1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Google Redirect Issue

Discussion in 'Malware and Virus Removal Archive' started by quirkymac, 2010/03/24.

Page 6 of 6
  1. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    I'm back....but the redirect isn't as long as I keep the manual dns settings. I have managed to run the ESET online scanner results below. Am about to try the Kapersky one..if you see this in the next few hours and think it is not necessary to run both then please let me know. Kapersky looks like it takes AGES to download and scan....
    QK
     
    quirkymac,
    #101
  2. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    C:\Users\Milne Clan\Downloads\avi2video_install.exe Win32/Adware.Mongoose application deleted - quarantined
     
    quirkymac,
    #102


  3. to hide this advert.

  4. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    FWIW - the exact same issue is now happening on my Media Centre PC running Win7 Pro 64bit. I discovered it when it popped up with an error saying that the security software could not update. I changed the DNS settings to the manual addresses and that has fixed the issue there as well. Before I did that I checked if google searches were being redirected in a similar way and yes they were. After the DNS adjustment no more issues.
    Weird - Yes. Would love to figure out what is playing round with those DNS lookups.
    Am running ESET on the other computer as well....so far it has found 2 threats. w32.toolbar.AskSBar application
     
    quirkymac,
    #103
  5. 2010/04/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Great! Not only it keeps raining in California, but you're back with your problems...hahahahaha...LOL

    I guess, we have to get some fresh logs. Those threats discovered so far by Eset seem to be meaningless.

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    ===============================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
    broni,
    #104
  6. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Raining and rootkits?
    Gmer Log
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-13 05:57:02
    Windows 6.1.7600
    Running: 4xsve082.exe; Driver: C:\Users\MILNEC~1\AppData\Local\Temp\uwldauob.sys


    ---- System - GMER 1.0.15 ----

    INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302AAF8
    INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A104
    INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A3F4
    INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83012634
    INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83012898
    INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A1DC
    INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A958
    INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A6F8
    INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302AF2C
    INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302B1A8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C458E9 1 Byte [06]
    .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C653D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text peauth.sys A8512C9D 28 Bytes [84, 52, 0A, 0A, 1F, 3C, 96, ...]
    .text peauth.sys A8512CC1 28 Bytes [84, 52, 0A, 0A, 1F, 3C, 96, ...]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!CreateWindowExW 769D0E51 5 Bytes JMP 675380F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!DialogBoxIndirectParamW 769F4AA7 5 Bytes JMP 6765F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!DialogBoxParamW 769F564A 5 Bytes JMP 67454B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!DialogBoxParamA 76A0CF6A 5 Bytes JMP 6765F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!DialogBoxIndirectParamA 76A0D29C 5 Bytes JMP 6765F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!MessageBoxIndirectA 76A1E8C9 5 Bytes JMP 6765F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!MessageBoxIndirectW 76A1E9C3 5 Bytes JMP 6765F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!MessageBoxExA 76A1EA29 5 Bytes JMP 6765F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!MessageBoxExW 76A1EA4D 5 Bytes JMP 6765F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!UnhookWindowsHookEx 769CCC7B 5 Bytes JMP 675482FA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!CallNextHookEx 769CCC8F 5 Bytes JMP 67529D00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!CreateWindowExW 769D0E51 5 Bytes JMP 675380F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!SetWindowsHookExW 769D210A 5 Bytes JMP 674E45DB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!DialogBoxIndirectParamW 769F4AA7 5 Bytes JMP 6765F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!DialogBoxParamW 769F564A 5 Bytes JMP 67454B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!DialogBoxParamA 76A0CF6A 5 Bytes JMP 6765F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!DialogBoxIndirectParamA 76A0D29C 5 Bytes JMP 6765F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!MessageBoxIndirectA 76A1E8C9 5 Bytes JMP 6765F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!MessageBoxIndirectW 76A1E9C3 5 Bytes JMP 6765F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!MessageBoxExA 76A1EA29 5 Bytes JMP 6765F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] USER32.dll!MessageBoxExW 76A1EA4D 5 Bytes JMP 6765F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] ole32.dll!OleLoadFromStream 773F5B88 5 Bytes JMP 6765F576 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3060] ole32.dll!CoCreateInstance 774457FC 5 Bytes JMP 67538BE5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!UnhookWindowsHookEx 769CCC7B 5 Bytes JMP 675482FA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!CallNextHookEx 769CCC8F 5 Bytes JMP 67529D00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!CreateWindowExW 769D0E51 5 Bytes JMP 675380F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!SetWindowsHookExW 769D210A 5 Bytes JMP 674E45DB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxIndirectParamW 769F4AA7 5 Bytes JMP 6765F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxParamW 769F564A 5 Bytes JMP 67454B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxParamA 76A0CF6A 5 Bytes JMP 6765F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxIndirectParamA 76A0D29C 5 Bytes JMP 6765F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxIndirectA 76A1E8C9 5 Bytes JMP 6765F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxIndirectW 76A1E9C3 5 Bytes JMP 6765F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxExA 76A1EA29 5 Bytes JMP 6765F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxExW 76A1EA4D 5 Bytes JMP 6765F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] ole32.dll!OleLoadFromStream 773F5B88 5 Bytes JMP 6765F576 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3096] ole32.dll!CoCreateInstance 774457FC 5 Bytes JMP 67538BE5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Lenovo\System Update\SUService.exe[2264] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [755F5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Lenovo\System Update\SUService.exe[2264] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [755F5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Lenovo\System Update\SUService.exe[2264] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [755F5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Lenovo\System Update\SUService.exe[2264] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [755F5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Lenovo\System Update\SUService.exe[2264] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [755F5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2672] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [755F5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2672] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [755F5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2672] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [755F5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2672] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [755F5E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

    Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f3afc1970
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f3afc1970 (not active ControlSet)

    ---- EOF - GMER 1.0.15 ----
     
    quirkymac,
    #105
  7. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    OTL logfile created on: 13/04/2010 5:59:13 AM - Run 4
    OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Milne Clan\Desktop
    An unknown product (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 71.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 149.05 Gb Total Space | 76.33 Gb Free Space | 51.21% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    Drive E: | 6.83 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: MILNECLAN-PC
    Current User Name: Milne Clan
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/04/13 05:58:42 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    PRC - [2010/02/21 04:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
    PRC - [2009/12/09 17:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    PRC - [2009/10/31 15:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2009/10/19 16:18:36 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe
    PRC - [2009/09/28 15:27:18 | 000,144,752 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
    PRC - [2009/08/24 12:43:54 | 000,038,176 | ---- | M] (Lenovo) -- C:\Windows\System32\ibmpmsvc.exe
    PRC - [2009/08/20 08:38:30 | 000,062,752 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
    PRC - [2009/08/06 16:15:36 | 000,173,080 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxext.exe
    PRC - [2009/07/15 09:18:00 | 000,062,320 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
    PRC - [2009/07/14 11:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2009/07/08 19:12:06 | 000,337,184 | ---- | M] (Lenovo.) -- C:\Windows\System32\TpShocks.exe
    PRC - [2009/05/18 12:28:04 | 001,314,816 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
    PRC - [2009/03/13 16:32:46 | 000,068,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    PRC - [2009/02/02 17:04:08 | 000,067,432 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    PRC - [2008/07/15 12:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEADISRV.EXE


    ========== Modules (SafeList) ==========

    MOD - [2010/04/13 05:58:42 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    MOD - [2009/07/14 11:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
    MOD - [2009/07/14 11:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
    MOD - [2009/07/14 11:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
    MOD - [2009/07/14 11:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
    MOD - [2009/07/14 11:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
    MOD - [2009/07/14 11:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
    MOD - [2009/07/14 11:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
    MOD - [2009/07/14 11:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
    MOD - [2009/07/14 11:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
    MOD - [2009/07/14 11:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
    MOD - [2009/07/14 11:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/03/12 03:17:23 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2009/12/09 17:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
    SRV - [2009/10/19 16:18:36 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
    SRV - [2009/09/09 02:05:00 | 000,075,040 | ---- | M] (Lenovo) [On_Demand | Stopped] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE -- (Power Manager DBC Service)
    SRV - [2009/08/24 12:43:54 | 000,038,176 | ---- | M] (Lenovo) [Auto | Running] -- C:\Windows\System32\ibmpmsvc.exe -- (IBMPMSVC)
    SRV - [2009/07/15 09:18:00 | 000,062,320 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
    SRV - [2009/07/14 11:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
    SRV - [2009/07/14 11:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
    SRV - [2009/07/14 11:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
    SRV - [2009/07/14 11:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
    SRV - [2009/07/14 11:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
    SRV - [2009/07/14 11:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
    SRV - [2009/07/14 11:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
    SRV - [2009/07/14 11:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/14 11:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009/07/14 11:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
    SRV - [2009/07/14 11:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
    SRV - [2009/07/14 11:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
    SRV - [2009/07/14 11:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
    SRV - [2009/07/14 11:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/07/14 11:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
    SRV - [2009/07/14 11:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
    SRV - [2009/07/14 11:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
    SRV - [2009/07/14 11:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
    SRV - [2009/07/14 11:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
    SRV - [2009/07/14 11:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
    SRV - [2009/07/14 11:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
    SRV - [2009/07/14 11:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
    SRV - [2009/07/03 17:47:08 | 000,045,424 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
    SRV - [2009/06/29 12:51:00 | 000,039,976 | ---- | M] (Lenovo.) [On_Demand | Stopped] -- C:\Windows\System32\TPHDEXLG.exe -- (TPHDEXLGSVC)
    SRV - [2008/07/15 12:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters)
    SRV - [2004/01/18 09:59:18 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



    O1 HOSTS File: ([2010/03/29 07:05:31 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No CLSID value found.
    O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
    O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
    O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
    O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
    O4 - HKLM..\Run: [TpShocks] C:\Windows\System32\TpShocks.exe (Lenovo.)
    O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab (Reg Error: Key error.)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (systempropertiesperformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/11 07:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2009/11/23 22:05:40 | 006,321,456 | R--- | M] (Codemasters Software Co.) - E:\Autorun.exe -- [ UDF ]
    O32 - AutoRun File - [2009/09/28 23:23:06 | 000,000,068 | R--- | M] () - E:\autorun.inf -- [ UDF ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias [2009/07/14 12:37:08 | 000,000,000 | ---D | M]
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found
    NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
    NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/04/13 05:58:32 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    [2010/04/12 16:17:53 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2010/04/01 04:49:37 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
    [2010/03/31 13:55:38 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2010/03/31 13:55:13 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2010/03/31 13:48:18 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2010/03/31 13:48:18 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2010/03/31 13:48:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2010/03/31 13:48:07 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/03/31 13:47:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2010/03/31 13:47:51 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
    [2010/03/31 13:36:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/03/31 13:36:33 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/03/31 13:36:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/03/31 12:51:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
    [2010/03/31 12:51:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/03/31 12:51:30 | 000,000,000 | ---D | C] -- C:\Program Files\Java

    ========== Files - Modified Within 14 Days ==========

    [2010/04/13 06:00:07 | 001,835,008 | -HS- | M] () -- C:\Users\Milne Clan\NTUSER.DAT
    [2010/04/13 05:58:42 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    [2010/04/13 05:46:28 | 000,293,376 | ---- | M] () -- C:\Users\Milne Clan\Desktop\4xsve082.exe
    [2010/04/13 05:45:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2010/04/12 03:31:32 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
    [2010/04/12 03:31:32 | 000,621,772 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2010/04/12 03:31:32 | 000,108,912 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2010/04/10 19:53:24 | 000,014,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2010/04/10 19:53:24 | 000,014,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2010/04/01 04:52:17 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2010/04/01 04:52:05 | 1577,816,064 | -HS- | M] () -- C:\hiberfil.sys
    [2010/04/01 04:51:28 | 002,786,809 | -H-- | M] () -- C:\Users\Milne Clan\AppData\Local\IconCache.db
    [2010/04/01 04:50:58 | 000,006,532 | ---- | M] () -- C:\Users\Milne Clan\Documents\cc_20100401_055050.reg
    [2010/03/31 13:54:08 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
    [2010/03/31 13:06:26 | 000,145,243 | ---- | M] () -- C:\Users\Milne Clan\Documents\quirkykiwi screenshot.jpg

    ========== Files Created - No Company Name ==========

    [2010/04/13 05:46:22 | 000,293,376 | ---- | C] () -- C:\Users\Milne Clan\Desktop\4xsve082.exe
    [2010/04/01 04:50:53 | 000,006,532 | ---- | C] () -- C:\Users\Milne Clan\Documents\cc_20100401_055050.reg
    [2010/03/31 13:48:18 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2010/03/31 13:48:18 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2010/03/31 13:48:18 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
    [2010/03/31 13:48:18 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2010/03/31 13:06:23 | 000,145,243 | ---- | C] () -- C:\Users\Milne Clan\Documents\quirkykiwi screenshot.jpg
    [2010/03/30 18:48:11 | 057,521,259 | ---- | C] () -- C:\Users\Milne Clan\Desktop\Zen Relax - Chinese Bamboo Flute Music - Sounds Of Nature - Relaxation & Meditation With Music & Nature.mp3
    [2010/03/29 07:06:16 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2010/03/24 05:27:51 | 000,015,944 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
    [2010/02/21 06:46:27 | 000,014,115 | ---- | C] () -- C:\Windows\twspmm.ini
    [2010/02/01 14:08:46 | 000,178,176 | ---- | C] () -- C:\Windows\System32\unrar.dll
    [2010/01/25 07:01:52 | 000,000,539 | ---- | C] () -- C:\Users\Milne Clan\AppData\Local\CastleLinkProps.dat
    [2010/01/04 16:19:59 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
    [2010/01/04 14:53:15 | 000,524,288 | -HS- | C] () -- C:\Users\Milne Clan\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
    [2010/01/04 14:53:15 | 000,524,288 | -HS- | C] () -- C:\Users\Milne Clan\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
    [2010/01/04 14:53:15 | 000,262,144 | -HS- | C] () -- C:\Users\Milne Clan\ntuser.dat.LOG1
    [2010/01/04 14:53:15 | 000,065,536 | -HS- | C] () -- C:\Users\Milne Clan\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
    [2010/01/04 14:53:15 | 000,000,020 | -HS- | C] () -- C:\Users\Milne Clan\ntuser.ini
    [2010/01/04 14:53:15 | 000,000,000 | -HS- | C] () -- C:\Users\Milne Clan\ntuser.dat.LOG2
    [2010/01/04 14:53:14 | 001,835,008 | -HS- | C] () -- C:\Users\Milne Clan\NTUSER.DAT
    [2009/10/07 07:24:22 | 000,082,289 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
    [2009/07/14 09:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
    [2009/07/14 09:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
    [2005/05/06 18:06:00 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll

    ========== LOP Check ==========

    [2010/03/28 06:10:53 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\GetRight
    [2010/03/09 16:48:42 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\LEAPS
    [2010/02/01 14:11:32 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\Leawo
    [2010/01/07 19:00:28 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\OpenOffice.org
    [2010/03/09 16:46:07 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\Pegasys Inc
    [2010/01/18 14:45:22 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\Red Alert 3
    [2010/03/25 05:08:21 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\uTorrent
    [2009/07/14 14:53:46 | 000,013,952 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2009/07/14 11:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\ERDNT\cache\AGP440.sys
    [2009/07/14 11:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
    [2009/07/14 11:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
    [2009/07/14 11:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

    < MD5 for: ATAPI.SYS >
    [2009/07/14 11:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\ERDNT\cache\atapi.sys
    [2009/07/14 11:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
    [2009/07/14 11:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
    [2009/07/14 11:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

    < MD5 for: CNGAUDIT.DLL >
    [2009/07/14 11:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\ERDNT\cache\cngaudit.dll
    [2009/07/14 11:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
    [2009/07/14 11:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

    < MD5 for: IASTORV.SYS >
    [2009/07/14 11:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
    [2009/07/14 11:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
    [2009/07/14 11:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

    < MD5 for: NETLOGON.DLL >
    [2009/07/14 11:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\ERDNT\cache\netlogon.dll
    [2009/07/14 11:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
    [2009/07/14 11:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

    < MD5 for: NVSTOR.SYS >
    [2009/07/14 11:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
    [2009/07/14 11:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
    [2009/07/14 11:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

    < MD5 for: SCECLI.DLL >
    [2009/07/14 11:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\ERDNT\cache\scecli.dll
    [2009/07/14 11:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
    [2009/07/14 11:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    < %systemroot%\System32\config\*.sav >

    < End of report >
     
    quirkymac,
    #106
  8. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Did I do something wrong? No extras.txt file was either opened or saved. I saw (and posted) the OTL.txt and can see it saved on my desktop (where OTL is)...I shall try again!
     
    quirkymac,
    #107
  9. 2010/04/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Don't worry about extras...

    Run OTL
    • Under the [color= "#0000FF"]Custom Scans/Fixes[/color] box at the bottom, paste in the following

      Code:
      :OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No CLSID value found.
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab  (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
[2010/03/29 07:06:16 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat


:Services

:Reg

:Files

:Commands
[purity]
[emptytemp]
[resethosts]
[Reboot]
    • Then click the [color= "#FF0000"]Run Fix[/color] button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
    broni,
    #108
  10. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    I am not going mad (completely) - No extras.txt generated this time either...
     
    quirkymac,
    #109
  11. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{71576546-354D-41C9-AAE8-31F2EC22BF0D} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71576546-354D-41C9-AAE8-31F2EC22BF0D}\ not found.
    Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
    Starting removal of ActiveX control {3860DD98-0549-4D50-AA72-5D17D200EE10}
    C:\Windows\Downloaded Program Files\wlscCtrl2.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{3860DD98-0549-4D50-AA72-5D17D200EE10}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3860DD98-0549-4D50-AA72-5D17D200EE10}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3860DD98-0549-4D50-AA72-5D17D200EE10}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3860DD98-0549-4D50-AA72-5D17D200EE10}\ not found.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    C:\ProgramData\ezsidmv.dat moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Milne Clan
    ->Temp folder emptied: 103976260 bytes
    ->Temporary Internet Files folder emptied: 42963073 bytes
    ->Java cache emptied: 230531 bytes
    ->Flash cache emptied: 4829 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 65768 bytes
    RecycleBin emptied: 3645223927 bytes

    Total Files Cleaned = 3,617.00 mb

    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.1.1 log created on 04132010_061714

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
    quirkymac,
    #110
  12. 2010/04/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK, so where are we at now?
    What are the current issues?
     
    broni,
    #111
  13. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    OTL logfile created on: 13/04/2010 6:42:31 AM - Run 6
    OTL by OldTimer - Version 3.2.1.1 Folder = C:\Users\Milne Clan\Desktop
    An unknown product (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 149.05 Gb Total Space | 79.68 Gb Free Space | 53.46% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    Drive E: | 6.83 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: MILNECLAN-PC
    Current User Name: Milne Clan
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/04/13 05:58:42 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    PRC - [2010/02/21 04:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
    PRC - [2009/12/09 17:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    PRC - [2009/10/31 15:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2009/10/19 16:18:36 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe
    PRC - [2009/09/28 15:27:18 | 000,144,752 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
    PRC - [2009/08/24 12:43:54 | 000,038,176 | ---- | M] (Lenovo) -- C:\Windows\System32\ibmpmsvc.exe
    PRC - [2009/08/20 08:38:30 | 000,062,752 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
    PRC - [2009/07/15 09:18:00 | 000,062,320 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
    PRC - [2009/07/14 11:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2009/07/14 11:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sppsvc.exe
    PRC - [2009/07/08 19:12:06 | 000,337,184 | ---- | M] (Lenovo.) -- C:\Windows\System32\TpShocks.exe
    PRC - [2009/05/18 12:28:04 | 001,314,816 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
    PRC - [2009/03/13 16:32:46 | 000,068,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    PRC - [2009/02/02 17:04:08 | 000,067,432 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    PRC - [2008/07/15 12:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEADISRV.EXE


    ========== Modules (SafeList) ==========

    MOD - [2010/04/13 05:58:42 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    MOD - [2009/07/14 11:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
    MOD - [2009/07/14 11:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
    MOD - [2009/07/14 11:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
    MOD - [2009/07/14 11:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
    MOD - [2009/07/14 11:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
    MOD - [2009/07/14 11:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
    MOD - [2009/07/14 11:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
    MOD - [2009/07/14 11:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
    MOD - [2009/07/14 11:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
    MOD - [2009/07/14 11:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
    MOD - [2009/07/14 11:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/03/12 03:17:23 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2009/12/09 17:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
    SRV - [2009/10/19 16:18:36 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
    SRV - [2009/09/09 02:05:00 | 000,075,040 | ---- | M] (Lenovo) [On_Demand | Stopped] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE -- (Power Manager DBC Service)
    SRV - [2009/08/24 12:43:54 | 000,038,176 | ---- | M] (Lenovo) [Auto | Running] -- C:\Windows\System32\ibmpmsvc.exe -- (IBMPMSVC)
    SRV - [2009/07/15 09:18:00 | 000,062,320 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
    SRV - [2009/07/14 11:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
    SRV - [2009/07/14 11:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
    SRV - [2009/07/14 11:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
    SRV - [2009/07/14 11:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
    SRV - [2009/07/14 11:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
    SRV - [2009/07/14 11:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
    SRV - [2009/07/14 11:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
    SRV - [2009/07/14 11:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/14 11:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009/07/14 11:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
    SRV - [2009/07/14 11:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
    SRV - [2009/07/14 11:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
    SRV - [2009/07/14 11:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
    SRV - [2009/07/14 11:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/07/14 11:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
    SRV - [2009/07/14 11:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
    SRV - [2009/07/14 11:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
    SRV - [2009/07/14 11:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
    SRV - [2009/07/14 11:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
    SRV - [2009/07/14 11:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
    SRV - [2009/07/14 11:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
    SRV - [2009/07/14 11:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
    SRV - [2009/07/03 17:47:08 | 000,045,424 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
    SRV - [2009/06/29 12:51:00 | 000,039,976 | ---- | M] (Lenovo.) [On_Demand | Stopped] -- C:\Windows\System32\TPHDEXLG.exe -- (TPHDEXLGSVC)
    SRV - [2008/07/15 12:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters)
    SRV - [2004/01/18 09:59:18 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



    O1 HOSTS File: ([2010/04/13 06:17:54 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
    O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
    O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
    O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
    O4 - HKLM..\Run: [TpShocks] C:\Windows\System32\TpShocks.exe (Lenovo.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (systempropertiesperformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
    O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/11 07:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2009/11/23 22:05:40 | 006,321,456 | R--- | M] (Codemasters Software Co.) - E:\Autorun.exe -- [ UDF ]
    O32 - AutoRun File - [2009/09/28 23:23:06 | 000,000,068 | R--- | M] () - E:\autorun.inf -- [ UDF ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/04/13 05:58:32 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    [2010/04/12 16:17:53 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2010/04/01 04:49:37 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
    [2010/03/31 13:55:38 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2010/03/31 13:55:13 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2010/03/31 13:48:18 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2010/03/31 13:48:18 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2010/03/31 13:48:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2010/03/31 13:48:07 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/03/31 13:47:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2010/03/31 13:47:51 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
    [2010/03/31 13:36:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/03/31 13:36:33 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/03/31 13:36:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/03/31 12:51:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
    [2010/03/31 12:51:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/03/31 12:51:30 | 000,000,000 | ---D | C] -- C:\Program Files\Java

    ========== Files - Modified Within 14 Days ==========

    [2010/04/13 06:39:29 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2010/04/13 06:39:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2010/04/13 06:39:17 | 1577,816,064 | -HS- | M] () -- C:\hiberfil.sys
    [2010/04/13 06:38:39 | 000,003,288 | ---- | M] () -- C:\bootsqm.dat
    [2010/04/13 06:18:07 | 001,835,008 | -HS- | M] () -- C:\Users\Milne Clan\NTUSER.DAT
    [2010/04/13 06:17:54 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
    [2010/04/13 05:58:42 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Milne Clan\Desktop\OTL.exe
    [2010/04/13 05:46:28 | 000,293,376 | ---- | M] () -- C:\Users\Milne Clan\Desktop\4xsve082.exe
    [2010/04/12 03:31:32 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
    [2010/04/12 03:31:32 | 000,621,772 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2010/04/12 03:31:32 | 000,108,912 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2010/04/10 19:53:24 | 000,014,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2010/04/10 19:53:24 | 000,014,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2010/04/01 04:51:28 | 002,786,809 | -H-- | M] () -- C:\Users\Milne Clan\AppData\Local\IconCache.db
    [2010/04/01 04:50:58 | 000,006,532 | ---- | M] () -- C:\Users\Milne Clan\Documents\cc_20100401_055050.reg
    [2010/03/31 13:54:08 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
    [2010/03/31 13:06:26 | 000,145,243 | ---- | M] () -- C:\Users\Milne Clan\Documents\quirkykiwi screenshot.jpg

    ========== Files Created - No Company Name ==========

    [2010/04/13 06:38:39 | 000,003,288 | ---- | C] () -- C:\bootsqm.dat
    [2010/04/13 05:46:22 | 000,293,376 | ---- | C] () -- C:\Users\Milne Clan\Desktop\4xsve082.exe
    [2010/04/01 04:50:53 | 000,006,532 | ---- | C] () -- C:\Users\Milne Clan\Documents\cc_20100401_055050.reg
    [2010/03/31 13:48:18 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2010/03/31 13:48:18 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2010/03/31 13:48:18 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
    [2010/03/31 13:48:18 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2010/03/31 13:06:23 | 000,145,243 | ---- | C] () -- C:\Users\Milne Clan\Documents\quirkykiwi screenshot.jpg
    [2010/03/30 18:48:11 | 057,521,259 | ---- | C] () -- C:\Users\Milne Clan\Desktop\Zen Relax - Chinese Bamboo Flute Music - Sounds Of Nature - Relaxation & Meditation With Music & Nature.mp3
    [2010/03/24 05:27:51 | 000,015,944 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
    [2010/02/21 06:46:27 | 000,014,115 | ---- | C] () -- C:\Windows\twspmm.ini
    [2010/02/01 14:08:46 | 000,178,176 | ---- | C] () -- C:\Windows\System32\unrar.dll
    [2010/01/25 07:01:52 | 000,000,539 | ---- | C] () -- C:\Users\Milne Clan\AppData\Local\CastleLinkProps.dat
    [2010/01/04 16:19:59 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
    [2010/01/04 14:53:15 | 000,524,288 | -HS- | C] () -- C:\Users\Milne Clan\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
    [2010/01/04 14:53:15 | 000,524,288 | -HS- | C] () -- C:\Users\Milne Clan\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
    [2010/01/04 14:53:15 | 000,262,144 | -HS- | C] () -- C:\Users\Milne Clan\ntuser.dat.LOG1
    [2010/01/04 14:53:15 | 000,065,536 | -HS- | C] () -- C:\Users\Milne Clan\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
    [2010/01/04 14:53:15 | 000,000,020 | -HS- | C] () -- C:\Users\Milne Clan\ntuser.ini
    [2010/01/04 14:53:15 | 000,000,000 | -HS- | C] () -- C:\Users\Milne Clan\ntuser.dat.LOG2
    [2010/01/04 14:53:14 | 001,835,008 | -HS- | C] () -- C:\Users\Milne Clan\NTUSER.DAT
    [2009/10/07 07:24:22 | 000,082,289 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
    [2009/07/14 09:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
    [2009/07/14 09:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
    [2005/05/06 18:06:00 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll

    ========== LOP Check ==========

    [2010/03/28 06:10:53 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\GetRight
    [2010/03/09 16:48:42 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\LEAPS
    [2010/02/01 14:11:32 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\Leawo
    [2010/01/07 19:00:28 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\OpenOffice.org
    [2010/03/09 16:46:07 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\Pegasys Inc
    [2010/01/18 14:45:22 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\Red Alert 3
    [2010/03/25 05:08:21 | 000,000,000 | ---D | M] -- C:\Users\Milne Clan\AppData\Roaming\uTorrent
    [2009/07/14 14:53:46 | 000,014,204 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========


    < End of report >
     
    quirkymac,
    #112
  14. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    No redirection.
    No popups.
    No issues with access to anti virus/spyware etc sites
    No issues with Windows update.

    The only issue is that if I change the DNS settings in my networking back to Auto DNS all of the above symptoms reappear and we are back to sqaure one.
    Perhaps this is not necessarily a spyware/malware issue but a networking one now?
     
    quirkymac,
    #113
  15. 2010/04/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It may be. It may be some network security setting.
    However, regarding networking, my level of knowledge is close to an idiot :))), so I won't even attempt to give you any advice.

    Since we don't have any malware issues right now, if you don't mind, I'll mark this thread as resolved and you'll start new topic at networking forum and hopefully someone will give you correct advice.

    What do you say?
     
    broni,
    #114
  16. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    That sounds like a very good (and well earned) outcome....lets see what the networking boffins can do. Is it reasonable to believe that the symptoms started as a result of some sort of Malware?

    Thanks for your patience and help with this once again.

    Perhaps once this becomes [Resolved] the rain will stop in California?
    QK
     
    quirkymac,
    #115
  17. 2010/04/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your computer was definitely infected. Most stuff was removed on initial Combofix run.

    Let's do some cleanup, before you leave this thread.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall "
    Click OK (Vista users - press Enter).
    Restart computer.

    ================================================================

    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator ")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.

    ===============================================================

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore ".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.
     
    broni,
    #116
  18. 2010/04/12
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    All the above steps have been completed. SWMBO has given her seal of approval.
    Thanks again.
     
    quirkymac,
    #117
  19. 2010/04/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Hahahaha....good :)
     
    broni,
    #118
Page 6 of 6

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...