Solved Google Redirect in Windows 7

quirkymac · 2009/08/29

[Resolved] Google Redirect in Windows 7

Unfortunately I cannot run DDS in windows 7, therefore I wonder if someone could suggest what to try in order to get rid of this annoying issue.

Thanks in advance,

QK

broni · 2009/08/29

What browser is getting redirected?

quirkymac · 2009/08/29

I am using IE 8.0.7100
QK

broni · 2009/08/29

Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE. If Combofix asks you to install Recovery Console, please allow it.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
by clicking on Download HijackThis Installer
Install, and run it.
Post HijackTHis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator

quirkymac · 2009/08/30

Thanks for that. I cannot get combofix to run in windows 7, it states that it will only work in workstations under windows xp and 2000.
HJT to follow.
QK

quirkymac · 2009/08/30

HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:03 PM, on 30/08/2009
Platform: Unknown Windows (WinNT 6.01.3004)
MSIE: Internet Explorer v8.00 (8.00.7100.0000)
Boot mode: Normal

Running processes:
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\userinit.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe

--
End of file - 2840 bytes

broni · 2009/08/30

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

STEP 1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes ". If not, update the definitions before scanning by selecting "Check for Updates ". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

RESTART COMPUTER

STEP 4.
Post fresh HijackThis log.
NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

quirkymac · 2009/08/30

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/31/2009 at 07:30 AM

Application Version : 4.27.1002

Core Rules Database Version : 4076
Trace Rules Database Version: 2016

Scan type : Complete Scan
Total Scan Time : 00:28:55

Memory items scanned : 321
Memory threats detected : 0
Registry items scanned : 6276
Registry threats detected : 0
File items scanned : 19292
File threats detected : 281

Adware.Tracking Cookie
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@atdmt[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@doubleclick[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@creativeeliteprojects[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@windowsmedia[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@sales.liveperson[4].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@pluckit.demandmedia[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@overture[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.infinisource[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@xiti[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@statse.webtrendslive[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@apmebf[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.cnczone[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ext-us.bestofmedia[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@media.sensis.com[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.babynamescountry[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@atdmt[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@server.lon.liveperson[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.cnn[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@server.lon.liveperson[3].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.bleepingcomputer[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@hardwarezone.com[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@sales.liveperson[3].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@baby-medical-questions-and-answers[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@at.atwola[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@serving-sys[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wfkyshczakq.stats.esomniture[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.pointroll[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.techguy[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.associatedcontent[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@backcountry[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@insightexpressai[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@network.alluremedia.com[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.backcountry[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.supplyframe[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ad.yieldmanager[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@stats.paypal[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@atwola[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@kaspersky.122.2o7[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@adtech[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@sales.liveperson[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@content.yieldmanager[3].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ad.associatedcontent[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wjmyuoc5cbp.stats.esomniture[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.backcountry[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.crossworxs[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@collective-media[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ad.amgdgt[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@findarticles[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ad.sensismediasmart.com[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@bridge2.admarketplace[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.backcountry[4].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@hardwarezone[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.apn.co[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@mediaonenetwork[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@theadnetwork.com[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@azjmp[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@xml.trafficengine[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@imrworldwide[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@date.ventivmedia[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@backcountrytime[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.magnify[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@iacas.adbureau[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.backcountry[5].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@mediaplex[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads1.mumsnet[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@clicktorrent[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@specificmedia[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@statcounter[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@doubleclick[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.hardwarezone.com[3].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@a1.interclick[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@media6degrees[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.burstnet[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@tracking.hearthstoneonline[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.backcountrytime[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@affiliate.wordtracker[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.ahaanswers[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@view.atdmt[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@adecn[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.statssheet[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@richmedia.yahoo[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@sdctrack.thomasnet[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.babynamescountry[3].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@advertising[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@sdctrack.thomasnet[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@mazdausamedia[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@media.medhelp[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@interclick[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@kontera[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@chitika[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@112.2o7[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@bs.serving-sys[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@babynamescountry[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@adxpose[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@dmtracker[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@msnportal.112.2o7[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@sensismediasmart.com[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@media.mtvnservices[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@revsci[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@sdctrack.thomasnet[4].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@stat.dealtime[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@hardwarezone.com[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@tacoda[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@tribalfusion[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@yieldmanager[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.hardwarezone.com[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@xpmediacentre.com[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.twenga[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@femalepatient[2].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.aol.co[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.burstbeacon[1].txt
C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@redirect.clickshield[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@media.sensis.com[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@www.googleadservices[4].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@www.googleadservices[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@www.googleadservices[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@www.googleadservices[3].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@pentonmedia.122.2o7[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@cba.122.2o7[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@ehg-rodale.hitbox[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@dmtracker[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@ads.pointroll[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@medhelpinternational.112.2o7[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@mediaonenetwork[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@e-2dj6whlicnazmfp.stats.esomniture[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@ads1.mumsnet[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@e-2dj6wmk4cgazmdo.stats.esomniture[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@stat.dealtime[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@imrworldwide[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@chitika[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@sensismediasmart.com[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@media.medhelp[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@ad.sensismediasmart.com[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@e-2dj6wjlycldjmlo.stats.esomniture[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@microsoftwindows.112.2o7[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@e-2dj6wclyaiazigp.stats.esomniture[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@apmebf[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@ehg-bskyb.hitbox[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@at.atwola[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@ads.apn.co[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@112.2o7[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@bonniercorp.122.2o7[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@e-2dj6wflosncjkkq.stats.esomniture[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@e-2dj6wgkiegcjwgp.stats.esomniture[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@ehg-oreilly.hitbox[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@kindredmedia.com[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@kontera[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@richmedia.yahoo[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@view.atdmt[2].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@trinitymirror.112.2o7[1].txt
C:\Windows.old\Documents and Settings\User\Cookies\user@xpmediacentre.com[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@ads.ogdenpubs[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@ads.adap[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@imrworldwide[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@sensismediasmart.com[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@specificclick[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@statcounter[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@ad.sensismediasmart.com[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@mediaonenetwork[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@media.sensis.com[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@adserver.huggies.redantstaging[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@stat.dealtime[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@adserver.adreactor[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@cba.122.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@www.googleadservices[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@ad.zanox[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@apmebf[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\laptop@chitika[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@advertising.ctcproductions.com[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@cracker.com[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@eas.apm.emediate[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@apmebf[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@xiti[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.adserver28475[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.cnczone[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wgkykhdzcbp.stats.esomniture[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.cnn[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@sexuality.about[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@media6degrees[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@archant.122.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@at.atwola[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.pointroll[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@bergenstidende.112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@insightexpressai[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@network.alluremedia.com[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.googleadservices[3].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.googleadservices[8].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6whk4ggdjebp.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.dvinfo[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@stats.paypal[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@chitika[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@hearstmagazines.112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@sensismediasmart.com[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@wotifcom.112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wjkyapcjafo.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@stats.sitesuite[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.googleadservices[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@paypal.112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ad.sensismediasmart.com[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wfloamazkao.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@view.atdmt[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wgkygpajcaq.stats.esomniture[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.googleadservices[5].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@mediaonenetwork[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@imrworldwide[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@media.sensis.com[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@112.2o7[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wmk4sndpgfp.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.stopzilla[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@avgtechnologies.112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@statcounter[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wjk4onazeho.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.googleadservices[6].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.burstnet[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.widgetbucks[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@winzip.122.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@azjmp[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@stat.dealtime[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.ahaanswers[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@viacom.adbureau[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@cba.122.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@aru.112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@elitechoice[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wfkigmcpgkq.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.googleadservices[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@microsoftwindows.112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@kontera[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@specificclick[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@dmtracker[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@stopzilla[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@richmedia.yahoo[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wjny-1sd5cd.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wgkocjcpebq.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@adserver.adreactor[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@e-2dj6wdkoclc5odp.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@f2network.112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@ads.twenga[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@nextag.co[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@xpmediacentre.com[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\Low\laptop@www.googleadservices[4].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@ads.apn.co[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@media.medhelp[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@ehg-oreilly.hitbox[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@richmedia.yahoo[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@ehg-bskyb.hitbox[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@ad.sensismediasmart.com[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@pentonmedia.122.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@medhelpinternational.112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@www.googleadservices[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@stat.dealtime[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@trinitymirror.112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@www.googleadservices[4].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@ads.pointroll[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@media.sensis.com[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@bonniercorp.122.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@apmebf[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@dmtracker[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@kontera[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@mediaonenetwork[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@e-2dj6wmk4cgazmdo.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@www.googleadservices[3].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@www.googleadservices[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@e-2dj6wjlycldjmlo.stats.esomniture[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@microsoftwindows.112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@112.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@ads1.mumsnet[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@at.atwola[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@cba.122.2o7[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@chitika[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@e-2dj6wclyaiazigp.stats.esomniture[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@e-2dj6wflosncjkkq.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@e-2dj6wgkiegcjwgp.stats.esomniture[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@e-2dj6whlicnazmfp.stats.esomniture[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@ehg-rodale.hitbox[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@imrworldwide[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@kindredmedia.com[1].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@sensismediasmart.com[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@view.atdmt[2].txt
C:\Windows.old.000\Users\laptop\AppData\Roaming\Microsoft\Windows\Cookies\user@xpmediacentre.com[2].txt

Trojan.Agent/Gen-FakeCodec
C:\WINDOWS.OLD.000\USERS\LAPTOP\APPDATA\LOCAL\TEMP\~NSU.TMP\AU_.EXE

quirkymac · 2009/08/30

GMER 1.0.15.15077 [c30d8z7v.exe] - http://www.gmer.net
Rootkit scan 2009-08-31 08:28:58
Windows 6.1.7100

---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3AAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3A104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3A3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C22FB4
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3A1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3A958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3A6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3AF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C3B1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13B1 82849549 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828696B2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 95C36C9D 28 Bytes [55, 05, 50, BE, 3C, 7A, 1A, ...]
.text peauth.sys 95C36CC1 28 Bytes [55, 05, 50, BE, 3C, 7A, 1A, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1508] USER32.dll!CreateWindowExW 7539E70A 5 Bytes JMP 6EAA4999 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1508] USER32.dll!DialogBoxParamW 753B3AB4 5 Bytes JMP 6E9DBF35 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1508] USER32.dll!DialogBoxIndirectParamW 753C509D 5 Bytes JMP 6EC0676B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1508] USER32.dll!DialogBoxParamA 753DCB32 5 Bytes JMP 6EC06708 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1508] USER32.dll!DialogBoxIndirectParamA 753DCE64 5 Bytes JMP 6EC067CE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1508] USER32.dll!MessageBoxIndirectA 753EE519 5 Bytes JMP 6EC0669D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1508] USER32.dll!MessageBoxIndirectW 753EE613 5 Bytes JMP 6EC06632 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1508] USER32.dll!MessageBoxExA 753EE679 5 Bytes JMP 6EC065D0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1508] USER32.dll!MessageBoxExW 753EE69D 5 Bytes JMP 6EC0656E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1508] ole32.dll!OleLoadFromStream 76452906 5 Bytes JMP 6EC06A34 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!EnableWindow 7539801C 5 Bytes JMP 6E9D3A69 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!GetAsyncKeyState 7539A13E 5 Bytes JMP 6E9CDEB4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!CallNextHookEx 7539AB7D 5 Bytes JMP 6EA1AEBC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!UnhookWindowsHookEx 7539C6BC 5 Bytes JMP 6EAD1E46 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!SetWindowsHookExW 7539E104 5 Bytes JMP 6EA67670 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!CreateWindowExW 7539E70A 5 Bytes JMP 6EAA4999 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!GetKeyState 753A2D0A 5 Bytes JMP 6E9D473B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!IsDialogMessageW 753A4EEF 5 Bytes JMP 6EB16530 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!CreateDialogParamA 753B252A 5 Bytes JMP 6EC070F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!IsDialogMessage 753B268B 5 Bytes JMP 6EC06B01 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!DialogBoxParamW 753B3AB4 5 Bytes JMP 6E9DBF35 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!CreateDialogIndirectParamA 753B758C 5 Bytes JMP 6EC0712C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!CreateDialogIndirectParamW 753BEF71 5 Bytes JMP 6EC07163 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!CreateDialogParamW 753C06ED 5 Bytes JMP 6E9D3BE2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!EndDialog 753C0AB2 5 Bytes JMP 6E9CE986 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!DialogBoxIndirectParamW 753C509D 5 Bytes JMP 6EC0676B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!SetKeyboardState 753C63A2 5 Bytes JMP 6EC06E66 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!SendInput 753C6A16 5 Bytes JMP 6EC077E4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!DialogBoxParamA 753DCB32 5 Bytes JMP 6EC06708 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!DialogBoxIndirectParamA 753DCE64 5 Bytes JMP 6EC067CE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!MessageBoxIndirectA 753EE519 5 Bytes JMP 6EC0669D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!MessageBoxIndirectW 753EE613 5 Bytes JMP 6EC06632 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!MessageBoxExA 753EE679 5 Bytes JMP 6EC065D0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!MessageBoxExW 753EE69D 5 Bytes JMP 6EC0656E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] USER32.dll!keybd_event 753EE8EB 5 Bytes JMP 6EC07A17 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] SHELL32.dll!DllRegisterServer + 3B2B 75562AB8 1 Byte [8D]
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] SHELL32.dll!DllRegisterServer + 3B2B 75562AB8 4 Bytes [8D, 32, 67, 6D] {LEA ESI, [EDX]; INS DWORD [DI], DX}
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] SHELL32.dll!DllRegisterServer + 3B33 75562AC0 8 Bytes [DB, 31, 67, 6D, 69, 6F, 66, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] ole32.dll!OleLoadFromStream 76452906 5 Bytes JMP 6EC06A34 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1868] ole32.dll!CoCreateInstance 764A672C 5 Bytes JMP 6EACB0A9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [6D659C74] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SearchPathW] [6D663556] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6D661AF7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [6D65BF4F] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetCurrentDirectoryW] [6D6637BF] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindClose] [6D665524] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindNextFileW] [6D6643A7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindFirstFileW] [6D664A80] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExA] [6D661967] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetPrivateProfileStringW] [6D65EF33] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6D659C74] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6D6617E3] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateFileW] [6D6602DC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!WritePrivateProfileStringW] [6D65F6D7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6D661AF7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6D66165F] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!CopyFileW] [6D65FC64] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!DeleteFileW] [6D6608C2] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SearchPathW] [6D663556] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6D6617E3] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6D659C74] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!CreateFileW] [6D6602DC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6D6617E3] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!DeleteFileW] [6D6608C2] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!ReplaceFileW] [6D6626FF] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetPrivateProfileStringA] [6D65EDDC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetPrivateProfileStringW] [6D65EF33] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!WritePrivateProfileStringW] [6D65F6D7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6D66165F] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6D661AF7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindFirstFileW] [6D664A80] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindNextFileW] [6D6643A7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetFileAttributesW] [6D65DB76] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileW] [6D6602DC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SearchPathW] [6D663556] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetFileAttributesW] [6D65D91D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetFileAttributesA] [6D65DA48] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileA] [6D660193] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6D659C74] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6D661967] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetFileAttributesA] [6D65D7F2] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SearchPathA] [6D663E15] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindClose] [6D665524] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindNextFileA] [6D664334] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindFirstFileA] [6D66471E] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsRootA] [6D667E02] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathStripToRootW] [6D668588] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsURLW] [6D66814C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathFindOnPathW] [6D667A1D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHCreateStreamOnFileW] [6D66889C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHOpenRegStream2W] [6D668CA1] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathCombineW] [6D66783A] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHDeleteKeyA] [6D6688EE] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsDirectoryW] [6D667B56] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!AssocQueryStringByKeyW] [6D667512] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathCreateFromUrlW] [6D6678E1] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathSkipRootW] [6D668460] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathRelativePathToW] [6D668288] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathRemoveArgsW] [6D668328] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsContentTypeW] [6D667ABB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegQueryUSValueW] [6D669761] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegEnumUSKeyW] [6D669156] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegOpenUSKeyA] [6D66959A] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsDirectoryEmptyW] [6D667BEE] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsDirectoryA] [6D667B0A] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathBuildRootA] [6D6676AC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegGetPathW] [6D6693C4] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathCanonicalizeW] [6D667799] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegSetPathW] [6D66981A] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegGetUSValueW] [6D66947D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!AssocQueryKeyW] [6D6673B5] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegGetBoolUSValueW] [6D6692C5] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsRelativeW] [6D667DB6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsNetworkPathW] [6D667C86] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsRootW] [6D667E4E] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHDeleteKeyW] [6D66893D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathFileExistsW] [6D667982] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHEnumValueW] [6D668B38] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathStripPathW] [6D6684F4] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegOpenUSKeyW] [6D6695F2] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHQueryValueExW] [6D668EAB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHSetValueW] [6D669A39] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHDeleteValueW] [6D6689DE] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathBuildRootW] [6D6676FB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHGetValueW] [6D668BF1] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!AssocQueryStringW] [6D667462] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsUNCW] [6D667F84] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathMakeSystemFolderW] [6D6681E4] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathUnExpandEnvStringsW] [6D668626] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsUNCServerW] [6D66801C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsUNCServerShareW] [6D6680B4] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegGetValueW] [6D66953C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHEnumKeyExW] [6D668A85] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [ntdll.dll!NtQueryDirectoryFile] [6D65D5D0] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [USER32.dll!LoadImageW] [6D660B4C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [USER32.dll!WinHelpW] [6D661528] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [USER32.dll!PrivateExtractIconsW] [6D661043] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6D66165F] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CreateHardLinkW] [6D6605E4] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!WritePrivateProfileStringW] [6D65F6D7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!WritePrivateProfileSectionW] [6D65F455] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileSectionNamesW] [6D65ECA5] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!MoveFileExW] [6D662423] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6D6617E3] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileStringW] [6D65EF33] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileIntW] [6D65E79B] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetShortPathNameA] [6D65E184] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!ReplaceFileW] [6D6626FF] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!MoveFileW] [6D6623FE] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetBinaryTypeW] [6D65E522] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CopyFileW] [6D65FC64] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileSectionW] [6D65EA23] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6D6617E3] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6D66165F] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [6D659C74] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHRegGetValueW] [6D66953C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHRegGetValueA] [6D6694DE] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!PathUnExpandEnvStringsA] [6D6685D4] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHDeleteKeyA] [6D6688EE] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHDeleteValueW] [6D6689DE] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!PathCreateFromUrlW] [6D6678E1] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHGetValueA] [6D668B96] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHSetValueA] [6D6699DE] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHGetValueW] [6D668BF1] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHSetValueW] [6D669A39] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!PathCombineW] [6D66783A] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [6D659C74] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[1868] @ C:\Windows\system32\secur32.dll [KERNEL32.dll!GetProcAddress] [6D659C74] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

quirkymac · 2009/08/30

Oops forgot to post the log of malware, so have run it again.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.1.7100

31/08/2009 11:59:00 AM
mbam-log-2009-08-31 (11-59-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 177936
Time elapsed: 1 hour(s), 5 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

broni · 2009/08/30

I really don't see much here...

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.

This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, select Complete scan.

Click the green arrow at the right, and the scan will start.

Click Yes to all if it asks if you want to cure/move the file.

When the scan has finished, in the menu, click File and choose Save report list

Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.

NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Post fresh HijackThis log as well.

quirkymac · 2009/09/01

Thanks. report as reqested

combofix.exe\32788R22FWJFW\c.bat;c:\users\laptop\desktop\combofix.exe;Probably BATCH.Virus;;
combofix.exe;c:\users\laptop\desktop;Archive contains infected objects;;
c.bat;C:\32788R22FWJFW;Probably BATCH.Virus;;
ComboFix.exe\32788R22FWJFW\c.bat;C:\Documents and Settings\laptop\Desktop\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe;C:\Documents and Settings\laptop\Desktop;Archive contains infected objects;;
ComboFix.exe\32788R22FWJFW\c.bat;C:\Users\laptop\Desktop\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe;C:\Users\laptop\Desktop;Archive contains infected objects;;

quirkymac · 2009/09/01

An update. Despite all of these programs being installed and run as directed, the problem still exists.

An example.

My homepage is www.google.com.au
I open an internet explorer page and it pops up with google.com.au as expected.

I typed in dry cracked hands and hit the search button.

It came up with a list of items.
The first in the search results was a discussion on answers.yahoo.com
when I click on it the first time a new window opens to a page
http://www.kdirectory.co.uk/results.asp?qry=hand+drier&rfid=lak7_11561-1936_2363&bp=hand+drier

then if I click the same link again it takes me to the correct page (again in a new window)
http://answers.yahoo.com/question/index?qid=20061203200949AAkEhbh

When it is opening the new window it shows the following in the address bar
http://www.google.com.au/click?sa=T....com/question/index?qid=20061203200949AAkEhbh

quirkymac · 2009/09/01

I did some more investigations.

It appears that when we first search for something it will be redirected but only the once, after it has done it once it then behaves normally.

I did a search for dry hands and it sent me (incorrectly!) to

http://www.discoverexactly.com/jump2/?affiliate=7998&subid=1936_2363&terms=dry hands

when I was wanting to go to

http://beauty.about.com/cs/dryskin/f/dryhands03.htm

broni · 2009/09/01

Download [color= "#FF0000"]RootRepeal.zip[/color] (Mirror1, Mirror2) and unzip it to your Desktop.

Double click RootRepeal.exe to start the program

Click on the Report tab at the bottom of the program window

Click the Scan button

In the Select Scan dialog, check:

[*]Drivers
[*]Files
[*]Processes
[*]SSDT
[*]Stealth Objects
[*]Hidden Services

Click the OK button

In the next dialog, select all drives showing

Click OK to start the scan

Note: The scan can take some time. [color= "red"]DO NOT[/color] run any other programs while the scan is running

When the scan is complete, the Save Report button will become available

Click this and save the report to your Desktop as RootRepeal.txt

Go to File, then Exit to close the program

Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

quirkymac · 2009/09/01

RootRepeal won't start on my system.

When I double click it it comes up with an error stating

FOPS -DeviceIOControl error with an error code attached 0x0000024

It gives me an option for more information on the error.

I have a feeling this is a bit of an issue that it is on a windows 7 machine.

I would prefer to continue working with windows 7, it has a nice feel to it (much much nicer to use than vista) but will go back to xp if needs be.

Thanks again for all your help....I am hoping something can be done.

I was thinking about trying firefox as a quick and dirty way to bypass the issue.

QK.

broni · 2009/09/01

Trying Firefox won't hurt, but still, it's just workaround, and I don't like unsolved mysteries.

Try couple more things.
Re-run HJT, and checkmark:
- O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
- O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
Click "Fix checked" button.
Restart computer and check for redirection.

If no go...
Open IE, go Tools>Internet Options>Advanced button, click "Reset" button.
Restart computer and check for redirections.

If still no go...

Download avz4.zip from here

Unzip it to your desktop to a folder named avz4

Double click on AVZ.exe to run it.

Run an update by clicking the Auto Update button on the Right of the Log window:

Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

After the update, from the "File " menu, choose "Standard Scripts "

Put a check next to item 2: Advanced System Analysis

Click Execute selected scripts

At the next prompt, click the Yes button

Let the scan run and click "OK" when the completion prompt pops up

Now Close out of the Standard Scripts window, and exit AVZ

Navigate to the avz4 folder and locate the folder LOG

Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip

Upload the compressed file, virusinfo_syscheck.zip here: http://uploadmb.com/. Post download link.

quirkymac · 2009/09/01

Tried firefox and it did exactly the same thing.

Will try your fixes above now and let you know.

HJT log before I make the changes...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:08 PM, on 2/09/2009
Platform: Unknown Windows (WinNT 6.01.3004)
MSIE: Internet Explorer v8.00 (8.00.7100.0000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmprph.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Windows\system32\conhost.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 4150 bytes

broni · 2009/09/01

Hold on for a moment...

broni · 2009/09/01

I didn't notice Spybot, and HJT entries were not fixed.

Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.
NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

Try HJT fixes again and restart computer.
Re-run HJT and see, if those two entries are still there.

We have to do it one step at a time.

Log in or Sign up

Solved Google Redirect in Windows 7

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

quirkymac Inactive Thread Starter

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

quirkymac Inactive Thread Starter

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

Share This Page

Log in or Sign up

Solved Google Redirect in Windows 7

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

quirkymac Inactive Thread Starter

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

quirkymac Inactive Thread Starter

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

quirkymac Inactive Thread Starter

broni Moderator Malware Analyst

broni Moderator Malware Analyst

Share This Page

Useful Searches