Infected with spyware

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

Infected with spyware not sure what it is called

#1 noxqs

New Member

Group: Members
Posts: 4
Joined: 23-December 10

Posted 31 March 2011 - 03:22 PM

Hiya there guys, my computer keeps slowing down, I keep getting random popups as well. I've definately got spyware and my computer performs better when I close down "Byzhaa.exe" (I think that is what it is called). Thanks for any help given, my computer is driving me mad!

Anyways, heres the log

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Asif at 20:56:47.89 on 31/03/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.544 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IObit\Game Booster\gbtray.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Documents and Settings\All Users\Application Data\QuestBrwSearch\questbrowse129.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\vVX1000.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuestBrwSearch\questbrwsearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\Asif\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Asif\My Documents\Downloads\dds(2).scr
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
BHO: AC-Pro: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\program files\autocompletepro\AutocompletePro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OfferBox: {fc0d62c2-9640-4aeb-a5d5-cf25df11fa8c} - c:\program files\offerbox\OfferBoxBHO.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Ysayezanonulur] rundll32.exe "c:\windows\kbdgcas.dll",Startup
uRun: [OUU6KC5WPX] c:\docume~1\asif\locals~1\temp\Bxf.exe
uRun: [BSRURUF55J] c:\windows\Bzyhaa.exe
mRun: [INPROCOMMWireless] c:\program files\atheros\wireless\utility\WlanUtil.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Inulehadajak] rundll32.exe "c:\windows\agifecujof.dll",Startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - c:\program files\clickpotatolite\bin\10.0.666.0\ClickPotatoLiteSABHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\asif\applic~1\mozilla\firefox\profiles\0iaia907.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\documents and settings\asif\application data\mozilla\firefox\profiles\0iaia907.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\asif\application data\mozilla\firefox\profiles\0iaia907.default\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\asif\application data\mozilla\firefox\profiles\0iaia907.default\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\asif\application data\mozilla\firefox\profiles\0iaia907.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\documents and settings\asif\application data\mozilla\firefox\profiles\0iaia907.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\offerbox\offerboxffx@offerbox.com\components\OfferBoxXpCom.dll
FF - component: c:\program files\shopperreports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions\components\BRNstFF.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\clickpotatolite\bin\10.0.666.0\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: QuestBrowse: {D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0} - c:\program files\mozilla firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}
FF - Ext: DAEMON Tools Toolbar: DTToolbar@toolbarnet.com - %profile%\extensions\DTToolbar@toolbarnet.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - %profile%\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}
FF - Ext: AutocompletePro - Your handy search suggestions tool: support@predictad.com - %profile%\extensions\support@predictad.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: ShopperReports: ShopperReports@ShopperReports.com - c:\program files\shopperreports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions
FF - Ext: ClickPotatoLite Component: ClickPotatoLite@ClickPotatoLite.com - c:\program files\clickpotatolite\bin\10.0.666.0\firefox\extensions
FF - Ext: OfferBox: offerboxffx@offerbox.com - c:\program files\offerbox\offerboxffx@offerbox.com
FF - Ext: XULRunner: {D72BEF5E-869F-49E0-B436-06DA3163C12F} - c:\documents and settings\asif\local settings\application data\{D72BEF5E-869F-49E0-B436-06DA3163C12F}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2010-12-3 196912]
R2 QuestBrowse Service;QuestBrowse Service;c:\documents and settings\all users\application data\questbrwsearch\questbrowse129.exe [2011-3-30 49152]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-21 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
.
=============== Created Last 30 ================
.
2011-03-28 19:38:30 -------- d-----w- c:\program files\common files\Symantec Shared
2011-03-28 19:38:19 -------- d-----w- c:\windows\system32\drivers\nss\0300000.067
2011-03-28 19:38:19 -------- d-----w- c:\windows\system32\drivers\NSS
2011-03-28 19:38:19 -------- d-----w- c:\program files\Norton Security Scan
2011-03-28 19:38:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-03-28 19:38:14 -------- d-----w- c:\program files\NortonInstaller
2011-03-28 19:38:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2011-03-28 16:37:52 -------- d-----w- c:\windows\system32\Adobe
2011-03-27 15:10:14 0 ----a-w- c:\windows\Ssobaxiq.bin
2011-03-27 15:09:58 -------- d-----w- c:\docume~1\asif\locals~1\applic~1\{D72BEF5E-869F-49E0-B436-06DA3163C12F}
2011-03-27 15:09:15 -------- d-----w- c:\docume~1\asif\applic~1\OfferBox
2011-03-27 15:08:35 -------- d-----w- c:\program files\OfferBox
2011-03-27 15:08:19 149504 --sha-r- c:\windows\system32\usrlogonb.dll
2011-03-27 15:08:19 135168 --sha-r- c:\windows\system32\dhcpcsvcv.dll
2011-03-27 15:08:04 128000 ----a-w- c:\windows\Bzyhaa.exe
2011-03-20 15:46:16 -------- d-----w- c:\windows\Favorites
2011-03-20 15:46:13 -------- d-----w- c:\program files\ElefunMultimedia
2011-03-13 19:49:34 -------- d-----w- c:\program files\QuestBrwSearch
2011-03-13 19:49:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\QuestBrwSearch
2011-03-13 19:49:18 70448 ----a-w- c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
2011-03-13 19:49:16 -------- d-----w- c:\program files\ClickPotatoLite
2011-03-13 19:49:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\ClickPotatoLiteSA
2011-03-13 19:49:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2011-03-13 19:48:58 -------- d-----w- c:\program files\ShopperReports3
2011-03-13 19:48:58 -------- d-----w- c:\docume~1\asif\applic~1\ShopperReports3
2011-03-03 14:40:22 -------- d-----w- c:\program files\EA SPORTS
.
==================== Find3M ====================
.
2011-02-16 18:02:07 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-02-16 17:51:21 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-02-16 17:51:21 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-02-16 17:51:21 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 14:07:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-27 14:07:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-26 19:18:00 34064 ----a-w- c:\windows\system32\lhacm.acm
2011-01-21 16:15:18 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-21 16:15:18 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-21 14:42:25 439808 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-20 19:28:38 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-01-07 14:09:31 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK6034GSX rev.AH101J -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x897EF439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x897f57d0]; MOV EAX, [0x897f584c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89887AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x897796E0]
\Driver\atapi[0x89887878] -> IRP_MJ_CREATE -> 0x897EF439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK6034GSX_______________________AH101J__#5&3107df17&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x897EF27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:58:38.00 ===============

Attached File(s)

Attach.txt (10.71K)
Number of downloads: 0
ark.txt (23.89K)
Number of downloads: 0

#2 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 31 March 2011 - 08:20 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
Because of this, you must reply within three days failure to reply will result in the topic being closed!
Please do not PM me directly for help. If you have any questions, post them in this topic.
Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Posted Image

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.

I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

NEXT:

Running TDSSKiller

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

NEXT:

Running OTL

We need to create an OTL Report

Please download OTL from one of the following mirrors:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extra.txt <-- Will be minimized

NEXT:

Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here

The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#3 noxqs

New Member

Group: Members
Posts: 4
Joined: 23-December 10

Posted 01 April 2011 - 06:55 AM

Hey

Thanks for all your help, I can't believe you guys are volunteers! Appreciate it.

After I rebooted my computer the Bzyhaa was still running in my task manager and slowing down the computer. Thats all I can tell so far.

Heres the logs

TDSSKiller

2011/04/01 12:42:40.0580 4080 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/01 12:42:40.0986 4080 ================================================================================
2011/04/01 12:42:40.0986 4080 SystemInfo:
2011/04/01 12:42:40.0986 4080
2011/04/01 12:42:40.0986 4080 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/01 12:42:40.0986 4080 Product type: Workstation
2011/04/01 12:42:40.0986 4080 ComputerName: ASIF-7EEF9A93C3
2011/04/01 12:42:40.0986 4080 UserName: Asif
2011/04/01 12:42:40.0986 4080 Windows directory: C:\WINDOWS
2011/04/01 12:42:40.0986 4080 System windows directory: C:\WINDOWS
2011/04/01 12:42:40.0986 4080 Processor architecture: Intel x86
2011/04/01 12:42:40.0986 4080 Number of processors: 1
2011/04/01 12:42:40.0986 4080 Page size: 0x1000
2011/04/01 12:42:40.0986 4080 Boot type: Normal boot
2011/04/01 12:42:40.0986 4080 ================================================================================
2011/04/01 12:42:42.0033 4080 Initialize success
2011/04/01 12:42:53.0394 0284 ================================================================================
2011/04/01 12:42:53.0394 0284 Scan started
2011/04/01 12:42:53.0394 0284 Mode: Manual;
2011/04/01 12:42:53.0394 0284 ================================================================================
2011/04/01 12:42:54.0238 0284 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/01 12:42:54.0285 0284 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/04/01 12:42:54.0394 0284 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/01 12:42:54.0472 0284 AFD (4d43e74f2a1239d53929b82600f1971c) C:\WINDOWS\System32\drivers\afd.sys
2011/04/01 12:42:54.0816 0284 AR5211 (baa6b3cc74a4377d063c5a92dd9c4098) C:\WINDOWS\system32\DRIVERS\ar5211.sys
2011/04/01 12:42:55.0003 0284 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/01 12:42:55.0066 0284 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/01 12:42:55.0316 0284 ati2mtag (e609b308910f7a495d323ab13d011a70) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/04/01 12:42:55.0472 0284 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/01 12:42:55.0519 0284 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/01 12:42:55.0566 0284 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/01 12:42:55.0629 0284 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/01 12:42:55.0675 0284 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/01 12:42:55.0738 0284 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/01 12:42:55.0785 0284 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/01 12:42:55.0879 0284 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/01 12:42:55.0988 0284 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/04/01 12:42:56.0035 0284 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/01 12:42:56.0160 0284 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/01 12:42:56.0238 0284 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/01 12:42:56.0316 0284 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/01 12:42:56.0363 0284 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/01 12:42:56.0410 0284 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/01 12:42:56.0488 0284 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/01 12:42:56.0613 0284 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/01 12:42:56.0676 0284 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/01 12:42:56.0707 0284 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/01 12:42:56.0738 0284 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/01 12:42:56.0816 0284 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/01 12:42:56.0863 0284 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/01 12:42:56.0894 0284 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/01 12:42:56.0941 0284 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/01 12:42:56.0972 0284 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/01 12:42:57.0082 0284 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/01 12:42:57.0113 0284 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/01 12:42:57.0223 0284 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/01 12:42:57.0379 0284 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/01 12:42:57.0473 0284 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/01 12:42:57.0769 0284 IntcAzAudAddService (909d03b3b7fb7c830b74f74f4d0ea7ce) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/01 12:42:57.0941 0284 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/01 12:42:58.0004 0284 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/01 12:42:58.0035 0284 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/01 12:42:58.0082 0284 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/01 12:42:58.0160 0284 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/01 12:42:58.0207 0284 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/01 12:42:58.0285 0284 isapnp (642d6479d259cbf81c9b840dfdc53e07) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/01 12:42:58.0301 0284 isapnp - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/01 12:42:58.0457 0284 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/01 12:42:58.0535 0284 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/01 12:42:58.0582 0284 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/01 12:42:58.0707 0284 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/01 12:42:58.0770 0284 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/01 12:42:58.0816 0284 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/01 12:42:58.0926 0284 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/01 12:42:58.0988 0284 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/01 12:42:59.0051 0284 MRxDAV (0a25b866933d126d1e831fd025a278c2) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/01 12:42:59.0145 0284 MRxSmb (d09b9f0b9960dd41e73127b7814c115f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/01 12:42:59.0207 0284 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/01 12:42:59.0270 0284 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/01 12:42:59.0317 0284 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/01 12:42:59.0363 0284 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/01 12:42:59.0442 0284 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/01 12:42:59.0551 0284 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/01 12:42:59.0645 0284 Mup (6546fe6639499fa4bef180bdf08266a1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/01 12:42:59.0707 0284 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/01 12:42:59.0770 0284 NDIS (b5b1080d35974c0e718d64280761bcd5) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/01 12:42:59.0817 0284 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/01 12:42:59.0863 0284 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/01 12:42:59.0942 0284 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/01 12:43:00.0020 0284 NdisWan (b053a8411045fd0664b389a090cb2bbc) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/01 12:43:00.0114 0284 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/01 12:43:00.0239 0284 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/01 12:43:00.0285 0284 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/01 12:43:00.0442 0284 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2011/04/01 12:43:00.0504 0284 NPF (d21fee8db254ba762656878168ac1db6) C:\WINDOWS\system32\drivers\npf.sys
2011/04/01 12:43:00.0567 0284 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/01 12:43:00.0629 0284 Ntfs (a0857c97770034fd2af17dc4014b5abd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/01 12:43:00.0707 0284 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/01 12:43:00.0801 0284 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/01 12:43:00.0832 0284 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/01 12:43:00.0926 0284 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/01 12:43:00.0973 0284 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/01 12:43:01.0004 0284 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/01 12:43:01.0067 0284 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/01 12:43:01.0223 0284 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/01 12:43:01.0270 0284 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/04/01 12:43:01.0551 0284 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/01 12:43:01.0629 0284 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/04/01 12:43:01.0676 0284 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/01 12:43:01.0754 0284 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/01 12:43:01.0801 0284 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/04/01 12:43:02.0051 0284 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/01 12:43:02.0129 0284 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/01 12:43:02.0161 0284 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/01 12:43:02.0208 0284 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/01 12:43:02.0254 0284 Rdbss (9629383f70db691cb6aa5bbd828cd9a9) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/01 12:43:02.0286 0284 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/01 12:43:02.0379 0284 rdpdr (3a99642ed25a2fad5b0ba55f09ba2f93) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/01 12:43:02.0473 0284 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/01 12:43:02.0536 0284 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/01 12:43:02.0692 0284 rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
2011/04/01 12:43:02.0754 0284 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/04/01 12:43:02.0879 0284 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/04/01 12:43:02.0911 0284 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/04/01 12:43:03.0005 0284 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/04/01 12:43:03.0067 0284 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/01 12:43:03.0317 0284 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/04/01 12:43:03.0395 0284 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/01 12:43:03.0505 0284 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/01 12:43:03.0598 0284 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/01 12:43:03.0755 0284 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/04/01 12:43:03.0755 0284 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/04/01 12:43:03.0770 0284 sptd - detected Locked file (1)
2011/04/01 12:43:03.0848 0284 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/01 12:43:03.0973 0284 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/01 12:43:04.0067 0284 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/01 12:43:04.0145 0284 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/01 12:43:04.0223 0284 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/01 12:43:04.0411 0284 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/01 12:43:04.0583 0284 Tcpip (367de8e5f638c091f49273144274f629) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/01 12:43:04.0661 0284 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/01 12:43:04.0708 0284 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/01 12:43:04.0770 0284 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/01 12:43:04.0958 0284 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/01 12:43:05.0067 0284 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/01 12:43:05.0145 0284 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/04/01 12:43:05.0224 0284 usbccgp (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/01 12:43:05.0333 0284 usbehci (152ee0baa614388273a0b9ae9c9fd5a0) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/01 12:43:05.0411 0284 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/01 12:43:05.0442 0284 usbohci (c5e11cd822adf0019a5a862d9c4e2222) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/04/01 12:43:05.0520 0284 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/01 12:43:05.0567 0284 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/01 12:43:05.0645 0284 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/01 12:43:05.0755 0284 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/01 12:43:05.0989 0284 VX1000 (d22c6b9c2f840d403fd387ad207a4b16) C:\WINDOWS\system32\DRIVERS\VX1000.sys
2011/04/01 12:43:06.0192 0284 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/01 12:43:06.0302 0284 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/01 12:43:06.0427 0284 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/04/01 12:43:06.0521 0284 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/01 12:43:06.0646 0284 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/01 12:43:06.0677 0284 ================================================================================
2011/04/01 12:43:06.0677 0284 Scan finished
2011/04/01 12:43:06.0677 0284 ================================================================================
2011/04/01 12:43:06.0692 3996 Detected object count: 3
2011/04/01 12:43:22.0835 3996 isapnp (642d6479d259cbf81c9b840dfdc53e07) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/01 12:43:24.0914 3996 Backup copy found, using it..
2011/04/01 12:43:24.0929 3996 C:\WINDOWS\system32\DRIVERS\isapnp.sys - will be cured after reboot
2011/04/01 12:43:24.0929 3996 Rootkit.Win32.TDSS.tdl3(isapnp) - User select action: Cure
2011/04/01 12:43:24.0929 3996 Locked file(sptd) - User select action: Skip
2011/04/01 12:43:25.0007 3996 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/01 12:43:25.0007 3996 \HardDisk0 - ok
2011/04/01 12:43:25.0007 3996 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/01 12:43:37.0040 4076 Deinitialize success

OTL.txt

OTL logfile created on: 01/04/2011 12:48:06 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Asif\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 52.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 4.70 Gb Free Space | 8.42% Space Free | Partition Type: NTFS
Drive D: | 92.43 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 465.76 Gb Total Space | 134.20 Gb Free Space | 28.81% Space Free | Partition Type: NTFS

Computer Name: ASIF-7EEF9A93C3 | User Name: Asif | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/01 12:47:43 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Asif\Desktop\OTL.exe
PRC - [2011/03/28 18:03:26 | 000,049,152 | ---- | M] () -- C:\Program Files\QuestBrwSearch\questbrwsearch.exe
PRC - [2011/03/28 18:03:26 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\QuestBrwSearch\questbrowse129.exe
PRC - [2011/03/24 12:31:36 | 001,966,936 | ---- | M] (Secure Digital Services Limited) -- C:\Program Files\OfferBox\OfferBox.exe
PRC - [2011/03/24 10:36:25 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/01/21 17:15:21 | 000,491,168 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe
PRC - [2011/01/21 17:15:20 | 000,274,608 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2011/01/20 17:20:34 | 000,426,840 | ---- | M] (IObit) -- C:\Program Files\IObit\Game Booster\gbtray.exe
PRC - [2010/12/13 22:28:54 | 000,507,904 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\Asif\Local Settings\Temp\RtkBtMnt.exe
PRC - [2010/12/09 20:28:24 | 001,226,608 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/12/08 22:15:44 | 000,063,360 | ---- | M] (DivX, LLC) -- C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
PRC - [2010/12/03 12:09:06 | 000,196,912 | ---- | M] (Nitro PDF Software) -- C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
PRC - [2010/09/22 19:12:16 | 000,015,800 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
PRC - [2010/07/06 15:01:16 | 002,634,048 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
PRC - [2010/05/20 16:27:24 | 000,762,736 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\vVX1000.exe
PRC - [2010/05/20 16:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2010/04/01 10:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2008/07/03 12:38:24 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/01/02 18:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

========== Modules (SafeList) ==========

MOD - [2011/04/01 12:47:43 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Asif\Desktop\OTL.exe
MOD - [2011/03/30 18:56:16 | 000,573,440 | ---- | M] () -- C:\Program Files\QuestBrwSearch\questbrwsearch.dll
MOD - [2011/01/21 17:15:57 | 000,040,448 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
MOD - [2010/08/23 17:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009/07/12 01:02:02 | 000,653,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
MOD - [2009/07/12 01:02:00 | 000,569,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
MOD - [2008/04/14 13:00:00 | 000,286,720 | ---- | M] () -- C:\WINDOWS\agifecujof.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/03/28 18:03:26 | 000,049,152 | ---- | M] () [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\QuestBrwSearch\questbrowse129.exe -- (QuestBrowse Service)
SRV - [2010/12/03 12:09:06 | 000,196,912 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe -- (NitroReaderDriverReadSpool)
SRV - [2010/05/20 16:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2010/01/21 18:51:12 | 030,963,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2005/08/02 22:18:49 | 000,086,016 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)

========== Driver Services (SafeList) ==========

DRV - [2010/12/13 22:11:28 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/05/20 16:27:26 | 001,961,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)
DRV - [2010/05/10 19:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 19:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/04/14 13:00:00 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 23:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2006/09/26 22:50:06 | 001,754,624 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/08/16 12:21:00 | 004,304,384 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/01/25 11:44:52 | 000,488,448 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/08/02 22:10:13 | 000,032,512 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-299502267-725345543-1801674531-1003\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTo1.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-299502267-725345543-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "DAEMON Search"
FF - prefs.js..extensions.enabledItems: DTToolbar@toolbarnet.com:1.1.2.0185
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.2.5.2
FF - prefs.js..extensions.enabledItems: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}:3.2.5.2
FF - prefs.js..extensions.enabledItems: {cd90bf73-20f6-44ef-993d-bb920303bd2e}:2.7.1.3
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.0.900
FF - prefs.js..extensions.enabledItems: support@predictad.com:1.11
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}:1.0
FF - prefs.js..extensions.enabledItems: ShopperReports@ShopperReports.com:3.0.517.0
FF - prefs.js..extensions.enabledItems: ClickPotatoLite@ClickPotatoLite.com:10.0.0.0
FF - prefs.js..extensions.enabledItems: offerboxffx@offerbox.com:2.1.3600.135
FF - prefs.js..extensions.enabledItems: {D72BEF5E-869F-49E0-B436-06DA3163C12F}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/01/05 16:53:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/01/05 16:53:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/01/21 17:15:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\ShopperReports@ShopperReports.com: C:\Program Files\ShopperReports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions [2011/03/13 20:49:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\ClickPotatoLite@ClickPotatoLite.com: C:\Program Files\ClickPotatoLite\bin\10.0.666.0\firefox\extensions [2011/03/13 20:49:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\offerboxffx@offerbox.com: C:\Program Files\OfferBox\offerboxffx@offerbox.com [2011/03/27 16:09:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{D72BEF5E-869F-49E0-B436-06DA3163C12F}: C:\Documents and Settings\Asif\Local Settings\Application Data\{D72BEF5E-869F-49E0-B436-06DA3163C12F} [2011/03/27 16:09:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/24 10:36:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/24 10:36:32 | 000,000,000 | ---D | M]

[2010/12/13 22:02:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asif\Application Data\Mozilla\Extensions
[2011/03/31 20:43:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asif\Application Data\Mozilla\Firefox\Profiles\0iaia907.default\extensions
[2010/12/19 14:01:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Asif\Application Data\Mozilla\Firefox\Profiles\0iaia907.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/27 15:07:46 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Asif\Application Data\Mozilla\Firefox\Profiles\0iaia907.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/12/13 22:52:44 | 000,000,000 | ---D | M] (uTorrentBar Community Toolbar) -- C:\Documents and Settings\Asif\Application Data\Mozilla\Firefox\Profiles\0iaia907.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
[2011/01/05 02:19:27 | 000,000,000 | ---D | M] (Veoh Web Player Toolbar) -- C:\Documents and Settings\Asif\Application Data\Mozilla\Firefox\Profiles\0iaia907.default\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}
[2010/12/13 22:11:36 | 000,000,000 | ---D | M] ("DAEMON Tools Toolbar") -- C:\Documents and Settings\Asif\Application Data\Mozilla\Firefox\Profiles\0iaia907.default\extensions\DTToolbar@toolbarnet.com
[2010/12/13 22:52:44 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\Asif\Application Data\Mozilla\Firefox\Profiles\0iaia907.default\extensions\engine@conduit.com
[2011/01/07 14:03:35 | 000,000,000 | ---D | M] ("AutocompletePro - Your handy search suggestions tool") -- C:\Documents and Settings\Asif\Application Data\Mozilla\Firefox\Profiles\0iaia907.default\extensions\support@predictad.com
[2010/06/29 18:22:34 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Asif\Application Data\Mozilla\Firefox\Profiles\0iaia907.default\searchplugins\conduit.xml
[2010/12/13 22:11:32 | 000,002,059 | ---- | M] () -- C:\Documents and Settings\Asif\Application Data\Mozilla\Firefox\Profiles\0iaia907.default\searchplugins\daemon-search.xml
[2011/03/31 20:43:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/27 15:07:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/03/13 20:49:38 | 000,000,000 | ---D | M] (QuestBrowse) -- C:\Program Files\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}
[2011/01/21 17:15:58 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2011/03/27 16:09:58 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\ASIF\LOCAL SETTINGS\APPLICATION DATA\{D72BEF5E-869F-49E0-B436-06DA3163C12F}
[2011/03/13 20:49:18 | 000,000,000 | ---D | M] (ClickPotatoLite Component) -- C:\PROGRAM FILES\CLICKPOTATOLITE\BIN\10.0.666.0\FIREFOX\EXTENSIONS
[2011/01/05 16:53:04 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\HTML5VIDEO
[2011/01/05 16:53:05 | 000,000,000 | ---D | M] (DivX HiQ) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\WPA
[2011/01/27 15:07:01 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/03/27 16:09:55 | 000,000,000 | ---D | M] (OfferBox) -- C:\PROGRAM FILES\OFFERBOX\OFFERBOXFFX@OFFERBOX.COM
[2011/03/13 20:49:05 | 000,000,000 | ---D | M] (ShopperReports) -- C:\PROGRAM FILES\SHOPPERREPORTS3\BIN\3.0.517.0\FIREFOX\FIREFOXTOOLBAR\EXTENSIONS
[2011/03/02 01:48:22 | 000,070,448 | ---- | M] (Pinball Corporation.) -- C:\Program Files\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll
[2011/01/27 15:07:01 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/10/27 06:24:34 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/10/27 06:24:34 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/10/27 06:24:34 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/10/27 06:24:34 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2008/04/14 13:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AC-Pro) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Program Files\AutocompletePro\AutocompletePro.dll (SimplyGen)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin0.dll (Conduit Ltd.)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTo1.dll (Conduit Ltd.)
O2 - BHO: (OfferBox) - {FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C} - C:\Program Files\OfferBox\OfferBoxBHO.dll (Secure Digital Services Limited)
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTo1.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-299502267-725345543-1801674531-1003\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKU\S-1-5-21-299502267-725345543-1801674531-1003\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files\uTorrentBar\tbuTo1.dll (Conduit Ltd.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [DivX Download Manager] C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe (DivX, LLC)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [INPROCOMMWireless] File not found
O4 - HKLM..\Run: [Inulehadajak] C:\WINDOWS\agifecujof.dll ()
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [BSRURUF55J] C:\WINDOWS\Bzyhaa.exe (Jordan Russell)
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [OUU6KC5WPX] C:\Documents and Settings\Asif\Local Settings\Temp\Bxf.exe (Jordan Russell)
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [RegistryBooster] File not found
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [VeohPlugin] C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe (Veoh Networks)
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [Ysayezanonulur] C:\WINDOWS\kbdgcas.dll (CyberLink Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-725345543-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: ClickPotato - {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - C:\Program Files\ClickPotatoLite\bin\10.0.666.0\ClickPotatoLiteSABHO.dll (Pinball Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.20,93.188.160.50
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/12/13 21:51:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/01 12:47:40 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Asif\Desktop\OTL.exe
[2011/04/01 12:42:31 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Asif\Desktop\TDSSKiller.exe
[2011/03/31 00:24:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/03/28 20:38:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2011/03/28 20:38:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NSS
[2011/03/28 20:38:19 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Scan
[2011/03/28 20:38:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton Security Scan
[2011/03/28 20:38:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NSS\0300000.067
[2011/03/28 20:38:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2011/03/28 20:38:14 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2011/03/28 20:38:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2011/03/28 17:37:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2011/03/27 16:36:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/03/27 16:23:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/03/27 16:23:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/03/27 16:09:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asif\Local Settings\Application Data\{D72BEF5E-869F-49E0-B436-06DA3163C12F}
[2011/03/27 16:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asif\Application Data\OfferBox
[2011/03/27 16:08:35 | 000,000,000 | ---D | C] -- C:\Program Files\OfferBox
[2011/03/27 16:08:04 | 000,128,000 | ---- | C] (Jordan Russell) -- C:\WINDOWS\Bzyhaa.exe
[2011/03/20 16:46:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asif\Start Menu\Programs\Tetris 5000(v1.10 full version)
[2011/03/20 16:46:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Favorites
[2011/03/20 16:46:13 | 000,000,000 | ---D | C] -- C:\Program Files\ElefunMultimedia
[2011/03/18 23:56:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asif\My Documents\BOOOO
[2011/03/14 16:09:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Ubisoft
[2011/03/14 16:03:08 | 000,000,000 | ---D | C] -- C:\Program Files\Ubisoft
[2011/03/13 20:49:34 | 000,000,000 | ---D | C] -- C:\Program Files\QuestBrwSearch
[2011/03/13 20:49:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\QuestBrwSearch
[2011/03/13 20:49:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato
[2011/03/13 20:49:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA
[2011/03/13 20:49:16 | 000,000,000 | ---D | C] -- C:\Program Files\ClickPotatoLite
[2011/03/13 20:49:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
[2011/03/13 20:49:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ShopperReports
[2011/03/13 20:48:58 | 000,000,000 | ---D | C] -- C:\Program Files\ShopperReports3
[2011/03/13 20:48:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asif\Application Data\ShopperReports3
[2011/03/03 15:44:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asif\My Documents\EA SPORTS™ Cricket 07
[2011/03/03 15:43:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EA SPORTS
[2011/03/03 15:40:22 | 000,000,000 | ---D | C] -- C:\Program Files\EA SPORTS
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/01 12:49:56 | 000,435,498 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/01 12:49:56 | 000,068,354 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/01 12:47:43 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Asif\Desktop\OTL.exe
[2011/04/01 12:45:24 | 000,000,244 | -H-- | M] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2011/04/01 12:45:22 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/01 12:45:22 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-299502267-725345543-1801674531-1003.job
[2011/04/01 12:45:15 | 000,000,256 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/04/01 12:45:03 | 000,000,304 | -HS- | M] () -- C:\WINDOWS\tasks\NJJRAOZD.job
[2011/04/01 12:45:02 | 000,000,246 | ---- | M] () -- C:\WINDOWS\tasks\Game_Booster_Startup.job
[2011/04/01 12:44:59 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\Mxfenzg.job
[2011/04/01 12:44:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/01 02:18:01 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/01 02:08:31 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Fqewocij.dat
[2011/04/01 01:02:31 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-299502267-725345543-1801674531-1003.job
[2011/04/01 00:04:51 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ssobaxiq.bin
[2011/03/31 22:15:31 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/31 20:35:00 | 000,611,536 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\dds.scr.part
[2011/03/31 18:48:23 | 000,000,476 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Asif.job
[2011/03/31 16:48:59 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Asif\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/30 18:53:42 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/28 20:38:27 | 000,000,986 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Security Scan.lnk
[2011/03/27 16:08:19 | 000,149,504 | RHS- | M] () -- C:\WINDOWS\System32\usrlogonb.dll
[2011/03/27 16:08:19 | 000,135,168 | RHS- | M] () -- C:\WINDOWS\System32\dhcpcsvcv.dll
[2011/03/27 16:07:31 | 000,128,000 | ---- | M] (Jordan Russell) -- C:\WINDOWS\Bzyhaa.exe
[2011/03/26 19:36:30 | 000,000,164 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\BIG bleep CURRY ORDER WITH MARINA, GOOD TIMES...LOVADUB HER.rtf
[2011/03/26 02:19:08 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/03/20 17:07:56 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\gmer.exe
[2011/03/20 16:46:19 | 000,001,961 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\Tetris 5000.lnk
[2011/03/20 16:46:19 | 000,000,905 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\Try Other Games.lnk
[2011/03/18 09:40:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/17 23:43:46 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\Asif\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/17 19:33:34 | 000,005,871 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\ABROAD MEETINGS.rtf
[2011/03/17 02:15:21 | 002,901,384 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\pragmatic language impairment.pdf
[2011/03/17 01:30:34 | 000,046,839 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\pli journal.pdf
[2011/03/17 01:28:13 | 001,518,717 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\pragment language impairment.pdf
[2011/03/17 01:27:49 | 001,518,717 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\Proefschrift Mieke Ketelaars.pdf
[2011/03/15 14:31:05 | 000,036,778 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\BULK DIET.rtf
[2011/03/14 16:09:33 | 000,000,930 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Far Cry.lnk
[2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Asif\Desktop\TDSSKiller.exe
[2011/03/10 04:03:30 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/05 19:34:03 | 000,000,362 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\PLAN.rtf
[2011/03/03 15:43:07 | 000,001,841 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EA SPORTS™ Cricket 07.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/31 20:59:38 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\gmer.exe
[2011/03/31 20:34:38 | 000,611,536 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\dds.scr.part
[2011/03/31 20:22:57 | 000,000,244 | -H-- | C] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2011/03/28 20:38:30 | 000,000,476 | -H-- | C] () -- C:\WINDOWS\tasks\Norton Security Scan for Asif.job
[2011/03/28 20:38:27 | 000,000,986 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Security Scan.lnk
[2011/03/28 20:38:19 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NSS\0300000.067\isolate.ini
[2011/03/27 16:36:22 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/27 16:10:14 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Fqewocij.dat
[2011/03/27 16:10:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ssobaxiq.bin
[2011/03/27 16:08:22 | 000,000,308 | -HS- | C] () -- C:\WINDOWS\tasks\Mxfenzg.job
[2011/03/27 16:08:22 | 000,000,304 | -HS- | C] () -- C:\WINDOWS\tasks\NJJRAOZD.job
[2011/03/27 16:08:19 | 000,149,504 | RHS- | C] () -- C:\WINDOWS\System32\usrlogonb.dll
[2011/03/27 16:08:19 | 000,135,168 | RHS- | C] () -- C:\WINDOWS\System32\dhcpcsvcv.dll
[2011/03/26 19:36:30 | 000,000,164 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\BIG bleep CURRY ORDER WITH MARINA, GOOD TIMES...LOVADUB HER.rtf
[2011/03/20 16:46:19 | 000,001,961 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\Tetris 5000.lnk
[2011/03/20 16:46:19 | 000,000,905 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\Try Other Games.lnk
[2011/03/20 16:45:56 | 005,503,392 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\Tetris5000_full.exe
[2011/03/20 16:45:56 | 000,697,306 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\dragonfly_theme.exe
[2011/03/17 19:33:34 | 000,005,871 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\ABROAD MEETINGS.rtf
[2011/03/17 02:15:21 | 002,901,384 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\pragmatic language impairment.pdf
[2011/03/17 01:30:34 | 000,046,839 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\pli journal.pdf
[2011/03/17 01:28:13 | 001,518,717 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\pragment language impairment.pdf
[2011/03/17 01:27:49 | 001,518,717 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\Proefschrift Mieke Ketelaars.pdf
[2011/03/15 14:26:15 | 000,036,778 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\BULK DIET.rtf
[2011/03/14 16:09:33 | 000,000,930 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Far Cry.lnk
[2011/03/03 15:43:06 | 000,001,841 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\EA SPORTS™ Cricket 07.lnk
[2011/02/28 16:15:52 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2011/02/25 16:31:09 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
[2011/02/17 01:22:29 | 000,233,472 | R--- | C] () -- C:\WINDOWS\System32\MafiaSetup.exe
[2011/02/16 18:56:55 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2011/02/16 18:46:05 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2011/02/16 18:46:05 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2011/02/16 18:46:05 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2011/01/07 14:07:15 | 000,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/01/07 14:07:15 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/12/13 22:30:11 | 000,000,604 | ---- | C] () -- C:\WINDOWS\Sof2.INI
[2010/12/13 22:17:46 | 002,515,656 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2010/12/13 22:17:46 | 000,136,650 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2010/12/13 22:11:00 | 000,135,168 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2010/12/13 22:11:00 | 000,040,960 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/12/13 22:02:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/12/13 22:00:11 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\Asif\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/13 21:54:15 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/12/13 21:47:12 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/12/13 21:37:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/12/13 21:36:08 | 000,329,096 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 13:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 13:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 13:00:00 | 000,435,498 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 13:00:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\agifecujof.dll
[2008/04/14 13:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 13:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 13:00:00 | 000,068,354 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 13:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 13:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 13:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 13:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 13:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 13:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/02 22:24:01 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll

< End of report >

Extras.txt

OTL Extras logfile created on: 01/04/2011 12:48:06 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Asif\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 52.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 4.70 Gb Free Space | 8.42% Space Free | Partition Type: NTFS
Drive D: | 92.43 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 465.76 Gb Total Space | 134.20 Gb Free Space | 28.81% Space Free | Partition Type: NTFS

Computer Name: ASIF-7EEF9A93C3 | User Name: Asif | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-299502267-725345543-1801674531-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"57837:TCP" = 57837:TCP:*:Enabled:Pando Media Booster
"57837:UDP" = 57837:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"57837:TCP" = 57837:TCP:*:Enabled:Pando Media Booster
"57837:UDP" = 57837:UDP:*:Enabled:Pando Media Booster
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Soldier of Fortune II - Double Helix\SoF2MP.exe" = C:\Program Files\Soldier of Fortune II - Double Helix\SoF2MP.exe:*:Enabled:SoF2MP
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" = C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player -- (Veoh Networks)
"C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office14\GROOVE.EXE:*:Enabled:Microsoft SharePoint Workspace -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Sports Interactive\Football Manager 2011\fm.exe" = C:\Program Files\Sports Interactive\Football Manager 2011\fm.exe:*:Enabled:Football Manager 2011 -- (Sports Interactive)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeEnC2.exe" = C:\Program Files\Microsoft LifeCam\LifeEnC2.exe:*:Enabled:LifeEnC2.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeTray.exe" = C:\Program Files\Microsoft LifeCam\LifeTray.exe:*:Enabled:LifeTray.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Zoo Tycoon 2\zt.exe" = C:\Program Files\Microsoft Games\Zoo Tycoon 2\zt.exe:*:Enabled:Zoo Tycoon 2 Executable -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0556F885-2415-4666-B53E-33727E46AEA1}" = The Movies™
"{12383CA3-0733-4210-00B8-D83642F1192C}" = EA SPORTS™ Cricket 07
"{15292416-A464-4FBA-BB96-7298EAACFC07}" = Zoo Tycoon 2 - Extinct Animals
"{1C8F5952-1960-457E-95EC-40DAAD39F7E3}" = Nitro PDF Reader
"{25A73B29-EA39-4429-997A-ECA33B417865}" = Virgin Media Broadband SpeedBooster
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 22
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5FC7AB5C-61FC-42DF-A923-5139BCF10D42}" = Microsoft LifeCam
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{7EF15AAF-42AC-4CF6-B4B4-C4F0D1D92122}" = Far Cry (Patch 1.4)
"{857BCA7D-DFCD-4A47-8BA5-D13C0E59BB56}" = ATI Catalyst Control Center
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B720288E-778A-4308-8D65-8EE2E775042A}" = -=CASH=- SOF Minimizer
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C270BC04-1540-4673-960F-A546B2C860CD}" = Commandos 3 - Destination Berlin
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}" = Far Cry
"{D70DE630-0D13-4394-A15B-5ACE6CF2A18D}" = Atheros Wireless LAN
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced DVD Player_is1" = Advanced DVD Player
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AutocompletePro3_is1" = AutocompletePro
"ClickPotatoLiteSA" = ClickPotato
"conduitEngine" = Conduit Engine
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"DivX Setup.divx.com" = Instalação do DivX
"EAX Unified" = EAX Unified
"FLVTube Player" = FLVTube Player
"Football Manager 2011" = Football Manager 2011
"Game Booster_is1" = Game Booster
"Google Chrome" = Google Chrome
"InstallShield_{0556F885-2415-4666-B53E-33727E46AEA1}" = The Movies™
"InstallShield_{15292416-A464-4FBA-BB96-7298EAACFC07}" = Zoo Tycoon 2 - Extinct Animals
"InstallShield_{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}" = Far Cry
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Silverlight" = Microsoft Silverlight
"Monopoly by Parker Brothers" = Monopoly by Parker Brothers
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"NetCut_is1" = NetCut 2.08
"NSS" = Norton Security Scan
"OfferBox Browser" = OfferBox Browser
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"QuestBrowse" = QuestBrowse 1.0 build 129 powered by FIRST SEARCHBAR
"RealPlayer 12.0" = RealPlayer
"Risk II_is1" = Risk II
"ShopperReportsSA" = ShopperReports
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"Tetris 5000(v1.10 full version)" = Tetris 5000(v1.10 full version)
"uTorrent" = µTorrent
"uTorrentBar Toolbar" = uTorrentBar Toolbar
"Veoh Web Player Beta" = Veoh Web Player
"VLC media player" = VLC media player 1.1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Rights Management Client" = Windows Rights Management Client with Service Pack 2
"Windows Rights Management Client Backwards" = Windows Rights Management Client Backwards Compatibility SP2
"WinPcapInst" = WinPcap 3.1
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"Xvid_is1" = Xvid 1.2.1 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-299502267-725345543-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"TeamSpeak 3 Client" = TeamSpeak 3 Client

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 31/03/2011 17:14:07 | Computer Name = ASIF-7EEF9A93C3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 31/03/2011 19:34:50 | Computer Name = ASIF-7EEF9A93C3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 31/03/2011 19:34:51 | Computer Name = ASIF-7EEF9A93C3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 31/03/2011 19:34:53 | Computer Name = ASIF-7EEF9A93C3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 31/03/2011 19:34:53 | Computer Name = ASIF-7EEF9A93C3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 31/03/2011 19:54:57 | Computer Name = ASIF-7EEF9A93C3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 31/03/2011 19:56:50 | Computer Name = ASIF-7EEF9A93C3 | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.4095, faulting module
np32dsw.dll, version 11.5.9.620, fault address 0x000078f0.

Error - 31/03/2011 19:57:10 | Computer Name = ASIF-7EEF9A93C3 | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.4095, faulting module
np32dsw.dll, version 11.5.9.620, fault address 0x000078f0.

Error - 31/03/2011 19:58:19 | Computer Name = ASIF-7EEF9A93C3 | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.4095, faulting module
np32dsw.dll, version 11.5.9.620, fault address 0x000078f0.

Error - 31/03/2011 20:18:05 | Computer Name = ASIF-7EEF9A93C3 | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 01/04/2011 07:44:54 | Computer Name = ASIF-7EEF9A93C3 | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 01/04/2011 07:44:54 | Computer Name = ASIF-7EEF9A93C3 | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 01/04/2011 07:44:54 | Computer Name = ASIF-7EEF9A93C3 | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 01/04/2011 07:44:54 | Computer Name = ASIF-7EEF9A93C3 | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 01/04/2011 07:44:54 | Computer Name = ASIF-7EEF9A93C3 | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 01/04/2011 07:44:54 | Computer Name = ASIF-7EEF9A93C3 | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 01/04/2011 07:44:54 | Computer Name = ASIF-7EEF9A93C3 | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 01/04/2011 07:44:54 | Computer Name = ASIF-7EEF9A93C3 | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 01/04/2011 07:44:54 | Computer Name = ASIF-7EEF9A93C3 | Source = ati2mtag | ID = 43015
Description = I2c return failed

Error - 01/04/2011 07:44:54 | Computer Name = ASIF-7EEF9A93C3 | Source = ati2mtag | ID = 43015
Description = I2c return failed

< End of report >

#4 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 01 April 2011 - 08:48 AM

noxqs,

You were infected with an infection called TDL4 and TDL3. They are two very serious infections on there own.

See the snippet of text below:

Quote

2011/04/01 12:43:06.0692 3996 Detected object count: 3
2011/04/01 12:43:22.0835 3996 isapnp (642d6479d259cbf81c9b840dfdc53e07) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/01 12:43:24.0914 3996 Backup copy found, using it..
2011/04/01 12:43:24.0929 3996 Rootkit.Win32.TDSS.tdl3(isapnp) - User select action: Cure
2011/04/01 12:43:25.0007 3996 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/01 12:43:25.0007 3996 \HardDisk0 - ok
2011/04/01 12:43:25.0007 3996 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/01 12:43:37.0040 4076 Deinitialize success

You can read more about this infection here:

Special thanks to quietman7 for providing the above links.

NEXT:

OTL Fix

We need to run an OTL Fix

Please reopen on your desktop.

Copy and Paste the following code into the Posted Image

textbox.

:Services
:OTL
PRC - [2011/03/24 12:31:36 | 001,966,936 | ---- | M] (Secure Digital Services Limited) -- C:\Program Files\OfferBox\OfferBox.exe
MOD - [2008/04/14 13:00:00 | 000,286,720 | ---- | M] () -- C:\WINDOWS\agifecujof.dll
FF - prefs.js..extensions.enabledItems: ShopperReports@ShopperReports.com:3.0.517.0
FF - prefs.js..extensions.enabledItems: ClickPotatoLite@ClickPotatoLite.com:10.0.0.0
FF - prefs.js..extensions.enabledItems: offerboxffx@offerbox.com:2.1.3600.135
FF - HKLM\software\mozilla\Firefox\Extensions\\ShopperReports@ShopperReports.com: C:\Program Files\ShopperReports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions [2011/03/13 20:49:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\ClickPotatoLite@ClickPotatoLite.com: C:\Program Files\ClickPotatoLite\bin\10.0.666.0\firefox\extensions [2011/03/13 20:49:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\offerboxffx@offerbox.com: C:\Program Files\OfferBox\offerboxffx@offerbox.com [2011/03/27 16:09:55 | 000,000,000 | ---D | M]
[2011/03/27 16:09:58 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\ASIF\LOCAL SETTINGS\APPLICATION DATA\{D72BEF5E-869F-49E0-B436-06DA3163C12F}
[2011/03/13 20:49:18 | 000,000,000 | ---D | M] (ClickPotatoLite Component) -- C:\PROGRAM FILES\CLICKPOTATOLITE\BIN\10.0.666.0\FIREFOX\EXTENSIONS
[2011/03/27 16:09:55 | 000,000,000 | ---D | M] (OfferBox) -- C:\PROGRAM FILES\OFFERBOX\OFFERBOXFFX@OFFERBOX.COM
[2011/03/13 20:49:05 | 000,000,000 | ---D | M] (ShopperReports) -- C:\PROGRAM FILES\SHOPPERREPORTS3\BIN\3.0.517.0\FIREFOX\FIREFOXTOOLBAR\EXTENSIONS
O2 - BHO: (OfferBox) - {FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C} - C:\Program Files\OfferBox\OfferBoxBHO.dll (Secure Digital Services Limited)
O4 - HKLM..\Run: [INPROCOMMWireless] File not found
O4 - HKLM..\Run: [Inulehadajak] C:\WINDOWS\agifecujof.dll ()
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [BSRURUF55J] C:\WINDOWS\Bzyhaa.exe (Jordan Russell)
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [OUU6KC5WPX] C:\Documents and Settings\Asif\Local Settings\Temp\Bxf.exe (Jordan Russell)
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [RegistryBooster] File not found
O4 - HKU\S-1-5-21-299502267-725345543-1801674531-1003..\Run: [Ysayezanonulur] C:\WINDOWS\kbdgcas.dll (CyberLink Corp.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.20,93.188.160.50
[2011/03/27 16:09:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asif\Local Settings\Application Data\{D72BEF5E-869F-49E0-B436-06DA3163C12F}
[2011/03/27 16:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asif\Application Data\OfferBox
[2011/03/27 16:08:35 | 000,000,000 | ---D | C] -- C:\Program Files\OfferBox
[2011/03/27 16:08:04 | 000,128,000 | ---- | C] (Jordan Russell) -- C:\WINDOWS\Bzyhaa.exe
[2011/03/13 20:49:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato
[2011/03/13 20:49:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA
[2011/03/13 20:49:16 | 000,000,000 | ---D | C] -- C:\Program Files\ClickPotatoLite
[2011/03/13 20:49:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ShopperReports
[2011/03/13 20:48:58 | 000,000,000 | ---D | C] -- C:\Program Files\ShopperReports3
[2011/03/13 20:48:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asif\Application Data\ShopperReports3
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011/04/01 12:45:24 | 000,000,244 | -H-- | M] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2011/04/01 12:45:03 | 000,000,304 | -HS- | M] () -- C:\WINDOWS\tasks\NJJRAOZD.job
[2011/04/01 12:44:59 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\Mxfenzg.job
[2011/04/01 02:08:31 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Fqewocij.dat
[2011/04/01 00:04:51 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ssobaxiq.bin
[2011/03/31 20:35:00 | 000,611,536 | ---- | M] () -- C:\Documents and Settings\Asif\Desktop\dds.scr.part
[2011/03/27 16:08:19 | 000,149,504 | RHS- | M] () -- C:\WINDOWS\System32\usrlogonb.dll
[2011/03/27 16:08:19 | 000,135,168 | RHS- | M] () -- C:\WINDOWS\System32\dhcpcsvcv.dll
[2011/03/27 16:07:31 | 000,128,000 | ---- | M] (Jordan Russell) -- C:\WINDOWS\Bzyhaa.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011/03/31 20:34:38 | 000,611,536 | ---- | C] () -- C:\Documents and Settings\Asif\Desktop\dds.scr.part
[2011/03/31 20:22:57 | 000,000,244 | -H-- | C] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2011/03/27 16:10:14 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Fqewocij.dat
[2011/03/27 16:10:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ssobaxiq.bin
[2011/03/27 16:08:22 | 000,000,308 | -HS- | C] () -- C:\WINDOWS\tasks\Mxfenzg.job
[2011/03/27 16:08:22 | 000,000,304 | -HS- | C] () -- C:\WINDOWS\tasks\NJJRAOZD.job
[2011/03/27 16:08:19 | 000,149,504 | RHS- | C] () -- C:\WINDOWS\System32\usrlogonb.dll
[2011/03/27 16:08:19 | 000,135,168 | RHS- | C] () -- C:\WINDOWS\System32\dhcpcsvcv.dll
[2008/04/14 13:00:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\agifecujof.dll

:Reg

:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click .
A report will open. Copy and Paste that report in your next reply.
If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:

Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

#5 noxqs

New Member

Group: Members
Posts: 4
Joined: 23-December 10

Posted 01 April 2011 - 10:08 AM

My computer seems to be running better, theres no pauses or redirections anymore and I haven't got any popups yet.

Here's the two logs you requested...

Once again, thanks for your help so far and the prompt replies!

OTL

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
No active process named OfferBox.exe was found!
Prefs.js: ShopperReports@ShopperReports.com:3.0.517.0 removed from extensions.enabledItems
Prefs.js: ClickPotatoLite@ClickPotatoLite.com:10.0.0.0 removed from extensions.enabledItems
Prefs.js: offerboxffx@offerbox.com:2.1.3600.135 removed from extensions.enabledItems
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\ShopperReports@ShopperReports.com deleted successfully.
C:\Program Files\ShopperReports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions\components folder moved successfully.
C:\Program Files\ShopperReports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions\chrome folder moved successfully.
C:\Program Files\ShopperReports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions folder moved successfully.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\ClickPotatoLite@ClickPotatoLite.com deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.666.0\firefox\extensions\plugins folder moved successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.666.0\firefox\extensions folder moved successfully.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\offerboxffx@offerbox.com deleted successfully.
C:\Program Files\OfferBox\offerboxffx@offerbox.com\components folder moved successfully.
C:\Program Files\OfferBox\offerboxffx@offerbox.com\chrome\content folder moved successfully.
C:\Program Files\OfferBox\offerboxffx@offerbox.com\chrome folder moved successfully.
C:\Program Files\OfferBox\offerboxffx@offerbox.com folder moved successfully.
C:\DOCUMENTS AND SETTINGS\ASIF\LOCAL SETTINGS\APPLICATION DATA\{D72BEF5E-869F-49E0-B436-06DA3163C12F}\chrome\content folder moved successfully.
C:\DOCUMENTS AND SETTINGS\ASIF\LOCAL SETTINGS\APPLICATION DATA\{D72BEF5E-869F-49E0-B436-06DA3163C12F}\chrome folder moved successfully.
C:\DOCUMENTS AND SETTINGS\ASIF\LOCAL SETTINGS\APPLICATION DATA\{D72BEF5E-869F-49E0-B436-06DA3163C12F} folder moved successfully.
Folder C:\PROGRAM FILES\CLICKPOTATOLITE\BIN\10.0.666.0\FIREFOX\EXTENSIONS\ not found.
Folder C:\PROGRAM FILES\OFFERBOX\OFFERBOXFFX@OFFERBOX.COM\ not found.
Folder C:\PROGRAM FILES\SHOPPERREPORTS3\BIN\3.0.517.0\FIREFOX\FIREFOXTOOLBAR\EXTENSIONS\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C}\ deleted successfully.
C:\Program Files\OfferBox\OfferBoxBHO.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\INPROCOMMWireless deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Inulehadajak deleted successfully.
C:\WINDOWS\agifecujof.dll moved successfully.
Registry value HKEY_USERS\S-1-5-21-299502267-725345543-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run\\BSRURUF55J deleted successfully.
C:\WINDOWS\Bzyhaa.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-299502267-725345543-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run\\OUU6KC5WPX deleted successfully.
C:\Documents and Settings\Asif\Local Settings\Temp\Bxf.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-299502267-725345543-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run\\RegistryBooster deleted successfully.
Registry value HKEY_USERS\S-1-5-21-299502267-725345543-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Ysayezanonulur deleted successfully.
C:\WINDOWS\kbdgcas.dll moved successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!
Folder C:\Documents and Settings\Asif\Local Settings\Application Data\{D72BEF5E-869F-49E0-B436-06DA3163C12F}\ not found.
C:\Documents and Settings\Asif\Application Data\OfferBox folder moved successfully.
C:\Program Files\OfferBox\res folder moved successfully.
C:\Program Files\OfferBox folder moved successfully.
File C:\WINDOWS\Bzyhaa.exe not found.
C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato folder moved successfully.
C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA folder moved successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.666.0\firefox folder moved successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.666.0 folder moved successfully.
C:\Program Files\ClickPotatoLite\bin folder moved successfully.
C:\Program Files\ClickPotatoLite folder moved successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ShopperReports folder moved successfully.
C:\Program Files\ShopperReports3\bin\3.0.517.0\firefox\firefoxtoolbar folder moved successfully.
C:\Program Files\ShopperReports3\bin\3.0.517.0\firefox folder moved successfully.
C:\Program Files\ShopperReports3\bin\3.0.517.0 folder moved successfully.
C:\Program Files\ShopperReports3\bin folder moved successfully.
C:\Program Files\ShopperReports3 folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\IE\cs\res1 folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\IE\cs\report folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\IE\cs\dwld folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\IE\cs\db folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\IE\cs folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\IE folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\Firefox\cs\res1 folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\Firefox\cs\report folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\Firefox\cs\dwld folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\Firefox\cs\db folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\Firefox\cs folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3\Firefox folder moved successfully.
C:\Documents and Settings\Asif\Application Data\ShopperReports3 folder moved successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job moved successfully.
C:\WINDOWS\tasks\NJJRAOZD.job moved successfully.
C:\WINDOWS\tasks\Mxfenzg.job moved successfully.
C:\WINDOWS\Fqewocij.dat moved successfully.
C:\WINDOWS\Ssobaxiq.bin moved successfully.
C:\Documents and Settings\Asif\Desktop\dds.scr.part moved successfully.
C:\WINDOWS\system32\usrlogonb.dll moved successfully.
C:\WINDOWS\system32\dhcpcsvcv.dll moved successfully.
File C:\WINDOWS\Bzyhaa.exe not found.
File C:\Documents and Settings\Asif\Desktop\dds.scr.part not found.
File C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job not found.
File C:\WINDOWS\Fqewocij.dat not found.
File C:\WINDOWS\Ssobaxiq.bin not found.
File C:\WINDOWS\tasks\Mxfenzg.job not found.
File C:\WINDOWS\tasks\NJJRAOZD.job not found.
File C:\WINDOWS\System32\usrlogonb.dll not found.
File C:\WINDOWS\System32\dhcpcsvcv.dll not found.
File C:\WINDOWS\agifecujof.dll not found.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Asif\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Asif\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: All Users

User: Asif
->Temp folder emptied: 569325526 bytes
->Temporary Internet Files folder emptied: 16183064 bytes
->Java cache emptied: 4099310 bytes
->FireFox cache emptied: 92566179 bytes
->Google Chrome cache emptied: 594288 bytes
->Flash cache emptied: 2938743 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 696676 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 52554614 bytes
->Java cache emptied: 17027 bytes
->Flash cache emptied: 5610 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 63675702 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 93292612 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 41423679 bytes

Total Files Cleaned = 894.00 mb

[EMPTYFLASH]

User: All Users

User: Asif
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 04012011_150533

ComboFix Log

ComboFix 11-03-31.04 - Asif 01/04/2011 15:21:29.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.699 [GMT 1:00]
Running from: c:\documents and settings\Asif\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\QuestBrwSearch
c:\documents and settings\All Users\Application Data\QuestBrwSearch\questbrowse129.exe
c:\documents and settings\Asif\Application Data\Local
c:\documents and settings\Asif\Application Data\Local\Temp\DDM\Settings\0.ddi
c:\documents and settings\Asif\Application Data\Local\Temp\DDM\Settings\1.ddi
c:\documents and settings\Asif\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\Asif\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\u8tkm08pomz1s.avi.ddp
c:\documents and settings\Asif\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\wrdvignuqehr.avi
c:\documents and settings\Asif\Application Data\Local\Temp\DDM\Settings\u8tkm08pomz1s.avi.ddr
c:\documents and settings\Asif\Application Data\Local\Temp\DDM\Settings\wrdvignuqehr.avi.ddr
c:\documents and settings\Asif\Application Data\PriceGong
c:\documents and settings\Asif\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Asif\Application Data\PriceGong\Data\z.xml
c:\program files\AutocompletePro
c:\program files\AutocompletePro\64\AutocompletePro64.dll
c:\program files\AutocompletePro\AutocompletePro.dll
c:\program files\AutocompletePro\chrome\autocompleteprochrome.crx
c:\program files\AutocompletePro\FireFoxExtension.exe
c:\program files\AutocompletePro\InstTracker.exe
c:\program files\AutocompletePro\support@predictad.com\chrome.manifest
c:\program files\AutocompletePro\support@predictad.com\chrome\content\browserOverlay.xul
c:\program files\AutocompletePro\support@predictad.com\chrome\content\options.js
c:\program files\AutocompletePro\support@predictad.com\chrome\content\options.xul
c:\program files\AutocompletePro\support@predictad.com\chrome\content\utils.js
c:\program files\AutocompletePro\support@predictad.com\defaults\preferences\predictad.js
c:\program files\AutocompletePro\support@predictad.com\install.rdf
c:\program files\AutocompletePro\unins000.dat
c:\program files\AutocompletePro\unins000.exe
c:\program files\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}
c:\program files\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\chrome\questbrowse.jar
c:\program files\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\defaults\preferences\prefs.js
c:\program files\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\install.rdf
c:\program files\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll
c:\program files\QuestBrwSearch
c:\program files\QuestBrwSearch\questbrwsearch.dll
c:\program files\QuestBrwSearch\questbrwsearch.exe
c:\program files\QuestBrwSearch\uninstall.exe
c:\windows\system32\spool\prtprocs\w32x86\xMY3c7sK.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_QUESTBROWSE_SERVICE
-------\Service_QuestBrowse Service
.
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-04-01 14:05 . 2011-04-01 14:05 -------- d-----w- C:\_OTL
2011-03-30 23:24 . 2011-03-30 23:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-28 19:38 . 2011-03-28 19:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-03-28 19:38 . 2011-03-28 19:38 -------- d-----w- c:\windows\system32\drivers\NSS
2011-03-28 19:38 . 2011-03-28 19:38 -------- d-----w- c:\program files\Norton Security Scan
2011-03-28 19:38 . 2011-03-28 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-03-28 19:38 . 2011-03-28 19:38 -------- d-----w- c:\program files\NortonInstaller
2011-03-28 16:37 . 2011-03-28 16:38 -------- d-----w- c:\windows\system32\Adobe
2011-03-20 15:46 . 2011-03-20 15:46 -------- d-----w- c:\windows\Favorites
2011-03-20 15:46 . 2011-03-20 15:46 -------- d-----w- c:\program files\ElefunMultimedia
2011-03-14 15:03 . 2011-03-14 15:03 -------- d-----w- c:\program files\Ubisoft
2011-03-03 14:40 . 2011-03-03 14:40 -------- d-----w- c:\program files\EA SPORTS
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-01 11:44 . 2008-04-14 12:00 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2011-02-16 18:02 . 2011-02-16 17:56 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-02-16 17:51 . 2011-02-16 17:46 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-02-16 17:51 . 2011-02-16 17:46 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-02-16 17:51 . 2011-02-16 17:46 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2010-12-13 20:45 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 14:07 . 2011-01-27 14:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-27 14:07 . 2011-01-27 14:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-27 11:57 . 2010-12-13 20:45 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-26 19:18 . 2011-01-26 19:18 34064 ----a-w- c:\windows\system32\lhacm.acm
2011-01-21 16:15 . 2011-01-21 16:15 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-21 16:15 . 2011-01-21 16:15 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-21 14:42 . 2008-04-14 12:00 439808 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-20 19:28 . 2011-01-20 19:28 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-01-07 14:09 . 2008-05-27 17:29 290048 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-01-08 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-08 01:29 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-01-08 01:29 3911776 ----a-w- c:\program files\uTorrentBar\tbuTo1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-01-08 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2011-01-08 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTo1.dll" [2011-01-08 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-12-13 395640]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-24 2424560]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-16 16248320]
"SkyTel"="SkyTel.EXE" [2006-08-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-08-16 53248]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-01-21 274608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"VX1000"="c:\windows\vVX1000.exe" [2010-05-20 762736]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2011\\fm.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57837:TCP"= 57837:TCP:Pando Media Booster
"57837:UDP"= 57837:UDP:Pando Media Booster
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [13/12/2010 22:11 691696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [03/12/2010 12:09 196912]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/01/2011 17:13 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [21/01/2010 18:51 30963576]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [02/08/2005 22:10 32512]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 11:50]
.
2011-04-01 c:\windows\Tasks\Game_Booster_Startup.job
- c:\program files\IObit\Game Booster\gbtray.exe [2011-01-22 16:20]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-21 16:13]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-21 16:13]
.
2011-03-31 c:\windows\Tasks\Norton Security Scan for Asif.job
- c:\program files\Norton Security Scan\Engine\3.0.0.103\Nss.exe [2011-03-28 07:25]
.
2011-04-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-299502267-725345543-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
.
2011-04-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-299502267-725345543-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
.
2011-04-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-12-13 22:18]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\Asif\Application Data\Mozilla\Firefox\Profiles\0iaia907.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: DAEMON Tools Toolbar: DTToolbar@toolbarnet.com - %profile%\extensions\DTToolbar@toolbarnet.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - %profile%\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}
FF - Ext: AutocompletePro - Your handy search suggestions tool: support@predictad.com - %profile%\extensions\support@predictad.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Ysayezanonulur - c:\windows\kbdgcas.dll
SafeBoot-klmdb.sys
AddRemove-AutocompletePro3_is1 - c:\program files\AutocompletePro\unins000.exe
AddRemove-OfferBox Browser - c:\program files\OfferBox\uninst.exe
AddRemove-QuestBrowse - c:\program files\QuestBrwSearch\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-01 15:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-299502267-725345543-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b4,07,f8,0b,23,4e,81,ae,c3,b3,9a,eb,63,43,10,94,79,0f,e6,0b,7e,15,c4,
30,7d,e1,9a,57,3a,e3,19,58,21,af,a0,36,a1,59,a8,75,bd,4f,77,5d,be,5c,2b,ff,\
"??"=hex:47,75,b0,5d,2c,6f,06,d1,ab,96,db,ae,46,7b,54,13
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3516)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\docume~1\Asif\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2011-04-01 15:58:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-01 14:58
.
Pre-Run: 5,804,335,104 bytes free
Post-Run: 5,694,275,584 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5BDB264ABA8CF61B80EA56B017B09EAF

#6 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 01 April 2011 - 10:14 AM

No problem!

Lets see where we stand after these scans:

Scanning with MalwareBytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.

Download Link 1

Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to this Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
Click on the Scan button.
When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
Make sure that everything is checked and then click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
Exit Malwarebytes' when done.

Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

NEXT:

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Check
Make sure that the option "Remove found threats" is Unchecked
When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
- Enable Anti-Stealth technology
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

NEXT:

Security Check
Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

#7 noxqs

New Member

Group: Members
Posts: 4
Joined: 23-December 10

Posted 02 April 2011 - 06:58 AM

Hey man, sorry for the late reply...that esetscan took forever!

I think my computers finally healed up, but heres the documents you asked for sir.

I know I keep saying this, but thanks alot for your help so far man.

MBAM log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6235

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

01/04/2011 16:26:12
mbam-log-2011-04-01 (16-26-12).txt

Scan type: Quick scan
Objects scanned: 144008
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{0D82ACD6-A652-4496-A298-2BDE705F4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7025E484-D4B0-441a-9F0B-69063BD679CE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8258B35C-05B8-4c0e-9525-9BCCC70F8F2D} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{A89256AD-EC17-4a83-BEF5-4B8BC4F39306} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{ACC62306-9A63-4864-BD2F-C8825D2D7EA6} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{21BA420E-161C-413A-B21E-4E42AE1F4226} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.HbAx (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.HbAx.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.IEButton (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.IEButton.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.IEButtonA (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.IEButtonA.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\BSRURUF55J (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\OUU6KC5WPX (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\QuestBrowse (Adware.QuestBrowse) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Asif\my documents\downloads\FLVTube.exe (Adware.FlvTube) -> Quarantined and deleted successfully.

ESETScan.txt

C:\Program Files\netcut\netcut.exe probably a variant of Win32/Agent.DYWPBNJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\QuestBrwSearch\questbrowse129.exe.vir a variant of Win32/Adware.OneStep.Y application
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\chrome\questbrowse.jar.vir Win32/Adware.OneStep application
C:\Qoobox\Quarantine\C\Program Files\QuestBrwSearch\questbrwsearch.dll.vir a variant of Win32/Adware.OneStep.W application
C:\Qoobox\Quarantine\C\Program Files\QuestBrwSearch\questbrwsearch.exe.vir a variant of Win32/Adware.OneStep.Y application
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\xMY3c7sK.dll.vir a variant of Win32/Olmarik.ARI trojan
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP2\A0008012.exe a variant of Win32/Adware.OneStep.X application
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP3\A0009001.dll a variant of Win32/Adware.OneStep.W application
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP3\A0009002.exe a variant of Win32/Adware.OneStep.X application
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP3\A0009024.exe probably a variant of Win32/Adware.180Solutions application
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP3\A0009025.dll a variant of Win32/Adware.HotBar.E application
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP3\A0009026.exe a variant of Win32/Adware.HotBar.E application
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP3\A0009027.dll Win32/Adware.Toolbar.Shopper.AC application
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP3\A0012001.dll a variant of Win32/Olmarik.ARI trojan
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP3\A0012002.dll a variant of Win32/Olmarik.ARI trojan
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP4\A0016059.exe a variant of Win32/Adware.OneStep.Y application
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP4\A0016068.dll a variant of Win32/Adware.OneStep.W application
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP4\A0016069.exe a variant of Win32/Adware.OneStep.Y application
C:\System Volume Information\_restore{29B978FD-A56B-4CA6-BB8E-9382A9AD9125}\RP4\A0016071.dll a variant of Win32/Olmarik.ARI trojan
C:\_OTL\MovedFiles\04012011_150533\C_DOCUMENTS AND SETTINGS\ASIF\LOCAL SETTINGS\Temp\Bxf.exe a variant of Win32/Kryptik.MBT trojan
C:\_OTL\MovedFiles\04012011_150533\C_Program Files\ShopperReports3\bin\3.0.517.0\CmndFF.dll a variant of Win32/Adware.Toolbar.Shopper.AC application
C:\_OTL\MovedFiles\04012011_150533\C_Program Files\ShopperReports3\bin\3.0.517.0\Pltfrm.dll a variant of Win32/Adware.Toolbar.Shopper.AC application
C:\_OTL\MovedFiles\04012011_150533\C_WINDOWS\agifecujof.dll a variant of Win32/Cimag.GQ trojan
C:\_OTL\MovedFiles\04012011_150533\C_WINDOWS\Bzyhaa.exe Win32/TrojanDownloader.FakeAlert.BGV trojan
C:\_OTL\MovedFiles\04012011_150533\C_WINDOWS\kbdgcas.dll a variant of Win32/Cimag.GM trojan
C:\_OTL\MovedFiles\04012011_150533\C_WINDOWS\system32\dhcpcsvcv.dll Win32/Adware.Virtumonde.NHD application
C:\_OTL\MovedFiles\04012011_150533\C_WINDOWS\system32\usrlogonb.dll a variant of Win32/Adware.Virtumonde.NHL application

checkup.txt

Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java™ 6 Update 22
Out of date Java installed!
Adobe Flash Player 10.2.152.26
Adobe Reader 9.4.0
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.16) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````

#8 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 02 April 2011 - 08:30 AM

No worries on the delay. I know that at times ESET can take a bit of time to run.

You're very welcome.

Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy

Go to Start > Control Panel > Add/Remove Programs
Remove ALL instances of Adobe Reader
Re-boot your computer as required.
Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader

Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.

NEXT:

Java Outdated
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Microsoft: ‘Unprecedented Wave of Java Exploitation’

Drive-by Trojan preying on out-of-date Java installations

Ghosts of Java Haunt Users

Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
Look for "Java Platform, Standard Edition".
Click the "Download JRE" button to the right.
Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
Select your Language: "Multi-language".
Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
Click Continue and the page will refresh.
Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
Close any programs you may have running - especially your web browser.

Go to

> Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.

Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
When the Java Setup - Welcome window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:

Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
Click Ok and reboot your computer.

NEXT

OTL Custom Scan

We need to run an OTL Custom Scan

Please reopen on your desktop.
Copy and Paste the following bolded text into the textbox.

netsvcs
drivers32
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
Push the button.
A report will open. Copy and Paste that report in your next reply.

NEXT:

What outstanding issues (if any) are you still experiencing with your computer?

#9 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 05 April 2011 - 05:22 PM

Are you still with me?

#10 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 06 April 2011 - 09:49 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.