and settings\Nicholas\Application Data\GetRightToGo
2011-01-15 02:10 . 2011-01-15 02:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-01-15 01:59 . 2011-01-15 12:39 -------- d-----w- c:\windows\system32\MpEngineStore
2011-01-12 03:47 . 2011-01-12 03:47 -------- d-----w- c:\program files\iPod
2011-01-12 03:47 . 2011-01-12 03:48 -------- d-----w- c:\program files\iTunes
2011-01-07 02:11 . 2011-01-07 02:11 -------- d-----w- c:\documents and settings\Nicholas\Local Settings\Application Data\CyberLink
2010-12-30 19:44 . 2010-12-30 19:44 -------- d-----w- c:\program files\Common Files\Java
2010-12-30 19:43 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-30 19:43 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-30 19:42 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-30 19:42 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-30 19:42 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-30 19:42 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-30 19:41 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-28 02:28 . 2010-12-29 15:45 -------- d-----w- c:\documents and settings\Nicholas\Local Settings\Application Data\CutePDF Writer
2010-12-27 19:00 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-12-27 19:00 . 2008-04-14 10:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-12-27 19:00 . 2010-12-27 19:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-07-09 21:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-07-09 21:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2009-01-26 02:22 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 21:34 . 2009-01-31 19:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2002-08-29 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:34 . 2002-08-29 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2009-01-26 02:51 78336 ------w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2002-08-29 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2002-08-29 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2009-01-26 02:51 389120 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2002-08-29 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2002-08-29 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2008-11-13 21:35 . 2009-01-31 19:39 525312 ----a-w- c:\program files\Everything Search Engine.exe
2008-06-19 15:37 . 2009-01-31 19:39 135168 ----a-w- c:\program files\ARDC Data Recovery Tools 1.1.exe
1999-10-31 03:54 . 2009-01-31 19:39 561152 ----a-w- c:\program files\Convert.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-25 02:23 . 2011-01-25 02:23 16384 c:\windows\Temp\Perflib_Perfdata_1e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-04 2937528]
"Google Update"="c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-28 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"nwiz"="nwiz.exe" [2008-12-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-08-05 91432]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

c:\documents and settings\Nicholas\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-5-27 3493264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2008-05-14 19:48 62760 ----a-w- c:\program files\Cyberlink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-07-21 22:32 87336 ------w- c:\program files\Cyberlink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
2002-07-02 22:56 24576 ----a-w- c:\windows\system32\CTHELPER.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"e:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe"=
"e:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\Engine.exe"=
"c:\\Documents and Settings\\Nicholas\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57463:TCP"= 57463:TCP:Pando Media Booster
"57463:UDP"= 57463:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/11/2009 8:58 PM 64288]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [4/5/2010 7:56 PM 33824]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1352832]
S1 MpKsl32f06096;MpKsl32f06096;\??\c:\windows\system32\MpEngineStore\MpKsl32f06096.sys --> c:\windows\system32\MpEngineStore\MpKsl32f06096.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/2/2010 9:26 PM 136176]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2011-01-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:58]

2011-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 22:21]

2011-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 22:21]

2011-01-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-796845957-725345543-1004Core.job
- c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-28 22:21]

2011-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-796845957-725345543-1004UA.job
- c:\documents and settings\Nicholas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-28 22:21]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\6k9ojqm3.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: [You must be registered and logged in to see this link.] - c:\documents and settings\Nicholas\Application Data\Move Networks
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-01-24 21:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\WININET.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-01-24 21:26:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-25 02:26
ComboFix2.txt 2011-01-19 23:40

Pre-Run: 34,837,434,368 bytes free
Post-Run: 34,767,097,856 bytes free

- - End Of File - - F25548EC155C285583135BFFD4E02898

nighthawk80
Novice
Novice

Posts Posts : 9
Joined Joined : 2011-01-15
OS OS : XP
Points Points : 21661
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Browser hijacked

Post by Belahzur on 26th January 2011, 1:10 am

Hello.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Browser hijacked

Post by nighthawk80 on 27th January 2011, 1:17 am

Here's the results:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17093 (vista_gdr.101017-1200)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=c3fced4d3029524d8c273f82e84d9a9c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-01-26 03:25:01
# local_time=2011-01-25 10:25:01 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 28589 28589 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=61318
# found=0
# cleaned=0
# scan_time=3073

nighthawk80
Novice
Novice

Posts Posts : 9
Joined Joined : 2011-01-15
OS OS : XP
Points Points : 21661
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Browser hijacked

Post by Belahzur on 27th January 2011, 10:51 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 8.1.4
    Coupon Printer for Windows

Then download and install [You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum