How-To Geek Forums / Windows 7

Browser possibly getting hijacked

(48 posts)
  • Started 4 years ago by joefuf
  • Latest reply from StringJunky
  • Topic Viewed 2553 times

joefuf
Posts: 121

In the last few weeks, I have noticed that clicking links will sometimes bring me to one of these links in the picture below. The page never loads; however, if I click back, the intended link loads. There is no trend I have noticed related to when this happens (it happens whether I am clicking a Reddit link or a Google link). I am using Waterfox (the 64-bit variant of Firefox) on my Dell running Windows 7 Ultimate.

I have run multiple Malwarebytes full scans since this started happening and I have not found anything indicative of a virus. The website blocking feature never flags any of these sites while loading.

Is this a known issue?

Posted 4 years ago
 
Fhirkin9
Posts: 179

I would say hijacked, and someone is profiting from those clicks. I did a whois of that IP range and it looks suspicious: "searchanyway", which pays in some manner for clicks. I could be wrong but the evidence is there. http://www.networksolutions.co......15.72.104

Posted 4 years ago
 
GuiltySpark
Posts: 4024

Agree with Fhirkin9. Check your browser for toolbars, add-ons etc., and download CCleaner, close the browser and run the cleaner.

Posted 4 years ago
 
joefuf
Posts: 121

See anything suspicious in any of these?

http://imgur.com/a/CngzE

Posted 4 years ago
 
GuiltySpark
Posts: 4024

Doesn't look like there should be problems there.

Did you try CCleaner?

Also (just to rule them out) try starting your browser with add-ons disabled.

Posted 4 years ago
 
joefuf
Posts: 121

Haven't tried CCleaner today, but I run that almost once a week. I've definitely run it since this problem started.

Heading into an exam now, but check back in three hours and I will update you on starting with add-ons disabled.

Posted 4 years ago
 
joefuf
Posts: 121

I used CCleaner and that was working until just now. I just got redirected again, but this time, something loaded on the page:

The link goes to this address:

http://click.livesearchnow.com.....7-15-35-05

I have not clicked it.

I am not sure how to start Waterfox without add-ons...

Posted 4 years ago
 
warlock
Posts: 4100

http://www.malwarebytes.org Try the free version of this.

Posted 4 years ago
 
joefuf
Posts: 121

I use the Pro version and that doesn't get anything when I scan. Is the free version going to do something different?

Posted 4 years ago
 
warlock
Posts: 4100

Probably not; you didn't say you used it in your posting. Are you using the full scan?

Posted 4 years ago
 
joefuf
Posts: 121

Yeah, I do full scans. I posted that below the picture in my original post. Probably should have written it above the picture. My bad.

Posted 4 years ago
 
warlock
Posts: 4100

http://blog.ffextensionguru.co.....re-mishap/ Maybe read through this and see if it might apply.

Posted 4 years ago
 
StringJunky
Posts: 2454

Have a go with this. Just install > Click Search > If the log shows something click Delete > Reboot. This is designed for browser and search crap.

http://www.softpedia.com/get/A.....aner.shtml

Tony

Posted 4 years ago
 
joefuf
Posts: 121

Tony, here is the log that followed the scan. Do you see anything here?

# AdwCleaner v2.113 - Logfile created 02/27/2013 at 20:34:39
# Updated 23/02/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Jeff - JEFF
# Boot Mode : Normal
# Running from : C:\Users\Jeff\Downloads\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Found : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\searchplugins\daemon-search.xml
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Program Files (x86)\Viewpoint
Folder Found : C:\ProgramData\boost_interprocess
Folder Found : C:\ProgramData\Viewpoint
Folder Found : C:\Users\Jeff\AppData\Local\Conduit
Folder Found : C:\Users\Jeff\AppData\LocalLow\boost_interprocess
Folder Found : C:\Users\Jeff\AppData\LocalLow\Conduit
Folder Found : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\Conduit
Folder Found : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\CT1060933
Folder Found : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
Folder Found : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\FCTB
Folder Found : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\jetpack

***** [Registry] *****

Key Found : HKCU\Software\1ClickDownload
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Ask&Record
Key Found : HKCU\Software\Ask.com
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\Iminent
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\Orbit\OpenCandy
Key Found : HKLM\Software\Viewpoint
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKU\S-1-5-21-2492272126-1598020779-2127758990-1000\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKU\S-1-5-21-2492272126-1598020779-2127758990-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
Key Found : HKU\S-1-5-21-2492272126-1598020779-2127758990-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKU\S-1-5-21-2492272126-1598020779-2127758990-1018\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKU\S-1-5-21-2492272126-1598020779-2127758990-1018\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
Key Found : HKU\S-1-5-21-2492272126-1598020779-2127758990-1018\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxps://isearch.avg.com/?cid={4D61A652-C560-487C-93F9-87E59E692CD2}&mid=bf1b429bf3d4431992fcf65403e8d46b-b602d594afd2b0b327e07a06f36ca6a7e42546d0&lang=en&ds=ip011&pr=sa&d=2012-08-30 11:35:34&v=12.1.0.20&sap=hp

-\\ Mozilla Firefox v [Unable to get version]

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\etp80ct6.New Profile\prefs.js

Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Found : user_pref("browser.search.selectedEngine", "AVG Secure Search");

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\prefs.js

Found : user_pref("CT1060933.SearchProtectorToolbarDisabled", true);
Found : user_pref("CT1060933.ToolbarDisabled", true);
Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Found : user_pref("extensions.DivXWebPlayer@divx.com.install-event-fired", true);
Found : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,%7B2d3fbcf7-be69-4433-8858[...]
Found : user_pref("keyword.URL", "hxxps://isearch.avg.com/search?cid=B56921578-efe6-4b28-ab0f-68915605159cD&[...]

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\mw8bzlfh.AVGAdobeTest\prefs.js

Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Found : user_pref("browser.search.selectedEngine", "AVG Secure Search");

File : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\eo9qc2nj.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.97

File : C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.1899] : homepage = "hxxps://isearch.avg.com/?cid={4D61A652-C560-487C-93F9-87E59E692CD2}&mid=bf1b429bf3d4431992fcf65403e8d46b-b602d594afd2b0b327e07a06f36ca6a7e42546d0&lang=en&ds=ip011&pr=sa&d=2012-08-30 11:35:34&v=12.1.0.20&sap=hp",

*************************

AdwCleaner[R1].txt - [7784 octets] - [27/02/2013 20:34:39]

########## EOF - C:\AdwCleaner[R1].txt - [7844 octets] ##########

Posted 4 years ago
 
joefuf
Posts: 121

I just got redirected in Chrome. I didn't have a chance to take a screenshot, but it went to one of the IP addresses when I was trying to go to a B&H site and then I went to a click.livesearchnow.com link... I don't think it's an add-on in Waterfox, it must be adware or malware... Running another full scan of Malwarebytes now.

Posted 4 years ago
 
StringJunky
Posts: 2454

Everything in that log is toolbars and search pages and possibly something else which you don't need at all. Open AdwCleaner and hit the Search button again > click off the log > hit Delete > reboot. You will get a log of what was deleted showing. Click this off. Open and run the app again. If it looks like this log of mine you are done, but if it still shows something run again until it looks like mine.

You might have to start all over again with Chrome, setting it up, but the others probably will need the home pages resetting to your liking.

Tony

Posted 4 years ago
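For anyone triaging a log like the one joefuf posted: the script below is an added example (not from this thread, and not part of AdwCleaner) that parses an AdwCleaner v2 "Search" log into its sections and pulls out the items Tony is describing, i.e. the search-engine, keyword.URL and homepage/Start Page settings, the IE SearchScopes/Browser Helper Object/Toolbar registry entries, and dropped search plugins. The sample log inside it is constructed from the format above with the CLSIDs replaced by placeholders; the indicator lists are my own assumptions about what explains a redirect complaint, not AdwCleaner's detection rules.

```python
"""Triage an AdwCleaner v2 "Search" log: group findings by section and pull
out the settings most likely to explain redirected searches and clicks.

Added example; not part of AdwCleaner and not code from any poster. The
indicator lists below are the editor's assumptions, not AdwCleaner's rules.
"""
import re
from collections import defaultdict

# Constructed sample in the AdwCleaner v2 log format (abbreviated, ids replaced).
SAMPLE_LOG = r"""
# AdwCleaner v2.113 - Logfile created 02/27/2013 at 20:34:39
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Found : C:\Program Files (x86)\Conduit

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EXAMPLE-CLSID}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EXAMPLE-CLSID}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxps://isearch.avg.com/?cid=EXAMPLE

-\\ Mozilla Firefox v [Unable to get version]

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\prefs.js

Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Found : user_pref("keyword.URL", "hxxps://isearch.avg.com/search?cid=EXAMPLE");
Found : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,%7B2d3fbcf7[...]

File : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\eo9qc2nj.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.97

File : C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.1899] : homepage = "hxxps://isearch.avg.com/?cid=EXAMPLE",
"""

SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")          # ***** [Registry] *****
BROWSER_RE = re.compile(r"^-\\\\ (.+)$")                      # -\\ Google Chrome v25...
FINDING_RE = re.compile(r"^(File|Folder|Key|Value) Found : (.+)$")
# The three shapes a browser-setting line takes in the log (truncated "[...]"
# Firefox lines are tolerated by making the closing ");" optional).
FIREFOX_PREF_RE = re.compile(r'^Found : user_pref\("([^"]+)", "?(.*?)"?\)?;?$')
CHROME_PREF_RE = re.compile(r'^Found \[l\.\d+\] : (\w+) = "(.*?)",?$')
IE_SETTING_RE = re.compile(r"^\[[^\]]+ - ([^\]]+)\] = (.+)$")

# Settings that decide where a search or a typed address goes (assumption).
HIJACK_SETTINGS = {
    "browser.search.defaultenginename", "browser.search.selectedEngine",
    "keyword.URL", "homepage", "Start Page",
}
# Registry locations that let third-party code hook IE (assumption).
REGISTRY_TOKENS = ("SearchScopes", "Browser Helper Objects", r"Internet Explorer\Toolbar")


def parse_adwcleaner_log(text):
    """Return {'sections': {name: [(kind, path)]}, 'browser_settings': [(browser, name, value)]}."""
    sections = defaultdict(list)
    settings = []
    section = browser = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, browser = m.group(1), None
        elif m := BROWSER_RE.match(line):
            browser = m.group(1)
        elif (m := FINDING_RE.match(line)) and section:
            sections[section].append((m.group(1), m.group(2)))
        elif browser:
            for rx in (FIREFOX_PREF_RE, CHROME_PREF_RE, IE_SETTING_RE):
                if m := rx.match(line):
                    settings.append((browser, m.group(1), m.group(2)))
                    break
    return {"sections": dict(sections), "browser_settings": settings}


def hijack_indicators(report):
    """Findings that most plausibly explain redirects, in the order a responder
    would check them: browser settings, IE hooks, then dropped search plugins."""
    hits = []
    for browser, name, value in report["browser_settings"]:
        if name in HIJACK_SETTINGS:
            hits.append(f"{browser}: {name} = {value}")
    for kind, path in report["sections"].get("Registry", []):
        if any(tok in path for tok in REGISTRY_TOKENS):
            hits.append(f"Registry {kind}: {path}")
    for kind, path in report["sections"].get("Files / Folders", []):
        if "searchplugins" in path.lower():
            hits.append(f"{kind}: {path}")
    return hits


if __name__ == "__main__":
    rep = parse_adwcleaner_log(SAMPLE_LOG)
    for name, items in rep["sections"].items():
        print(f"{name}: {len(items)} finding(s)")
    print("Likely redirect causes:")
    for hit in hijack_indicators(rep):
        print("  ", hit)
```

Feed it the real log text instead of SAMPLE_LOG and the "Likely redirect causes" list is the short version of what Tony reads off the full log: every browser on the box pointed at the same search page, plus the IE hooks and search plugins that put it there. A clean log yields no sections with findings and an empty list, which is the state Tony says to run until.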
 
GuiltySpark
Posts: 4024

@joefuf,

Remove Conduit and Ask from your search engines list and reset your Home page. You may have to go through each browser and do this as they tend to install throughout.

Posted 4 years ago
 
joefuf
Posts: 121

Sorry I dropped out for two days. I had a bit of trouble.

I ended up downloading Ad-Aware Antivirus (which I remembered using back in the day when it was just a scan tool). It found a fair amount of things (one was a toolbar, and I can't remember the rest). I removed things successfully, but the resident shield started to cause me trouble, deleting and disabling things that I had on my computer. I had to uninstall it before it did any more damage. I will try ADW again.

Posted 4 years ago
 
StringJunky
Posts: 2454

Let us know how you got on with it.

Tony

Posted 4 years ago
 
joefuf
Posts: 121

This was the report when I ran the scan and clicked Delete:


# AdwCleaner v2.113 - Logfile created 03/03/2013 at 15:26:53
# Updated 23/02/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Jeff - JEFF
# Boot Mode : Normal
# Running from : C:\Users\Jeff\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\searchplugins\daemon-search.xml
Folder Deleted : C:\Program Files (x86)\adawaretb
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\Viewpoint
Folder Deleted : C:\ProgramData\blekko toolbars
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\Viewpoint
Folder Deleted : C:\Users\Jeff\AppData\Local\Conduit
Folder Deleted : C:\Users\Jeff\AppData\LocalLow\adawaretb
Folder Deleted : C:\Users\Jeff\AppData\LocalLow\boost_interprocess
Folder Deleted : C:\Users\Jeff\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\Conduit
Folder Deleted : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\CT1060933
Folder Deleted : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
Folder Deleted : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\FCTB
Folder Deleted : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\jetpack

***** [Registry] *****

Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Ask&Record
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\Orbit\OpenCandy
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKU\S-1-5-21-2492272126-1598020779-2127758990-1018\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKU\S-1-5-21-2492272126-1598020779-2127758990-1018\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
Key Deleted : HKU\S-1-5-21-2492272126-1598020779-2127758990-1018\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxps://isearch.avg.com/?cid={4D61A652-C560-487C-93F9-87E59E692CD2}&mid=bf1b429bf3d4431992fcf65403e8d46b-b602d594afd2b0b327e07a06f36ca6a7e42546d0&lang=en&ds=ip011&pr=sa&d=2012-08-30 11:35:34&v=12.1.0.20&sap=hp --> hxxp://www.google.com

-\\ Mozilla Firefox v [Unable to get version]

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\etp80ct6.New Profile\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\prefs.js

Deleted : user_pref("CT1060933.SearchProtectorToolbarDisabled", true);
Deleted : user_pref("CT1060933.ToolbarDisabled", true);
Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("extensions.DivXWebPlayer@divx.com.install-event-fired", true);
Deleted : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,%7B2d3fbcf7-be69-4433-8858[...]
Deleted : user_pref("keyword.URL", "hxxps://isearch.avg.com/search?cid=B56921578-efe6-4b28-ab0f-68915605159cD&[...]

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\mw8bzlfh.AVGAdobeTest\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");

-\\ Google Chrome v25.0.1364.97

File : C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.1906] : homepage = "hxxps://isearch.avg.com/?cid={4D61A652-C560-487C-93F9-87E59E692CD2}&mid=bf1b429bf3d4[...]

*************************

AdwCleaner[R1].txt - [7919 octets] - [03/03/2013 15:26:22]
AdwCleaner[S1].txt - [7478 octets] - [03/03/2013 15:26:53]

########## EOF - C:\AdwCleaner[S1].txt - [7538 octets] ##########

Posted 4 years ago
 
StringJunky
Posts: 2454

Quite a busy log! How is it all now?

Tony

Posted 4 years ago
 
joefuf
Posts: 121

Yeah, I was surprised to read all of those results. I never noticed any problems until the redirects started happening. No redirects as of yet. I will update the thread if that changes.

I have my computer protected by Malwarebytes Pro. Should I have something in addition to that? I used to use AVG Free, but their 2013 version disabled a keylogger that I have installed on my laptop (I like to be able to recover typed things when I lose the original copy etc.). Any recommendations or is Malwarebytes Pro enough?

Posted 4 years ago
 
Lighthouse
Posts: 13598

I would install MSE as well,
http://windows.microsoft.com/e.....s-download

Posted 4 years ago
 
joefuf
Posts: 121

I was fine all of yesterday after I posted, but I just tried to go to two links off of Google News, and I was redirected to this link...

http://64.15.72.104/click_seco.....country=US

Posted 4 years ago
 
joefuf
Posts: 121

I would try MSE, but when I tried it in place of AVG Free, I had a weird issue where the process of the program shot up to 90%+ of my CPU Usage. I couldn't figure out what was causing that to happen. It wasn't running a scan and yet the memory that it was taking up would grow exponentially.

Posted 4 years ago
 
vistamike
Posts: 10945

You are still infected with that nasty.

Have you run, as Tony suggested, http://www.bleepingcomputer.co.....dwcleaner/

Edit: you need to uninstall AVG for sure.

Posted 4 years ago
 
GuiltySpark
Posts: 4024

Download and run this: http://support.kaspersky.com/search TDSSKiller

Posted 4 years ago
 
joefuf
Posts: 121

No luck on TDSSKiller. I downloaded the copy of System Center Endpoint Protection that my university provides, and I am running a full scan on that. I will update if that finds anything.

Posted 4 years ago
 
GuiltySpark
Posts: 4024

SCEP is virtually MSE but for Organizations.

In fact I think they discontinued it or are going to discontinue it, I'll have to do some digging.

Edit: They did, but not that version http://technet.microsoft.com/e.....t/Bb852242 (I knew I wasn't dreaming it) :D

Posted 4 years ago
 
joefuf
Posts: 121

SCEP is still running the full scan. About an hour and a half in and it's only scanned about 100,000 files :-\ Just got redirected a few minutes ago, so I know it hasn't detected whatever the problem is (yet).

I think we just made a decision that we wanted to get off of Symantec for students and faculty. I work in the IT department here and it was just awful. Kids got viruses and malware like they had no protection to begin with.

Posted 4 years ago
 
GuiltySpark
Posts: 4024

Can't you just re-image the machine(s)? Most unis and colleges tend to re-image quarterly anyway, just to keep the machines fresh.

Posted 4 years ago
 
joefuf
Posts: 121

Yeah, I can and probably will reimage at the end of the semester, but since I'm in the middle of producing my senior thesis film, I wanted to hold off for a while. Aside from this issue, I still can't edit or view tags of MP3 files which really bugs me.

Posted 4 years ago
 
StringJunky
Posts: 2454

Did you run adwcleaner again to check it was clean?

It's probably worth running SAS... it's geared to this sort of problem:

http://www.softpedia.com/get/I.....ware.shtml

Posted 4 years ago
 
warlock
Posts: 4100

@StringJunky, If joefuf decides to try SAS would you recommend the full scan or the rescue scan? I have never used the rescue scan myself.

Posted 4 years ago
 
StringJunky
Posts: 2454

Warlock

From SAS site:

What does "Enable rescue scan" do?

Rescue scan should only be enabled when malware is consuming so many system resources that you are unable to run a scan. Rescue scan attempts to steal back some of those resources. If you are able to run a scan normally, do not enable this option.

Posted 4 years ago
 
warlock
Posts: 4100

@SJ, Never thought to look it up. Thanks, good to know for future use. Surprised it never came up before when it gets recommended here so often.

Edit: Or maybe I missed it.

Posted 4 years ago
 
StringJunky
Posts: 2454

Yes, that slipped under the radar this time. :) The hard-core app for this if SAS doesn't work is probably Combofix, but it needs someone VERY familiar with it to instruct in its use because it can easily cause as many problems as it solves. Joe's probably better off going to Bleeping Computer if the problem persists after using SAS and getting carefully guided assistance by people with specific knowledge in this area.

Joe

It doesn't really solve the problem, but I have a hunch if you use Comodo Dragon for now you won't get redirected, because in my tests no toolbar or errant search engine has ever been able to hijack it. It's a Chrome variant.

http://www.comodo.com/home/bro.....rowser.php

Posted 4 years ago
 
joefuf
Posts: 121

Just ran SCEP and found a few things. A couple of Java exploits which might have been the cause. I posted pictures below of the descriptions of what I found that may have been the cause. Everything else is basically keygens and my keylogger, which I will have to reinstall...

I will try SAS after I reboot. I have Combofix, and I didn't even think to use that. I'm pretty familiar with it since we use it here in IT. If SAS doesn't work, I can try that.

Posted 4 years ago
 
joefuf
Posts: 121

Ran ADW again and this was the log. I will try and run SAS now.


# AdwCleaner v2.113 - Logfile created 03/04/2013 at 21:00:19
# Updated 23/02/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Jeff - JEFF
# Boot Mode : Normal
# Running from : C:\Users\Jeff\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\jetpack

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v [Unable to get version]

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\etp80ct6.New Profile\prefs.js

[OK] File is clean.

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\prefs.js

Deleted : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,%7B2d3fbcf7-be69-4433-8858[...]

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\mw8bzlfh.AVGAdobeTest\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.97

File : C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.1960] : homepage = "hxxps://isearch.avg.com/?cid={4D61A652-C560-487C-93F9-87E59E692CD2}&mid=bf1b429bf3d4[...]

*************************

AdwCleaner[R1].txt - [7919 octets] - [03/03/2013 15:26:22]
AdwCleaner[R2].txt - [1757 octets] - [04/03/2013 20:59:53]
AdwCleaner[S1].txt - [7583 octets] - [03/03/2013 15:26:53]
AdwCleaner[S2].txt - [1574 octets] - [04/03/2013 21:00:19]

########## EOF - C:\AdwCleaner[S2].txt - [1634 octets] ##########

Posted 4 years ago
 
joefuf
Posts: 121

So I ran SAS and got these as my results. Nothing harmful showed up, just 199 cookies. Although the click.livesearchnow.com cookie might have something to do with one of the redirects. Not sure though. I'm going to sleep now, and I'll update if I get any redirects tomorrow.

Posted 4 years ago
 
joefuf
Posts: 121

Last thing I do tonight. I ran ComboFix. Below is my log. Let me know if you see anything that stands out.


ComboFix 13-03-05.01 - Jeff 03/05/2013 0:09.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8187.5261 [GMT -5:00]
Running from: c:\users\Jeff\Desktop\ComboFix.exe
AV: System Center 2012 Endpoint Protection *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: System Center 2012 Endpoint Protection *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\boost_interprocess\20130304210141.375199
c:\programdata\boost_interprocess\20130304210141.375199\9334581e-7251-4ef7-a8ec-5bfe8e89ff68
c:\programdata\boost_interprocess\20130304210141.375199\plex_frame_mutex
c:\programdata\SPL32FA.tmp
c:\programdata\SPLB963.tmp
c:\users\Jeff\AppData\Local\assembly\tmp
c:\users\Jeff\AppData\Local\assembly\tmp2U4KPCO\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp2U4KPCO\AddinExpress.PP.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\2DFR78I7\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\2DFR78I7\AddinExpress.MSO.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\5BB7ULNH\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\5BB7ULNH\AddinExpress.MSO.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\7XDDXVSX\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\7XDDXVSX\AddinExpress.MSO.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\B4UFLBA5\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\B4UFLBA5\AddinExpress.XL.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\C2NS73XU\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\C2NS73XU\AddinExpress.MSO.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\D5QPF2OH\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\D5QPF2OH\AddinExpress.WD.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\FO1E7W9G\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\FO1E7W9G\AddinExpress.ToolbarControls.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\GRW7DNFB\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\GRW7DNFB\AddinExpress.MSO.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\HX1GCJSR\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\HX1GCJSR\AddinExpress.XL.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\JXNU86XG\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\JXNU86XG\AddinExpress.MSO.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\KQF7MRI9\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\KQF7MRI9\AddinExpress.WD.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\M2OTDPIN\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\M2OTDPIN\AddinExpress.MSO.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\ONAYM1A7\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\ONAYM1A7\AddinExpress.MSO.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\ORCQVAKJ\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\ORCQVAKJ\AddinExpress.XL.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\PESGP908\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\PESGP908\AddinExpress.WD.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\U6GG43L8\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\U6GG43L8\AddinExpress.MSO.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\W5K1EC92\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\W5K1EC92\AddinExpress.MSO.2005.DLL
c:\users\Jeff\AppData\Local\assembly\tmp\Z4S3D1X5\__AssemblyInfo__.ini
c:\users\Jeff\AppData\Local\assembly\tmp\Z4S3D1X5\AddinExpress.WD.2005.DLL
c:\users\Jeff\AppData\Roaming\Microsoft Corporation\2007 Microsoft Office system
c:\users\Jeff\AppData\Roaming\Microsoft Corporation\2007 Microsoft Office system\jeffreyabr@gmail.com-AllContactsList.xml
c:\users\Jeff\AppData\Roaming\Microsoft Corporation\2007 Microsoft Office system\jeffreyabr@gmail.com-AllContactsList_LastUpdate.xml
c:\users\Jeff\AppData\Roaming\Microsoft Corporation\2007 Microsoft Office system\Offisync-UserSettings.config
c:\users\Jeff\AppData\Roaming\Microsoft Corporation\2007 Microsoft Office system\ostelbuf.dat
c:\windows\XSxS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Run
.
.
((((((((((((((((((((((((( Files Created from 2013-02-05 to 2013-03-05 )))))))))))))))))))))))))))))))
.
.
2013-03-05 02:12 . 2013-03-05 02:12 -------- d-----w- c:\users\Jeff\AppData\Roaming\SUPERAntiSpyware.com
2013-03-05 02:12 . 2013-03-05 02:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-03-05 02:12 . 2013-03-05 02:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-03-05 02:08 . 2013-03-05 05:38 -------- d-----w- c:\programdata\boost_interprocess
2013-03-04 16:42 . 2012-10-23 11:04 972264 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D6E98343-ABDF-4F5E-9479-3BDF43B303A3}\gapaengine.dll
2013-03-04 16:42 . 2013-02-19 08:57 9162192 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A347B55E-4D9E-486C-A341-143CB469D68C}\mpengine.dll
2013-03-04 16:41 . 2013-03-04 16:41 -------- d-----w- c:\program files\Windows Firewall Configuration Provider
2013-03-04 16:40 . 2013-03-04 16:40 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2013-03-04 16:39 . 2013-03-04 16:40 -------- d-----w- c:\program files\Microsoft Security Client
2013-03-04 16:38 . 2013-03-05 02:05 -------- d-----w- c:\windows\CCM
2013-03-04 16:38 . 2013-03-04 16:38 -------- d-----w- c:\windows\ccmcache
2013-03-04 16:38 . 2013-03-04 16:38 -------- d-----w- c:\windows\SysWow64\CCM
2013-03-04 16:38 . 2013-03-04 16:38 -------- d-----w- c:\windows\ms
2013-03-04 16:37 . 2013-03-04 16:37 -------- d-----w- c:\program files\Microsoft Policy Platform
2013-03-04 16:36 . 2013-03-04 16:39 -------- d-----w- c:\windows\ccmsetup
2013-03-04 15:46 . 2013-03-05 05:36 17920 ----a-w- c:\windows\SysWow64\rpcnetp.dll
2013-03-04 15:45 . 2013-03-05 05:35 17920 ----a-w- c:\windows\SysWow64\rpcnetp.exe
2013-03-03 02:51 . 2013-03-03 02:51 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
2013-03-03 02:51 . 2013-03-03 02:51 -------- d-----w- c:\program files (x86)\Microsoft Sync Framework
2013-03-03 02:51 . 2013-03-03 02:51 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2013-03-03 02:48 . 2013-03-03 02:48 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
2013-03-03 02:47 . 2013-03-03 02:47 -------- d-----w- c:\program files\Microsoft Office
2013-03-03 02:46 . 2013-03-03 02:46 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2013-03-03 02:45 . 2013-03-03 02:45 -------- d-----r- C:\MSOCache
2013-03-02 21:59 . 2013-03-02 21:59 -------- d-----w- c:\program files (x86)\AGEIA Technologies
2013-03-01 22:54 . 2013-03-01 22:54 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-03-01 22:54 . 2013-03-01 22:54 -------- d-----w- c:\program files\iTunes
2013-03-01 22:54 . 2013-03-01 22:54 -------- d-----w- c:\program files\iPod
2013-03-01 21:15 . 2013-03-01 21:15 -------- d-----w- C:\d
2013-02-28 17:28 . 2013-02-11 16:28 38456 ----a-w- c:\windows\system32\drivers\gfiark.sys
2013-02-28 15:40 . 2013-02-28 15:40 -------- d-----w- c:\users\Jeff\AppData\Roaming\LavasoftStatistics
2013-02-28 15:40 . 2013-02-28 15:40 -------- d-----w- c:\programdata\Ad-Aware Antivirus
2013-02-28 15:33 . 2013-02-28 15:33 -------- d-----w- c:\programdata\Lavasoft
2013-02-28 15:33 . 2013-03-01 21:11 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus
2013-02-28 15:32 . 2013-02-28 15:32 -------- d-----w- c:\programdata\Downloaded Installations
2013-02-28 15:31 . 2013-02-28 15:31 -------- d-----w- c:\program files (x86)\Toolbar Cleaner
2013-02-28 15:30 . 2013-02-28 15:30 14456 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-02-28 15:30 . 2013-02-28 17:31 -------- d-----w- c:\users\Jeff\AppData\Roaming\Ad-Aware Antivirus
2013-02-21 22:09 . 2013-02-21 22:09 -------- d-----w- c:\users\Jeff\AppData\Local\ActiveState
2013-02-21 22:08 . 2013-02-21 22:08 -------- d-----w- c:\program files (x86)\ActiveState Komodo Edit 7
2013-02-14 22:00 . 2013-01-30 18:12 143104 ----a-w- c:\windows\system32\SSCbFsNetRdr3.dll
2013-02-14 22:00 . 2013-01-30 18:12 192256 ----a-w- c:\windows\system32\SSCbFsMntNtf3.dll
2013-02-14 22:00 . 2013-01-30 18:12 159488 ----a-w- c:\windows\SysWow64\SSCbFsMntNtf3.dll
2013-02-14 22:00 . 2013-01-30 18:12 225024 ----a-w- c:\windows\SysWow64\SSCbFsNetRdr3.dll
2013-02-14 21:59 . 2013-01-30 18:11 347904 ----a-w- c:\windows\system32\drivers\sscbfs3.sys
2013-02-12 23:31 . 2013-02-12 23:31 -------- d-----w- c:\users\Jeff\AppData\Local\Singular_Software
2013-02-12 22:26 . 2013-02-12 22:26 -------- d-----w- c:\users\Jeff\AppData\Local\ControlActivation
2013-02-12 22:24 . 2010-11-22 20:50 66560 ----a-w- c:\windows\SysWow64\nlssrv32.exe
2013-02-12 22:24 . 2013-02-12 22:24 -------- d-----w- c:\program files (x86)\Singular Software
2013-02-09 23:43 . 2013-02-09 23:43 555808 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2013-02-06 01:25 . 2013-02-06 01:25 -------- d-----w- c:\program files (x86)\WinSCP
2013-02-04 18:16 . 2012-08-21 18:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-05 05:36 . 2010-09-21 18:03 29 ----a-w- c:\windows\SysWow64\TempWmicBatchFile.bat
2013-03-05 05:35 . 2010-12-09 15:24 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2013-03-04 16:03 . 2012-06-14 21:52 44544 ----a-w- c:\windows\SysWow64\agremove.exe
2013-03-01 14:25 . 2012-04-05 15:09 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-01 14:25 . 2011-05-28 14:44 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-28 00:52 . 2009-12-22 00:29 99384 ----a-w- c:\users\Jeff\AppData\Roaming\inst.exe
2013-02-28 00:52 . 2009-12-22 00:29 82816 ----a-w- c:\users\Jeff\AppData\Roaming\pcouffin.sys
2013-02-14 04:26 . 2010-03-15 04:17 70004024 ----a-w- c:\windows\system32\MRT.exe
2013-02-10 03:25 . 2011-09-29 18:35 15038296 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2013-02-10 03:25 . 2010-01-12 17:03 2854344 ----a-w- c:\windows\system32\nvapi64.dll
2013-02-10 03:25 . 2010-01-12 17:03 15275744 ----a-w- c:\windows\system32\nvwgf2umx.dll
2013-02-10 01:04 . 2010-07-09 20:27 6393120 ----a-w- c:\windows\system32\nvcpl.dll
2013-02-10 01:04 . 2010-07-09 20:27 3472672 ----a-w- c:\windows\system32\nvsvc64.dll
2013-02-10 01:04 . 2010-07-09 20:27 877856 ----a-w- c:\windows\system32\nvvsvc.exe
2013-02-10 01:04 . 2010-07-09 20:27 237856 ----a-w- c:\windows\system32\nvmctray.dll
2013-02-10 01:04 . 2010-01-12 04:19 63776 ----a-w- c:\windows\system32\nvshext.dll
2013-02-10 01:04 . 2010-01-12 04:19 2555680 ----a-w- c:\windows\system32\nvsvcr.dll
2013-01-30 10:53 . 2009-10-02 16:11 273840 ------w- c:\windows\system32\MpSigStub.exe
2013-01-04 04:43 . 2013-02-13 15:29 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-12-16 17:11 . 2012-12-21 20:01 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 20:01 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 20:01 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 20:01 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-14 21:49 . 2013-01-05 05:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-07 13:20 . 2013-01-09 01:50 441856 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 13:15 . 2013-01-09 01:50 2746368 ----a-w- c:\windows\system32\gameux.dll
2012-12-07 12:26 . 2013-01-09 01:50 308736 ----a-w- c:\windows\SysWow64\Wpc.dll
2012-12-07 12:20 . 2013-01-09 01:50 2576384 ----a-w- c:\windows\SysWow64\gameux.dll
2012-12-07 11:20 . 2013-01-09 01:50 30720 ----a-w- c:\windows\system32\usk.rs
2012-12-07 11:20 . 2013-01-09 01:50 43520 ----a-w- c:\windows\system32\csrr.rs
2012-12-07 11:20 . 2013-01-09 01:50 23552 ----a-w- c:\windows\system32\oflc.rs
2012-12-07 11:20 . 2013-01-09 01:50 45568 ----a-w- c:\windows\system32\oflc-nz.rs
2012-12-07 11:20 . 2013-01-09 01:50 44544 ----a-w- c:\windows\system32\pegibbfc.rs
2012-12-07 11:20 . 2013-01-09 01:50 20480 ----a-w- c:\windows\system32\pegi-fi.rs
2012-12-07 11:20 . 2013-01-09 01:50 20480 ----a-w- c:\windows\system32\pegi-pt.rs
2012-12-07 11:19 . 2013-01-09 01:50 20480 ----a-w- c:\windows\system32\pegi.rs
2012-12-07 11:19 . 2013-01-09 01:50 46592 ----a-w- c:\windows\system32\fpb.rs
2012-12-07 11:19 . 2013-01-09 01:50 40960 ----a-w- c:\windows\system32\cob-au.rs
2012-12-07 11:19 . 2013-01-09 01:50 21504 ----a-w- c:\windows\system32\grb.rs
2012-12-07 11:19 . 2013-01-09 01:50 15360 ----a-w- c:\windows\system32\djctq.rs
2012-12-07 11:19 . 2013-01-09 01:50 55296 ----a-w- c:\windows\system32\cero.rs
2012-12-07 11:19 . 2013-01-09 01:50 51712 ----a-w- c:\windows\system32\esrb.rs
2012-12-07 10:46 . 2013-01-09 01:50 43520 ----a-w- c:\windows\SysWow64\csrr.rs
2012-12-07 10:46 . 2013-01-09 01:50 30720 ----a-w- c:\windows\SysWow64\usk.rs
2012-12-07 10:46 . 2013-01-09 01:50 45568 ----a-w- c:\windows\SysWow64\oflc-nz.rs
2012-12-07 10:46 . 2013-01-09 01:50 44544 ----a-w- c:\windows\SysWow64\pegibbfc.rs
2012-12-07 10:46 . 2013-01-09 01:50 20480 ----a-w- c:\windows\SysWow64\pegi-pt.rs
2012-12-07 10:46 . 2013-01-09 01:50 23552 ----a-w- c:\windows\SysWow64\oflc.rs
2012-12-07 10:46 . 2013-01-09 01:50 20480 ----a-w- c:\windows\SysWow64\pegi-fi.rs
2012-12-07 10:46 . 2013-01-09 01:50 46592 ----a-w- c:\windows\SysWow64\fpb.rs
2012-12-07 10:46 . 2013-01-09 01:50 20480 ----a-w- c:\windows\SysWow64\pegi.rs
2012-12-07 10:46 . 2013-01-09 01:50 21504 ----a-w- c:\windows\SysWow64\grb.rs
2012-12-07 10:46 . 2013-01-09 01:50 40960 ----a-w- c:\windows\SysWow64\cob-au.rs
2012-12-07 10:46 . 2013-01-09 01:50 15360 ----a-w- c:\windows\SysWow64\djctq.rs
2012-12-07 10:46 . 2013-01-09 01:50 51712 ----a-w- c:\windows\SysWow64\esrb.rs
2012-12-07 10:46 . 2013-01-09 01:50 55296 ----a-w- c:\windows\SysWow64\cero.rs
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{69925D1B-6A0F-4413-861A-81AB98039DB9}"
[HKEY_CLASSES_ROOT\CLSID\{69925D1B-6A0F-4413-861A-81AB98039DB9}]
2013-01-30 18:12 159488 ----a-w- c:\windows\SysWOW64\SSCbFsMntNtf3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SugarSync"="c:\program files (x86)\SugarSync\SugarSync.exe" [2013-02-13 12343648]
"ShowBatteryBar"="c:\program files\BatteryBar\ShowBatteryBar.exe" [2009-05-28 89600]
"MusicManager"="c:\users\Jeff\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2013-01-14 7437824]
"Plex Media Server"="c:\program files (x86)\Plex\Plex Media Server\Plex Media Server.exe" [2013-01-29 3858600]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]
"USB Safely Remove"="c:\program files (x86)\USB Safely Remove\USBSafelyRemove.exe" [2012-07-14 5831680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableLUA"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
"SoftwareSASGeneration"= 3 (0x3)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C28617FD-4FE7-4043-AD51-C8132CE90106}"= "c:\windows\SysWOW64\SSCbFsMntNtf3.dll" [2013-01-30 159488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"EldosMountNotificator"= {C28617FD-4FE7-4043-AD51-C8132CE90106} - c:\windows\SysWOW64\SSCbFsMntNtf3.dll [2013-01-30 159488]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [2009-01-29 6144]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-02-11 38456]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-01 33736]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
R3 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\Microsoft Policy Platform\policyHost.exe [2011-12-06 50472]
R3 lppsvc;Microsoft Policy Platform Processor;c:\program files\Microsoft Policy Platform\policyHost.exe [2011-12-06 50472]
R3 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe [2007-11-20 1039872]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 31744]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2011-04-04 21504]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2009-01-29 9216]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2009-05-08 53632]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [2010-04-01 26624]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [2011-05-12 11776]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2009-12-22 82816]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys [2007-03-07 17920]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R4 CmRcService;Configuration Manager Remote Control;c:\windows\CCM\RemCtrl\CmRcService.exe [2012-02-20 605040]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-02-28 14456]
S0 MDFSYSNT;MacDrive file system driver; [x]
S0 MDPMGRNT;MacDrive Partition Driver;c:\windows\system32\DRIVERS\MDPMGRNT.SYS [2010-10-21 32424]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-11-03 56208]
S0 rpcnetp;rpcnetp;rpcnetp [x]
S1 CBDisk;CBDisk;c:\windows\system32\drivers\CBDisk.sys [2010-05-12 70344]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2012-02-14 93272]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
S2 AbsoluteNotifier;Absolute Notifier;c:\program files (x86)\Absolute Software\Absolute Notifier\AbsoluteNotifierService.exe [2010-10-08 10408]
S2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [2010-08-31 16384]
S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2007-10-31 21520]
S2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe [2009-07-09 1044648]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2011-10-27 2560]
S2 M4LIC;Mediafour M4LIC service;c:\program files (x86)\Common Files\Mediafour\M4LIC.EXE [2009-07-29 205312]
S2 MacDrive8Service;MacDrive 8 service;c:\program files\Mediafour\MacDrive 8\MacDrive8Service.exe [2010-10-08 149504]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 MSSQL$TRACKIT;SQL Server (TRACKIT);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-03-25 490280]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [x]
S2 OS Selector;Acronis OS Selector activator;c:\program files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe [2010-05-25 2139400]
S2 PaceLicenseDServices;PACE License Services;c:\program files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe [2011-07-09 2932224]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-03-31 80896]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-10-05 40832]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-10-05 84864]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-09-02 288256]
S3 O2MDGRDR;O2MDGRDR;c:\windows\system32\DRIVERS\o2mdgx64.sys [2010-03-05 75624]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\DRIVERS\OEM13Vfx.sys [2007-03-05 12288]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\DRIVERS\OEM13Vid.sys [2008-05-28 267296]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Avgtdia
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-05 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2492272126-1598020779-2127758990-1000Core.job
- c:\users\Jeff\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-07-20 17:44]
.
2012-02-05 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2492272126-1598020779-2127758990-1000UA.job
- c:\users\Jeff\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-07-20 17:44]
.
2013-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2492272126-1598020779-2127758990-1000Core.job
- c:\users\Jeff\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-26 00:45]
.
2013-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2492272126-1598020779-2127758990-1000UA.job
- c:\users\Jeff\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-26 00:45]
.
2013-03-05 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 7bbb7b4f-66da-418e-b0d1-d2b5e77b3da0.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2013-03-05 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 8725adaa-91d9-40dd-9167-5fcb6cdbac25.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{69925D1B-6A0F-4413-861A-81AB98039DB9}"
[HKEY_CLASSES_ROOT\CLSID\{69925D1B-6A0F-4413-861A-81AB98039DB9}]
2013-01-30 18:12 192256 ----a-w- c:\windows\System32\SSCbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{39D54CC2-69CF-43b4-B167-577D25E7F496}"
[HKEY_CLASSES_ROOT\CLSID\{39D54CC2-69CF-43b4-B167-577D25E7F496}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncSharedPending]
@="{F7395C2E-A5D8-4a32-9536-5C6A9F1DC450}"
[HKEY_CLASSES_ROOT\CLSID\{F7395C2E-A5D8-4a32-9536-5C6A9F1DC450}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-27 309248]
"MacDrive 8 application"="c:\program files\Mediafour\MacDrive 8\MacDrive.exe" [2010-10-08 193536]
"Getting started with MacDrive 8"="c:\program files\Mediafour\MacDrive 8\MDGetStarted.exe" [2010-10-08 146432]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-10-29 1437064]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C28617FD-4FE7-4043-AD51-C8132CE90106}"= "c:\windows\system32\SSCbFsMntNtf3.dll" [2013-01-30 192256]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
IE: &Download by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/202
IE: Download with Xilisoft iPhone Magic Platinum - c:\program files (x86)\Xilisoft\iPhone Magic Platinum\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 172.16.192.20 10.52.50.10
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
HKLM_Wow6432Node-ActiveSetup-{63478872-a091-11de-97f6-806e6f6e6963} - c:\programdata\wscntfy.exe
ShellIconOverlayIdentifiers-MacDrive volume icons - (no file)
SSODL-EldosMountNotificator REG_SZ {C28617FD-4FE7-4043-AD51-C8132CE90106}- - (no file)
AddRemove-Active@ UNDELETE 7 Enterprise - e:\nerd stuff\Active UNDELETE7 Enterprise\UNWISE.EXE
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Minigolf Deluxe Demo - c:\sierra\MgDeluxeDemo\Uninst.isu
AddRemove-VMware_Workstation - c:\programdata\VMware\VMware Workstation\Uninstaller\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:8c,71,05,50,a2,1d,ac,ea,51,67,11,37,39,a7,5b,7a,e9,5c,a9,17,b8,
e8,2d,5f,15,7d,f5,23,5d,90,ca,35,57,cb,70,00,48,0a,b2,3d,c0,95,85,6d,de,93,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:0e,97,5f,49,26,83,93,be,bd,58,c5,62,b6,69,b5,29,4f,95,83,33,11,
10,27,1c,f5,74,7f,3c,9b,17,a8,da,8e,a7,64,b6,92,4b,2c,a5,aa,49,ba,96,e6,81,\
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:8c,71,05,50,a2,1d,ac,ea,51,67,11,37,39,a7,5b,7a,e9,5c,a9,17,b8,
e8,2d,5f,15,7d,f5,23,5d,90,ca,35,57,cb,70,00,48,0a,b2,3d,c0,95,85,6d,de,93,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \37C5EB2B5B076D44]
"1"=hex:c9,79,69,4e,3d,a7,2b,2e,39,90,d1,21,b7,06,1b,4a,71,58,51,57,5e,93,d0,
87,b1,de,e3,2f,d3,c6,54,84
"2"=hex:e7,27,cf,42,f4,44,fe,c6,76,b9,01,5b,8d,a1,e7,a3,0b,92,3c,9d,f2,34,8f,
12,7a,a8,71,f2,2f,77,70,41,1f,10,57,54,31,fe,ca,e8
"3"=hex:c9,79,69,4e,3d,a7,2b,2e,39,90,d1,21,b7,06,1b,4a,71,58,51,57,5e,93,d0,
87,d3,a1,56,07,fe,e9,ed,5d,63,43,a8,79,69,5c,96,f5,16,c0,37,ea,62,de,2c,0d,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \37C5EB2B5B076D44\F4D9536879BA6642]
"1"=hex:c9,79,69,4e,3d,a7,2b,2e,a9,3f,42,59,36,dc,b2,cf,19,d8,95,d3,c6,6b,9f,
8d,4e,e1,69,38,67,f5,a9,04,5a,79,51,78,59,6b,1b,63,6c,a8,c6,5c,c6,ab,88,24
"2"=hex:d2,4c,5a,cd,82,f8,df,90
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:85,61,fe,fc,a7,58,24,fd,86,de,72,8f,47,4d,0a,7e,83,3d,10,99,a5,35,45,
2a,33,5e,6a,d1,48,ad,60,64,42,0b,87,10,ed,f1,37,8c,63,2f,1d,b1,60,4a,fc,a6,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2a,be,8e,36,28,f4,02,
cb,7c,17,6e,0b,c5,cd,e3,0b,e5,29,b5,a8,1d,1b,67,b0,43,3d,25,e7,4d,a1,59,48,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\Alias]
@=""
"0"="ActionsPane Schema for Add-Ins"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:0e,97,5f,49,26,83,93,be,bd,58,c5,62,b6,69,b5,29,4f,95,83,33,11,
10,27,1c,f5,74,7f,3c,9b,17,a8,da,8e,a7,64,b6,92,4b,2c,a5,aa,49,ba,96,e6,81,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Digidesign\Drivers\MMERefresh.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\SysWOW64\nlssrv32.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\progra~2\PHAROS~1\Core\CTskMstr.exe
c:\windows\System32\rpcnetp.exe
c:\program files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
c:\program files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
c:\windows\SysWOW64\vmnat.exe
c:\program files (x86)\VMware\VMware Player\vmware-authd.exe
c:\windows\SysWOW64\vmnetdhcp.exe
c:\program files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
c:\program files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\windows\CCM\SCNotification.exe
c:\program files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
.
**************************************************************************
.
Completion time: 2013-03-05 00:49:57 - machine was rebooted
ComboFix-quarantined-files.txt 2013-03-05 05:49
.
Pre-Run: 155,702,108,160 bytes free
Post-Run: 154,910,298,112 bytes free
.
- - End Of File - - 0A9B56F673E239607346A4398A2F3A44

Posted 4 years ago
Top
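The ComboFix output above lists the places Windows consults at logon (Run keys, policy values, AppInit_DLLs, services, scheduled tasks), which is exactly where a redirecting hijack usually persists. As an added example that is not part of the thread, here is a small Python triage script that parses entries in ComboFix's "Reg Loading Points" format and flags the ones a responder would look at first: an AppInit_DLLs value, a disabled UAC policy (the log above does show "EnableLUA"= 0), and Run entries launching from user-writable directories. The excerpt it runs over is constructed for the example; the paths, names and vendor are invented.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix's "Reg Loading Points" style. The entries, paths
# and vendor names are invented for this example; they are not the thread's log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SyncTool"="c:\program files (x86)\SyncTool\SyncTool.exe" [2013-02-13 12343648]
"Updater"="c:\users\alice\AppData\Roaming\upd\updater.exe" [2013-02-28 99384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 5 (0x5)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Vendor\hook.dll
.
"""

# "name"=value lines under a [KEY] header; ComboFix appends "[date size]" to image paths.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)
# Locations a standard user can write to without any admin prompt.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)


@dataclass
class Entry:
    key: str
    name: str
    value: str


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_loading_points(text: str) -> list[Entry]:
    """Walk [KEY] headers followed by "name"=value lines; "." separator lines are skipped."""
    entries: list[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if key and m:
            entries.append(Entry(key, m["name"], m["value"].strip()))
    return entries


def image_path(value: str) -> str:
    """Return the launched image from '"c:\\dir\\app.exe" [2013-02-13 12343648]'
    or from an unquoted value such as 'c:\\dir\\hook.dll'."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" [", 1)[0].strip()


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag the autostart entries worth checking first when a browser is being redirected."""
    findings: list[Finding] = []
    for e in entries:
        name = e.name.lower()
        if name == "appinit_dlls" and image_path(e.value):
            findings.append(Finding(e, "AppInit_DLLs: user32.dll loads this DLL into every "
                                       "process that links it (when LoadAppInit_DLLs is on), "
                                       "browsers included"))
        elif name == "enablelua" and e.value.startswith("0"):
            findings.append(Finding(e, "UAC is disabled (EnableLUA=0): an administrator's "
                                       "processes run fully elevated without any prompt"))
        elif RUN_KEY_RE.search(e.key) and USER_WRITABLE_RE.match(image_path(e.value)):
            findings.append(Finding(e, "Run entry launches from a user-writable directory, "
                                       "so no admin rights were needed to plant it"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"[{f.entry.key}]\n  {f.entry.name} = {f.entry.value}\n  -> {f.reason}")
```

The script deliberately says nothing about whether a flagged entry is malicious: a legitimate remote-access client can set AppInit_DLLs and a sync tool can live under AppData. It only orders the list so the first things checked are the entries that would let a hijack survive a browser reinstall.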
 
joefuf
Posts: 121

I was doing so well today until just now. I even noticed a few minutes ago that I can see the tags on my MP3 files, which had been an issue plaguing me for almost a year. Glad something that we did fixed that... Anyway, I was just trying to get to this link (an MSNBC jobs page I found on Google) when I was redirected to this link:

http://216.172.54.31/feed/go.p.....eab0be8794

Any further suggestions? I've run SAS, ComboFix, MSEP, Malwarebytes Pro, and ADW Cleaner...

Posted 4 years ago
Top
 
StringJunky
Posts: 2454

Post a HijackThis log

http://www.softpedia.com/get/I.....This.shtml

Posted 4 years ago
Top
 
StringJunky
Posts: 2454

I'll have a gander at the HijackThis log, but I have thought of a plan. Uninstall FF and Chrome with Revo on the Advanced setting. The browsers' standard uninstall routines will run first, then Revo will run a scan. Follow the prompts and delete all it finds, then reboot. Make sure to uninstall everything, even settings and profiles.

You can save your bookmarks in Chrome first by going to Settings > Bookmarks > Bookmark Manager > Organize > Export Bookmarks to HTML File. To restore later use the Import command in the same location.

In Firefox: Settings > Bookmarks > Show All Bookmarks > Import And Backup > Export Bookmarks To HTML. Use Import option to restore.

http://www.softpedia.com/get/T.....ller.shtml

Then Install Comodo Program Manager: http://programs-manager.comodo.com/

Install Chrome and Firefox. See if your issues have resolved. Comodo will have monitored the installations, and if the problem remains, hopefully on uninstalling the browsers again with Comodo it can find the hidden problem, because it tracked the installation of the browsers at the start, if it hijacks the browsers again. Make sure, as with Revo, to remove all it shows after the standard uninstall routine and reboot. Reinstall the browsers again and check them.

This is as far as I can help you, and you really need expert help if it fails.

Tony

Posted 4 years ago
Top
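The plan above depends on exporting bookmarks to an HTML file before the profiles are wiped and importing them afterwards. As an added example that is not from the thread, the Python below writes that same Netscape bookmark HTML (the format both browsers' import dialogs read) directly from Chrome's JSON "Bookmarks" file, reads it back, and lists any bookmark whose scheme is not http(s), so javascript: bookmarklets and the like can be reviewed before they go into the freshly installed profile. The JSON layout and the WebKit timestamp epoch are Chrome's as I know them; the bookmark data is constructed for the example.

```python
from __future__ import annotations

import html
import json
import re

# Chrome stores date_added as microseconds since 1601-01-01; this is the offset to 1970-01-01.
WEBKIT_EPOCH_OFFSET = 11_644_473_600

# Constructed stand-in for Chrome's "User Data\Default\Bookmarks" file (entries invented).
SAMPLE_CHROME_BOOKMARKS = json.dumps({
    "version": 1,
    "roots": {
        "bookmark_bar": {
            "type": "folder", "name": "Bookmarks bar", "date_added": "13023450000000000",
            "children": [
                {"type": "url", "name": "Example", "url": "https://example.com/",
                 "date_added": "13023450000000000"},
                {"type": "folder", "name": "Tools", "date_added": "13023450000000000",
                 "children": [
                     {"type": "url", "name": "Bookmarklet", "url": "javascript:alert(1)",
                      "date_added": "13023450000000000"},
                 ]},
            ],
        },
        "other": {"type": "folder", "name": "Other bookmarks",
                  "date_added": "13023450000000000", "children": []},
        "synced": {"type": "folder", "name": "Mobile bookmarks",
                   "date_added": "13023450000000000", "children": []},
    },
})


def webkit_to_unix(stamp: str) -> int:
    """Convert Chrome's microsecond WebKit timestamp string to Unix seconds."""
    return int(stamp) // 1_000_000 - WEBKIT_EPOCH_OFFSET


def _folder_html(node: dict, depth: int) -> list[str]:
    """Emit <DT> lines for a folder's children, recursing into sub-folders."""
    pad = "    " * depth
    lines: list[str] = []
    for child in node.get("children", []):
        added = webkit_to_unix(child["date_added"]) if "date_added" in child else 0
        title = html.escape(child["name"])
        if child["type"] == "url":
            href = html.escape(child["url"], quote=True)
            lines.append(f'{pad}<DT><A HREF="{href}" ADD_DATE="{added}">{title}</A>')
        elif child["type"] == "folder":
            lines.append(f'{pad}<DT><H3 ADD_DATE="{added}">{title}</H3>')
            lines.append(f"{pad}<DL><p>")
            lines.extend(_folder_html(child, depth + 1))
            lines.append(f"{pad}</DL><p>")
    return lines


def chrome_to_netscape(bookmarks_json: str) -> str:
    """Render Chrome's Bookmarks JSON as a Netscape-format bookmark file."""
    roots = json.loads(bookmarks_json)["roots"]
    out = ["<!DOCTYPE NETSCAPE-Bookmark-file-1>",
           '<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">',
           "<TITLE>Bookmarks</TITLE>", "<H1>Bookmarks</H1>", "<DL><p>"]
    for root in ("bookmark_bar", "other", "synced"):
        node = roots.get(root)
        if node:
            added = webkit_to_unix(node["date_added"])
            out.append(f'    <DT><H3 ADD_DATE="{added}">{html.escape(node["name"])}</H3>')
            out.append("    <DL><p>")
            out.extend(_folder_html(node, 2))
            out.append("    </DL><p>")
    out.append("</DL><p>")
    return "\n".join(out) + "\n"


LINK_RE = re.compile(r'<A\s+HREF="([^"]*)"[^>]*>(.*?)</A>', re.IGNORECASE | re.DOTALL)


def parse_netscape(html_text: str) -> list[tuple[str, str]]:
    """Return (url, title) pairs from a Netscape-format bookmark file."""
    return [(html.unescape(u), html.unescape(t)) for u, t in LINK_RE.findall(html_text)]


def non_web_links(links: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Bookmarks that are not plain http(s): javascript:, file:, data: and similar
    deserve a look before being re-imported into a clean profile."""
    return [(u, t) for u, t in links if not re.match(r"https?://", u, re.IGNORECASE)]


if __name__ == "__main__":
    exported = chrome_to_netscape(SAMPLE_CHROME_BOOKMARKS)
    print(exported)
    for url, title in non_web_links(parse_netscape(exported)):
        print(f"review before import: {title!r} -> {url}")
```

Run it against a copy of the real Bookmarks file (taken while Chrome is closed) and keep the HTML it prints; after the reinstall, only the links that pass the review need to go back in.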
 
joefuf
Posts: 121

Sorry for the delay - I've been on Spring Break haha.

Below is the log that I generated from HijackThis. Let me know if you see anything before I try uninstalling things.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:45:10 PM, on 3/13/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
C:\Program Files (x86)\SugarSync\SugarSync.exe
C:\Users\Jeff\AppData\Local\Programs\Google\MusicManager\MusicManager.exe
C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe
C:\Program Files (x86)\HomeKeylogger\KeyLogger.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll
O2 - BHO: CtxIEInterceptorBHO - {2C4631FF-5CC8-4EBC-A0DF-34C92291759E} - C:\Program Files (x86)\Citrix\ICA Client\IEInterceptor.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files (x86)\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files (x86)\HomeKeylogger\KeyLogger.exe
O4 - HKCU\..\Run: [SugarSync] "C:\Program Files (x86)\SugarSync\SugarSync.exe" -startInTray -usedelay=true
O4 - HKCU\..\Run: [ShowBatteryBar] "C:\Program Files\BatteryBar\ShowBatteryBar.exe" show
O4 - HKCU\..\Run: [MusicManager] "C:\Users\Jeff\AppData\Local\Programs\Google\MusicManager\MusicManager.exe"
O4 - HKCU\..\Run: [USB Safely Remove] C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe /startup
O4 - HKUS\S-1-5-21-2492272126-1598020779-2127758990-1018\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2492272126-1598020779-2127758990-1018\..\Run: [AdobeBridge] (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2492272126-1598020779-2127758990-1018\..\Run: [SugarSync] "C:\Program Files (x86)\SugarSync\SugarSyncManager.exe" -startInTray -usedelay=true (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2492272126-1598020779-2127758990-1018\..\Run: [ShowBatteryBar] "C:\Program Files\BatteryBar\ShowBatteryBar.exe" show (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2492272126-1598020779-2127758990-1018\..\Run: [MusicManager] "C:\Users\Jeff\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2492272126-1598020779-2127758990-1018\..\Run: [Connectify] C:\Program Files (x86)\Connectify\Connectify.exe (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2492272126-1598020779-2127758990-1018\..\Run: [Plex Media Server] "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe" (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2492272126-1598020779-2127758990-1018\..\Run: [USB Safely Remove] C:\Program Files (x86)\USB Safely Remove\USBSafelyRemove.exe /startup (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2492272126-1598020779-2127758990-1018\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download with Xilisoft iPhone Magic Platinum - C:\Program Files (x86)\Xilisoft\iPhone Magic Platinum\upod_link.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll
O21 - SSODL: EldosMountNotificator - {C28617FD-4FE7-4043-AD51-C8132CE90106} - C:\Windows\SysWOW64\SSCbFsMntNtf3.dll
O22 - SharedTaskScheduler: Virtual Storage Mount Notification - {C28617FD-4FE7-4043-AD51-C8132CE90106} - C:\Windows\SysWOW64\SSCbFsMntNtf3.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cron Service for Prey (CronService) - Fork Ltd. - C:\Prey\platform\windows\cronsvc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Avid Technology, Inc. - C:\Program Files (x86)\Digidesign\Drivers\MMERefresh.exe
O23 - Service: dldt_device - Unknown owner - C:\Windows\system32\dldtcoms.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\Windows\runservice.exe
O23 - Service: lxdp_device - Unknown owner - C:\Windows\system32\lxdpcoms.exe (file missing)
O23 - Service: Mediafour M4LIC service (M4LIC) - Mediafour Corporation - C:\Program Files (x86)\Common Files\Mediafour\M4LIC.EXE
O23 - Service: MacDrive 8 service (MacDrive8Service) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 8\MacDrive8Service.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files (x86)\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero Update (NAUpdate) - Nero AG - C:\Program Files (x86)\Nero\Update\NASvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\Windows\system32\nlssrv32.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: O2FLASH - Unknown owner - C:\Windows\system32\DRIVERS\o2flash.exe (file missing)
O23 - Service: Acronis OS Selector activator (OS Selector) - Unknown owner - C:\Program Files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe
O23 - Service: PACE License Services (PaceLicenseDServices) - PACE Anti-Piracy, Inc. - C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~2\PHAROS~1\Core\CTskMstr.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sentinel Security Runtime (SentinelSecurityRuntime) - SafeNet, Inc. - C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TeamViewer 8 (TeamViewer8) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: USB Safely Remove Assistant (USBSafelyRemoveService) - Crystal Rich Ltd - C:\Program Files (x86)\USB Safely Remove\USBSRService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 17489 bytes

Posted 4 years ago
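An added example (editor's, not code from this thread, from HijackThis or from any of the tools named above): a small Python script that parses lines in the format of the log above and lists the entries worth a second look first. The sample log inside it is a constructed excerpt in the same shape as the posted one. The section notes state what each HijackThis section records; the heuristics (a binary outside the usual install roots, "(file missing)" entries, services with no publisher string, names containing words like "keylog" or "toolbar") are the reviewer's own triage rules and not a verdict on any particular entry.

```python
"""Triage a HijackThis-style log: list the entries worth a second look first.

Added example for this thread, not a HijackThis feature. SAMPLE_LOG is a
constructed excerpt in the same shape as the log posted above.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (file missing)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files (x86)\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files (x86)\HomeKeylogger\KeyLogger.exe
O4 - HKCU\..\Run: [SugarSync] "C:\Program Files (x86)\SugarSync\SugarSync.exe" -startInTray -usedelay=true
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O20 - AppInit_DLLs: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\Windows\runservice.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Sections that load code into the browser or the network stack: the classic
# places a click redirector hides, so every entry in them is listed for review.
SECTION_NOTES = {
    "O2": "Browser Helper Object: loaded into every Internet Explorer process",
    "O3": "Internet Explorer toolbar",
    "O10": "Winsock LSP: sits in the TCP/IP stack of every networked process",
    "O20": "AppInit_DLLs: injected into every process that loads user32.dll",
}
# Install roots that are normal for a registered binary (lowercase prefix match).
STANDARD_ROOTS = ("c:\\program files", "c:\\progra~", "c:\\windows\\system32",
                  "c:\\windows\\syswow64", "c:\\users\\")
# Words in a name or path that usually mean monitoring or adware-style software.
SUSPICIOUS_WORDS = ("keylog", "toolbar", "search")

LINE_RE = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list


def entry_name(rest: str) -> str:
    """Pull the registered name out of the text after 'Oxx - '."""
    m = re.search(r"\[([^\]]+)\]", rest)              # O4: [RunValueName]
    if m:
        return m.group(1)
    m = re.match(r"[^:]+:\s*(.*?)\s+-\s+\{", rest)    # O2/O3: "BHO: name - {CLSID}"
    if m:
        return m.group(1)
    m = re.match(r"Service:\s*(.*?)\s+-\s+", rest)    # O23: "Service: name - owner - path"
    if m:
        return m.group(1)
    return rest.split(":", 1)[0]                       # O10/O20: the label itself


def triage(log_text: str) -> list:
    """Return one Finding per entry that has at least one review reason."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        name = entry_name(rest)
        pm = PATH_RE.search(rest)
        path = pm.group(0) if pm else ""
        reasons = []
        if section in SECTION_NOTES:
            reasons.append(SECTION_NOTES[section])
        if "(file missing)" in rest:
            reasons.append("registered binary is gone: stale entry, safe to clean up")
        if path and not path.lower().startswith(STANDARD_ROOTS):
            reasons.append("binary lives outside the usual install roots")
        if section == "O23" and "Unknown owner" in rest and "(file missing)" not in rest:
            reasons.append("service with no publisher string: check the file's signature")
        hits = [w for w in SUSPICIOUS_WORDS if w in (name + " " + path).lower()]
        if hits:
            reasons.append("name suggests monitoring/adware-style software: " + ", ".join(hits))
        if reasons:
            findings.append(Finding(section, name, path, reasons))
    return findings


def findings_by_name(log_text: str) -> dict:
    return {f.name: f for f in triage(log_text)}


def report(log_text: str) -> str:
    """Entries with the most reasons come out first."""
    lines = []
    for f in sorted(triage(log_text), key=lambda x: -len(x.reasons)):
        lines.append(f"{f.section:>4}  {f.name}  [{f.path or 'no path'}]")
        lines.extend(f"        - {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved log with `report(open("hijackthis.log").read())`. On the constructed sample it keeps the O2/O3/O10/O20 hooks, the keylogger autorun and the service with no publisher string, and drops SugarSync and MBAMService, which have a known path and publisher and no other flags. Whatever it lists still needs a human to check the file's signature and origin; the point of the script is only to bring those lines to the top of a long log.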
 
StringJunky
Posts: 2454

Have you installed Home Keylogger?

Posted 4 years ago
 
joefuf
Posts: 121

Yeah, I installed it myself. It's fine to stay.

Posted 4 years ago
 
StringJunky
Posts: 2454

Apart from that my research doesn't show anything untoward. Bear in mind I'm not an expert.

Posted 4 years ago
 
Topic Closed

This topic has been closed to new replies.