  #1  
Old April 18th, 2012, 12:23 PM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 962
What is this malware PUP.BundleInstall

Antimalware keeps removing this but it keeps coming back. Google doesn't show any information on it at all.


  #2  
Old April 18th, 2012, 01:50 PM
Aaflac Aaflac is offline
Malware Removal Team
 
Join Date: May 2007
Location: Illinois, USA
Posts: 2,880
Welcome to CTH, Icyber!

PUP.BundleInstaller is a potentially unwanted program that self installs with other programs, such as games. Have you downloaded anything recently??

If it keeps coming back after using Malwarebytes' Anti-Malware, let's see what we can find with the following...

Please download OTL from: Here
  • Save it to the Desktop.
  • OTL does not need to be installed; simply click OTL.exe to run the program.
  • Click the Scan All Users checkbox.
  • Press the Run Scan button.
  • Two reports appear:
    • OTL.txt <-- Opened on the Desktop
    • Extra.txt <-- Minimized on the TaskBar

Please post (do not attach) the OTL.txt and Extra.txt reports in your reply.
  #3  
Old April 18th, 2012, 11:39 PM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 962
Hi Aaflac, thanks for your response.
AntiMalware deletes this but it comes straight back, I haven't downloaded anything I can recall as I don't do gaming and downloading videos etc. I'll post the Extras.TXT separately.


OTL logfile created on: 18/04/2012 23:26:42 - Run 1
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Users\user\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.24 Gb Total Physical Memory | 1.67 Gb Available Physical Memory | 51.44% Memory free
6.48 Gb Paging File | 4.77 Gb Available in Paging File | 73.58% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 76.59 Gb Total Space | 48.49 Gb Free Space | 63.31% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/18 23:26:22 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\user\Desktop\OTL.exe
PRC - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Users\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Users\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/04/03 10:08:08 | 000,178,840 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Program Files\Rising\RAV\RsTray.exe
PRC - [2012/04/03 10:02:00 | 000,150,168 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Program Files\Rising\RSD\RsMgrSvc.exe
PRC - [2012/04/03 10:01:38 | 000,123,856 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Program Files\Rising\RSD\popwndexe.exe
PRC - [2012/04/03 09:44:23 | 000,264,448 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Program Files\Rising\RAV\RavMonD.exe
PRC - [2012/03/11 13:48:36 | 001,652,536 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2012/03/11 13:48:36 | 000,931,640 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2012/01/03 14:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/04/29 10:30:27 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 13:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/11 13:50:38 | 000,516,368 | ---- | M] () -- C:\ProgramData\Trusteer\Rapport\store\exts\Rapport MS\baseline\RapportMS.dll
MOD - [2011/11/10 16:11:00 | 000,557,056 | ---- | M] () -- C:\Program Files\Trusteer\Rapport\bin\js32.dll
MOD - [2011/05/28 22:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Users\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/04/03 10:02:00 | 000,150,168 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Auto | Running] -- C:\Program Files\Rising\RSD\RsMgrSvc.exe -- (RsMgrSvc)
SRV - [2012/04/03 09:44:23 | 000,264,448 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Auto | Running] -- C:\Program Files\Rising\RAV\RavMonD.exe -- (RsRavMon)
SRV - [2012/03/11 13:48:36 | 000,931,640 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2012/01/03 14:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/03/24 22:02:15 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\tsusbhub.sys -- (tsusbhub)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\synth3dvsc.sys -- (Synth3dVsc)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\user\AppData\Local\Temp\cpuz134\cpuz134_x32.sys -- (cpuz134)
DRV - [2012/04/05 13:24:38 | 000,012,568 | ---- | M] (Sysinternals - www.sysinternals.com) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PROCEXP113.SYS -- (PROCEXP113)
DRV - [2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/04/03 10:03:52 | 000,173,336 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\Hooksys.sys -- (hooksys)
DRV - [2012/04/03 10:01:40 | 000,017,336 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\protreg.sys -- (rsdsys)
DRV - [2012/03/29 10:56:58 | 000,031,896 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\hvm.sys -- (HyperVM)
DRV - [2012/03/29 10:56:53 | 000,023,576 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\HookTdi.sys -- (HookTdi)
DRV - [2012/03/11 13:50:38 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Running] -- c:\ProgramData\Trusteer\Rapport\store\exts\Rapport MS\baseline\RapportIaso.sys -- (RapportIaso)
DRV - [2012/03/11 13:48:52 | 000,071,440 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2012/03/11 13:48:50 | 000,164,112 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2012/03/11 13:48:50 | 000,056,208 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2012/03/07 01:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/03/07 01:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/03/07 01:02:14 | 000,044,376 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr)
DRV - [2012/03/07 01:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/03/07 01:01:48 | 000,057,688 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2012/03/07 01:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/02/23 17:11:24 | 000,024,408 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswKbd.sys -- (aswKbd)
DRV - [2011/12/15 18:08:25 | 000,228,208 | ---- | M] () [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\Rapport Cerberus\34302\RapportCerberus32_34302.sys -- (RapportCerberus_34302)
DRV - [2010/11/26 19:02:22 | 000,015,672 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
DRV - [2010/11/20 13:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 13:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 13:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 11:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 11:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 10:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 10:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 00:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009/07/13 23:02:47 | 000,050,688 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C) NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {E5DA3E03-D40E-4A8E-92D5-24973B70C1EC}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9E BE F8 A7 D1 97 CC 01 [binary data]
IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\..\SearchScopes,DefaultScope = {E5DA3E03-D40E-4A8E-92D5-24973B70C1EC}
IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\..\SearchScopes\{80D0D368-780B-4BAE-8A6B-C8EC832E474B}: "URL" = http://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&type=685749&p={searchTerms}
IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\..\SearchScopes\{E5DA3E03-D40E-4A8E-92D5-24973B70C1EC}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}&rlz=
IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1579020501-843201239-3247690963-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: E:\Picasa3\npPicasa3.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)


[2011/03/30 23:45:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\user\AppData\Roaming\Mozilla\Extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.162\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.162\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.162\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 7 (Enabled) = C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: avast! WebRep = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\
CHR - Extension: Gmail = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/03/22 10:49:14 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Users\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RavTRAY] C:\Program Files\Rising\RAV\RSTRAY.EXE (Beijing Rising Information Technology Co., Ltd.)
O4 - HKU\S-1-5-21-1579020501-843201239-3247690963-1000..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background File not found
O4 - HKU\S-1-5-21-1579020501-843201239-3247690963-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKLM..\RunOnce: [SpybotSnD] C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe (Safer Networking Limited)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\S-1-5-21-1579020501-843201239-3247690963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2DA66059-73EF-43F1-ADBA-DA389CBA88B4}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (bsmain)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/18 23:26:07 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\user\Desktop\OTL.exe
[2012/04/18 13:14:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2012/04/17 22:39:51 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{64B76F39-93CD-43B7-8CE2-B59C6E29A87D}
[2012/04/17 22:39:48 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{72EA01DB-A58D-4599-989F-D07192E591B6}
[2012/04/17 10:39:44 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{8F062186-26BE-4F9A-92D2-C41169313258}
[2012/04/17 10:39:41 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{15678FFA-A11F-415A-BA28-0CAD72FAB672}
[2012/04/16 19:58:16 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{AD8FF240-EE4C-4550-99DC-08FB0BEF8184}
[2012/04/16 19:58:13 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{14C45A8C-1C0C-4A99-A14B-9EE8151CD64D}
[2012/04/11 20:17:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/04/11 20:17:13 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/04/11 20:05:14 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{3EE95848-45F2-47CE-854C-BD0CC4AB916D}
[2012/04/11 20:05:11 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{BC1DF2AB-5BBF-46AD-A8A5-AABB5FBCCFD5}
[2012/04/11 17:32:45 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/04/11 17:32:44 | 001,799,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/04/11 17:32:43 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/04/11 17:32:42 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/04/11 17:32:42 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/04/11 17:32:41 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/04/11 17:31:32 | 000,000,000 | ---D | C] -- C:\757e21846fcbfb11b74f058b29c1
[2012/04/11 17:31:12 | 003,968,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012/04/11 17:31:11 | 003,913,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2012/04/11 08:04:53 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{B4726DE1-6997-43BE-BD94-856773919B47}
[2012/04/11 08:04:50 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{CF88BC11-D3EB-4F78-9590-EA30A7370F42}
[2012/04/10 13:09:01 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\SpeedMaxPc
[2012/04/10 13:09:01 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\DriverCure
[2012/04/10 13:08:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SpeedMaxPc
[2012/04/10 13:08:51 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedMaxPc
[2012/04/10 13:08:51 | 000,000,000 | ---D | C] -- C:\Program Files\SpeedMaxPc
[2012/04/10 09:06:10 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{EE0D824E-2A9B-489B-94A7-AF80C2810147}
[2012/04/10 09:06:06 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{4DF43118-3FE1-413F-B44E-BF883AD6E5F7}
[2012/04/09 22:46:36 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/04/09 11:09:03 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{BE18A3B7-783C-4647-B526-67722E56454E}
[2012/04/09 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{CD5B8316-78F0-4898-9078-B2661349F662}
[2012/04/08 11:12:06 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{AC76500C-8ED6-4A2B-A205-F3BE172ED722}
[2012/04/08 11:11:57 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{9A6300E6-0386-4753-896E-CE294B2E7D67}
[2012/04/08 11:02:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2012/04/08 11:02:10 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2012/04/08 10:55:55 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{6823C505-8104-4491-8005-A28688BC1DF6}
[2012/04/08 10:27:29 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D135D94B-195B-4685-BE62-F72FC8E2A78C}
[2012/04/07 17:17:42 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{51F13232-1EBA-460F-AE5F-A3E6B0FE210D}
[2012/04/07 17:17:33 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D67DD075-0038-4B61-91A4-5351E00201A9}
[2012/04/07 17:16:45 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{ACF08866-7186-49CA-A4BF-2EEAEBDD2962}
[2012/04/07 15:26:11 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{17E1F011-4809-4D8F-8F91-0B176644356C}
[2012/04/07 10:18:15 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{87B11A62-4123-4A66-AFC0-0C989CF2C99F}
[2012/04/06 11:19:20 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{04AD890F-AA99-44A0-BEBF-CBB523208983}
[2012/04/06 10:38:26 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F8F4DEDE-2F97-446B-A7DF-A6844A51B8F0}
[2012/04/06 10:37:23 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F0E54F6C-ECAE-40AE-961F-93504A4DDFA9}
[2012/04/05 13:26:41 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/04/05 13:24:38 | 000,012,568 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Windows\System32\drivers\PROCEXP113.SYS
[2012/04/05 13:17:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/04/05 13:17:24 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2012/04/05 13:17:24 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/04/05 13:17:24 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/04/05 13:17:24 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/04/05 09:38:07 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{5B0E3992-024A-403B-9D91-1D1D2CF2E3FA}
[2012/04/04 10:00:39 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A92ACE3D-7F1A-420A-B229-049380D37A0E}
[2012/04/03 13:44:54 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{9D5BCA27-FED9-4EF4-86AC-C477F0463587}
[2012/04/03 10:02:45 | 000,017,336 | ---- | C] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\drivers\protreg.sys
[2012/04/02 09:07:07 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{4CBFF80B-EEDD-4429-B90C-F0C558D8565F}
[2012/03/31 10:13:06 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{A223940D-2CCA-4C02-8A90-0BBAB6A0E76E}
[2012/03/30 07:42:04 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{FF78211E-96C7-432C-BBCB-19A1F611EA3B}
[2012/03/29 16:35:05 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{158923E8-0CBC-4FAE-8B2D-885781D2DBAF}
[2012/03/29 10:59:32 | 000,000,000 | R-SD | C] -- C:\RavBin
[2012/03/29 10:59:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rising Antivirus
[2012/03/29 10:59:27 | 000,023,576 | ---- | C] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\drivers\HookTdi.sys
[2012/03/29 10:59:26 | 000,234,648 | ---- | C] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\ravext.dll
[2012/03/29 10:59:26 | 000,031,896 | ---- | C] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\drivers\hvm.sys
[2012/03/29 10:59:25 | 000,239,768 | ---- | C] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\bsmain.exe
[2012/03/29 10:59:24 | 000,173,336 | ---- | C] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\drivers\Hooksys.sys
[2012/03/29 10:59:24 | 000,038,552 | ---- | C] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\drivers\HookHelp.sys
[2012/03/29 10:59:08 | 000,000,000 | ---D | C] -- C:\Program Files\Rising
[2012/03/29 10:58:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Rising
[2012/03/28 20:30:15 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{7BF1F974-9C3A-4C2B-BE44-56D14FF2AF0C}
[2012/03/28 20:30:12 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{C2B762A9-EB1C-434A-9C57-B26C7CE73444}
[2012/03/28 08:29:54 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{37E74923-1C1F-435A-8214-69D23866748C}
[2012/03/28 08:29:52 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{862DA64E-8021-4939-9246-B2CDE75EEC43}
[2012/03/27 15:28:45 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{84C0D648-9B5A-4810-B9F2-975702BCEB26}
[2012/03/27 15:28:43 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{10311F1B-9CD1-4B10-80B7-4D867F0A3D8B}
[2012/03/26 22:33:17 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{226068EB-0D1C-483A-A48B-19D1C00DDD8D}
[2012/03/26 22:33:15 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{0A6F248A-652E-411E-BD83-D7C96B8ACE76}
[2012/03/26 10:24:47 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{933EE1F6-E52A-4F24-B93F-7B409678C825}
[2012/03/26 10:24:44 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{18CC9685-69E2-47B1-8A1F-F4A33D475BB7}
[2012/03/26 09:45:52 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012/03/25 22:24:25 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{FFA27BD6-5F58-4B8D-A138-C140226DC110}
[2012/03/25 22:24:22 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{7A627937-A722-4898-BCA4-476F272FA44D}
[2012/03/25 10:24:02 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{7F25588C-E9CA-4724-9028-9B7EDDFA5FB0}
[2012/03/25 10:23:58 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{8311307A-2FD1-4E7A-8DAB-F50FD8E74A76}
[2012/03/24 11:13:33 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{E17F32DE-E343-4D5B-8FFA-124DD039E82A}
[2012/03/24 11:13:07 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{FCA11557-F5B5-4B5A-BFE3-DC053C713798}
[2012/03/23 10:59:00 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F1E357CA-D386-4F83-AEEF-322512CBC5D7}
[2012/03/23 10:58:58 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{38F6861E-76E8-44E6-8FAD-AF86729786B1}
[2012/03/22 12:57:31 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{E8E94342-AB26-4943-A955-19CC1D369F9C}
[2012/03/22 12:57:29 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{3FF592F4-C098-4EB1-99BD-26E5EF551FEB}
[2012/03/22 10:50:46 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/03/22 10:40:45 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/03/21 12:02:42 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\temp
[2012/03/21 11:51:32 | 000,000,000 | ---D | C] -- C:\avast! sandbox
[2012/03/20 11:56:53 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D1F84C77-BB7A-4648-A452-576E746E95D5}
[2012/03/20 11:56:51 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{F72DB11C-DADF-43C7-A899-D35E8BA308F5}
[2012/03/19 23:31:58 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{2DD7C7C8-D389-4E0F-90E6-A6C66DD15F90}
[2012/03/19 23:31:55 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\{D6C33FC9-7FA2-41E3-ADD3-A4C431DACBEB}
[4 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/18 23:26:22 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\user\Desktop\OTL.exe
[2012/04/18 22:55:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/18 20:44:43 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/18 18:32:18 | 000,017,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/18 18:32:18 | 000,017,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/18 18:24:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/18 18:24:56 | 2608,979,968 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/18 13:14:49 | 000,001,176 | ---- | M] () -- C:\Users\user\Desktop\Spybot - Search & Destroy.lnk
[2012/04/11 22:10:19 | 000,615,810 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/11 22:10:19 | 000,106,190 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/04/11 20:17:18 | 000,001,010 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/11 11:22:34 | 000,000,247 | ---- | M] () -- C:\Users\user\netsh
[2012/04/09 15:44:10 | 000,009,725 | ---- | M] () -- C:\Users\user\Desktop\Documents\Equinity.odt
[2012/04/08 10:59:45 | 000,077,824 | ---- | M] () -- C:\Users\user\Desktop\Documents\best pic 2011.jpg
[2012/04/07 17:17:40 | 000,001,785 | ---- | M] () -- C:\Users\user\Desktop\Google Chrome - Shortcut.lnk
[2012/04/06 10:19:58 | 000,002,477 | ---- | M] () -- C:\Users\user\Desktop\hijack uninstall
[2012/04/05 13:26:42 | 000,000,355 | ---- | M] () -- C:\Start_.cmd
[2012/04/05 13:24:38 | 000,012,568 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Windows\System32\drivers\PROCEXP113.SYS
[2012/04/05 13:17:08 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/04/05 13:17:08 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/04/05 13:17:08 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/04/05 13:17:07 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2012/04/04 19:15:54 | 000,000,925 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/04/04 08:41:57 | 000,000,159 | ---- | M] () -- C:\Users\user\Desktop\PC running slowly again - Page 5 - Cyber Tech Help Support Forums.URL
[2012/04/03 10:22:14 | 000,001,952 | ---- | M] () -- C:\Users\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Rising Antivirus.lnk
[2012/04/03 10:22:14 | 000,001,928 | ---- | M] () -- C:\Users\Public\Desktop\Rising Antivirus.lnk
[2012/04/03 10:03:54 | 000,038,552 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\drivers\HookHelp.sys
[2012/04/03 10:03:52 | 000,173,336 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\drivers\Hooksys.sys
[2012/04/03 10:01:40 | 000,017,336 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\drivers\protreg.sys
[2012/04/03 09:47:13 | 000,000,132 | RHS- | M] () -- C:\rising.ini
[2012/04/03 09:47:12 | 000,000,122 | ---- | M] () -- C:\Windows\System32\BsMain.ini
[2012/03/29 10:56:59 | 000,234,648 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\ravext.dll
[2012/03/29 10:56:58 | 000,031,896 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\drivers\hvm.sys
[2012/03/29 10:56:57 | 000,239,768 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\bsmain.exe
[2012/03/29 10:56:53 | 000,023,576 | ---- | M] (Beijing Rising Information Technology Co., Ltd.) -- C:\Windows\System32\drivers\HookTdi.sys
[2012/03/22 10:49:14 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/03/20 20:05:41 | 000,000,133 | ---- | M] () -- C:\Users\user\Desktop\Free eBay Sniper.url
[4 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/18 13:14:49 | 000,001,176 | ---- | C] () -- C:\Users\user\Desktop\Spybot - Search & Destroy.lnk
[2012/04/11 20:17:18 | 000,001,010 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/11 11:21:11 | 000,000,247 | ---- | C] () -- C:\Users\user\netsh
[2012/04/10 20:57:56 | 000,001,364 | ---- | C] () -- C:\Users\user\Desktop\Documents\Windows Live Mail.lnk
[2012/04/09 15:44:08 | 000,009,725 | ---- | C] () -- C:\Users\user\Desktop\Documents\Equinity.odt
[2012/04/08 10:59:44 | 000,077,824 | ---- | C] () -- C:\Users\user\Desktop\Documents\best pic 2011.jpg
[2012/04/07 17:17:40 | 000,001,785 | ---- | C] () -- C:\Users\user\Desktop\Google Chrome - Shortcut.lnk
[2012/04/06 10:19:58 | 000,002,477 | ---- | C] () -- C:\Users\user\Desktop\hijack uninstall
[2012/04/05 13:26:42 | 000,000,355 | ---- | C] () -- C:\Start_.cmd
[2012/04/01 13:14:24 | 000,000,159 | ---- | C] () -- C:\Users\user\Desktop\PC running slowly again - Page 5 - Cyber Tech Help Support Forums.URL
[2012/03/29 10:59:33 | 000,000,132 | RHS- | C] () -- C:\rising.ini
[2012/03/29 10:59:31 | 000,000,122 | ---- | C] () -- C:\Windows\System32\BsMain.ini
[2012/03/29 10:59:28 | 000,001,952 | ---- | C] () -- C:\Users\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Rising Antivirus.lnk
[2012/03/29 10:59:28 | 000,001,928 | ---- | C] () -- C:\Users\Public\Desktop\Rising Antivirus.lnk
[2012/03/21 18:10:27 | 000,000,925 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/03/21 11:45:30 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/03/20 20:05:41 | 000,000,133 | ---- | C] () -- C:\Users\user\Desktop\Free eBay Sniper.url
[2011/11/30 16:46:24 | 000,017,828 | ---- | C] () -- C:\Users\user\AppData\Roaming\UserTile.png
[2011/11/25 20:19:22 | 000,098,304 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2011/09/06 20:08:46 | 000,007,635 | ---- | C] () -- C:\Users\user\AppData\Local\resmon.resmoncfg
[2011/08/04 09:25:42 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/08/04 09:25:36 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/07/25 20:51:46 | 000,002,712 | ---- | C] () -- C:\Windows\System32\AVRedirector.ini
[2011/07/25 20:51:46 | 000,001,392 | ---- | C] () -- C:\Windows\System32\AVRedirectorOff.ini
[2011/06/15 10:50:22 | 000,000,286 | ---- | C] () -- C:\Windows\reimage.ini
[2011/06/06 21:06:53 | 000,000,144 | ---- | C] () -- C:\Users\user\AppData\Roaming\ohvoiryn.bat
[2011/02/28 12:48:11 | 000,028,496 | ---- | C] () -- C:\Windows\System32\SmartDefragBootTime.exe
[2011/02/28 12:48:11 | 000,015,672 | ---- | C] () -- C:\Windows\System32\drivers\SmartDefragDriver.sys
[2011/02/13 22:36:11 | 000,006,656 | ---- | C] () -- C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/08 17:09:10 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 1069 bytes -> C:\Users\Public\Documents\Statin users have a 48% higher risk of developing diabetes.eml:OECustomProperty

< End of report >
Reply With Quote
  #4  
Old April 18th, 2012, 11:41 PM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 962
OTL Extras logfile created on: 18/04/2012 23:26:42 - Run 1
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Users\user\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.24 Gb Total Physical Memory | 1.67 Gb Available Physical Memory | 51.44% Memory free
6.48 Gb Paging File | 4.77 Gb Available in Paging File | 73.58% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 76.59 Gb Total Space | 48.49 Gb Free Space | 63.31% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-1579020501-843201239-3247690963-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon
"C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{82AF3E91-57E1-4754-84D0-40A46E2479AB}" = OpenOffice.org 3.3
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"CCleaner" = CCleaner
"Easy Duplicate Finder_is1" = Easy Duplicate Finder v. 3.2
"Google Chrome" = Google Chrome
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Rapport_msi" = Rapport
"RAV" = Rising Antivirus
"Revo Uninstaller" = Revo Uninstaller 1.92
"RSD" = Rising Software Deployment System
"TVWiz" = Intel(R) TV Wizard
"VLC media player" = VideoLAN VLC media player 0.8.6f
"WinLiveSuite" = Windows Live Essentials
"WinRAR archiver" = WinRAR 4.01 (32-bit)

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >
Reply With Quote
  #5  
Old April 19th, 2012, 11:39 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 49,162
Blog Entries: 1
Excuse me Aaflac.

Icyber, you now have three, maybe four, open request threads, for what I suspect is the same system. Please post back here if this is the case, choose one, and I will close all the others. Thanks.
Reply With Quote
  #6  
Old April 20th, 2012, 09:52 AM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 962
Hi Jintan,
It is the same system, I hadn't realised the symptoms were connected to one common cause. I would like my OTL log checked, so I will leave it to you to choose which ones to close.
lcyber
Reply With Quote
  #7  
Old April 20th, 2012, 10:00 AM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 962
Hi Jintan, I can only see two posts, not three or four. One is about Lava Soft interfering with Spybot and another one asking about PUP BundleInstall. Two different things.
lcyber
Reply With Quote
  #8  
Old April 20th, 2012, 01:26 PM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 962
Hi Jintan,
On reflection I see there are a few posts on different subjects that have been outstanding for about 10 days, so I assumed that no-one knew the answers and amalgamating them into one post didn't occur to me. So I did in fact post more than two, contrary to what I previously wrote; on searching for my posts, these older two didn't initially show up. What is the procedure if this happens again?
lcyber
Reply With Quote
  #9  
Old April 21st, 2012, 03:20 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 49,162
Blog Entries: 1
Since we are all volunteers here, we do CTH stuff as time permits for each of us. So the review completed late last night. I work 6 days a week so am at work now. But I get off early, to do my dump run, banking and other things I only get a shot at Saturday afternoons. Then I'll likely do some gardening, visit some farm friend folks to discuss growing things, maybe scrape a little supper together, then see about helping out here. Including replying in your thread.

I'll delete your post in the No Answer in 2 Days thread, since of course you have had quite a few responses in the last 48 hours, and close two of your three Malware Removal Forum threads for now, then get back to work.
Reply With Quote
  #10  
Old April 21st, 2012, 11:46 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 49,162
Blog Entries: 1
Sure do not mean to be mean Icyber, in these replies, and always willing to help folks. I hope you understand.

"PUP" suggests "Potentially Undesirable Program". I don't see them installed, but all these would likely be considered as that:

[2012/04/10 13:09:01 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\SpeedMaxPc
[2012/04/10 13:09:01 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\DriverCure
[2012/04/10 13:08:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SpeedMaxPc
[2012/04/10 13:08:51 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedMaxPc
[2012/04/10 13:08:51 | 000,000,000 | ---D | C] -- C:\Program Files\SpeedMaxPc

DRV - [2010/11/26 19:02:22 | 000,015,672 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SmartDefragDriver.sys -- (SmartDefragDriver)

Actually that "Defrag" program, which I believe is Iolo or Iobit (both seem to crank out such stuff), shows running active components, but I don't see it as an installed program. If you would, go to Start - All Programs, and see if it is shown there, and also shows an uninstaller you can use.
Reply With Quote
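The cross-check described in post #10 (a binary that is present or running but has no matching entry in the Uninstall list), as an added example that is not part of the thread and not OTL's own code. The sample lines are copied from the logs posted above; the line layout is inferred from those lines only, and the function names and the name-prefix matching rule are assumptions made for illustration.

```python
import re
from os.path import commonprefix
from pathlib import PureWindowsPath

# Sample lines copied from the OTL.txt / Extras.txt logs posted in this thread.
OTL_LINES = r"""
DRV - [2010/11/26 19:02:22 | 000,015,672 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
[2011/02/28 12:48:11 | 000,028,496 | ---- | C] () -- C:\Windows\System32\SmartDefragBootTime.exe
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/04/09 15:44:10 | 000,009,725 | ---- | M] () -- C:\Users\user\Desktop\Documents\Equinity.odt
""".strip().splitlines()

UNINSTALL_LINES = r"""
"CCleaner" = CCleaner
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"RAV" = Rising Antivirus
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
""".strip().splitlines()

# Layout inferred from the entries above (an assumption, not an OTL specification):
# [KIND - ][date | size | attrs | C/M] (company) [[type | start | state]] -- path [-- (service)]
ENTRY = re.compile(
    r"^(?:(?P<kind>[A-Z0-9]+) - )?"
    r"\[(?P<stamp>[^|\]]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<flag>[CM])\] "
    r"\((?P<company>[^)]*)\) "
    r"(?:\[(?P<state>[^\]]+)\] )?"
    r"-- (?P<path>.+?)"
    r"(?: -- \((?P<service>[^)]+)\))?$"
)
BINARY_EXT = {".sys", ".exe", ".dll"}


def parse_entry(line):
    """Split one OTL file/driver line into fields; None if it is not such a line."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["size"] = int(e["size"].replace(",", ""))
    e["state"] = [s.strip() for s in e["state"].split("|")] if e["state"] else []
    return e


def installed_names(lines):
    """Display names from the '"key" = Display Name' lines of the Uninstall list."""
    found = (re.match(r'^"(.+?)" = (.+)$', ln.strip()) for ln in lines)
    return [m.group(2) for m in found if m]


def squash(text):
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_attributed(entry, names, min_prefix=5):
    """Hypothetical rule: vendor word, file stem or service name must share a
    prefix of at least min_prefix characters with some installed display name."""
    stem = PureWindowsPath(entry["path"]).stem
    hints = [entry["company"].split()[0] if entry["company"] else stem]
    if entry["service"]:
        hints.append(entry["service"])
    return any(len(commonprefix([squash(h), squash(n)])) >= min_prefix
               for h in hints for n in names)


def orphaned_binaries(otl_lines, uninstall_lines):
    """Binaries in the log that no installed program accounts for."""
    names = installed_names(uninstall_lines)
    found = []
    for line in otl_lines:
        e = parse_entry(line)
        if e and PureWindowsPath(e["path"]).suffix.lower() in BINARY_EXT \
                and not is_attributed(e, names):
            found.append(e)
    # Running drivers first: they are active components, not just leftover files.
    return sorted(found, key=lambda e: "Running" not in e["state"])


if __name__ == "__main__":
    for e in orphaned_binaries(OTL_LINES, UNINSTALL_LINES):
        print(e["path"], e["service"] or "-", "/".join(e["state"]) or "not listed as loaded")
```

The result is a shortlist for a human to review, not a verdict: a prefix match on names will miss vendors whose product names differ from their file names.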
  #11  
Old April 22nd, 2012, 02:22 AM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 49,162
Blog Entries: 1
FYI - post back even if you did not locate the Defrag uninstall, and we will go ahead and take it out manually.
Reply With Quote
  #12  
Old April 22nd, 2012, 10:09 AM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 962
No,
I can't find it mentioned. I read somewhere that doing a sfc /scannow might help, so I did that and found there were corrupt files that were unable to be fixed. It referred to a specific log but this log could not be found when doing a search; it is a CBS.log. I mention this as it will mean more to you than it does to me.
Reply With Quote
  #13  
Old April 22nd, 2012, 11:17 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 49,162
Blog Entries: 1
Unless you use the install CD/DVD to fix files, scannow is really more a look than a repair tool.

I didn't know it created a log, but web info suggests:

C:\Windows\Logs\CBS\CBS.log

You did make sure you can View Hidden Files?

-------------

Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

sc delete SmartDefragDriver

Then type exit and press Enter to close that window.

----------

And delete these files and folders:

C:\Windows\System32\drivers\SmartDefragDriver.sys
C:\Users\user\AppData\Roaming\ohvoiryn.bat
C:\Windows\System32\SmartDefragBootTime.exe


C:\Users\user\AppData\Roaming\SpeedMaxPc
C:\Users\user\AppData\Roaming\DriverCure
C:\Program Files\Common Files\SpeedMaxPc
C:\ProgramData\SpeedMaxPc
C:\Program Files\SpeedMaxPc

Reboot, and post back how all that went, as well as post on any other issues we still need to address please.
Reply With Quote
  #14  
Old April 24th, 2012, 12:08 AM
lcyber lcyber is offline
CTH Subscriber
 
Join Date: Feb 2003
O/S: Windows 7 64-bit
Location: uk
Posts: 962
SmartDefragDriver not exist as installed service
SmartDefragDriver.Sys label syntax incorrect
C:\Users\user\AppData\Roaming\ohvoiryn.bat unrecognized command
C:\Windows\System32\SmartDefragBootTime.exe syntax incorrect
C:\Users\user\AppData\Roaming\SpeedMaxPc unrecognized command
C:\ProgramData\SpeedMaxPc syntax incorrect
C:\Program Files\SpeedMaxPc syntax incorrect
The other outstanding problems are: PUP.BundleInstall, Malwarebytes removes this but it comes straight back; also LavaSoft is interfering with Spybot but I can't find it on my system.
Reply With Quote
  #15  
Old April 24th, 2012, 12:13 AM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 49,162
Blog Entries: 1
What created that list please? I was just suggesting you go to each of those locations, and delete the files/folders.

I will check back for remnants of Ad-Aware, but you may want to reconsider keeping SpyBot. Its value as an effective security program anymore is terribly questionable.
Reply With Quote
All times are GMT +1.