solomon7

208.73.210.29 (firefox.exe) blocked by Malwarebytes every 10 minutes

Yes, the block happened again as soon as I opened Firefox to post my previous post.

Hi again,

Please also run the following OTL fix:

:otl
[2012/04/24 17:53:09 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll

Let me know if the problem persists afterwards.

Oh OK, that was a quick one. Here is the output:

========== OTL ==========

C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll moved successfully.

OTL by OldTimer - Version 3.2.42.1 log created on 04272012_130719

***************************************

Will post after 15 minutes; I have to wait to see if it blocks again.

Yes, it happened again, approx. 15 minutes after opening Firefox...

OTL logfile created on: 4/27/2012 2:43:13 PM - Run 2

OTL by OldTimer - Version 3.2.42.1 Folder = C:\Users\Mediacube\Desktop

64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7601.17514)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.99 Gb Total Physical Memory | 5.91 Gb Available Physical Memory | 73.93% Memory free

15.98 Gb Paging File | 13.59 Gb Available in Paging File | 85.02% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 195.31 Gb Total Space | 141.53 Gb Free Space | 72.47% Space Free | Partition Type: NTFS

Drive D: | 270.45 Gb Total Space | 0.99 Gb Free Space | 0.37% Space Free | Partition Type: NTFS

Drive E: | 596.17 Gb Total Space | 99.10 Gb Free Space | 16.62% Space Free | Partition Type: NTFS

Drive F: | 465.76 Gb Total Space | 13.34 Gb Free Space | 2.86% Space Free | Partition Type: NTFS

Drive I: | 149.05 Gb Total Space | 4.57 Gb Free Space | 3.06% Space Free | Partition Type: NTFS

Computer Name: MEDIAQUBE | User Name: Mediacube | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/27 12:15:27 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Mediacube\Desktop\OTL.exe

PRC - [2012/04/24 17:53:09 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe

PRC - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2011/08/22 10:01:00 | 000,593,920 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe

PRC - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () -- C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe

PRC - [2011/07/28 19:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

PRC - [2010/07/07 16:00:22 | 007,667,970 | ---- | M] () -- C:\Program Files (x86)\Datacolor\Spyder3Pro\Utility\Spyder3Utility.exe

PRC - [2007/09/02 13:58:52 | 000,495,616 | ---- | M] () -- C:\Program Files (x86)\RocketDock\RocketDock.exe

========== Modules (No Company Name) ==========

MOD - [2012/04/24 17:53:09 | 001,952,696 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

MOD - [2012/03/14 09:39:46 | 006,611,456 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\eedf95f16a7e81ca43dd8accf11498a3\System.Data.ni.dll

MOD - [2012/03/14 09:39:07 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\9866d1f6178e1cde25642f1ac293ff8d\System.Xml.ni.dll

MOD - [2012/03/14 09:39:04 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\e620323cacb5b6bfd93fd28d263440e4\System.Configuration.ni.dll

MOD - [2012/03/14 09:39:03 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\faf4e8730ecbd07570111bb7c3b20565\System.ni.dll

MOD - [2012/03/14 09:38:57 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll

MOD - [2011/08/22 10:01:00 | 001,515,520 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\Maps\R66Api.dll

MOD - [2011/08/22 10:01:00 | 000,593,920 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe

MOD - [2011/08/22 10:01:00 | 000,559,244 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\sqlite3.7.dll

MOD - [2011/08/22 10:01:00 | 000,516,599 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\sqlite3.dll

MOD - [2011/08/22 10:01:00 | 000,389,120 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcDetect.dll

MOD - [2011/08/22 10:01:00 | 000,139,264 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcDisk.dll

MOD - [2011/08/22 10:01:00 | 000,139,264 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcDetectLegend.dll

MOD - [2011/08/22 10:01:00 | 000,094,208 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\fdHttpd.dll

MOD - [2011/07/28 19:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files (x86)\DivX\DivX Update\DivXUpdateCheck.dll

MOD - [2011/07/28 19:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

MOD - [2010/11/04 21:58:05 | 002,927,616 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll

MOD - [2010/07/07 16:00:22 | 007,667,970 | ---- | M] () -- C:\Program Files (x86)\Datacolor\Spyder3Pro\Utility\Spyder3Utility.exe

MOD - [2010/07/07 16:00:22 | 000,868,352 | ---- | M] () -- C:\Program Files (x86)\Datacolor\Spyder3Pro\Utility\Spyder3Utility Libs\RBScript.dll

MOD - [2010/07/07 16:00:22 | 000,762,368 | ---- | M] () -- C:\Program Files (x86)\Datacolor\Spyder3Pro\Utility\Spyder3Utility Libs\XML.dll

MOD - [2010/07/07 16:00:22 | 000,266,240 | ---- | M] () -- C:\Program Files (x86)\Datacolor\Spyder3Pro\Utility\Spyder3Utility Libs\CGamma.dll

MOD - [2010/07/07 16:00:22 | 000,147,456 | ---- | M] () -- C:\Program Files (x86)\Datacolor\Spyder3Pro\Utility\Spyder3Utility Libs\RegEx.dll

MOD - [2010/07/07 16:00:22 | 000,139,264 | ---- | M] () -- C:\Program Files (x86)\Datacolor\Spyder3Pro\Utility\Spyder3Utility Libs\Appearance Pak.dll

MOD - [2010/07/07 16:00:22 | 000,098,304 | ---- | M] () -- C:\Program Files (x86)\Datacolor\Spyder3Pro\Utility\Spyder3Utility Libs\Shell.dll

MOD - [2010/07/07 16:00:22 | 000,065,536 | ---- | M] () -- C:\Program Files (x86)\Datacolor\Spyder3Pro\Utility\Spyder3Utility Libs\CSensor.dll

MOD - [2010/07/07 16:00:22 | 000,028,672 | ---- | M] () -- C:\Program Files (x86)\Datacolor\Spyder3Pro\Utility\Spyder3Utility Libs\MBSRegistrationPlugin16042.dll

MOD - [2010/07/07 16:00:22 | 000,025,600 | ---- | M] () -- C:\Program Files (x86)\Datacolor\Spyder3Pro\Utility\Spyder3Utility Libs\MBSPluginVersionPlugin16042.dll

MOD - [2007/09/02 13:58:52 | 000,495,616 | ---- | M] () -- C:\Program Files (x86)\RocketDock\RocketDock.exe

MOD - [2007/09/02 13:57:36 | 000,069,632 | ---- | M] () -- C:\Program Files (x86)\RocketDock\RocketDock.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/03/09 01:10:20 | 000,235,520 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)

SRV:64bit: - [2011/04/04 10:57:32 | 003,501,696 | ---- | M] (Agnitum Ltd.) [Auto | Running] -- C:\Program Files\Agnitum\Outpost Security Suite Free\acs.exe -- (acssrv)

SRV:64bit: - [2010/11/15 11:08:10 | 005,716,848 | ---- | M] (Wacom Technology, Corp.) [Auto | Running] -- C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe -- (TabletServiceWacom)

SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)

SRV - [2012/04/24 17:53:09 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)

SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)

SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)

SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)

SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/04/04 15:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)

DRV:64bit: - [2012/03/09 02:28:08 | 010,857,984 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)

DRV:64bit: - [2012/03/08 23:58:02 | 000,328,704 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)

DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)

DRV:64bit: - [2011/12/05 15:47:30 | 000,095,248 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)

DRV:64bit: - [2011/06/10 06:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)

DRV:64bit: - [2011/03/21 16:29:04 | 001,097,672 | ---- | M] (Agnitum Ltd.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\SandBox64.sys -- (SandBox)

DRV:64bit: - [2011/03/21 16:28:12 | 000,042,976 | ---- | M] (Agnitum Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Filt\VBFilt64.dll -- (VBFilt)

DRV:64bit: - [2011/03/21 16:28:06 | 000,049,168 | ---- | M] (Agnitum Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Filt\ASWFilt64.dll -- (ASWFilt)

DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)

DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)

DRV:64bit: - [2011/02/02 17:04:24 | 000,293,048 | ---- | M] (VirusBuster Kft.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VBEngNT.sys -- (VBEngNT)

DRV:64bit: - [2010/11/20 09:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)

DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)

DRV:64bit: - [2010/11/02 16:07:54 | 000,013,312 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wacmoumonitor.sys -- (wacmoumonitor)

DRV:64bit: - [2010/10/25 10:59:32 | 000,012,848 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\wacommousefilter.sys -- (wacommousefilter)

DRV:64bit: - [2010/10/25 10:59:28 | 000,016,168 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\wacomvhid.sys -- (wacomvhid)

DRV:64bit: - [2010/09/27 15:38:44 | 000,424,040 | ---- | M] (Agnitum Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\afwcore.sys -- (afwcore)

DRV:64bit: - [2010/06/25 16:08:10 | 000,036,928 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\htcnprot.sys -- (htcnprot)

DRV:64bit: - [2010/04/20 16:02:50 | 000,039,528 | ---- | M] (Agnitum Ltd.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\afw.sys -- (afw)

DRV:64bit: - [2010/03/30 22:27:42 | 000,015,360 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Spyder3.sys -- (Spyder3)

DRV:64bit: - [2009/11/18 07:12:00 | 000,032,344 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\MBfilt64.sys -- (MBfilt)

DRV:64bit: - [2009/11/02 18:16:50 | 000,033,736 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ANDROIDUSB.sys -- (HTCAND64)

DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)

DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)

DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)

DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)

DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)

DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)

DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

DRV:64bit: - [2009/03/02 15:00:46 | 000,118,888 | ---- | M] (Rocket Division Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\StarPortLite.sys -- (StarPortLite) StarPort Storage Controller (Lite)

DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\S-1-5-21-3488321904-1041780870-3181433465-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@wacom.com/wacom-plugin,version=1.1.0.5: C:\Program Files (x86)\TabletPlugins\npwacom.dll (Wacom, Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Mediacube\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Mediacube\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/04/27 13:07:19 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2011/09/07 19:38:51 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2011/06/23 14:55:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mediacube\AppData\Roaming\Mozilla\Extensions

[2012/04/26 11:09:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mediacube\AppData\Roaming\Mozilla\Firefox\Profiles\3ygotqwa.default\extensions

[2011/11/11 09:08:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions

() (No name found) -- C:\USERS\MEDIACUBE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3YGOTQWA.DEFAULT\EXTENSIONS\{1280606B-2510-4FE0-97EF-9B5A22EAFE30}.XPI

() (No name found) -- C:\USERS\MEDIACUBE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3YGOTQWA.DEFAULT\EXTENSIONS\{37FA1426-B82D-11DB-8314-0800200C9A66}.XPI

() (No name found) -- C:\USERS\MEDIACUBE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3YGOTQWA.DEFAULT\EXTENSIONS\{C45C406E-AB73-11D8-BE73-000A95BE3B12}.XPI

() (No name found) -- C:\USERS\MEDIACUBE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3YGOTQWA.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI

() (No name found) -- C:\USERS\MEDIACUBE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3YGOTQWA.DEFAULT\EXTENSIONS\{DC572301-7619-498C-A57D-39143191B318}.XPI

[2011/11/11 09:08:04 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

[2011/11/11 09:08:04 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}

CHR - Extension: Web Developer = C:\Users\Mediacube\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbameneiokkgbdmiekhjnmfkcnldhhm\0.3.1_0\

CHR - Extension: YouTube = C:\Users\Mediacube\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\

CHR - Extension: YouTube = C:\Users\Mediacube\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\

CHR - Extension: Google Search = C:\Users\Mediacube\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\

CHR - Extension: Google Search = C:\Users\Mediacube\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\

CHR - Extension: Gmail = C:\Users\Mediacube\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

CHR - Extension: Gmail = C:\Users\Mediacube\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/04/26 15:34:16 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)

O4:64bit: - HKLM..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Security Suite Free\feedback.exe (Agnitum Ltd.)

O4:64bit: - HKLM..\Run: [OutpostMonitor] C:\Program Files\Agnitum\Outpost Security Suite Free\op_mon.exe (Agnitum Ltd.)

O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)

O4 - HKLM..\Run: [DivXUpdate] C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()

O4 - HKLM..\Run: [HTC Sync Loader] C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe ()

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [startCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)

O4 - HKLM..\Run: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)

O4 - HKU\S-1-5-21-3488321904-1041780870-3181433465-1000..\Run: [RocketDock] C:\Program Files (x86)\RocketDock\RocketDock.exe ()

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-3488321904-1041780870-3181433465-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-3488321904-1041780870-3181433465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.245.129 167.206.245.130

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{89C615C7-1B65-4F59-AF2F-08993A8FC71C}: DhcpNameServer = 167.206.245.129 167.206.245.130

O18:64bit: - Protocol\Handler\skype4com - No CLSID value found

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20:64bit: - AppInit_DLLs: (c:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook64.dll) - c:\Program Files\Agnitum\Outpost Security Suite Free\wl_hook64.dll (Agnitum Ltd.)

O20 - AppInit_DLLs: (c:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll) - c:\Program Files\Agnitum\Outpost Security Suite Free\wl_hook.dll (Agnitum Ltd.)

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *)

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/04/27 12:23:21 | 000,000,000 | ---D | C] -- C:\_OTL

[2012/04/27 12:15:28 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Mediacube\Desktop\OTL.exe

[2012/04/26 15:38:20 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2012/04/26 15:34:21 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN

[2012/04/26 10:22:16 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2012/04/26 10:22:16 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2012/04/26 10:22:16 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2012/04/26 10:22:02 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2012/04/26 10:21:47 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/04/25 01:21:38 | 005,559,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe

[2012/04/25 01:21:38 | 003,968,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe

[2012/04/25 01:21:37 | 003,913,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe

[2012/04/25 01:20:09 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\imagehlp.dll

[2012/04/25 01:20:09 | 000,023,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\fs_rec.sys

[2012/04/25 01:20:07 | 000,220,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll

[2012/04/24 17:53:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla

[2012/04/24 17:53:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service

[2012/04/21 21:43:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Camera Bits, Inc

[2012/04/21 21:31:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Mechanic 4.6.8

[2012/04/21 18:26:19 | 000,000,000 | ---D | C] -- C:\Users\Mediacube\AppData\Roaming\Camera Bits, Inc

[2012/04/21 18:23:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Camera Bits

[2012/04/21 18:16:07 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\appmgmt

[2012/04/21 02:46:36 | 000,000,000 | ---D | C] -- C:\Users\Mediacube\AppData\Roaming\XnView

[2012/04/20 16:25:10 | 000,000,000 | ---D | C] -- C:\Users\Mediacube\AppData\Local\ACD Systems

[2012/04/20 16:25:09 | 000,000,000 | ---D | C] -- C:\Users\Mediacube\AppData\Roaming\ACD Systems

[2012/04/20 16:22:27 | 000,000,000 | ---D | C] -- C:\ProgramData\ACD Systems

[2012/04/19 16:49:56 | 000,000,000 | ---D | C] -- C:\Users\Mediacube\AppData\Local\QuickPar

[2012/04/19 16:47:55 | 000,000,000 | ---D | C] -- C:\Users\Mediacube\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\QuickPar

[2012/04/19 16:47:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickPar

[2012/04/19 16:47:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickPar

[2012/04/19 12:51:54 | 000,000,000 | ---D | C] -- C:\Users\Mediacube\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome

[2012/04/19 12:51:23 | 000,000,000 | ---D | C] -- C:\Users\Mediacube\AppData\Local\Google

[2012/04/18 18:04:50 | 000,000,000 | ---D | C] -- C:\Users\Mediacube\Documents\StarBurn

[2012/04/18 18:04:50 | 000,000,000 | ---D | C] -- C:\Users\Mediacube\AppData\Roaming\StarBurn

[2012/04/04 17:08:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD APP

[2012/04/04 16:59:30 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI

[2012/04/04 16:54:04 | 000,000,000 | ---D | C] -- C:\ProgramData\AMD

[2012/04/04 16:54:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD AVT

[2012/04/04 16:53:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ATI Technologies

[2012/04/04 16:53:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\ATI Technologies

[2012/04/04 16:53:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Catalyst Control Center

[2012/04/04 16:51:33 | 000,000,000 | ---D | C] -- C:\Program Files\ATI

[2012/04/04 16:49:54 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies

[2012/04/04 16:19:08 | 000,000,000 | ---D | C] -- C:\AMD

========== Files - Modified Within 30 Days ==========

[2012/04/27 13:57:00 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3488321904-1041780870-3181433465-1000UA.job

[2012/04/27 12:56:01 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3488321904-1041780870-3181433465-1000Core.job

[2012/04/27 12:34:25 | 000,014,832 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2012/04/27 12:34:25 | 000,014,832 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2012/04/27 12:33:05 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2012/04/27 12:33:05 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2012/04/27 12:33:05 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2012/04/27 12:26:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/04/27 12:26:52 | 2140,495,871 | -HS- | M] () -- C:\hiberfil.sys

[2012/04/27 12:15:27 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Mediacube\Desktop\OTL.exe

[2012/04/26 17:20:29 | 000,000,132 | ---- | M] () -- C:\Users\Mediacube\AppData\Roaming\Adobe Targa Format CS5 Prefs

[2012/04/26 15:34:16 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts

[2012/04/22 20:12:13 | 000,000,132 | ---- | M] () -- C:\Users\Mediacube\AppData\Roaming\Adobe PNG Format CS5 Prefs

[2012/04/20 16:25:32 | 000,003,584 | ---- | M] () -- C:\Users\Mediacube\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/04/04 16:38:19 | 000,000,034 | ---- | M] () -- C:\Windows\SysNative\machine.ini

[2012/04/04 15:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2012/04/02 22:33:20 | 000,000,132 | ---- | M] () -- C:\Users\Mediacube\AppData\Roaming\Adobe GIF Format CS5 Prefs

[2012/04/01 15:28:13 | 000,001,466 | ---- | M] () -- C:\Users\Public\Desktop\Firestorm v4.lnk

========== Files Created - No Company Name ==========

[2012/04/26 10:22:16 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2012/04/26 10:22:16 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2012/04/26 10:22:16 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2012/04/26 10:22:16 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2012/04/26 10:22:16 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2012/04/20 16:25:32 | 000,003,584 | ---- | C] () -- C:\Users\Mediacube\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/04/19 12:51:26 | 000,000,924 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3488321904-1041780870-3181433465-1000UA.job

[2012/04/19 12:51:25 | 000,000,872 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3488321904-1041780870-3181433465-1000Core.job

[2012/04/04 16:38:19 | 000,000,034 | ---- | C] () -- C:\Windows\SysNative\machine.ini

[2012/03/09 01:26:20 | 000,054,784 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll

[2012/03/09 00:31:26 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat

[2012/03/09 00:31:26 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat

[2012/01/31 07:00:24 | 000,016,896 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll

[2012/01/08 02:03:46 | 000,000,118 | ---- | C] () -- C:\Windows\SysWow64\Binder Functions.dll

[2011/11/17 14:06:06 | 000,000,132 | ---- | C] () -- C:\Users\Mediacube\AppData\Roaming\Adobe GIF Format CS5 Prefs

[2011/09/23 09:53:14 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini

[2011/09/23 09:53:12 | 000,650,752 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll

[2011/09/23 09:53:12 | 000,243,200 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll

[2011/09/23 09:53:11 | 000,074,752 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll

[2011/09/12 18:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

[2011/07/12 19:09:03 | 000,000,132 | ---- | C] () -- C:\Users\Mediacube\AppData\Roaming\Adobe BMP Format CS5 Prefs

[2011/06/26 18:30:07 | 000,000,132 | ---- | C] () -- C:\Users\Mediacube\AppData\Roaming\Adobe PNG Format CS5 Prefs

[2011/06/26 15:27:13 | 000,000,805 | ---- | C] () -- C:\Windows\cedt.INI

[2011/06/26 14:32:59 | 000,000,132 | ---- | C] () -- C:\Users\Mediacube\AppData\Roaming\Adobe Targa Format CS5 Prefs

[2011/06/25 14:40:15 | 000,175,616 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll

[2011/06/23 15:10:16 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin

[2011/06/23 13:49:17 | 000,007,605 | ---- | C] () -- C:\Users\Mediacube\AppData\Local\Resmon.ResmonCfg

[2011/03/24 14:37:50 | 000,324,096 | ---- | C] () -- C:\Windows\SysWow64\SDL.dll

========== Files - Unicode (All) ==========

[2011/12/22 13:59:05 | 000,000,000 | ---D | M](C:\Users\Mediacube\AppData\Local\???__?????


Hello again,

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :otl
    () (No name found) -- C:\USERS\MEDIACUBE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3YGOTQWA.DEFAULT\EXTENSIONS\{1280606B-2510-4FE0-97EF-9B5A22EAFE30}.XPI
    () (No name found) -- C:\USERS\MEDIACUBE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3YGOTQWA.DEFAULT\EXTENSIONS\{37FA1426-B82D-11DB-8314-0800200C9A66}.XPI
    () (No name found) -- C:\USERS\MEDIACUBE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3YGOTQWA.DEFAULT\EXTENSIONS\{C45C406E-AB73-11D8-BE73-000A95BE3B12}.XPI
    () (No name found) -- C:\USERS\MEDIACUBE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3YGOTQWA.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
    () (No name found) -- C:\USERS\MEDIACUBE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3YGOTQWA.DEFAULT\EXTENSIONS\{DC572301-7619-498C-A57D-39143191B318}.XPI
    [2012/04/24 17:53:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service


  3. Push Run Fix.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click the OK button.
  6. A report will open. Copy and Paste that report in your next reply.


Here is the result. It didn't ask to reboot. Will see if the block shows up again.

========== OTL ==========

C:\Program Files (x86)\Mozilla Maintenance Service folder moved successfully.

OTL by OldTimer - Version 3.2.42.1 log created on 04272012_151526


To be sure, restart your computer as well.


All other Firefox components look legit, while obviously there is still a malicious component active.

Can you click Start > All Programs > Mozilla Firefox > Firefox (safe mode)?

Let me know if, by running it that way (without add-ons), you still get the IP blocks.


IP Block still showing up after reboot.. 15 minutes after starting firefox


There is no Firefox Safe Mode in the apps menu, but I got it into safe mode via Firefox \ Help \ "Restart with Add-ons Disabled".. Will wait 15min and see what happens.

I don't recall any extensions or addons being installed or updated at the time the popups first began. I looked at the protection logs of MBAM and they show the first blocked connections happening on April 21st:

2012/04/21 21:33:31 -0400 MEDIAQUBE Mediacube MESSAGE Database refreshed successfully

2012/04/21 21:33:31 -0400 MEDIAQUBE Mediacube MESSAGE Starting IP protection

2012/04/21 21:33:32 -0400 MEDIAQUBE Mediacube MESSAGE IP Protection started successfully

2012/04/21 23:00:48 -0400 MEDIAQUBE Mediacube IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 49249, Process: firefox.exe)

but there were no MBAM popups reporting the blocked connections until the 24th, which is the same day Firefox was updated to the latest version.

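As an added example that is not part of the thread, this is how the regular spacing visible in those protection-log lines can be checked mechanically: parse the IP-BLOCK entries and report every process/IP pair whose outbound blocks recur at a near-constant interval. The sample log is constructed (the IP is the one quoted in the thread; the timestamps and ports are made up).

```python
"""Flag regularly spaced outbound IP-BLOCK events in a Malwarebytes log.

Added example, not from the thread; the sample log is constructed (IP from the
thread, timestamps and ports made up). Lines follow the shape the poster quoted."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [+-]\d{4}) \S+ \S+ IP-BLOCK (?P<ip>\S+) "
                     r"\(Type: (?P<dir>\w+), Port: \d+, Process: (?P<proc>[^)]+)\)$")

def parse_blocks(lines):
    """Yield (timestamp, ip, direction, process) for each IP-BLOCK line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S %z"),
                   m["ip"], m["dir"], m["proc"])

def periodic_blocks(lines, min_events=3, tolerance=0.2):
    """Return {(process, ip): median_gap_minutes} for outgoing blocks whose gaps
    all lie within `tolerance` of the median: the idle-browser beacon pattern."""
    times = defaultdict(list)
    for ts, ip, direction, proc in parse_blocks(lines):
        if direction == "outgoing":
            times[(proc, ip)].append(ts)
    found = {}
    for key, stamps in times.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= tolerance * mid for g in gaps):
            found[key] = mid
    return found

# Constructed sample log; the MESSAGE line does not match and is skipped.
SAMPLE_LOG = """\
2012/04/21 21:33:32 -0400 MEDIAQUBE Mediacube MESSAGE IP Protection started successfully
2012/04/21 23:00:48 -0400 MEDIAQUBE Mediacube IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 49249, Process: firefox.exe)
2012/04/21 23:15:49 -0400 MEDIAQUBE Mediacube IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 49301, Process: firefox.exe)
2012/04/21 23:30:47 -0400 MEDIAQUBE Mediacube IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 49355, Process: firefox.exe)
2012/04/21 23:45:50 -0400 MEDIAQUBE Mediacube IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 49402, Process: firefox.exe)
""".splitlines()

if __name__ == "__main__":
    for (proc, ip), gap in periodic_blocks(SAMPLE_LOG).items():
        print(f"{proc} -> {ip}: outbound connection blocked about every {gap:.0f} min")
```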

Given the owner of the blocked domain (Oversee Net) could you please test if you get this block only when accessing certain sites?


Yes, everything else about the machine is fine. Firefox can access any other website and there are no redirects/hijacks taking place.

Also, perhaps I'm misreading your message, but I'm not "accessing" that Oversee site/domain.. Whatever has infected this machine is connecting out to it every 15 minutes even with Firefox sitting idle.

At this point I'm beginning to think I need to wipe out the machine and reinstall it. Even if we could find what the issue is, I don't think I would trust this machine on my network again and there's no way to tell what else may have been downloaded onto it and still remains hidden. Whatever it is wouldn't survive a format and reinstall, would it?


I would start with just uninstalling Firefox and removing all your Firefox user data as well. There is a new Firefox/Chrome hijacker doing the rounds that does not show up in any of the normal locations, which means it's extremely hard to remove it without also removing the program. However, this is limited to Firefox, so your machine should be fine otherwise.

After completely uninstalling firefox and all its components you can reinstall it and see if the problem returns or not.


Ok, so I wiped the machine today.. reinstalled win7 while disconnected from the network.. then installed MBAM.. then installed Outpost Security Suite.. then installed Firefox.. copied my places.sqlite bookmark file, and 15 minutes later, on a brand new machine, the same connections began again.. I've just shut down firefox, removed my bookmarks, replaced the original/default places.sqlite file, and restarted firefox.. am waiting to see what happens..

So, if this is what happened, how is it that a bookmarked link is trying to connect out? Or could it be the bookmark database file itself that is infected with something.. (I don't have any custom live bookmarks.. only the pre-installed live bookmarks that are installed with Firefox)...

So if this proves to be the case, is there a way to figure out which bookmark is causing the problem?


On doing some reading, it seems that by default, Live Bookmarks in Firefox update every 60 minutes.. I'm not sure if there's a way to change this, but if there is not, then it wouldn't seem to be any of the preinstalled Live Bookmarks...

Firefox has now been running for 25 minutes with the default places.sqlite file instead of my personal bookmark file, and there have been no connections.. so I *think* I've identified the culprit... So now I need to figure out which bookmarked link is causing it, or if it's the bookmark database itself.


Firefox has now been running over an hour with the default bookmark file and no blocked connection attempts...


Ok.. I ran Firefox with the default places.sqlite file for over 90 minutes and not a single outbound connection attempt.. I then shut down firefox, renamed the default bookmark file to places.sqlite.ORIG and copied my backup bookmark file into the profile folder.. I started firefox again and went to Bookmarks \ Show All Bookmarks \ Import and Backup \ Export Bookmarks to HTML and saved the file as bookmarks.html

I then shut down Firefox, deleted my custom places.sqlite file, and renamed places.sqlite.ORIG back to places.sqlite.. I then restarted firefox and let it run for 25 minutes.. no outbound connection attempts.. again confirming the problem seems to be either the bookmark file itself, or a bookmarked site in the bookmark file..

After the 25 minutes, I went to Bookmarks \ Show All Bookmarks \ Import and Backup \ Import Bookmarks from HTML and imported the html file I saved..

Immediately an outbound connection was blocked by MBAM..

So this now confirms, I think, that the problem is with one of the bookmarked sites / links in the bookmark file, and not the bookmark database file itself...

Does this seem logical?

So now how do I go about finding which one it is...?

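One way to work out which entry is responsible, added here as an example and not part of the thread: parse the exported bookmarks.html and list every bookmark HREF and every live-bookmark FEEDURL grouped by host, since the feed URL of a live bookmark is fetched on a timer without anyone clicking it. The sample export and its hosts are constructed.

```python
"""List every URL a Firefox bookmarks.html export would make Firefox touch.

Added example, not from the thread. The export is Netscape bookmark format: each
bookmark is an <A HREF=...>; a live bookmark also carries FEEDURL, the feed
Firefox polls on a timer even if the bookmark is never clicked."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

class BookmarkLinks(HTMLParser):
    """Collect (kind, url) for every HREF and FEEDURL attribute on <A> tags."""
    def __init__(self):
        super().__init__()
        self.links = []  # (kind, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:  # HTMLParser lower-cases attribute names
            if name == "href" and value:
                self.links.append(("bookmark", value))
            elif name == "feedurl" and value:
                self.links.append(("feed", value))

def links_by_host(bookmarks_html):
    """Return {host: [(kind, url), ...]} so each host can be reviewed once."""
    parser = BookmarkLinks()
    parser.feed(bookmarks_html)
    grouped = defaultdict(list)
    for kind, url in parser.links:
        grouped[urlsplit(url).hostname or "(no host)"].append((kind, url))
    return dict(grouped)

# Constructed sample export, not the poster's bookmark file.
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
  <DT><A HREF="https://forums.malwarebytes.org/" ADD_DATE="1335000000">MBAM forums</A>
  <DT><A HREF="http://news.example.invalid/" FEEDURL="http://feeds.example.invalid/rss">Live feed</A>
  <DT><A HREF="https://www.mozilla.org/">Mozilla</A>
</DL><p>
"""

if __name__ == "__main__":
    for host, entries in sorted(links_by_host(SAMPLE_EXPORT).items()):
        print(host)
        for kind, url in entries:
            print(f"  {kind:8} {url}")
```

Hosts that appear only as a feed URL are the ones worth checking first, because a live bookmark contacts them on its own schedule.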