Google Redirect Virus


Solved Google Redirect Virus

Post by squaljonovic on Sat 20 Oct 2012, 8:51 am

My initial infection occurred Monday night at around 8pm. I was briefly using Internet Explorer to look up a haunted place in my state because I didn't want to use Firefox or Chrome and use additional resources when it tried to force me to download a randomly titled .pdf file even though I hadn't clicked a link. I immediately disconnected from the internet, then checked my task manager and saw two new processes running, both with randomly-generated filenames. I ended the processes, restarted in safe mode, found the files, got rid of them, and thought my job was done. After work the next day (Tuesday), I opened up Firefox and immediately noticed it took more CPU usage than normal to open, and maintained that for a few seconds after starting. Each time I did anything in Firefox, be it opening a new tab or loading a page, the CPU usage would go up to around 60% and the browser would hang when I tried to load any page, with Google searches having the worst of all. I started looking up the symptoms and while doing so got redirected to ad sites a couple times, leading me to believe I have the Google Redirect Virus.

Now! I've already gotten rid of some additional spyware that probably got downloaded while I was looking this baddie up. Something hijacked and locked my hosts file, adding six google ad domains to it, but I've since fixed that. There were other assorted piddly little spyware too, also gone. However, my browsers all continue to hang, with the worst of it being on Google searches, and Google Chrome being affected the worst. Windows Firewall appears to have been removed/disabled as well, as it no longer appears in my Services list at all:/ My AVG and Malwarebytes scans now come up clean, and I ran ComboFix yesterday.

In my research for fixing this thing, most places mentioned using TDSSkiller and FixTDSS, neither of which will run for me. I tried RKill and RogueKiller to help with that, but those didn't allow the other two to work. RogueKiller did, however, say there was an issue with my MBR, so after backing up my data, I used MBRCheck to overwrite it, but running it again after restarting or even immediately after it says it's successfully overwritten the MBR, it still says the MBR is faked. I also tried to use Avast's aswMBR.exe, but like TDSSkiller and FixTDSS, it won't open. I've been keeping myself disconnected from the internet through all of my attempts at fixing this, only connecting again for a second to post this message after copying it out of a Word document. Uhh...I believe that's everything I've tried, and this is the first virus to completely kick my ass like this, so I humbly ask help of the professionals here at GeekPolice! Thanks in advance for any help you might give me:)

Below are my OTL log and the adwcleaner log. I ran OTL with the custom settings in place as directed and didn't change any settings, but it didn't produce an Extras.txt for reasons unknown to me.

OTL logfile created on: 10/19/2012 4:52:05 PM - Run 2
OTL by OldTimer - Version 3.2.70.1 Folder = C:\Users\Squall\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.90 Gb Available Physical Memory | 72.50% Memory free
5.88 Gb Paging File | 4.74 Gb Available in Paging File | 80.74% Paging File free
Paging file location(s): c:\pagefile.sys 2048 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 186.31 Gb Total Space | 10.14 Gb Free Space | 5.44% Space Free | Partition Type: NTFS

Computer Name: DRAKMANERIK | User Name: Squall | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/17 17:45:00 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\Squall\Desktop\OTL.com
PRC - [2012/09/14 22:40:35 | 000,175,968 | ---- | M] (Impulse Point, LLC) -- C:\Program Files (x86)\SafeConnect\scManager.sys
PRC - [2012/07/27 15:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/02/15 11:01:48 | 000,019,968 | ---- | M] (Fork Ltd.) -- C:\Program Files (x86)\Prey\platform\windows\cronsvc.exe
PRC - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () -- C:\Windows\SysWOW64\PSIService.exe
PRC - [2003/01/15 11:46:24 | 000,151,552 | ---- | M] (Dachshund Software) -- C:\Windows\Integrator.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV:64bit: - [2010/10/26 21:51:36 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2012/10/16 18:57:38 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/09/14 22:40:35 | 000,175,968 | ---- | M] (Impulse Point, LLC) [Auto | Running] -- C:\Program Files (x86)\SafeConnect\scManager.sys -- (SCManager)
SRV - [2012/07/27 15:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/05/26 12:04:52 | 000,913,792 | ---- | M] (IObit) [On_Demand | Stopped] -- C:\Program Files (x86)\Advanced SystemCare 5\ASCService.exe -- (AdvancedSystemCareService5)
SRV - [2011/09/18 16:19:43 | 000,411,432 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/02/15 11:01:48 | 000,019,968 | ---- | M] (Fork Ltd.) [Auto | Running] -- C:\Program Files (x86)\Prey\platform\windows\cronsvc.exe -- (CronService)
SRV - [2010/08/19 20:45:07 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [On_Demand | Stopped] -- C:\Program Files (x86)\AVG 8.5\avgwdsvc.exe -- (avg8wd)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/03/29 23:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Stopped] -- C:\Program Files (x86)\Spybot\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/11/04 03:41:00 | 000,437,248 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\XAudio64.dll -- (HsfXAudioService)
SRV - [2007/10/16 20:04:28 | 001,769,240 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files (x86)\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PSIService.exe -- (ProtexisLicensing)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/02/29 08:52:46 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/04/11 03:47:10 | 000,097,040 | ---- | M] (MotioninJoy) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\MijXfilt.sys -- (MotioninJoyXFilter)
DRV:64bit: - [2010/11/17 07:04:18 | 000,111,120 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdLH6.sys -- (AtiHDAudioService)
DRV:64bit: - [2010/10/26 23:00:14 | 008,012,288 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2010/10/26 23:00:14 | 008,012,288 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2010/10/26 21:14:22 | 000,287,232 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2010/08/19 20:45:12 | 000,427,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\avgldx64.sys -- (AvgLdx64)
DRV:64bit: - [2010/08/19 20:15:53 | 000,033,416 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\Drivers\avgmfx64.sys -- (AvgMfx64)
DRV:64bit: - [2010/07/15 08:44:20 | 000,016,776 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\epmntdrv.sys -- (epmntdrv)
DRV:64bit: - [2010/07/15 08:44:20 | 000,009,096 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\EuGdiDrv.sys -- (EuGdiDrv)
DRV:64bit: - [2010/06/23 10:21:34 | 000,318,568 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2010/05/31 13:58:49 | 007,533,568 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\NETw5v64.sys -- (NETw5v64)
DRV:64bit: - [2009/11/08 22:28:08 | 000,091,568 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\scdemu.sys -- (SCDEmu)
DRV:64bit: - [2009/09/30 09:32:44 | 000,120,336 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2009/08/28 10:33:48 | 000,292,400 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\SynTP.sys -- (SynTP)
DRV:64bit: - [2009/04/08 14:28:46 | 000,068,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\xusb21.sys -- (xusb21)
DRV:64bit: - [2009/03/18 17:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\hamachi.sys -- (hamachi)
DRV:64bit: - [2008/12/13 15:47:38 | 000,037,392 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\hotcore3.sys -- (hotcore3)
DRV:64bit: - [2008/11/04 03:40:46 | 000,010,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\XAudio64.sys -- (XAudio)
DRV:64bit: - [2008/10/15 08:57:50 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAX_DPV.sys -- (HSF_DPV)
DRV:64bit: - [2008/10/15 08:53:44 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAXHWAZL.sys -- (CAXHWAZL)
DRV:64bit: - [2008/10/15 08:52:24 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAX_CNXT.sys -- (winachsf)
DRV:64bit: - [2008/01/20 21:47:27 | 000,903,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\xnacc.sys -- (xnacc)
DRV:64bit: - [2008/01/20 21:46:57 | 000,286,720 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\VSTAZL6.SYS -- (HSFHWAZL)
DRV:64bit: - [2008/01/03 20:57:26 | 000,062,464 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RTSTOR64.SYS -- (RTSTOR)
DRV:64bit: - [2007/12/19 16:44:44 | 000,209,424 | ---- | M] (AMD Technologies Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\ahcix64s.sys -- (ahcix64s)
DRV:64bit: - [2007/05/23 17:47:28 | 000,020,784 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV:64bit: - [2006/12/08 19:06:12 | 003,240,960 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\NETw4v64.sys -- (NETw4v64)
DRV:64bit: - [2006/06/19 05:27:24 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\mdmxsdk.sys -- (mdmxsdk)
DRV - [2010/07/15 08:44:20 | 000,014,216 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\epmntdrv.sys -- (epmntdrv)
DRV - [2010/07/15 08:44:20 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\EuGdiDrv.sys -- (EuGdiDrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\zbani: "URL" = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default Download Directory = C:\Users\Squall\Desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{D5F4AB0A-4C39-49FD-98AE-00DEA410BBF6}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\zbani: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Zbani"
FF - prefs.js..browser.search.defaulturl: "home.Zbani.com/en/get/"
FF - prefs.js..browser.search.order.1: "Zbani"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "[You must be registered and logged in to see this link.]
FF - prefs.js..extensions.enabledAddons: [You must be registered and logged in to see this link.]:0.4
FF - prefs.js..extensions.enabledAddons: [You must be registered and logged in to see this link.]:1.2.3
FF - prefs.js..extensions.enabledAddons: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.2
FF - prefs.js..extensions.enabledAddons: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:4.14
FF - prefs.js..extensions.enabledAddons: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.10
FF - prefs.js..extensions.enabledAddons: [You must be registered and logged in to see this link.]:1.50
FF - prefs.js..extensions.enabledAddons: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:1.4
FF - prefs.js..extensions.enabledAddons: {690A38D2-18AA-11E2-8271-B8AC6F996F26}:2.0.14
FF - prefs.js..extensions.enabledAddons: {2f149710-41a6-11e0-9207-0800200c9a66}:2.9.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.6.8
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.2
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.9
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:2.0.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:3.0.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.4
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.2.3
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:4.13
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.9.20
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.12.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}:6.0.33
FF - prefs.js..extensions.enabledItems: {7a94a9a7-be7f-4d51-afe9-06063380ca94}:3.07
FF - prefs.js..keyword.URL: "http://www.google.com/search?btnG=Google+Search&q="
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_287.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1165635.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files (x86)\VLC Player\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.1\extensions\\Components: C:\Program Files (x86)\Firefox\components [2012/10/16 18:57:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.1\extensions\\Plugins: C:\Program Files (x86)\Firefox\plugins [2012/10/16 18:57:34 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Ex\\UnicodeExtensionMap: 0000000E66D36B746E793C3C70CDB7EB426C6498
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{690A38D2-18AA-11E2-8271-B8AC6F996F26}: C:\Users\Squall\AppData\Local\{690A38D2-18AA-11E2-8271-B8AC6F996F26}\ [2012/10/17 18:45:02 | 000,000,000 | ---D | M]

[2011/08/26 02:29:28 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Squall\AppData\Roaming\Mozilla\Extensions
[2011/08/26 02:29:28 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Squall\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
[2012/10/16 19:01:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions
[2011/08/25 17:02:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}-trash
[2012/10/16 19:01:46 | 000,000,000 | ---D | M] (FT PureWhite) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\{2f149710-41a6-11e0-9207-0800200c9a66}
[2011/02/06 13:42:49 | 000,000,000 | ---D | M] (PDF Download) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/08/19 15:08:17 | 000,000,000 | ---D | M] (Modern Modoki) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\{7a94a9a7-be7f-4d51-afe9-06063380ca94}
[2012/09/26 16:57:13 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012/06/23 05:06:10 | 000,000,000 | ---D | M] (Adblock Plus Pop-up Addon) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\adblockpopups@jessehakanen.net
[2011/08/25 17:02:24 | 000,000,000 | ---D | M] (YouTube to MP3) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\youtube2mp3@mondayx.de
[2012/07/21 13:41:51 | 000,827,050 | ---- | M] () (No name found) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\ffe_ff3aeroff4@game-point.net.xpi
[2012/10/03 20:15:36 | 000,081,602 | ---- | M] () (No name found) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\helper@savefrom.net.xpi
[2012/08/01 13:24:01 | 000,375,811 | ---- | M] () (No name found) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi
[2012/07/31 23:48:03 | 000,741,958 | ---- | M] () (No name found) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/10/11 18:55:36 | 000,252,340 | ---- | M] () (No name found) -- C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
[2012/10/17 18:45:02 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\USERS\SQUALL\APPDATA\LOCAL\{690A38D2-18AA-11E2-8271-B8AC6F996F26}

========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Squall\AppData\Local\Google\Chrome\Application\22.0.1229.94\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\22.0.1229.94\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\22.0.1229.94\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files (x86)\Firefox\plugins\np-mswmp.dll
CHR - plugin: Windows Genuine Advantage (Enabled) = C:\Program Files (x86)\Firefox\plugins\npLegitCheckPlugin.dll
CHR - plugin: king.com - Game controller for firefox (Enabled) = C:\Program Files (x86)\Firefox\plugins\npmidas.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files (x86)\Firefox\plugins\NPOFF12.DLL
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\Firefox\plugins\npqtplugin6.dll
CHR - plugin: getPlusPlus for Adobe 16263 (Enabled) = C:\Program Files (x86)\Firefox\plugins\np_gp.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 7 U7 (Enabled) = C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.70.11 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files (x86)\VLC Player\npvlc.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\SysWOW64\Adobe\Director\np32dsw_1165635.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Users\Squall\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\Squall\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Users\Squall\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/10/17 22:32:23 | 000,443,838 | R--- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 15271 more lines...
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - Startup: C:\Users\Squall\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Battery Doubler.lnk = C:\Program Files (x86)\Battery Doubler\Battery Doubler.exe ()
O4 - Startup: C:\Users\Squall\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Manager.lnk = C:\Windows\SysWOW64\taskmgr.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStrCmpLogical = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1696D998-0FAA-4575-8270-4579CE102CF5}: DhcpNameServer = 10.107.128.1 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{40C4C29E-47F9-4DEB-8EFD-F4922F7E6AB0}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{40C4C29E-47F9-4DEB-8EFD-F4922F7E6AB0}: NameServer = 8.8.8.8,8.8.4.4
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Squall\Desktop\leblanc___the_deciever_by_myyyth-d38kc7k.jpg
O24 - Desktop BackupWallPaper: C:\Users\Squall\Desktop\leblanc___the_deciever_by_myyyth-d38kc7k.jpg
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

MsConfig:64bit - StartUpReg: APSDaemon - hkey= - key= - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
MsConfig:64bit - StartUpReg: Google Update - hkey= - key= - File not found
MsConfig:64bit - StartUpReg: NetSetMan - hkey= - key= - C:\Program Files (x86)\NetSetMan\netsetman.exe (Ilja Herlein)
MsConfig:64bit - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files (x86)\QT Lite\QTTask.exe (Apple Inc.)
MsConfig:64bit - StartUpReg: Steam - hkey= - key= - C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
MsConfig:64bit - State: "bootini" - Reg Error: Unable to open variant key

SafeBootMin:64bit: Base - Driver Group
SafeBootMin:64bit: Boot Bus Extender - Driver Group
SafeBootMin:64bit: Boot file system - Driver Group
SafeBootMin:64bit: File system - Driver Group
SafeBootMin:64bit: Filter - Driver Group
SafeBootMin:64bit: HelpSvc - Service
SafeBootMin:64bit: hitmanpro36 - Reg Error: Value error.
SafeBootMin:64bit: hitmanpro36.sys - Reg Error: Value error.
SafeBootMin:64bit: HitmanPro36Crusader - Reg Error: Value error.
SafeBootMin:64bit: HitmanPro36CrusaderBoot - Reg Error: Value error.
SafeBootMin:64bit: PCI Configuration - Driver Group
SafeBootMin:64bit: PNP Filter - Driver Group
SafeBootMin:64bit: Primary disk - Driver Group
SafeBootMin:64bit: sacsvr - Service
SafeBootMin:64bit: SCSI Class - Driver Group
SafeBootMin:64bit: System Bus Extender - Driver Group
SafeBootMin:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: hitmanpro36 - Reg Error: Value error.
SafeBootMin: hitmanpro36.sys - Reg Error: Value error.
SafeBootMin: HitmanPro36Crusader - Reg Error: Value error.
SafeBootMin: HitmanPro36CrusaderBoot - Reg Error: Value error.
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices


Last edited by squaljonovic on Sat 20 Oct 2012, 8:54 am; edited 1 time in total

squaljonovic

Newbie Surfer

Posts : 11
Joined : 2012-10-18
Operating System : Windows Vista 64-bit Home Premium
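A quick way to triage an OTL log like the one above is to parse only the line types that matter and flag the classic hijack indicators: Winsock (O10) catalog entries whose provider DLL is "File not found", a static NameServer (O17) that overrides the DHCP-supplied DNS, Winlogon Shell/UserInit (O20) values that are not the stock Microsoft binaries, a read-only or oversized hosts file, and binaries under C:\Windows with no company name. The script below is an added example for this page, not part of the original post and not OTL's own logic; the regexes, category names and the 64 KB hosts-file threshold are this example's assumptions, and the sample input is constructed from lines in the log above plus two synthetic control lines (a stock Winsock provider entry and a tampered 32-bit Shell value pointing at a made-up C:\ProgramData\example_loader.exe).

```python
"""Triage helper for OTL-style scan logs (added example, not the forum post's or OTL's code)."""
import re
from collections import defaultdict

# Line patterns for the OTL sections handled here (this example's own regexes).
O10_RE = re.compile(
    r"^O10(?::64bit:)? - (?P<key>\S+) - (?P<dll>.+?)(?P<missing> File not found)?$")
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters"
    r"(?:\\Interfaces\\(?P<iface>\{[0-9A-Fa-f-]+\}))?: "
    r"(?P<name>DhcpNameServer|NameServer) = (?P<value>.+)$")
O20_RE = re.compile(
    r"^O20(?::64bit:)? - HKLM Winlogon: (?P<name>Shell|UserInit) - "
    r"\((?P<value>[^)]*)\) - (?P<path>.+?) \((?P<company>[^)]*)\)$")
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| (?P<op>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$")

BINARY_EXT = (".exe", ".dll", ".sys", ".com", ".cpl", ".scr")
HOSTS_SIZE_LIMIT = 64 * 1024   # assumed threshold; a stock Windows hosts file is under 1 KB

# Constructed sample: lines copied from the log above plus two synthetic control lines.
SAMPLE_LOG = r"""
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{40C4C29E-47F9-4DEB-8EFD-F4922F7E6AB0}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{40C4C29E-47F9-4DEB-8EFD-F4922F7E6AB0}: NameServer = 8.8.8.8,8.8.4.4
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe,C:\ProgramData\example_loader.exe) - C:\ProgramData\example_loader.exe ()
[2012/10/17 22:32:23 | 000,443,838 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/10/16 21:03:38 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/10/18 20:55:40 | 000,919,968 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Squall\Desktop\iexplore64.exe
"""


def triage(lines):
    """Return {category: [finding, ...]} for an iterable of OTL log lines."""
    findings = defaultdict(list)
    dhcp_dns = {}    # interface GUID ("" for the global key) -> DHCP-assigned servers
    static_dns = {}  # interface GUID -> statically configured servers
    for raw in lines:
        line = raw.strip()
        m = O10_RE.match(line)
        if m and m["missing"]:
            # A catalog entry pointing at a missing provider DLL breaks name resolution
            # for every socket user; it may be a reset gone wrong or a hijacked LSP.
            findings["winsock_missing_provider"].append(f"{m['key']} -> {m['dll']}")
            continue
        m = O17_RE.match(line)
        if m:
            servers = re.split(r"[ ,]+", m["value"].strip())
            target = dhcp_dns if m["name"] == "DhcpNameServer" else static_dns
            target[m["iface"] or ""] = servers
            continue
        m = O20_RE.match(line)
        if m:
            expected = {"Shell": "explorer.exe",
                        "UserInit": "c:\\windows\\system32\\userinit.exe"}[m["name"]]
            value = m["value"].strip().rstrip(",").lower()
            if value != expected or m["company"] != "Microsoft Corporation":
                findings["winlogon_tampered"].append(
                    f"{m['name']} = {m['value']} ({m['company'] or 'no company'})")
            continue
        m = FILE_RE.match(line)
        if m:
            path, company = m["path"], m["company"]
            size = int(m["size"].replace(",", ""))
            lower = path.lower()
            if lower.endswith("\\drivers\\etc\\hosts"):
                # Read-only flag or blocklist-sized hosts file: either a hijack or a prior fix.
                if "R" in m["attr"] or size > HOSTS_SIZE_LIMIT:
                    findings["hosts_file"].append(f"{path} size={size} attr={m['attr']}")
            elif lower.startswith("c:\\windows\\") and lower.endswith(BINARY_EXT) and not company:
                findings["unattributed_system_binary"].append(path)
            continue
    # A static NameServer that overrides the DHCP-supplied one is how DNS changers persist.
    for iface, servers in static_dns.items():
        dhcp = dhcp_dns.get(iface) or dhcp_dns.get("")
        if dhcp and set(servers) != set(dhcp):
            findings["dns_override"].append(
                f"{iface or 'global'}: static {servers} vs DHCP {dhcp}")
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG.strip().splitlines()).items():
        print(category)
        for item in items:
            print("   ", item)
```

On the sample it reports the two missing Winsock providers, the Google DNS override on the {40C4C29E-...} interface, the synthetic tampered Shell value, the read-only 443,838-byte hosts file and C:\Windows\PEV.exe (a ComboFix helper, which is why a human still has to read the list: the script surfaces candidates, it does not decide). Feed it the full log with `triage(open("OTL.Txt").read().splitlines())`.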

Solved Re: Google Redirect Virus

Post by squaljonovic on Sat 20 Oct 2012, 8:52 am

ActiveX:64bit: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: {11138C04-427B-29E8-424F-2ED0079A2FB8} - Browser Customizations
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {7DCBEDEA-B6BA-BC79-B8A6-2174B368650F} - Browser Customizations
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {F2D84A5E-9C6B-317B-8B1B-4EE99D64379F} - Java (Sun)
ActiveX: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - C:\Program Files (x86)\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
Drivers32: vidc.x264 - C:\Program Files (x86)\x264vfw\x264vfw.dll ()
Drivers32: vidc.XVID - C:\Windows\SysWow64\xvidvfw.dll ()


CREATERESTOREPOINT
System Restore Service not available.

========== Files/Folders - Created Within 30 Days ==========

[2012/10/18 23:10:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012/10/18 20:55:40 | 000,919,968 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Squall\Desktop\iexplore64.exe
[2012/10/18 20:45:41 | 001,678,240 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Squall\Desktop\iexplore.exe
[2012/10/18 20:05:29 | 000,000,000 | ---D | C] -- C:\Users\Squall\Desktop\Reinstall Screenshots
[2012/10/17 22:29:42 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/10/17 22:18:01 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/10/17 22:18:00 | 000,000,000 | ---D | C] -- C:\Users\Squall\AppData\Local\temp
[2012/10/17 21:20:08 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/10/17 18:45:02 | 000,000,000 | ---D | C] -- C:\Users\Squall\AppData\Local\{690A38D2-18AA-11E2-8271-B8AC6F996F26}
[2012/10/17 17:44:53 | 000,600,064 | ---- | C] (OldTimer Tools) -- C:\Users\Squall\Desktop\OTL.com
[2012/10/17 17:11:12 | 000,696,760 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/10/17 17:11:12 | 000,073,656 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/10/17 17:11:09 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
[2012/10/17 16:13:18 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/10/17 00:35:27 | 000,000,000 | ---D | C] -- C:\$AVG8.VAULT$
[2012/10/16 23:17:38 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Squall\Desktop\aswMBR.exe
[2012/10/16 23:00:10 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2012/10/16 22:59:41 | 008,944,496 | ---- | C] (SurfRight B.V.) -- C:\Users\Squall\Desktop\HitmanPro36_x64.exe
[2012/10/16 22:56:22 | 002,213,464 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Squall\Desktop\Balls.com
[2012/10/16 22:43:27 | 000,000,000 | ---D | C] -- C:\Users\Squall\Desktop\RK_Quarantine
[2012/10/16 21:03:38 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/10/16 21:03:38 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/10/16 21:03:38 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/10/16 21:01:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/10/16 21:00:22 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/10/16 20:52:10 | 001,932,256 | ---- | C] (Symantec Corporation) -- C:\Users\Squall\Desktop\FixTDSS.exe
[2012/10/16 18:57:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Firefox
[2012/10/16 18:24:42 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[2012/10/09 18:42:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
[2012/10/09 18:11:59 | 001,268,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll
[2012/10/09 18:11:59 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll
[2012/10/09 18:11:54 | 000,218,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll
[2012/10/09 18:11:19 | 004,699,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2012/10/08 20:19:41 | 000,024,960 | ---- | C] (IObit) -- C:\Windows\SysNative\RegistryDefragBootTime.exe
[2012/10/08 19:57:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Works
[2012/10/08 19:57:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio
[2012/10/08 19:34:58 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
[2012/10/08 19:34:47 | 000,000,000 | ---D | C] -- C:\Users\Squall\AppData\Roaming\IObit
[2012/10/08 19:34:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 5
[2012/10/08 19:34:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Advanced SystemCare 5
[2012/10/08 19:03:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
[2012/10/08 19:02:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Synchronization Services
[2012/10/08 19:02:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DESIGNER
[2012/10/08 19:01:49 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2012/10/08 19:01:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
[2012/10/08 18:56:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Analysis Services
[2012/10/08 18:10:25 | 000,000,000 | ---D | C] -- C:\Users\Squall\AppData\Roaming\Real
[2012/10/08 18:09:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Real
[2012/10/03 23:01:18 | 000,000,000 | ---D | C] -- C:\Users\Squall\AppData\Roaming\DAEMON Tools Lite
[2012/10/03 22:59:40 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2012/09/30 10:38:39 | 000,000,000 | ---D | C] -- C:\League of Legends
[2012/09/30 10:38:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Riot Games
[2012/09/29 18:19:32 | 000,000,000 | ---D | C] -- C:\Users\Squall\AppData\Local\MPlayer
[2012/09/29 18:18:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PS3 Media Server
[2012/09/29 18:18:44 | 000,000,000 | ---D | C] -- C:\ProgramData\PMS
[2012/09/29 18:18:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PS3 Media Server
[2012/09/27 17:40:59 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\backup
[2012/09/25 16:55:41 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012/09/25 16:55:41 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012/09/25 16:55:40 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012/09/25 16:55:40 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012/09/25 16:55:40 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012/09/25 16:55:40 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012/09/25 16:55:39 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012/09/25 16:55:39 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012/09/25 16:55:39 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012/09/25 16:55:39 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012/09/25 16:55:38 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012/09/25 16:55:38 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2012/09/25 16:55:37 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012/09/25 16:55:37 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012/09/25 16:55:37 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/10/19 16:57:16 | 000,000,029 | ---- | M] () -- C:\Windows\SysWow64\TempWmicBatchFile.bat
[2012/10/19 16:52:44 | 000,756,164 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/10/19 16:52:44 | 000,640,870 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/10/19 16:52:44 | 000,119,090 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/10/19 16:47:12 | 000,000,065 | ---- | M] () -- C:\Windows\battery.dat
[2012/10/19 16:47:09 | 000,003,840 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/10/19 16:47:09 | 000,000,326 | ---- | M] () -- C:\Windows\tasks\GlaryInitialize.job
[2012/10/19 16:47:08 | 000,003,840 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/10/19 16:47:08 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/10/19 16:46:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/10/19 16:34:51 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/10/18 23:38:14 | 000,000,512 | ---- | M] () -- C:\Users\Squall\Desktop\MBRCheck_MBR_Backup_10-18-12_23-38-14.bak
[2012/10/18 23:10:16 | 000,001,992 | ---- | M] () -- C:\Users\Squall\Desktop\Google Chrome.lnk
[2012/10/18 23:10:16 | 000,001,976 | ---- | M] () -- C:\Users\Squall\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/10/18 21:02:05 | 000,000,512 | ---- | M] () -- C:\Users\Squall\Desktop\Test.dat
[2012/10/18 20:57:58 | 000,000,512 | ---- | M] () -- C:\Users\Squall\Desktop\MBRCheck_MBR_Backup_10-18-12_20-57-58.bak
[2012/10/18 20:55:40 | 000,919,968 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Squall\Desktop\iexplore64.exe
[2012/10/18 20:48:57 | 000,000,512 | ---- | M] () -- C:\Users\Squall\Desktop\MBRCheck_MBR_Backup_10-18-12_20-48-57.bak
[2012/10/17 23:28:29 | 000,000,732 | ---- | M] () -- C:\Users\Squall\AppData\Local\d3d9caps64.dat
[2012/10/17 22:32:23 | 000,443,838 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/10/17 21:59:21 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20121017-223223.backup
[2012/10/17 21:06:21 | 000,089,088 | ---- | M] () -- C:\Users\Squall\Desktop\mbr.exe
[2012/10/17 21:06:07 | 000,294,216 | ---- | M] () -- C:\Users\Squall\Desktop\gmer.zip
[2012/10/17 20:50:21 | 002,194,704 | ---- | M] () -- C:\Users\Squall\Desktop\tdsskiller.zip
[2012/10/17 20:46:40 | 000,000,334 | ---- | M] () -- C:\Windows\SysNative\.crusader
[2012/10/17 20:46:02 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/10/17 20:46:02 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/10/17 20:24:59 | 000,001,356 | ---- | M] () -- C:\Users\Squall\AppData\Local\d3d9caps.dat
[2012/10/17 20:24:31 | 000,000,761 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20121017-202632.backup
[2012/10/17 17:45:57 | 000,538,941 | ---- | M] () -- C:\Users\Squall\Desktop\adwcleaner.exe
[2012/10/17 17:45:00 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\Squall\Desktop\OTL.com
[2012/10/17 17:09:40 | 000,080,384 | ---- | M] () -- C:\Users\Squall\Desktop\MBRCheck.exe
[2012/10/16 23:47:25 | 001,932,256 | ---- | M] (Symantec Corporation) -- C:\Users\Squall\Desktop\FixTDSS.exe
[2012/10/16 23:17:48 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Squall\Desktop\aswMBR.exe
[2012/10/16 23:00:06 | 008,944,496 | ---- | M] (SurfRight B.V.) -- C:\Users\Squall\Desktop\HitmanPro36_x64.exe
[2012/10/16 22:56:49 | 002,213,464 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Squall\Desktop\Balls.com
[2012/10/16 22:47:19 | 001,678,240 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Squall\Desktop\iexplore.exe
[2012/10/16 22:46:00 | 000,000,806 | ---- | M] () -- C:\Users\Squall\Desktop\FixEXE.reg
[2012/10/16 22:43:21 | 001,425,920 | ---- | M] () -- C:\Users\Squall\Desktop\RogueKiller.exe
[2012/10/16 21:50:51 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20121016-224923.backup
[2012/10/16 20:32:11 | 000,000,759 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20121016-203351.backup
[2012/10/16 16:07:24 | 059,079,994 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
[2012/10/10 18:45:45 | 000,137,728 | ---- | M] () -- C:\Users\Squall\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/10/09 18:34:25 | 000,310,648 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/09/29 18:33:21 | 000,000,838 | ---- | M] () -- C:\Users\Squall\Desktop\PS3 Media Server.lnk
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/10/18 23:38:14 | 000,000,512 | ---- | C] () -- C:\Users\Squall\Desktop\MBRCheck_MBR_Backup_10-18-12_23-38-14.bak
[2012/10/18 23:10:16 | 000,001,992 | ---- | C] () -- C:\Users\Squall\Desktop\Google Chrome.lnk
[2012/10/18 23:10:16 | 000,001,976 | ---- | C] () -- C:\Users\Squall\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/10/18 21:02:05 | 000,000,512 | ---- | C] () -- C:\Users\Squall\Desktop\Test.dat
[2012/10/18 20:57:58 | 000,000,512 | ---- | C] () -- C:\Users\Squall\Desktop\MBRCheck_MBR_Backup_10-18-12_20-57-58.bak
[2012/10/18 20:48:57 | 000,000,512 | ---- | C] () -- C:\Users\Squall\Desktop\MBRCheck_MBR_Backup_10-18-12_20-48-57.bak
[2012/10/17 21:06:21 | 000,089,088 | ---- | C] () -- C:\Users\Squall\Desktop\mbr.exe
[2012/10/17 21:06:05 | 000,294,216 | ---- | C] () -- C:\Users\Squall\Desktop\gmer.zip
[2012/10/17 20:50:16 | 002,194,704 | ---- | C] () -- C:\Users\Squall\Desktop\tdsskiller.zip
[2012/10/17 20:46:40 | 000,000,334 | ---- | C] () -- C:\Windows\SysNative\.crusader
[2012/10/17 17:45:54 | 000,538,941 | ---- | C] () -- C:\Users\Squall\Desktop\adwcleaner.exe
[2012/10/17 17:09:40 | 000,080,384 | ---- | C] () -- C:\Users\Squall\Desktop\MBRCheck.exe
[2012/10/16 22:46:05 | 000,000,806 | ---- | C] () -- C:\Users\Squall\Desktop\FixEXE.reg
[2012/10/16 22:43:17 | 001,425,920 | ---- | C] () -- C:\Users\Squall\Desktop\RogueKiller.exe
[2012/10/16 21:03:38 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/10/16 21:03:38 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/10/16 21:03:38 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/10/16 21:03:38 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/10/16 21:03:38 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/09/30 09:38:31 | 000,248,050 | ---- | C] () -- C:\Users\Squall\Desktop\Tryndamere_Splash_0.jpg
[2012/09/30 09:38:31 | 000,036,885 | ---- | C] () -- C:\Users\Squall\Desktop\Tryndamere_Square_0.png
[2012/09/29 18:32:54 | 000,000,838 | ---- | C] () -- C:\Users\Squall\Desktop\PS3 Media Server.lnk
[2012/06/04 11:19:05 | 000,001,394 | ---- | C] () -- C:\Windows\SysWow64\bash.exe.stackdump
[2012/03/20 15:58:05 | 000,000,016 | ---- | C] () -- C:\Windows\entpack.ini
[2011/12/15 20:16:31 | 000,000,170 | ---- | C] () -- C:\Users\Squall\AppData\Roaming\prio.ini
[2011/08/07 04:23:57 | 000,751,744 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/08/01 05:01:03 | 000,131,884 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2011/08/01 04:29:46 | 000,000,136 | ---- | C] () -- C:\Users\Squall\AppData\Local\configurator.xml
[2011/06/29 13:42:33 | 000,032,608 | ---- | C] () -- C:\Windows\king-uninstall.exe
[2011/06/27 16:23:20 | 000,053,760 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011/04/09 18:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/03/16 02:09:16 | 002,336,384 | ---- | C] () -- C:\Windows\SysWow64\BootMan.exe
[2011/03/16 02:09:16 | 000,014,848 | ---- | C] () -- C:\Windows\SysWow64\EuEpmGdi.dll
[2011/03/16 02:09:14 | 000,086,408 | ---- | C] () -- C:\Windows\SysWow64\setupempdrv03.exe
[2011/03/16 02:09:14 | 000,014,216 | ---- | C] () -- C:\Windows\SysWow64\epmntdrv.sys
[2011/03/16 02:09:14 | 000,008,456 | ---- | C] () -- C:\Windows\SysWow64\EuGdiDrv.sys
[2011/01/26 18:09:49 | 000,676,224 | ---- | C] () -- C:\Windows\SysWow64\OGACheckControl.dll
[2011/01/24 03:14:17 | 000,005,064 | ---- | C] () -- C:\Users\Squall\AppData\Roaming\UserTile.png
[2010/08/18 22:50:07 | 000,137,728 | ---- | C] () -- C:\Users\Squall\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/18 22:48:17 | 000,001,356 | ---- | C] () -- C:\Users\Squall\AppData\Local\d3d9caps.dat
[2010/08/18 20:41:49 | 000,000,732 | ---- | C] () -- C:\Users\Squall\AppData\Local\d3d9caps64.dat

========== ZeroAccess Check ==========

[2006/11/02 10:30:40 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 12:59:03 | 012,899,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/04/11 02:11:14 | 000,891,392 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\SysWow64\wbem\fastprox.dll -- [2009/04/11 01:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2008/01/20 21:50:58 | 000,513,024 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\SysWow64\wbem\wbemess.dll

========== Custom Scans ==========

< %AppData%\Roaming\Mozilla\Firefox\Profiles\*.default\extensions\ /s /md5 >

< %AppData%\Local\ >

< %systemroot%\system32\sysprep >

< *.xpi /md5 >

< %systemroot%\Downloaded Program Files\ >

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile >

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files (x86)\Firefox\uninstall\helper.exe" /HideShortcuts [2012/10/16 18:57:38 | 000,889,848 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files (x86)\Firefox\uninstall\helper.exe" /ShowShortcuts [2012/10/16 18:57:38 | 000,889,848 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files (x86)\Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/10/16 18:57:38 | 000,889,848 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files (x86)\Firefox\firefox.exe [2012/10/16 18:57:38 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files (x86)\Firefox\firefox.exe" -preferences [2012/10/16 18:57:38 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files (x86)\Firefox\firefox.exe" -safe-mode [2012/10/16 18:57:38 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --make-default-browser [2012/10/10 05:06:17 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --hide-icons [2012/10/10 05:06:17 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --show-icons [2012/10/10 05:06:17 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" [2012/10/10 05:06:17 | 001,239,064 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\SysWOW64\ie4uinit.exe" -hide [2011/04/06 01:11:48 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\SysWOW64\ie4uinit.exe" -show [2011/04/06 01:11:48 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\SysWOW64\ie4uinit.exe" -reinstall [2011/04/06 01:11:48 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff [2012/08/24 02:34:41 | 000,748,680 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files (x86)\Internet Explorer\iexplore.exe [2012/08/24 02:34:41 | 000,748,680 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\USERS\SQUALL\APPDATA\LOCAL\GOOGLE\CHROME\APPLICATION\CHROME.EXE"
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -HIDE [2011/04/06 01:11:43 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -SHOW [2011/04/06 01:11:43 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -REINSTALL [2011/04/06 01:11:43 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" -EXTOFF [2012/08/24 02:34:41 | 000,748,680 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" [2012/08/24 02:34:41 | 000,748,680 | ---- | M] (Microsoft Corporation)

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\system32\drivers\*.sys /90 >

< %systemroot%\System32\config\*.sav >

< %SYSTEMDRIVE%\*.exe /md5 >

< "%WinDir%\$NtUninstallKB*$." /30 >

< %systemdrive%\Program Files\Common Files\ComObjects\*.* /s >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\Installer\ /s >

< %systemroot%\system32\Cache\ /s >

< %systemroot%\system32\config\systemprofile\ /s >

squaljonovic

Newbie Surfer

Posts : 11
Joined : 2012-10-18
Operating System : Windows Vista 64-bit Home Premium
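The startmenuinternet section of the log above is where a browser hijacker would plant itself, and reading it by eye is error-prone: the 32-bit and 64-bit registry views of the Chrome open command already point at different paths, and the 64-bit entry carries no file metadata. As an added example, not part of squaljonovic's post and not code from OTL or GeekPolice, the script below parses lines in OTL's registry-dump format and turns the checks a helper would do by hand into findings: executable outside the usual program directories, executable in a user-writable drop location, a missing "[mtime | size | attrs] (company)" block, an empty company field, and the 32-bit and 64-bit views disagreeing. The sample input takes the open-command lines from the post plus one constructed hijacked entry (EXAMPLE.EXE under AppData\Roaming) that is not from the log. It assumes, as a reading of OTL's output rather than documented behaviour, that OTL omits the bracketed metadata when it could not locate the file the value points at.

```python
import re
from collections import defaultdict

# Matches one OTL registry-dump line:
#   [64bit-]KEY\\ValueName: data [mtime | size | attrs | M] (Company)
# The trailing "[...] (...)" block is optional; the assumption here is that OTL
# leaves it out when it could not stat the file the data points at.
LINE_RE = re.compile(
    r"^(?P<view>64bit-)?(?P<key>HKEY_.*?)\\\\(?P<value>[^:\\]*): "
    r"(?P<data>.*?)(?: \[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\))?$"
)

# Sample input: open-command lines taken from the log above, plus one
# CONSTRUCTED hijacked entry (EXAMPLE.EXE) that is not from the log.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files (x86)\Firefox\firefox.exe [2012/10/16 18:57:38 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" [2012/10/10 05:06:17 | 001,239,064 | ---- | M] (Google Inc.)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\USERS\SQUALL\APPDATA\LOCAL\GOOGLE\CHROME\APPLICATION\CHROME.EXE"
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files (x86)\Internet Explorer\iexplore.exe [2012/08/24 02:34:41 | 000,748,680 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" [2012/08/24 02:34:41 | 000,748,680 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\EXAMPLE.EXE\shell\open\command\\: "C:\Users\user\AppData\Roaming\rndm1234.exe" [2012/10/15 22:03:11 | 000,061,440 | ---- | M] ()
"""

# Drop locations malware typically writes to, versus where browsers belong.
SUSPICIOUS_DIRS = ("\\APPDATA\\ROAMING\\", "\\TEMP\\", "\\PROGRAMDATA\\", "\\RECYCLER")
EXPECTED_DIRS = ("C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\", "C:\\WINDOWS\\")


def exe_path(data):
    """Pull the executable path out of a command string, quoted or bare."""
    data = data.strip()
    if data.startswith('"'):
        return data[1 : data.index('"', 1)]
    # Bare path: arguments, if any, start at the first " -" (e.g. " -extoff").
    return data.split(" -")[0]


def parse(text):
    """Parse OTL registry-dump lines into dicts; view is '32' or '64'."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["view"] = "64" if d["view"] else "32"
            rows.append(d)
    return rows


def triage(text):
    """Return (code, key, detail) findings for every shell\\open\\command value."""
    findings = []
    by_key = defaultdict(dict)  # key -> {view: upper-cased exe path}
    for r in parse(text):
        if not r["key"].lower().endswith("\\shell\\open\\command"):
            continue
        path = exe_path(r["data"])
        up = path.upper()
        by_key[r["key"].upper()][r["view"]] = up
        if any(s in up for s in SUSPICIOUS_DIRS):
            findings.append(("suspicious-location", r["key"], path))
        elif not up.startswith(EXPECTED_DIRS):
            # e.g. a per-user Chrome install under AppData\Local: not malicious
            # on its own, but worth confirming the file is really there.
            findings.append(("non-standard-location", r["key"], path))
        if r["meta"] is None:
            findings.append(("no-file-metadata", r["key"], path))
        elif not r["company"]:
            findings.append(("no-company", r["key"], path))
    # A hijacker that edits only one registry view leaves the two out of step.
    for key, views in by_key.items():
        if len(views) == 2 and views["32"] != views["64"]:
            findings.append(("view-mismatch", key, f'{views["32"]} != {views["64"]}'))
    return findings


if __name__ == "__main__":
    for code, key, detail in triage(SAMPLE):
        print(f"{code:22} {key}\n{'':22} {detail}")
```

Run against the sample, it reports the 64-bit Chrome entry as non-standard and without metadata, the Chrome key as mismatched between views, and the constructed EXAMPLE.EXE entry as a suspicious location with an empty company field, while Firefox and both Internet Explorer entries produce nothing. Feed it the same section of a real OTL log to get the same triage in one pass.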

Solved Re: Google Redirect Virus

Post by squaljonovic on Sat 20 Oct 2012, 8:53 am


< %PROGRAMFILES%\*. >
[2011/11/10 12:37:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\7-Zip
[2012/07/21 13:00:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Adobe
[2012/07/21 13:00:30 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Adobe Reader 9.0
[2012/10/18 21:21:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Advanced SystemCare 5
[2011/08/08 04:31:26 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\AMD APP
[2010/08/18 22:41:35 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ANFOView
[2012/07/21 13:04:27 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Apple Software Update
[2010/12/12 00:50:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ATI Technologies
[2012/04/23 03:02:58 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\AVG 8.5
[2011/09/04 07:17:04 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Bastion
[2011/05/31 13:44:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\BatchPurifier Lite
[2010/08/18 21:36:58 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Battery Doubler
[2012/02/14 13:51:05 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Better File Rename
[2011/03/04 01:15:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\BrainWave Generator
[2010/09/10 16:16:55 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Camera Assistant Software for Gateway
[2011/07/08 17:03:25 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Canon
[2010/08/18 22:42:09 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\CCleaner
[2010/08/18 22:11:19 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\CDCheck
[2010/08/18 22:42:24 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\CDisplay
[2010/08/20 11:45:25 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Chaos Faction
[2010/08/20 11:46:00 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Cloud
[2011/09/04 04:57:41 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Clutter
[2011/08/27 20:29:20 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Color Cross
[2012/02/25 22:25:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Combined Community Codec Pack
[2012/10/17 21:41:53 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Common Files
[2010/08/19 21:40:51 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Corel Paint Shop Pro Photo X2
[2010/08/20 11:52:39 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Crimsonland
[2011/08/26 09:30:59 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Diskeeper
[2011/09/11 06:50:01 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Easeus Data Recovery Wizard Professional 4.3.6
[2011/03/16 02:09:14 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\EASEUS Partition Master 7.0.1 Professional Edition
[2010/08/18 22:43:46 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ECM Tools
[2012/08/07 12:29:42 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Enigma Item Changer 2.3.0
[2012/10/16 18:58:08 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Firefox
[2010/08/20 11:55:47 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Flow
[2010/08/19 21:27:18 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\FxVisor
[2010/08/18 22:16:04 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Glary Utilities
[2012/10/18 23:10:04 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Google
[2010/08/20 00:46:52 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\GooTool
[2011/04/08 14:34:33 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\GSpot
[2011/12/25 05:01:46 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\HP
[2012/08/19 05:55:12 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\HyperCam 3
[2012/09/30 10:38:32 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\InstallShield Installation Information
[2012/09/28 19:02:34 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Internet Explorer
[2010/08/18 22:44:33 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\IrfanView
[2012/09/10 20:53:26 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Java
[2010/08/20 11:56:46 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Jets 'n Guns Gold
[2010/09/13 23:18:57 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\JoyToKey
[2010/08/18 22:45:28 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Logon Studio Vista
[2012/08/06 18:44:54 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\LOLReplay
[2012/10/15 22:26:08 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/08/20 11:59:03 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Meatboy
[2012/10/08 18:56:13 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Analysis Services
[2011/05/13 18:15:04 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Games for Windows - LIVE
[2012/10/08 20:01:33 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Office
[2012/07/09 00:25:30 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Silverlight
[2012/10/08 19:01:49 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
[2012/10/08 19:02:27 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Synchronization Services
[2012/10/08 19:57:09 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Visual Studio
[2012/10/09 18:25:05 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Works
[2011/08/07 04:21:43 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft XNA
[2012/10/08 19:01:49 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft.NET
[2011/04/11 03:40:03 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Motion in Joy
[2012/10/16 19:37:54 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2006/11/02 10:07:27 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MSBuild
[2012/07/26 01:17:22 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MyDefrag 4.3.1
[2012/07/26 03:33:56 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Nero
[2011/02/20 23:38:46 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\NetSetMan
[2011/08/08 03:45:33 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\NVIDIA Corporation
[2011/02/28 02:52:01 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\OpenAL
[2012/07/21 13:08:51 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Oracle
[2011/02/27 19:50:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Paragon Drive Backup 9
[2010/08/18 22:19:25 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\PowerISO
[2011/05/14 02:46:15 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Prey
[2012/10/08 20:14:17 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\PS3 Media Server
[2012/07/21 13:05:16 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\QT Lite
[2006/11/02 10:07:27 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Reference Assemblies
[2011/08/29 23:21:53 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ReflexiveArcade
[2012/10/06 22:25:54 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\SafeConnect
[2011/11/10 12:47:09 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Sequence
[2010/08/18 22:05:51 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ShellExView
[2011/12/18 03:17:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ShellMenuView
[2010/08/20 11:59:39 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\SkiFree
[2012/08/27 22:56:55 | 000,000,000 | R--D | M] -- C:\Program Files (x86)\Skype
[2010/09/20 00:59:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Spybot
[2012/04/26 20:46:03 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Steam
[2010/08/20 11:59:25 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Styrateg
[2010/09/13 14:30:50 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Subtitle Workshop
[2010/08/19 21:12:35 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Sudoku
[2011/01/03 16:38:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Super Meat Boy
[2010/09/22 23:16:00 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\SWF & FLV Player
[2011/11/29 22:54:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\To the Moon
[2010/08/20 12:00:03 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Twinxoid
[2010/08/18 22:06:01 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Types
[2011/08/27 05:48:45 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Ubisoft
[2006/11/02 10:36:07 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\Uninstall Information
[2010/08/18 22:39:36 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\VirtualDubMod 1.5.10.2
[2010/08/19 01:07:32 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\VisualBoyAdvance
[2012/07/21 18:13:56 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\VLC Player
[2010/08/18 22:53:12 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\WinDjView
[2010/08/21 11:09:10 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Calendar
[2008/01/20 22:09:47 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Collaboration
[2008/01/20 22:09:41 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Defender
[2010/12/23 05:10:51 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Mail
[2010/11/21 17:22:56 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Media Player
[2006/11/02 10:07:27 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows NT
[2010/08/21 11:09:10 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Photo Gallery
[2010/08/21 11:55:35 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Portable Devices
[2010/08/21 11:09:10 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Sidebar
[2010/08/18 21:06:55 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\WinRAR
[2011/08/29 23:33:41 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\World Mosaics
[2011/08/29 23:22:28 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\World Mosaics 2
[2011/08/29 23:17:13 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\World Mosaics 3 - Fairy Tales
[2011/08/23 19:49:16 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\World Mosaics 4
[2010/08/20 00:46:27 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\World of Goo
[2010/08/20 00:50:17 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\World of Goo (GooTools)
[2012/02/20 00:06:03 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\x264vfw
[2010/08/18 22:36:12 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Xilisoft Video Converter Ultimate 6
[2011/11/05 21:13:40 | 000,000,000 | R--D | M] -- C:\Program Files (x86)\Xpadder 5.3
[2010/08/18 22:54:00 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Xvid
[2010/08/18 22:36:58 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Yahoo Message Archive Decoder
[2011/08/28 02:13:57 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Yahoo!
[2010/08/19 10:04:05 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Yume Nikki


< %appdata%\*.* >
[2011/12/15 20:33:32 | 000,000,170 | ---- | M] () -- C:\Users\Squall\AppData\Roaming\prio.ini
[2011/01/24 03:14:17 | 000,005,064 | ---- | M] () -- C:\Users\Squall\AppData\Roaming\UserTile.png

< MD5 for: AFD.SYS >
[2012/01/03 09:21:38 | 000,404,992 | ---- | M] (Microsoft Corporation) MD5=022ED7EB19DFECF39C106E0F9CF2BB19 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22770_none_362b4e6b2d472f6a\afd.sys
[2011/04/21 09:20:24 | 000,405,504 | ---- | M] (Microsoft Corporation) MD5=0CC146C4ADDEA45791B18B1E2659F4A9 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_35be4fb214130ed1\afd.sys
[2009/04/11 00:44:24 | 000,406,016 | ---- | M] (Microsoft Corporation) MD5=12415CCFD3E7CEC55B5184E67B039FE4 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_35f2572213ec5bd2\afd.sys
[2011/04/21 08:54:10 | 000,405,504 | ---- | M] (Microsoft Corporation) MD5=7B8E5F3A0626CA83B706F0738830845F -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_366a5ebb2d168a9d\afd.sys
[2011/04/21 08:42:48 | 000,407,552 | ---- | M] (Microsoft Corporation) MD5=9BB97042FA331A0FB4BDD98B9280A50A -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_33ef7c5016dab752\afd.sys
[2011/04/21 08:47:41 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=B53144D2EBB0843DD0436F5EA6953F65 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_34958b832fe3983b\afd.sys
[2012/01/03 09:25:21 | 000,404,992 | ---- | M] (Microsoft Corporation) MD5=C4F6CE6087760AD70960C9EB130E7943 -- C:\Windows\SysNative\drivers\afd.sys
[2012/01/03 09:25:21 | 000,404,992 | ---- | M] (Microsoft Corporation) MD5=C4F6CE6087760AD70960C9EB130E7943 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18564_none_35b080ce141ddbe4\afd.sys

< MD5 for: ATAPI.SYS >
[2008/01/20 21:46:50 | 000,022,584 | ---- | M] (Microsoft Corporation) MD5=1898FAE8E07D97F2F6C2D5326C633FAC -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_3956c39dd9e73fd2\atapi.sys
[2009/04/11 02:15:00 | 000,020,952 | ---- | M] (Microsoft Corporation) MD5=E68D9B3A3905619732F7FE039466A623 -- C:\Windows\erdnt\cache64\atapi.sys
[2009/04/11 02:15:00 | 000,020,952 | ---- | M] (Microsoft Corporation) MD5=E68D9B3A3905619732F7FE039466A623 -- C:\Windows\SysNative\drivers\atapi.sys
[2009/04/11 02:15:00 | 000,020,952 | ---- | M] (Microsoft Corporation) MD5=E68D9B3A3905619732F7FE039466A623 -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_3b423ca9d7090b1e\atapi.sys

< MD5 for: CRYPTSVC.DLL >
[2009/04/11 02:11:14 | 000,166,912 | ---- | M] (Microsoft Corporation) MD5=18918613E63F387CDE4D95CA7D49DCF7 -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18005_none_d409adf4504e8a6b\cryptsvc.dll
[2012/06/01 18:36:29 | 000,177,664 | ---- | M] (Microsoft Corporation) MD5=256B8B96B83AEA5213EE90782446DA38 -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22869_none_d45679a969992348\cryptsvc.dll
[2012/04/23 11:25:30 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=62740B9D2A137E8CED41A9E4239A7A31 -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18618_none_d401ea4a5053e14b\cryptsvc.dll
[2012/04/23 11:00:53 | 000,133,120 | ---- | M] (Microsoft Corporation) MD5=75C6A297E364014840B48ECCD7525E30 -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18618_none_77e34ec697f67015\cryptsvc.dll
[2012/04/23 09:48:06 | 000,135,168 | ---- | M] (Microsoft Corporation) MD5=C979AEA8C4D8F875CD25507D08980006 -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22840_none_78447b63b1339621\cryptsvc.dll
[2012/06/01 19:20:42 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=CA78B312C44E4D52E842C2C8BD48E452 -- C:\Windows\erdnt\cache64\cryptsvc.dll
[2012/06/01 19:20:42 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=CA78B312C44E4D52E842C2C8BD48E452 -- C:\Windows\SysNative\cryptsvc.dll
[2012/06/01 19:20:42 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=CA78B312C44E4D52E842C2C8BD48E452 -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18643_none_d3dc79145070b66b\cryptsvc.dll
[2012/04/23 10:25:00 | 000,177,664 | ---- | M] (Microsoft Corporation) MD5=DD9C01648A6455278A441775CA59E2FD -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22840_none_d46316e769910757\cryptsvc.dll
[2012/06/02 06:09:26 | 000,135,168 | ---- | M] (Microsoft Corporation) MD5=DD9CCF40ED80DD0D62F1B607A1EA4449 -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22869_none_7837de25b13bb212\cryptsvc.dll
[2012/06/01 19:02:32 | 000,133,120 | ---- | M] (Microsoft Corporation) MD5=F1E8C34892336D33EDDCDFE44E474F64 -- C:\Windows\erdnt\cache86\cryptsvc.dll
[2012/06/01 19:02:32 | 000,133,120 | ---- | M] (Microsoft Corporation) MD5=F1E8C34892336D33EDDCDFE44E474F64 -- C:\Windows\SysWOW64\cryptsvc.dll
[2012/06/01 19:02:32 | 000,133,120 | ---- | M] (Microsoft Corporation) MD5=F1E8C34892336D33EDDCDFE44E474F64 -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18643_none_77bddd9098134535\cryptsvc.dll
[2009/04/11 01:28:18 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=FB27772BEAF8E1D28CCD825C09DA939B -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18005_none_77eb127097f11935\cryptsvc.dll

< MD5 for: DNSRSLVR.DLL >
[2011/03/02 11:12:21 | 000,117,760 | ---- | M] (Microsoft Corporation) MD5=06230F1B721494A6DF8D47FD395BB1B0 -- C:\Windows\SysNative\dnsrslvr.dll
[2011/03/02 11:12:21 | 000,117,760 | ---- | M] (Microsoft Corporation) MD5=06230F1B721494A6DF8D47FD395BB1B0 -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6002.18416_none_3fe2c96337dfc9d1\dnsrslvr.dll
[2009/04/11 02:11:14 | 000,117,760 | ---- | M] (Microsoft Corporation) MD5=21D16B37257370975C7457C3A5EFA530 -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6002.18005_none_3fec916d37d89fed\dnsrslvr.dll
[2011/03/02 11:04:08 | 000,117,760 | ---- | M] (Microsoft Corporation) MD5=2386A8AA5C09D86CE1D0B781736BDD3F -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6002.22600_none_4071364450fab2c7\dnsrslvr.dll
[2011/03/02 09:52:10 | 000,117,760 | ---- | M] (Microsoft Corporation) MD5=B4E755E76A92C6405390C057CDB9EA93 -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6001.22866_none_3e4fe4aa53ffa02c\dnsrslvr.dll
[2011/03/02 10:10:39 | 000,117,760 | ---- | M] (Microsoft Corporation) MD5=DAF05293C1264E251D3A25E7E24B2DDF -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6001.18611_none_3df754233abdf8d3\dnsrslvr.dll

< MD5 for: ES.DLL >
[2008/04/19 03:27:37 | 000,268,800 | ---- | M] (Microsoft Corporation) MD5=131B7E46A7ACD49CB56BB03917A76DE3 -- C:\Windows\winsxs\wow64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6000.20818_none_720177625a73c603\es.dll
[2008/04/19 03:32:17 | 000,361,472 | ---- | M] (Microsoft Corporation) MD5=1782416278B378F80862187EEBC0A51C -- C:\Windows\winsxs\amd64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6000.16677_none_66e14e8d0d26f566\es.dll
[2008/04/18 00:48:39 | 000,269,312 | ---- | M] (Microsoft Corporation) MD5=3CB3343D720168B575133A0A20DC2465 -- C:\Windows\winsxs\wow64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6001.18057_none_7331d75d3e9e1070\es.dll
[2012/10/10 05:05:14 | 000,008,728 | ---- | M] () MD5=543EC1FF66953631A17477AEC9C7A111 -- C:\Program Files (x86)\Google\Chrome\Application\22.0.1229.94\Locales\es.dll
[2009/04/11 01:28:19 | 000,268,800 | ---- | M] (Microsoft Corporation) MD5=67058C46504BC12D821F38CF99B7B28F -- C:\Windows\erdnt\cache86\es.dll
[2009/04/11 01:28:19 | 000,268,800 | ---- | M] (Microsoft Corporation) MD5=67058C46504BC12D821F38CF99B7B28F -- C:\Windows\SysWOW64\es.dll
[2009/04/11 01:28:19 | 000,268,800 | ---- | M] (Microsoft Corporation) MD5=67058C46504BC12D821F38CF99B7B28F -- C:\Windows\winsxs\wow64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6002.18005_none_754c5dff3b9d9ea6\es.dll
[2008/04/17 23:42:44 | 000,361,984 | ---- | M] (Microsoft Corporation) MD5=6B1A97BF9FEFBDC83F3C7C7D0F826C66 -- C:\Windows\winsxs\amd64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6001.18057_none_68dd2d0b0a3d4e75\es.dll
[2008/04/19 03:30:27 | 000,361,472 | ---- | M] (Microsoft Corporation) MD5=7143F5F8D7FF0712B6D2F336495554FE -- C:\Windows\winsxs\amd64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6000.20818_none_67accd1026130408\es.dll
[2008/04/18 00:30:29 | 000,269,312 | ---- | M] (Microsoft Corporation) MD5=776D75AF432C598068CC933C7421171B -- C:\Windows\winsxs\wow64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6001.22162_none_73aba2ca57c84d78\es.dll
[2008/04/19 03:13:07 | 000,268,800 | ---- | M] (Microsoft Corporation) MD5=7B4971C3D43525175A4EA0D143E0412E -- C:\Windows\winsxs\wow64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6000.16677_none_7135f8df4187b761\es.dll
[2008/04/18 01:40:34 | 000,361,984 | ---- | M] (Microsoft Corporation) MD5=AE5538074DF0BB8EE5A3ECB9F5460965 -- C:\Windows\winsxs\amd64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6001.22162_none_6956f87823678b7d\es.dll
[2009/04/11 02:11:14 | 000,361,984 | ---- | M] (Microsoft Corporation) MD5=E12F22B73F153DECE721CD45EC05B4AF -- C:\Windows\erdnt\cache64\es.dll
[2009/04/11 02:11:14 | 000,361,984 | ---- | M] (Microsoft Corporation) MD5=E12F22B73F153DECE721CD45EC05B4AF -- C:\Windows\SysNative\es.dll
[2009/04/11 02:11:14 | 000,361,984 | ---- | M] (Microsoft Corporation) MD5=E12F22B73F153DECE721CD45EC05B4AF -- C:\Windows\winsxs\amd64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6002.18005_none_6af7b3ad073cdcab\es.dll

< MD5 for: EXPLORER.EXE >
[2008/10/29 01:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_b5f700fe698beb14\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_b7eb106e66a7ac19\explorer.exe
[2008/10/29 01:15:50 | 003,087,360 | ---- | M] (Microsoft Corporation) MD5=50514057C28A74BAC2BD04B7B990D615 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_aba256ac352b2919\explorer.exe
[2008/10/29 22:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_b8583e9d7fda0512\explorer.exe
[2009/04/11 02:10:17 | 003,079,168 | ---- | M] (Microsoft Corporation) MD5=6B08E54A451B3F95E4109DBA7E594270 -- C:\Windows\erdnt\cache86\explorer.exe
[2009/04/11 02:10:17 | 003,079,168 | ---- | M] (Microsoft Corporation) MD5=6B08E54A451B3F95E4109DBA7E594270 -- C:\Windows\explorer.exe
[2009/04/11 02:10:17 | 003,079,168 | ---- | M] (Microsoft Corporation) MD5=6B08E54A451B3F95E4109DBA7E594270 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_afbebba22f3bab41\explorer.exe
[2008/10/27 21:30:12 | 003,086,848 | ---- | M] (Microsoft Corporation) MD5=72B9990E45C25AA3C75C4FB50A9D6CE0 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_ac5266dd4e2b0a41\explorer.exe
[2008/10/29 01:49:22 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=BBD8E74F23D7605CB0CDB57A1B25D826 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_ad96661c3246ea1e\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\SysWOW64\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_ba1365f4639c6d3c\explorer.exe
[2008/10/30 00:30:07 | 003,081,216 | ---- | M] (Microsoft Corporation) MD5=E404A65EF890140410E9F3D405841C95 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_ae03944b4b794317\explorer.exe
[2008/10/27 21:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_b6a7112f828bcc3c\explorer.exe

< MD5 for: IPNATHLP.DLL >
[2008/01/20 21:48:03 | 000,342,016 | ---- | M] (Microsoft Corporation) MD5=4C5AEE179DA7E1EE9A9CCB9DA289AF34 -- C:\Windows\SysNative\ipnathlp.dll
[2008/01/20 21:48:03 | 000,342,016 | ---- | M] (Microsoft Corporation) MD5=4C5AEE179DA7E1EE9A9CCB9DA289AF34 -- C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.0.6001.18000_none_60ebfa2a01a9b99d\ipnathlp.dll

< MD5 for: NETBT.SYS >
[2009/04/11 00:42:33 | 000,248,320 | ---- | M] (Microsoft Corporation) MD5=FC2C792EBDDC8E28DF939D6A92C83D61 -- C:\Windows\SysNative\drivers\netbt.sys
[2009/04/11 00:42:33 | 000,248,320 | ---- | M] (Microsoft Corporation) MD5=FC2C792EBDDC8E28DF939D6A92C83D61 -- C:\Windows\winsxs\amd64_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_be6edcf1acc363e7\netbt.sys

< MD5 for: NETMAN.DLL >
[2008/01/20 21:48:10 | 000,348,160 | ---- | M] (Microsoft Corporation) MD5=9B63B29DEFC0F3115A559D2597BF5D75 -- C:\Windows\erdnt\cache64\netman.dll
[2008/01/20 21:48:10 | 000,348,160 | ---- | M] (Microsoft Corporation) MD5=9B63B29DEFC0F3115A559D2597BF5D75 -- C:\Windows\SysNative\netman.dll
[2008/01/20 21:48:10 | 000,348,160 | ---- | M] (Microsoft Corporation) MD5=9B63B29DEFC0F3115A559D2597BF5D75 -- C:\Windows\winsxs\amd64_microsoft-windows-netman_31bf3856ad364e35_6.0.6001.18000_none_6bdbb71a0a2d4469\netman.dll

< MD5 for: QMGR.DLL >
[2009/04/11 02:11:22 | 001,081,856 | ---- | M] (Microsoft Corporation) MD5=6D316F4859634071CC25C4FD4589AD2C -- C:\Windows\erdnt\cache64\qmgr.dll
[2009/04/11 02:11:22 | 001,081,856 | ---- | M] (Microsoft Corporation) MD5=6D316F4859634071CC25C4FD4589AD2C -- C:\Windows\SysNative\qmgr.dll
[2009/04/11 02:11:22 | 001,081,856 | ---- | M] (Microsoft Corporation) MD5=6D316F4859634071CC25C4FD4589AD2C -- C:\Windows\winsxs\amd64_microsoft-windows-bits-client_31bf3856ad364e35_6.0.6002.18005_none_819ad97caef1480e\qmgr.dll

< MD5 for: RPCSS.DLL >
[2009/03/02 23:40:28 | 000,724,992 | ---- | M] (Microsoft Corporation) MD5=007F8DE7AC0F9386C3FD2EC7DC87C37A -- C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16830_none_c3e2cce1f92f2ca2\rpcss.dll
[2009/03/02 23:57:01 | 000,718,336 | ---- | M] (Microsoft Corporation) MD5=52CDADE8289FF21F1F2215FF51A5F36C -- C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18226_none_c5d9dd2ff64839ac\rpcss.dll
[2009/03/02 23:35:22 | 000,724,992 | ---- | M] (Microsoft Corporation) MD5=54FF562C2710BB610B019D723B16FB2A -- C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.21023_none_c47a129912422fc2\rpcss.dll
[2009/03/02 23:59:29 | 000,717,824 | ---- | M] (Microsoft Corporation) MD5=857E04C16007E60FCC0803239C853E78 -- C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.22389_none_c6259b510f93cd21\rpcss.dll
[2009/04/11 02:11:23 | 000,719,872 | ---- | M] (Microsoft Corporation) MD5=CF8B9A3A5E7DC57724A89D0C3E8CF9EF -- C:\Windows\erdnt\cache64\rpcss.dll

========== Files - Unicode (All) ==========
[2012/10/08 21:59:57 | 054,005,958 | ---- | M] ()(C:\Users\Squall\Desktop\PSY - GANGNAM STYLE (?????) PARODY! KIM JONG STYLE!.mp4) -- C:\Users\Squall\Desktop\PSY - GANGNAM STYLE (강남스타일) PARODY! KIM JONG STYLE!.mp4
[2012/10/08 21:43:01 | 054,005,958 | ---- | C] ()(C:\Users\Squall\Desktop\PSY - GANGNAM STYLE (?????) PARODY! KIM JONG STYLE!.mp4) -- C:\Users\Squall\Desktop\PSY - GANGNAM STYLE (강남스타일) PARODY! KIM JONG STYLE!.mp4
[2012/09/11 19:07:07 | 093,076,756 | ---- | M] ()(C:\Users\Squall\Desktop\PSY - GANGNAM STYLE (?????) M_V.mp4) -- C:\Users\Squall\Desktop\PSY - GANGNAM STYLE (강남스타일) M_V.mp4
[2012/09/11 19:05:18 | 093,076,756 | ---- | C] ()(C:\Users\Squall\Desktop\PSY - GANGNAM STYLE (?????) M_V.mp4) -- C:\Users\Squall\Desktop\PSY - GANGNAM STYLE (강남스타일) M_V.mp4


========== Alternate Data Streams ==========

@Alternate Data Stream - 165 bytes -> C:\ProgramData\TEMP:852F2262
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:8EB0D744

< End of report >




# AdwCleaner v2.005 - Logfile created 10/19/2012 at 16:44:33
# Updated 14/10/2012 by Xplode
# Operating system : Windows (TM) Vista Home Premium Service Pack 2 (64 bits)
# User : Squall - DRAKMANERIK
# Boot Mode : Normal
# Running from : C:\Users\Squall\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.1 (en-US)

Profile name : default
File : C:\Users\Squall\AppData\Roaming\Mozilla\Firefox\Profiles\u5y0pz6f.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Squall\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1996 octets] - [17/10/2012 20:27:16]
AdwCleaner[S1].txt - [1922 octets] - [17/10/2012 20:27:48]
AdwCleaner[R2].txt - [1542 octets] - [18/10/2012 21:07:41]
AdwCleaner[R3].txt - [1602 octets] - [18/10/2012 21:09:32]
AdwCleaner[S3].txt - [1553 octets] - [19/10/2012 16:44:33]

########## EOF - C:\AdwCleaner[S3].txt - [1613 octets] ##########

squaljonovic

Newbie Surfer

Posts : 11
Joined : 2012-10-18
Operating System : Windows Vista 64-bit Home Premium

Solved Re: Google Redirect Virus

Post by Rodel Ituralde on Sat 20 Oct 2012, 9:53 am

Hello, and welcome to GeekPolice.

I'm Rodel Ituralde and I will be helping you with your issues.

Please note the following information about the malware forum:

  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


I am a student and will need to get approval prior to each step. I will return shortly with the first step.

Rodel Ituralde

Senior Surfer

Posts : 387
Joined : 2011-01-27
Operating System : Windows 7 Home Edition 32-bit, Windows 7 Home Edition 64-bit and Ubuntu 10.4

Solved Re: Google Redirect Virus

Post by squaljonovic on Sat 20 Oct 2012, 9:59 am

Thanks for such a prompt response, Rodel! All points duly noted, and now awaiting your further instruction:)


Solved Re: Google Redirect Virus

Post by Rodel Ituralde on Sun 21 Oct 2012, 9:49 am

Hello squaljonovic.

My AVG and Malwarebytes scans now come up clean, and I ran ComboFix yesterday.
ComboFix is a very powerful tool, and it is strongly advised not to run it without the supervision of a helper. Please bear this in mind.

Please run OTL.exe.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTL
    IE - HKLM\..\SearchScopes\zbani: "URL" = [You must be registered and logged in to see this link.]
    IE - HKCU\..\SearchScopes\zbani: "URL" = [You must be registered and logged in to see this link.]
    FF - prefs.js..browser.search.defaultenginename: "Zbani"
    FF - prefs.js..browser.search.defaulturl: "home.Zbani.com/en/get/"
    FF - prefs.js..browser.search.order.1: "Zbani"
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    @Alternate Data Stream - 165 bytes -> C:\ProgramData\TEMP:852F2262
    @Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:8EB0D744

    :commands
    [EmptyTemp]
    [EmptyFlash]
    [Reboot]


  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====

Please then re-run MBRCheck and post a fresh log in your reply.
=====

I would like to see the Fix log from OTL and a fresh log from MBRCheck in your reply please.


Solved Re: Google Redirect Virus

Post by squaljonovic on Sun 21 Oct 2012, 11:50 am

Thanks for your response, Rodel! I started running the fix with OTL within a couple of minutes of your last post, but it's still running now. Is it normal for a fix like that to take more than an hour to apply? OTL's CPU usage keeps going up and down sporadically and its memory usage has been increasing very slowly, so it seems to be running still. However, when I click on the window, it says it's not responding for a bit before the window'll even load. I'll just leave it going unless I hear otherwise from you, but I wanted to check to make sure that was normal, as previous uses of the program didn't take this long.


Solved Re: Google Redirect Virus

Post by squaljonovic on Sun 21 Oct 2012, 3:41 pm

The fix ended up taking about five hours, but here's the log it produced followed by a fresh MBRcheck log:


All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{searchTerms}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{searchTerms}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{searchTerms}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{searchTerms}\ not found.
Prefs.js: "Zbani" removed from browser.search.defaultenginename
Prefs.js: "home.Zbani.com/en/get/" removed from browser.search.defaulturl
Prefs.js: "Zbani" removed from browser.search.order.1
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
ADS C:\ProgramData\TEMP:852F2262 deleted successfully.
ADS C:\ProgramData\TEMP:8EB0D744 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Squall
->Temp folder emptied: 7078364 bytes
->Temporary Internet Files folder emptied: 18050347 bytes
->Java cache emptied: 9952 bytes
->FireFox cache emptied: 81715704 bytes
->Google Chrome cache emptied: 8176973 bytes
->Flash cache emptied: 57468 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 294822 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 1591808 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 636 bytes
RecycleBin emptied: 115600 bytes

Total Files Cleaned = 112.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Squall
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.70.1 log created on 10202012_190705

Files\Folders moved on Reboot...
File move failed. C:\Windows\SysNative\SET8E3A.tmp scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\SET8EF8.tmp scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...







MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
Base Board Manufacturer: Gateway
BIOS Manufacturer: Gateway
System Manufacturer: Gateway
System Product Name: M-6864FX
Logical Drives Mask: 0x00000014

Kernel Drivers (total 140):

Processes (total 48):

\\.\C: --> error 1

PhysicalDrive0 Model Number: ST9200420AS, Rev: 3.AAA

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

squaljonovic

Newbie Surfer

Posts : 11
Joined : 2012-10-18
Operating System : Windows Vista 64-bit Home Premium


Solved Re: Google Redirect Virus

Post by Rodel Ituralde on Tue 23 Oct 2012, 10:07 pm

Hello squaljonovic.

Before going to the next stage please ensure you back up all of your folders and files to an external source, such as a hard drive.

The fix is going to involve attempting to rewrite your MBR code to replace the fake one. It is possible it could become damaged, and while this is unlikely, please be aware of this possibility.

Please post back when you have backed up your files.

Rodel Ituralde

Senior Surfer

Posts : 387
Joined : 2011-01-27
Operating System : Windows 7 Home Edition 32-bit, Windows 7 Home Edition 64-bit and Ubuntu 10.4


Solved Re: Google Redirect Virus

Post by squaljonovic on Wed 24 Oct 2012, 6:49 am

I backed up all my files days ago, so no worries there. I'm ready when you are:)

squaljonovic

Newbie Surfer

Posts : 11
Joined : 2012-10-18
Operating System : Windows Vista 64-bit Home Premium


Solved Re: Google Redirect Virus

Post by Rodel Ituralde on Wed 24 Oct 2012, 7:43 am

Hello squaljonovic.

Please run MBRCheck.exe again by double-clicking on it.
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option 2 (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below:
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:
  • Please select your version of Windows from the list and enter 3 and then press Enter.
  • When prompted for confirmation, "Do you want to fix the MBR code?", type the full word Yes (not Y or the fix will not work) and press Enter.
  • Left-click on the title bar (where the program name and path are written).
  • From the menu choose Edit -> Select All.
  • Press the Enter key to copy selected text.
  • Open Notepad, paste that text into it and save to your Desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.

Important Note: The Master Boot Record contains the Partition Table for the hard disk and a little executable code for the boot start. While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the MBR, which may cause the computer to not boot up or it may corrupt a partition.

The following are signs of a damaged MBR:
  • Invalid Partition Table
  • Missing Operating System
  • Error loading operating system


If it is the worst case scenario, and your computer cannot boot, please take note of the following:

Please have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems or install the XP Recovery Console before proceeding with the above fix. Then, if any problems occur, the links below explain how to use and repair the MBR:

  • How to use the Recovery Console
  • How to fix MBR in Windows XP and Vista


If you do not have a Windows CD available, please let me know. You will need access to a computer that can burn CDs.
Rodel Ituralde

Senior Surfer

Posts : 387
Joined : 2011-01-27
Operating System : Windows 7 Home Edition 32-bit, Windows 7 Home Edition 64-bit and Ubuntu 10.4
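As an added illustration of what MBRCheck is reporting in the logs above (a SHA1 of the sector's boot code and a "Faked" verdict when that code is not a known standard one), here is a small Python parser for a 512-byte MBR sector. This is example code written for this page, not MBRCheck's own code; hashing only the first 440 bytes (so the per-disk signature at 0x1B8 does not change the hash), the whitelist comparison and the sample sector are all assumptions made for the example.

```python
import hashlib
import struct

# Classic MBR layout (512 bytes): boot code, a 4-byte disk signature at
# 0x1B8, four 16-byte partition entries at 0x1BE, and the 0x55AA signature.
BOOT_CODE_LEN = 440        # hash only this part: the disk signature that
PARTITION_TABLE_OFF = 446  # follows it differs per machine (assumed scheme)
SIGNATURE_OFF = 510


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(sector: bytes) -> dict:
    """Return boot-code SHA1, signature validity and the used partitions."""
    if len(sector) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    table = sector[PARTITION_TABLE_OFF:SIGNATURE_OFF]
    parts = [parse_partition_entry(table[i:i + 16]) for i in range(0, 64, 16)]
    return {
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": [p for p in parts if p["type"] != 0],
    }


def mbr_status(sector: bytes, known_good: set) -> str:
    """Give an MBRCheck-style verdict: compare the boot-code hash to a whitelist."""
    info = inspect_mbr(sector)
    if not info["signature_ok"]:
        return "Invalid boot signature"
    if info["boot_code_sha1"] in known_good:
        return "MBR Code OK"
    return "MBR Code non-standard"


def build_sample_mbr() -> bytes:
    """Constructed stand-in for a real sector (not a dump from this thread)."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * (BOOT_CODE_LEN - 3)
    disk_sig = b"\x12\x34\x56\x78\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 390_000_000)
    return boot_code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"
```

A real check would fill `known_good` with the hashes of the standard Windows boot codes (the list MBRCheck offers to write); a sector whose boot-code hash is absent from that set is what the log above calls "MBR Code Faked!".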


Solved Re: Google Redirect Virus

Post by squaljonovic on Wed 24 Oct 2012, 8:31 am

I did exactly as you instructed; the log is below. After my laptop was done booting, I opened MBRCheck again, and it still claims the MBR is faked:/


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
Base Board Manufacturer: Gateway
BIOS Manufacturer: Gateway
System Manufacturer: Gateway
System Product Name: M-6864FX
Logical Drives Mask: 0x00000014

\\.\C: --> error 1

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows Vista)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 3
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: YES
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!
Press ENTER to exit...

squaljonovic

Newbie Surfer

Posts : 11
Joined : 2012-10-18
Operating System : Windows Vista 64-bit Home Premium


Solved Re: Google Redirect Virus

Post by Rodel Ituralde on Wed 24 Oct 2012, 7:50 pm

Hey squaljonovic.

  • Please insert your disc for Windows Vista and boot from the disc. When the menu loads please select Repair Your Computer.
  • Choose Vista to repair and then Next.
  • In the following window please select Command Prompt.
  • Type in bootrec.exe /fixmbr and press Enter.
  • Restart your computer and please re-run MBRCheck. Post its new log in your reply.

Rodel Ituralde

Senior Surfer

Posts : 387
Joined : 2011-01-27
Operating System : Windows 7 Home Edition 32-bit, Windows 7 Home Edition 64-bit and Ubuntu 10.4


Solved Re: Google Redirect Virus

Post by squaljonovic on Fri 26 Oct 2012, 12:44 pm

I have no idea why, but my computer refuses to read my Vista disk. When I put it in, it tries to read the disk but concludes there's no disk in the drive. Trying to boot to my disk drive gives no results. I put my disk into another computer and it read it fine. I tried a different bootable disk in my own computer (from a drive back-up program I have), and it booted to it without issue. I tried disabling and enabling my disk drive in the Device Manager. I tried uninstalling the disk drive's driver then reinstalling it. I tried booting to safe mode with command prompt and manually opening the setup.exe in the root directory, but it said there was nothing on the E drive. I tried everything I could think of to boot to my Vista disk, and nothing worked. Is it possible that the virus in my MBR has the capacity to block my disk drive from loading a disk named "OS"? I have access to a computer that can burn disks, so I imagine we should try one of the boot disks you were going to suggest I make earlier, right? Or do you know of some other clever computer wizardry I could try to get this disk a-workin'?

squaljonovic

Newbie Surfer

Posts : 11
Joined : 2012-10-18
Operating System : Windows Vista 64-bit Home Premium


Solved Re: Google Redirect Virus

Post by Rodel Ituralde on Mon 29 Oct 2012, 2:11 pm

Hello squaljonovic.

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

  • Once the scan finishes click Save log to save the log to your Desktop
  • Copy and paste the contents of aswMBR.txt back here for review

Rodel Ituralde

Senior Surfer

Posts : 387
Joined : 2011-01-27
Operating System : Windows 7 Home Edition 32-bit, Windows 7 Home Edition 64-bit and Ubuntu 10.4


Solved Re: Google Redirect Virus

Post by squaljonovic on Fri 02 Nov 2012, 1:43 pm

Hey Rodel!

That program was one of the ones the rootkit/virus/whatever was preventing from opening, so I wouldn't have been able to run it. But! Since I last posted, I was forced to give in and reinstall Windows on my laptop because I couldn't do without internet access on my computer any longer. The reinstall was successful, my computer is malware-free, and all is good and well again. Sorry we didn't get to remedy the situation before I had to resort to that drastic measure, but I truly appreciate your help regardless. Thanks again for all your guidance, and I wish you all the best in the future:) Peace!

squaljonovic

Newbie Surfer

Posts : 11
Joined : 2012-10-18
Operating System : Windows Vista 64-bit Home Premium


Solved Re: Google Redirect Virus

Post by Rodel Ituralde on Fri 02 Nov 2012, 7:21 pm

Hey squaljonovic.

Glad to hear you have your computer sorted.

Please follow these recommendations to help you stay safe online and prevent malware in the future.

Software Recommendations:


Antispyware Programs:
On top of antivirus protection, antispyware programs help protect against spyware and adware.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from installing on your computer may be found here.


Firewalls:

I recommend installing a software firewall to further boost your computer security. The below firewalls provide free versions:

  • COMODO
  • Online Armor
  • Outpost

Please visit this tutorial for further information on firewalls.

Please keep these programs up-to-date. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning antispyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.


An Alternative Internet Browser:

I strongly recommend using an alternate browser. Mozilla's Firefox browser is an excellent option. In addition to offering greater security than Internet Explorer, it also has a fantastic popup blocker and add-ons, like Adblock Plus, NoScript and Web of Trust. Google Chrome or Opera are other decent alternatives.


General Security Recommendations:

Update your programs on a regular basis to stay safe and secure.

Updating Windows regularly ensures you keep your computer safe with the latest system improvements and fixes. Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections.

Please be aware of rogue and scareware programs as they can compromise your security. Please go here for more information or ask at a security forum like the GeekPolice.


For further information please read these security articles:

So how did I get infected?
Staying safe on the Internet

Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?

Rodel Ituralde

Senior Surfer

Posts : 387
Joined : 2011-01-27
Operating System : Windows 7 Home Edition 32-bit, Windows 7 Home Edition 64-bit and Ubuntu 10.4


Solved Re: Google Redirect Virus

Post by squaljonovic on Sun 04 Nov 2012, 4:15 am

I already have all of your suggestions enacted to protect my computer, though I did toss Online Armor onto my computer. Windows Firewall didn't do anything to help with my most recent infection, so I appreciate that suggestion! I'll be leaving feedback momentarily after sending this, so now I bid you adieu and thank you once again, Rodel!

squaljonovic

Newbie Surfer

Posts : 11
Joined : 2012-10-18
Operating System : Windows Vista 64-bit Home Premium
