TechSpot

Keep getting redirected when clicking on Google links

By ericlikesmen
Jan 18, 2011
  1. I only get redirected when clicking on Google links, not when typing the address directly into the address bar.
    I have ESET Smart Security and it found a trojan but it still did not solve the problem.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5551

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    1/18/2011 8:35:54 PM
    mbam-log-2011-01-18 (20-35-54).txt

    Scan type: Quick scan
    Objects scanned: 171116
    Time elapsed: 6 minute(s), 7 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 1
    Registry Keys Infected: 4
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 11

    Memory Processes Infected:
    c:\Windows\Nzanea.exe (Trojan.FraudPack.Gen) -> 5052 -> Unloaded process successfully.

    Memory Modules Infected:
    c:\Windows\System32\sshnas21.dll (Trojan.FraudPack.Gen) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Metropolis (Trojan.FraudPack.Gen) -> Value: Metropolis -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CE8SIIFGSU (Trojan.FraudPack.Gen) -> Value: CE8SIIFGSU -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\System32\sshnas21.dll (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
    c:\Users\Administrator\AppData\Local\Temp\Nwh.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
    c:\Windows\Nzanea.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
    c:\Users\Administrator\AppData\Local\Temp\Nwi.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\sshnas21.dll (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
    c:\Users\administrator\AppData\Local\Temp\Nwf.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
    c:\Users\administrator\AppData\Local\Temp\Nwg.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
    c:\programdata\sysreserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-18 20:59:34
    Windows 6.0.6002 Service Pack 2
    Running: lcdh8rc0.exe


    ---- Files - GMER 1.0.15 ----

    File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.ci 8192 bytes
    File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.dir 4096 bytes
    File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid 65536 bytes
    File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.ci 8192 bytes
    File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.dir 4096 bytes
    File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid 65536 bytes
    File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.ci 8192 bytes
    File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.dir 4096 bytes
    File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid 65536 bytes

    ---- EOF - GMER 1.0.15 ----


    DDS (Ver_10-12-12.02) - NTFS_AMD64
    Run by Administrator at 21:01:13.45 on Tue 01/18/2011
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_23
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2470 [GMT -5:00]

    AV: ESET Smart Security 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
    SP: ESET Smart Security 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: ESET Personal firewall *Enabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Administrator\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
    uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
    mRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    StartupFolder: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\Start Menu\Programs\Startup\CurseClientStartup.ccip
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun-x64: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

    ================= FIREFOX ===================

    FF - ProfilePath - C:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\mo3qhb2x.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mo3qhb2x.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mo3qhb2x.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - component: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mo3qhb2x.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Users\Administrator\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
    FF - plugin: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mo3qhb2x.default\extensions\wildpocketsloader@simopsstudios.com\plugins\npWildPocketsLoader.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: AnyColor: anycolor.pavlos256@gmail.com - %profile%\extensions\anycolor.pavlos256@gmail.com
    FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
    FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
    FF - Ext: PlainOldFavorites: {7E7165E2-0767-448c-852F-5FA8714F2C37} - %profile%\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
    FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    FF - Ext: Wild Pockets Loader: wildpocketsloader@simopsstudios.com - %profile%\extensions\wildpocketsloader@simopsstudios.com
    FF - Ext: Browser Backgrounds: {3e0c7f3a-3f50-4730-beb5-4a9a10e2831c} - %profile%\extensions\{3e0c7f3a-3f50-4730-beb5-4a9a10e2831c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R1 ehdrv;ehdrv;C:\Windows\System32\drivers\ehdrv.sys [2009-9-11 136584]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-5-27 203264]
    R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2009-9-11 735960]
    R2 epfwwfp;epfwwfp;C:\Windows\System32\drivers\epfwwfp.sys [2009-9-11 44944]
    R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-5-27 6856192]
    R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-5-27 264192]
    R3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
    R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2006-11-2 273408]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-1 136176]
    S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-9-27 79360]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-9-27 79360]
    S3 HtcUsbMdmV64;HTC Proprietary USB Driver;C:\Windows\System32\drivers\HtcUsbMdmV64.sys [2010-7-2 121800]
    S3 HtcVCom32;HTC Diagnostic Port;C:\Windows\System32\drivers\HtcVComV64.sys [2010-7-2 121800]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 SMSIVZAM5X64;SMSIVZAM5X64 NDIS Protocol Driver;C:\PROGRA~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [2009-5-25 43032]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2009-10-16 50176]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-2-10 89920]

    =============== Created Last 30 ================

    2011-01-19 01:27:33 -------- d-----w- C:\Users\ADMINI~1\AppData\Roaming\Malwarebytes
    2011-01-19 01:27:19 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-19 01:27:19 -------- d-----w- C:\PROGRA~3\Malwarebytes
    2011-01-19 01:27:16 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-01-19 01:27:16 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-01-19 00:56:14 388096 ----a-r- C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-01-19 00:56:05 -------- d-----w- C:\Program Files (x86)\Trend Micro
    2011-01-18 07:26:05 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{90784667-937B-49E1-ABCE-CB65065DBBEC}\mpengine.dll
    2011-01-17 22:06:51 -------- d-----w- C:\Users\ADMINI~1\AppData\Local\jagexlauncher
    2011-01-17 21:43:15 -------- d-----w- C:\Windows\SysWow64\Log
    2011-01-17 16:07:13 -------- d-----w- C:\Windows\.jagex_cache_32
    2010-12-28 05:03:10 -------- d-----w- C:\Users\ADMINI~1\AppData\Local\SDK
    2010-12-28 04:55:55 679936 ----a-w- C:\Windows\SysWow64\D3DX81ab.dll
    2010-12-28 04:55:55 1970176 ----a-w- C:\Windows\SysWow64\d3dx9.dll
    2010-12-28 04:55:54 -------- d-----w- C:\Program Files (x86)\Cheat Engine
    2010-12-27 21:53:15 -------- d-----w- C:\Users\ADMINI~1\AppData\Roaming\.minecraft
    2010-12-24 18:19:21 -------- d-----w- C:\Users\ADMINI~1\AppData\Roaming\PFStaticIP
    2010-12-24 18:19:17 -------- d-----w- C:\Program Files (x86)\PFStaticIP

    ==================== Find3M ====================

    2010-12-28 16:08:18 466944 ----a-w- C:\Windows\System32\odbc32.dll
    2010-12-28 15:55:03 413696 ----a-w- C:\Windows\SysWow64\odbc32.dll
    2010-12-24 03:57:46 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2010-12-14 16:15:49 1251840 ----a-w- C:\Windows\System32\sdclt.exe
    2010-11-06 11:18:48 500224 ----a-w- C:\Windows\System32\wmicmiplugin.dll
    2010-11-06 11:18:27 655872 ----a-w- C:\Windows\System32\taskschd.dll
    2010-11-06 11:18:27 410112 ----a-w- C:\Windows\System32\taskcomp.dll
    2010-11-06 11:18:13 855040 ----a-w- C:\Windows\System32\schedsvc.dll
    2010-11-04 23:58:17 267776 ----a-w- C:\Windows\System32\taskeng.exe
    2010-11-04 18:55:38 352768 ----a-w- C:\Windows\SysWow64\taskschd.dll
    2010-11-04 18:55:38 270336 ----a-w- C:\Windows\SysWow64\taskcomp.dll
    2010-11-04 16:34:06 171520 ----a-w- C:\Windows\SysWow64\taskeng.exe
    2010-10-28 16:29:18 48128 ----a-w- C:\Windows\System32\atmlib.dll
    2010-10-28 15:44:56 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2010-10-28 14:05:21 367104 ----a-w- C:\Windows\System32\atmfd.dll
    2010-10-28 13:56:57 2048 ----a-w- C:\Windows\System32\tzres.dll
    2010-10-28 13:27:47 292352 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2010-10-28 13:20:12 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2010-10-21 20:23:51 1032192 ----a-w- C:\Windows\System32\wininet.dll
    2010-10-21 20:08:42 834048 ----a-w- C:\Windows\SysWow64\wininet.dll
    2010-10-21 19:00:26 485376 ----a-w- C:\Windows\System32\html.iec
    2010-10-21 18:30:50 389632 ----a-w- C:\Windows\SysWow64\html.iec

    ============= FINISH: 21:01:34.47 ===============
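As an added example (not part of this thread and not Malwarebytes' own tooling), a small Python parser for the MBAM 1.x log format posted above: it groups detections by family, flags entries still waiting for a reboot (the sshnas21.dll memory module above was only marked "Delete on reboot"), lists hits in autostart locations (Run values and Tasks .job files), and cross-checks the summary counts against the entries listed. The embedded log is a constructed excerpt of the first post's log, with the counts adjusted to the excerpt.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and summarize what it reports."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: summary counts plus a subset of the entries from the
# MBAM log posted above (counts adjusted to match the subset).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\Windows\Nzanea.exe (Trojan.FraudPack.Gen) -> 5052 -> Unloaded process successfully.

Memory Modules Infected:
c:\Windows\System32\sshnas21.dll (Trojan.FraudPack.Gen) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Metropolis (Trojan.FraudPack.Gen) -> Value: Metropolis -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CE8SIIFGSU (Trojan.FraudPack.Gen) -> Value: CE8SIIFGSU -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\sshnas21.dll (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\Users\Administrator\AppData\Local\Temp\Nwh.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\programdata\sysreserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    section: str                  # e.g. "Registry Values Infected"
    item: str                     # file path or registry key
    detection: str                # MBAM detection name, e.g. Trojan.FraudPack.Gen
    action: str                   # what MBAM did, or still has to do
    value: Optional[str] = None   # registry value name, when the entry has one


# The item may itself contain parentheses ("Program Files (x86)"); backtracking
# makes the detection the last "(...)" that is followed by " -> ".
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+?)\.?$")
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# Autostart locations: a hit here is persistence, which is why the redirects survived reboots.
AUTOSTART_HINTS = ("\\currentversion\\run", "\\windows\\tasks\\")


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the detail part of the log: a 'Section Infected:' header, then one entry per line."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()                     # forum pastes often add indentation
        if line.endswith("Infected:"):         # detail header (summary lines end in a number)
            section = line[:-1]
            continue
        if not line or section is None or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            parts = [p.strip() for p in m.group("rest").split(" -> ")]
            value = next((p[len("Value: "):] for p in parts if p.startswith("Value: ")), None)
            findings.append(Finding(section, m.group("item"), m.group("detection"), parts[-1], value))
    return findings


def detections_by_family(findings: List[Finding]) -> Counter:
    return Counter(f.detection for f in findings)


def pending_reboot(findings: List[Finding]) -> List[Finding]:
    """Entries MBAM could not remove while running; the cleanup is incomplete until a reboot."""
    return [f for f in findings if "reboot" in f.action.lower()]


def autostart_items(findings: List[Finding]) -> List[Finding]:
    """Entries in Run keys or the Tasks folder: persistence mechanisms rather than payloads."""
    return [f for f in findings if any(h in f.item.lower() for h in AUTOSTART_HINTS)]


def check_counts(text: str) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count disagrees with the entries listed: {section: (claimed, listed)}."""
    claimed = {m.group("section"): int(m.group("count"))
               for m in map(SUMMARY_RE.match, (ln.strip() for ln in text.splitlines())) if m}
    listed = Counter(f.section for f in parse_mbam_log(text))
    return {s: (n, listed[s]) for s, n in claimed.items() if listed[s] != n}


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(dict(detections_by_family(found)), "pending reboot:", [f.item for f in pending_reboot(found)])
    print("autostart:", [f.item for f in autostart_items(found)], "mismatches:", check_counts(SAMPLE_LOG))
```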
     
  2. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. ericlikesmen

    ericlikesmen TS Rookie Topic Starter

    Added logs and tried clicking on links in Google, and they aren't getting redirected.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Never post logs by editing your previous reply, because I'll never get any email notification about it.

    Attach.txt part of DDS is missing.

    Post that and then.....

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. ericlikesmen

    ericlikesmen TS Rookie Topic Starter

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/27/2009 6:13:55 PM
    System Uptime: 1/18/2011 8:44:21 PM (1 hours ago)

    Motherboard: ASUSTeK Computer INC. | | Rampage Formula
    Processor: Intel(R) Core(TM)2 CPU E8600 @ 3.33GHz | LGA775 | 3339/333mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 932 GiB total, 118.287 GiB free.
    D: is CDROM (UDF)
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {85b5ddd0-e090-4b15-bdf2-a443a3ca0b66}
    Description: ATITool Driver
    Device ID: ROOT\*ATITOOLDEVICE\0000
    Manufacturer: W1zzard
    Name: ATITool Driver
    PNP Device ID: ROOT\*ATITOOLDEVICE\0000
    Service: ATITool

    Class GUID:
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_82771043&REV_02\3&11583659&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_82771043&REV_02\3&11583659&0&FB
    Service:

    ==== System Restore Points ===================

    RP316: 12/16/2010 1:52:44 PM - Windows Update
    RP317: 12/17/2010 8:39:55 AM - Windows Update
    RP318: 12/18/2010 12:40:04 PM - Scheduled Checkpoint
    RP319: 12/21/2010 2:12:00 AM - Windows Update
    RP320: 12/21/2010 8:12:11 PM - Scheduled Checkpoint
    RP321: 12/22/2010 6:28:41 PM - Scheduled Checkpoint
    RP322: 12/23/2010 10:48:13 PM - Installed Java(TM) 6 Update 23
    RP323: 12/23/2010 10:55:01 PM - Removed Java(TM) 6 Update 23
    RP324: 12/23/2010 10:57:30 PM - Installed Java(TM) 6 Update 23
    RP325: 12/24/2010 1:57:37 AM - Windows Update
    RP326: 12/28/2010 12:02:35 PM - Windows Update
    RP327: 12/30/2010 3:00:02 PM - Windows Update
    RP328: 12/31/2010 2:17:46 AM - Windows Update
    RP329: 1/1/2011 4:38:38 PM - Scheduled Checkpoint
    RP330: 1/4/2011 7:33:54 PM - Windows Update
    RP331: 1/5/2011 5:02:34 PM - Scheduled Checkpoint
    RP332: 1/7/2011 3:02:33 PM - Windows Update
    RP333: 1/11/2011 6:43:25 AM - Windows Update
    RP334: 1/13/2011 2:35:05 PM - Windows Update
    RP335: 1/14/2011 2:36:34 PM - Windows Update
    RP336: 1/15/2011 10:09:22 PM - Scheduled Checkpoint
    RP337: 1/17/2011 5:06:15 PM - Installed RuneScape Launcher 1.0.4
    RP338: 1/18/2011 2:25:38 AM - Windows Update
    RP339: 1/18/2011 7:50:41 PM - Installed HiJackThis
    RP340: 1/18/2011 7:52:53 PM - Installed HiJackThis

    ==== Installed Programs ======================

    2570
    2570_Help
    2570Trb
    AAC Decoder
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.2
    AIO_CDB_ProductContext
    AIO_CDB_Software
    AIO_Scan
    Aion
    Apple Application Support
    Apple Software Update
    Audacity 1.2.6
    Audioro iPod Converter 1.01
    AutoUpdate
    AviSynth 2.5
    Axife Mouse Recorder DEMO 5.01
    Battlefield 2(TM) Demo
    BitTorrent
    BufferChm
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    ccc-core-static
    CCC Help English
    Cheat Engine 5.6.1
    Combined Community Codec Pack 2009-09-09
    Compatibility Pack for the 2007 Office system
    Copy
    Counter-Strike: Source
    Creative ALchemy
    Creative Audio Control Panel
    Creative MediaSource 5
    Creative Software AutoUpdate
    Creative Sound Blaster Properties x64 Edition
    Creative WaveStudio 7
    Curse Client
    Destinations
    DeviceManagementQFolder
    DivX Codec
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    DocProc
    DocProcQFolder
    Driver Sweeper 2.1.0
    Fax
    FrostWire 4.20.6
    GCalc 3
    Google Update Helper
    Guitar Pro 5.2
    H.264 Decoder
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Photosmart Essential
    HP Update
    HxD Hex Editor version 1.7.7.0
    iTunes Agent 1.3.3
    Java Auto Updater
    Java(TM) 6 Update 23
    Malwarebytes' Anti-Malware
    Microsoft Office Standard Edition 2003
    MKV Splitter
    Mozilla Firefox (3.5.16)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Naga Firmware Updater 1.13
    NetTools 5.0
    Notebook Interactive Viewer
    Oblivion
    Oblivion mod manager 1.1.12
    Portforward Static IP Address 1.0.45
    Project64 1.6
    QuickTime
    Razer Naga
    RealPlayer
    RuneScape Launcher 1.0.4
    Scan
    ScanToPDF 3.2.0
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Skype™ 4.2
    StarCraft II
    Status
    Steam
    Toolbox
    TrayApp
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VC80CRTRedist - 8.0.50727.762
    Videora iPod Converter 5.03
    VLC media player 1.0.5
    VZAccess Manager
    WebReg
    Windows Media Player Firefox Plugin
    WinSCP 4.2.5
    WModem Driver Installer
    World in Conflict - DEMO
    World of Warcraft
    World of Warcraft Public Test
    XPort 360
    Yahoo! BrowserPlus 2.9.8

    ==== Event Viewer Messages From Past Week ========

    1/18/2011 8:46:06 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B88CA224-E5F1-4D8B-9EFC-DE0C69E9E595}. The master browser is stopping or an election is being forced.
    1/18/2011 8:43:19 PM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/18/2011 8:41:40 PM, Error: Service Control Manager [7034] - The Creative Audio Service service terminated unexpectedly. It has done this 1 time(s).
    1/14/2011 2:33:49 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{B88CA224-E5F1-4D8B-9EFC-DE0C69E9E595} because another computer on the network has the same name. The server could not start.
    1/11/2011 1:13:27 PM, Error: EventLog [6008] - The previous system shutdown at 1:10:10 PM on 1/11/2011 was unexpected.

    ==== End Of File ===========================

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 64-bit
    Base Board Manufacturer: ASUSTeK Computer INC.
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: System manufacturer
    System Product Name: Rampage Formula
    Logical Drives Mask: 0x000001fc

    Kernel Drivers (total 141):

    Processes (total 66):
    0 System Idle Process
    4 System
    412 C:\Windows\System32\smss.exe
    484 csrss.exe
    540 C:\Windows\System32\wininit.exe
    560 csrss.exe
    596 C:\Windows\System32\services.exe
    620 C:\Windows\System32\lsass.exe
    628 C:\Windows\System32\lsm.exe
    812 C:\Windows\System32\winlogon.exe
    836 C:\Windows\System32\svchost.exe
    896 C:\Windows\System32\svchost.exe
    936 C:\Windows\System32\svchost.exe
    1004 C:\Windows\System32\atiesrxx.exe
    200 C:\Windows\System32\svchost.exe
    308 C:\Windows\System32\svchost.exe
    292 C:\Windows\System32\svchost.exe
    404 C:\Windows\System32\audiodg.exe
    624 C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
    1028 C:\Windows\System32\SLsvc.exe
    1076 C:\Windows\System32\svchost.exe
    1096 C:\Windows\System32\atieclxx.exe
    1288 C:\Windows\System32\svchost.exe
    1472 C:\Windows\System32\spoolsv.exe
    1496 C:\Windows\System32\svchost.exe
    1824 C:\Windows\System32\taskeng.exe
    1888 C:\Windows\System32\dwm.exe
    1936 C:\Windows\System32\taskeng.exe
    1592 C:\Windows\explorer.exe
    2000 C:\Program Files\Windows Defender\MSASCui.exe
    1944 C:\Program Files\ESET\ESET Smart Security\egui.exe
    784 C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    1700 C:\Windows\SysWOW64\rundll32.exe
    1704 C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
    2088 C:\Program Files (x86)\iTunes\iTunesHelper.exe
    2100 C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    2128 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    2320 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    2476 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    2496 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    2528 C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
    2632 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    2664 C:\Windows\SysWOW64\svchost.exe
    2688 C:\Windows\System32\svchost.exe
    2736 C:\Windows\System32\svchost.exe
    2756 C:\Windows\System32\svchost.exe
    2812 C:\Windows\System32\svchost.exe
    2908 C:\Windows\System32\svchost.exe
    2940 C:\Windows\System32\SearchIndexer.exe
    892 WUDFHost.exe
    3080 C:\Windows\System32\mobsync.exe
    3728 C:\Program Files\iPod\bin\iPodService.exe
    3940 C:\Program Files\Windows Media Player\wmpnscfg.exe
    4036 C:\Program Files\Windows Media Player\wmpnetwk.exe
    3384 C:\Windows\System32\wbem\unsecapp.exe
    3444 WmiPrvSE.exe
    3616 C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
    3636 C:\Windows\System32\svchost.exe
    3772 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    2840 C:\Windows\System32\wuauclt.exe
    2428 WmiPrvSE.exe
    1168 C:\Windows\System32\VSSVC.exe
    2348 C:\Windows\System32\svchost.exe
    1880 C:\Windows\System32\SearchProtocolHost.exe
    1124 C:\Windows\System32\SearchFilterHost.exe
    3248 C:\Users\Administrator\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGHD103UJ, Rev: 1AA01112

    Size Device Name MBR Status
    --------------------------------------------
    931 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Done!
     
  6. ericlikesmen

    ericlikesmen TS Rookie Topic Starter

    ComboFix 11-01-18.02 - Administrator 01/18/2011 21:18:25.1.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2252 [GMT -5:00]
    Running from: c:\users\Administrator\Desktop\ComboFix.exe
    AV: ESET Smart Security 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
    FW: ESET Personal firewall *Enabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
    SP: ESET Smart Security 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-19 to 2011-01-19 )))))))))))))))))))))))))))))))
    .

    2011-01-19 02:16 . 2011-01-19 02:16 -------- d-----w- C:\32788R22FWJFW
    2011-01-19 01:27 . 2011-01-19 01:27 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
    2011-01-19 01:27 . 2011-01-19 01:27 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-19 01:27 . 2010-12-20 23:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-19 01:27 . 2011-01-19 01:27 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-01-19 01:27 . 2010-12-20 23:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-19 00:56 . 2011-01-19 00:56 388096 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-01-19 00:56 . 2011-01-19 00:56 -------- d-----w- c:\program files (x86)\Trend Micro
    2011-01-18 07:26 . 2010-11-10 05:35 8199504 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{90784667-937B-49E1-ABCE-CB65065DBBEC}\mpengine.dll
    2011-01-17 22:06 . 2011-01-17 22:06 -------- d-----w- c:\users\Administrator\AppData\Local\jagexlauncher
    2011-01-17 21:43 . 2011-01-18 19:24 -------- d-----w- c:\windows\SysWow64\Log
    2011-01-17 16:07 . 2011-01-18 22:56 -------- d-----w- c:\windows\.jagex_cache_32
    2010-12-28 05:03 . 2010-12-28 05:03 -------- d-----w- c:\users\Administrator\AppData\Local\SDK
    2010-12-28 04:55 . 2009-11-03 19:07 679936 ----a-w- c:\windows\SysWow64\D3DX81ab.dll
    2010-12-28 04:55 . 2009-11-03 19:07 1970176 ----a-w- c:\windows\SysWow64\d3dx9.dll
    2010-12-28 04:55 . 2010-12-28 04:56 -------- d-----w- c:\program files (x86)\Cheat Engine
    2010-12-27 21:53 . 2010-12-27 21:54 -------- d-----w- c:\users\Administrator\AppData\Roaming\.minecraft
    2010-12-24 18:19 . 2010-12-27 20:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\PFStaticIP
    2010-12-24 18:19 . 2010-12-24 18:19 -------- d-----w- c:\program files (x86)\PFStaticIP

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-24 03:57 . 2010-10-12 21:01 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2010-11-06 11:18 . 2010-12-16 02:06 500224 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-06 11:18 . 2010-12-16 02:06 655872 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-06 11:18 . 2010-12-16 02:06 410112 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-06 11:18 . 2010-12-16 02:06 855040 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 23:58 . 2010-12-16 02:06 267776 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-04 18:55 . 2010-12-16 02:06 352768 ----a-w- c:\windows\SysWow64\taskschd.dll
    2010-11-04 18:55 . 2010-12-16 02:06 270336 ----a-w- c:\windows\SysWow64\taskcomp.dll
    2010-11-04 16:34 . 2010-12-16 02:06 171520 ----a-w- c:\windows\SysWow64\taskeng.exe
    2010-10-28 16:29 . 2010-12-16 02:06 48128 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 15:44 . 2010-12-16 02:06 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2010-10-28 14:05 . 2010-12-16 02:06 367104 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 13:56 . 2010-12-16 02:06 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-10-28 13:27 . 2010-12-16 02:06 292352 ----a-w- c:\windows\SysWow64\atmfd.dll
    2010-10-28 13:20 . 2010-12-16 02:06 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2010-10-21 20:23 . 2010-12-16 02:06 1032192 ----a-w- c:\windows\system32\wininet.dll
    2010-10-21 20:08 . 2010-12-16 02:06 834048 ----a-w- c:\windows\SysWow64\wininet.dll
    2010-10-21 19:00 . 2010-12-16 02:06 485376 ----a-w- c:\windows\system32\html.iec
    2010-10-21 18:30 . 2010-12-16 02:06 389632 ----a-w- c:\windows\SysWow64\html.iec
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files (x86)\steam\steam.exe" [2010-11-18 1242448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="c:\program files (x86)\Common Files\Real\Update_OB\realsched.exe" [2010-02-09 198160]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-27 98304]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    c:\users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\Start Menu\Programs\Startup\
    CurseClientStartup.ccip [2010-7-4 0]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-01 136176]
    R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-09-28 79360]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-09-27 79360]
    R3 HtcUsbMdmV64;HTC Proprietary USB Driver;c:\windows\system32\DRIVERS\HtcUsbMdmV64.sys [2010-03-08 121800]
    R3 HtcVCom32;HTC Diagnostic Port;c:\windows\system32\DRIVERS\HtcVComV64.sys [2010-03-08 121800]
    R3 SMSIVZAM5X64;SMSIVZAM5X64 NDIS Protocol Driver;c:\progra~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [2009-05-25 43032]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2009-10-16 50176]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-09-11 136584]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-27 203264]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [2009-09-11 735960]
    S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-09-11 44944]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-05-27 6856192]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-05-27 264192]
    S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [2006-10-04 273408]


    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-01 13:23]

    2011-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-01 13:23]
    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-11 2716216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = %SystemRoot%\system32\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mo3qhb2x.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: AnyColor: anycolor.pavlos256@gmail.com - %profile%\extensions\anycolor.pavlos256@gmail.com
    FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
    FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
    FF - Ext: PlainOldFavorites: {7E7165E2-0767-448c-852F-5FA8714F2C37} - %profile%\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
    FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    FF - Ext: Wild Pockets Loader: wildpocketsloader@simopsstudios.com - %profile%\extensions\wildpocketsloader@simopsstudios.com
    FF - Ext: Browser Backgrounds: {3e0c7f3a-3f50-4730-beb5-4a9a10e2831c} - %profile%\extensions\{3e0c7f3a-3f50-4730-beb5-4a9a10e2831c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -

    Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
    Wow6432Node-HKLM-Run-P17RunE - P17RunE.dll
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    AddRemove-GCalc 3 - c:\windows\system32\javaws.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    "Progid"="iTunes.itdb"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ite\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.ite"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itl\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.itl"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itlp\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.itlp"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itms\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.itms"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itpc\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.itpc"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ivf\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.ivf"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jar\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\WinRAR.exe"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1a\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.m1a"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.m1v"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2a\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.m2a"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2p\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.m2p"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.m2t"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.m2ts"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.m2v"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.m3u"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u8\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.m3u8"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.m4a"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.m4b"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.m4p"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4r\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.m4r"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.m4v"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mid"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.midi"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mka\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mka"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="CCCP.MPC.Matroska.1"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mov"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.mp2"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mp2v"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.mp3"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="CCCP.MPC.MP4.1"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mp4v"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mpa"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpc\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mpc"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpcpl\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mpcpl"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mpe"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mpeg"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mpg"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mpv2"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv4\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mpv4"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.mts"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ofr\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.ofr"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ofs\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.ofs"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.oga\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.oga"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.ogg"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="CCCP.MPC.OGM.1"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogv\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.ogv"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcast\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.pcast"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.pls"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pva\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.pva"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ratdvd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.ratdvd"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.rmi"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.roq\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.roq"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rpm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.rpm"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smk\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.smk"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.snd"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.swf\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.swf"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tp\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.tp"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tpr\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.tpr"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ts\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.ts"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tta\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.tta"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vob\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.vob"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vp6\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.vp6"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.wav"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wave\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="iTunes.wave"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.wax"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.wm"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.wma"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmp\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.wmp"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.wmv"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.wmx"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wv\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.wv"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="mplayerc.wvx"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WinRAR.ZIP"

    [HKEY_USERS\S-1-5-21-3925668971-1567665090-2508350984-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:82,76,88,c8,3f,59,d9,e9,40,47,41,cd,35,1d,c9,20,ac,42,38,f1,7c,d3,97,
    99,92,4c,50,35,b8,f6,26,36,46,41,8e,69,18,7e,f4,81,a3,12,ae,af,10,7d,f0,02,\
    "??"=hex:33,9b,ad,85,05,d9,14,30,a6,55,c6,ea,44,51,8a,b1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-01-18 21:24:58
    ComboFix-quarantined-files.txt 2011-01-19 02:24

    Pre-Run: 126,853,427,200 bytes free
    Post-Run: 125,724,336,128 bytes free

    - - End Of File - - 4A8E9A14ACA052E19F82015E3AA7F46E
     
  7. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Both logs look clean.
    Are you still getting redirected?
    If so, which browser?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
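    As an added example (not from this thread and not OTL's own code), the script below shows what the custom-scan list above actually asks for. Each line is one of four things: a path with %VAR% tokens and optional trailing flags such as /s, a registry key, a bare OTL directive (netsvcs, CREATERESTOREPOINT, /md5start), or a dir | find command line. The script takes a handful of the lines verbatim, expands them against a constructed temporary folder tree that imitates a Windows volume, and reports matching files with size and SHA-256, so you can see which entries (the nested system32\system32 folder, winn32, a /s recursive search) would produce hits. Assumptions: /s is taken to mean "recurse into subdirectories"; /x, /mp and /rs are only recorded, not interpreted; registry and dir | find lines are listed as skipped rather than executed; every path, file name and file content in the sample tree is constructed for the demo.

```python
"""Expand OTL-style custom-scan lines into concrete file hits.  Added example,
not OTL's own code: only the "/s" flag is interpreted (assumed to mean
"recurse into subdirectories"); /x, /mp and /rs are recorded but not acted on."""
import hashlib, os, re, shutil, tempfile
from pathlib import Path

DIRECTIVES = {"netsvcs", "drivers32", "CREATERESTOREPOINT", "/md5start", "/md5stop"}
_FLAGS = re.compile(r"^(.*?)((?:\s+/\w+)*)\s*$")  # "path /flag /flag"
_ENVVAR = re.compile(r"%([^%]+)%")                 # %SYSTEMROOT%-style tokens

def classify(line):
    """Return (kind, target, flags) for one scan line, or None for a blank line."""
    s = line.strip()
    if not s:
        return None
    if s in DIRECTIVES:
        return ("directive", s, [])
    if s.upper().startswith("HKEY_"):
        return ("registry", s, [])
    if s.lower().startswith("dir "):
        return ("command", s, [])
    m = _FLAGS.match(s)
    return ("glob", m.group(1), m.group(2).split())

def expand(path, env):
    """Expand %VAR% from an explicit, case-insensitive mapping; use local separators."""
    upper = {k.upper(): v for k, v in env.items()}
    out = _ENVVAR.sub(lambda m: upper.get(m.group(1).upper(), m.group(0)), path)
    return out.replace("\\", os.sep)

def scan(lines, env):
    """Glob every file line; return (hits, skipped).  Directive, registry and
    dir|find lines go to skipped, since they need Windows-side handling."""
    hits, skipped = [], []
    for line in lines:
        c = classify(line)
        if c is None:
            continue
        kind, target, flags = c
        if kind != "glob":
            skipped.append((kind, target))
            continue
        full = expand(target, env)
        root, pattern = Path(os.path.dirname(full)), os.path.basename(full)
        if "/s" in flags:
            pattern = "**/" + pattern          # recurse below the directory
        if not root.is_dir():
            continue                           # absent folder: nothing to report
        for p in sorted(root.glob(pattern)):
            if p.is_file():
                hits.append({"line": line.strip(), "path": str(p), "size": p.stat().st_size,
                             "sha256": hashlib.sha256(p.read_bytes()).hexdigest()})
    return hits, skipped

def spaced_exe_count(directory):
    """The post's  dir /b ... | find /i " " /c  line as a direct count of .exe
    names in one directory that contain a space."""
    d = Path(directory)
    return sum(1 for p in d.glob("*.exe") if " " in p.name) if d.is_dir() else 0

def build_sample_tree():
    """Constructed stand-in for a Windows volume (not real data); the folders
    echo entries from the scan list, e.g. the nested system32 and winn32."""
    root = Path(tempfile.mkdtemp(prefix="otl_demo_"))
    files = {
        "Windows/system32/system32/sshnas21.dll": b"MZ-not-really",
        "Windows/system32/svchost.exe": b"MZ-system",
        "Windows/system32/svchost .exe": b"MZ-space-in-name",
        "Windows/winn32/helper.exe": b"MZ-helper",
        "Windows/pchealth/helpctr/System/sub/deep.exe": b"MZ-deep",
        "Users/me/Desktop/setup.exe": b"MZ-setup",
        "Users/me/Desktop/notes.txt": b"plain text",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    env = {"SystemRoot": str(root / "Windows"), "USERPROFILE": str(root / "Users" / "me"),
           "PROGRAMFILES": str(root / "Program Files")}
    return root, env

# A handful of lines copied from the custom-scan list in the post above.
SAMPLE_LINES = r"""
%systemroot%\system32\system32\*.*
%systemroot%\winn32\*.*
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
CREATERESTOREPOINT
""".strip().splitlines()

def demo():
    """Build the sample tree, scan it, remove it; return (hits, skipped, spaced)."""
    root, env = build_sample_tree()
    hits, skipped = scan(SAMPLE_LINES, env)
    spaced = spaced_exe_count(expand(r"%systemroot%\system32", env))
    shutil.rmtree(root, ignore_errors=True)
    return hits, skipped, spaced
```

    Call demo() to run it against the constructed tree; it returns four hits (the file in the nested system32 folder, the one in winn32, the Desktop .exe, and the .exe found only because /s recursed into a subfolder), three skipped non-file lines, and a count of 1 for .exe names containing a space in system32. To run the same lines on a real machine, pass scan() a dict built from os.environ instead of the constructed env. The SHA-256 column is what you would compare against a known-good copy of a file with the same name; OTL's own output for these lines is what lands in OTL.txt, as the post says.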
     
  8. ericlikesmen

    ericlikesmen TS Rookie Topic Starter

    Haven't been redirected on any browser.
     
  9. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Very well :)

    We still need to finish what we started.
    OTL log please.
     
Topic Status:
Not open for further replies.

