Serious malware infection

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

Serious malware infection Stubborn remnants won't go away

#1 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 06 June 2011 - 01:17 PM

Hello there,

I hope there is a malware expert that can help me. I had a serious malware infection last week, I was getting vista security and galileo anti-virus pop ups everytime I started my computer. Very annoying. Also the browser would be hijacked/redirected all the time. I managed to remove these by running rkill, vista exe reg fix, then MBAM, Spybot and AVG. AVG also found a large infestation of the Zbot trojan and removed it. Unfortunately, although I can open applications and browse the net without pop ups, now I am left with remnants that I am unable to remove. The symptoms are as follows.

1. Error message that appears every time Windows loads (screenshot below).
2. Browser occasionally re-directing to other sites when I click on links.
3. AVG warning me about a trojan in the C:\Windows\Temp folder. Clicking remove/quarantine makes no difference as this re-appears every time I log on.
4. Internet Explorer / Firefox starting by itself. Every 5 - 10 minutes it seems. If the computer is left alone there will eventually be lots of tabs in the browser. All of them going to my default homepage of google.co.uk
5. Blue screen of death when loading Windows, maybe 1 in 3 times this happens. Did not occur before the infection.

I have run the DDS and GMER logs and will attach below along with the screenshot of the error (mentioned in symptom #1).

I am determined to fight this and win, I really don't want to resort to formatting. I look forward to your response!

SJ

Attached File(s)

gmer.log (3.09K)
Number of downloads: 1
Attach.txt (22.07K)
Number of downloads: 1
error.jpg (14.89K)
Number of downloads: 3

#2 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 13 June 2011 - 02:01 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
Because of this, you must reply within three days failure to reply will result in the topic being closed!
Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.

Link 1 (.exe file)

Link 2 (zipped file)

Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

Double-click on RKUnhookerLE.exe to start the program.
Vista/Windows 7 users right-click and select Run As Administrator.
Click the Report tab, then click Scan.
Check Drivers, Stealth Code, and uncheck the rest.
Click OK.
Wait until it's finished and then go to File > Save Report.
Save the report to your Desktop.
Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

NEXT:

Running OTL

We need to create a FULL OTL Report

Please download OTL from here:
- Main Mirror
- Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Change the "Extra Registry" option to "SafeList"
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extras.txt <-- Will be minimized

NEXT:

Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here

The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#3 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 15 June 2011 - 02:25 PM

Hi!

It's been several days since I last posted instructions for you to complete. Do you still require assistance in getting your computer cleaned up?

Please Note: Unless notified in advance, threads with no response in 3 days get closed.

Thanks,
SweetTech.

#4 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 15 June 2011 - 03:31 PM

Hi,

Here are the logs as requested. Thank you.

RKUnhooker

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0x8CE0A000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 11001856 bytes (NVIDIA Corporation, NVIDIA Windows Kernel Mode Driver, Version 258.96 )
0x81A37000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
0x81A37000 PnpManager 3907584 bytes
0x81A37000 RAW 3907584 bytes
0x81A37000 WMIxWDM 3907584 bytes
0x94E30000 Win32k 2113536 bytes
0x94E30000 C:\Windows\System32\win32k.sys 2113536 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8DC0C000 C:\Windows\system32\drivers\cmudaxp.sys 2101248 bytes (C-Media Inc, C-Media Audio WDM Driver)
0x87C06000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x82603000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x87A0D000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x804DB000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0x9B4F5000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x97C3E000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x8249B000 C:\Windows\system32\drivers\pctEFA.sys 675840 bytes (PC Tools, PC Tools Extended File Attributes)
0x8D88A000 C:\Windows\System32\drivers\dxgkrnl.sys 655360 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8D936000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x87B68000 C:\Windows\system32\DRIVERS\rdpdr.sys 561152 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0x80608000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x82540000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x80411000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x97D1B000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8E33E000 C:\Windows\system32\drivers\csc.sys 372736 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x82444000 C:\Windows\system32\drivers\pctDS.sys 356352 bytes (PC Tools, PC Tools Data Store)
0x9B49F000 C:\Windows\System32\DRIVERS\srv.sys 323584 bytes (Microsoft Corporation, Server driver)
0x8075F000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8E251000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806C3000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x8049A000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8DF40000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x825B1000 C:\Windows\system32\drivers\HdAudio.sys 258048 bytes (Microsoft Corporation, High Definition Audio Function Driver)
0x87B2A000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x82407000 C:\Windows\system32\drivers\PCTCore.sys 249856 bytes (PC Tools, PC Tools KDS Core Driver)
0x8E3B0000 C:\Windows\system32\DRIVERS\avgldx86.sys 245760 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0x8E2F8000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x82739000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0x9B426000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x87D16000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x82784000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x81A04000 ACPI_HAL 208896 bytes
0x81A04000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x80691000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8E21F000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8DF11000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x8DE0D000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8270E000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8DE5F000 C:\Windows\system32\drivers\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x9B477000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x87D66000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x8071A000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8DE3A000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x8DFAE000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x8E2D0000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x87D9E000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x97DD3000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x827DD000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x9B407000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x807D6000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x97D88000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x87AF7000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x97C1B000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x8DE94000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Microsoft Corporation, Serial Device Driver)
0x97DA5000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8DEF9000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x9B45F000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8DEB8000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0x8E399000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8DF8C000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x9B5E8000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x8E299000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x805E2000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0x97DBE000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8D9DD000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8DFE0000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8E20B000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8DED0000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x97CFE000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8E2BD000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x87D8D000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x827B9000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x80481000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x805BB000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x97CEE000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x807BE000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x82774000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x87B1B000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x97C0C000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x87D57000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x80741000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8DFD1000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8D9CE000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x80750000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x95070000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8E2AF000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x805CB000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x807B0000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x87DD3000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8D9F2000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x80684000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x87BF1000 C:\Windows\system32\DRIVERS\avgmfx86.sys 49152 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0x9B5D3000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x827D1000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8D92A000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
0x8E200000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x8DE89000 C:\Windows\system32\DRIVERS\fdc.sys 45056 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0x8DEEE000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8DEE3000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x807F4000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8DFA3000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8DF81000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x87DF3000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8D9C3000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x87DE8000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8DC00000 C:\Windows\system32\DRIVERS\flpydisk.sys 40960 bytes (Microsoft Corporation, Floppy Driver)
0x8DFF6000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8E334000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x8DEAE000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0x97D11000 C:\Windows\system32\DRIVERS\steth.sys 40960 bytes (THOMSON Telecom Belgium, SpeedTouch Ethernet Adapter)
0x9B5DF000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0x97C00000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x87DBF000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8CE00000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x805D9000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x95050000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x87B12000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x80709000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x807CE000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x80492000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x87DE0000 C:\Windows\System32\Drivers\dump_atapi.sys 32768 bytes
0x80712000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x825F0000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x825F8000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x87D4F000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8E3EC000 C:\Windows\system32\drivers\st330.sys 32768 bytes (THOMSON Telecom Belgium, SpeedTouch 330 usb-driver)
0x87DC8000 C:\Windows\system32\DRIVERS\avgrkx86.sys 28672 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
0x827CA000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x807A9000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x8040A000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x87A00000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x9B4EE000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0x8E2F2000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0x87DCF000 C:\Windows\system32\DRIVERS\AVGIDSEH.Sys 16384 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
0x8E3F4000 C:\Windows\system32\drivers\lpwdm.sys 16384 bytes (THOMSON Telecom Belgium, SpeedTouch WDM Library)
0x8E3F8000 C:\Windows\system32\drivers\stbus.sys 16384 bytes (THOMSON Telecom Belgium, SpeedTouch vbus driver)
0x8D888000 C:\Windows\system32\DRIVERS\nvBridge.kmd 8192 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 258.96 )
0x8DFF4000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
==============================================
>Stealth
==============================================

OTL

OTL logfile created on: 15/06/2011 21:34:37 - Run 1
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Users\William\Desktop
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 0.95 Gb Available Physical Memory | 47.75% Memory free
4.23 Gb Paging File | 3.06 Gb Available in Paging File | 72.50% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 41.40 Gb Free Space | 55.55% Space Free | Partition Type: NTFS
Drive D: | 149.04 Gb Total Space | 122.24 Gb Free Space | 82.02% Space Free | Partition Type: NTFS

Computer Name: HOMEPC | User Name: William | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/15 21:33:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\William\Desktop\OTL.exe
PRC - [2011/05/23 16:00:06 | 002,424,192 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2011/05/08 21:22:22 | 000,581,632 | ---- | M] (THOMSON Telecom Belgium) -- C:\Program Files\Thomson\ST330\service\st330service.exe
PRC - [2011/05/08 21:22:22 | 000,557,149 | ---- | M] (THOMSON Telecom Belgium) -- C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe
PRC - [2011/04/18 17:40:08 | 002,334,560 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2011/04/14 17:25:41 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/03/28 03:00:52 | 000,351,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
PRC - [2011/03/16 16:05:14 | 000,656,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2011/02/08 05:33:20 | 000,658,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2010/05/14 11:44:46 | 000,501,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2009/04/10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

========== Modules (SafeList) ==========

MOD - [2011/06/15 21:33:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\William\Desktop\OTL.exe
MOD - [2010/08/31 16:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (A3AE3628)
SRV - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Disabled | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/05/08 21:22:22 | 000,581,632 | ---- | M] (THOMSON Telecom Belgium) [Auto | Running] -- C:\Program Files\Thomson\ST330\service\st330service.exe -- (st330service)
SRV - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/11/19 06:57:14 | 001,150,936 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/15 14:02:36 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\pctsAuxs.exe -- (sdAuxService)

========== Driver Services (SafeList) ==========

DRV - [2011/05/25 02:00:36 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Disabled | Stopped] -- C:\Windows\System32\drivers\Lbd.sys -- (Lbd)
DRV - [2011/05/08 21:22:22 | 000,040,320 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\steth.sys -- (STETH)
DRV - [2011/05/08 21:22:22 | 000,030,464 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\st330.sys -- (ST330)
DRV - [2011/05/08 21:22:22 | 000,012,672 | ---- | M] (THOMSON Telecom Belgium) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stbus.sys -- (STBUS)
DRV - [2011/03/16 16:03:20 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/03/01 14:25:18 | 000,034,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/02/22 08:12:38 | 000,022,992 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/01/07 06:41:46 | 000,248,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/11/25 10:43:00 | 000,239,168 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/10/28 16:25:20 | 001,505,280 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cmudaxp.sys -- (cmudaxp)
DRV - [2010/07/16 14:59:54 | 000,656,320 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\Windows\system32\drivers\pctEFA.sys -- (pctEFA)
DRV - [2010/07/16 14:59:54 | 000,338,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\pctDS.sys -- (pctDS)
DRV - [2010/07/10 05:37:00 | 011,008,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/05/10 19:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 19:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2006/11/02 08:30:56 | 000,044,544 | ---- | M] (Realtek Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 96 43 50 03 A2 23 CC 01 [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 96 43 50 03 A2 23 CC 01 [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-870028525-2106275989-2371673209-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-870028525-2106275989-2371673209-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-870028525-2106275989-2371673209-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-870028525-2106275989-2371673209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\software\mozilla\Firefox\Extensions\\{D57F5CCA-87EA-40AF-9730-833BD2427387}: C:\Users\William\AppData\Local\{D57F5CCA-87EA-40AF-9730-833BD2427387} [2011/06/02 14:26:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/06 12:34:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/05/08 22:26:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\William\AppData\Roaming\Mozilla\Extensions
[2011/06/07 12:48:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\William\AppData\Roaming\Mozilla\Firefox\Profiles\qm5yqr5q.default\extensions
[2011/06/06 12:34:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/05 00:09:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- C:\USERS\WILLIAM\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\QM5YQR5Q.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2011/05/14 10:34:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/04/14 17:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/01/01 09:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/06/02 19:31:50 | 000,434,050 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 14964 more lines...
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [diagnostics] C:\Program Files\Thomson\ST330\diagnostics\diagnostics.exe (THOMSON Telecom Belgium)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-870028525-2106275989-2371673209-1000..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-870028525-2106275989-2371673209-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-870028525-2106275989-2371673209-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-21-870028525-2106275989-2371673209-1001\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-870028525-2106275989-2371673209-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Filter\AutorunsDisabled - No CLSID value found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\William\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\William\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\uyp.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\uyp.exe" -a "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/15 21:33:29 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\William\Desktop\OTL.exe
[2011/06/12 23:35:06 | 000,000,000 | ---D | C] -- C:\Users\William\Documents\Updater
[2011/06/12 23:24:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe Systems
[2011/06/12 23:21:39 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Adobe PDF
[2011/06/12 23:21:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe Systems Shared
[2011/06/12 23:21:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe
[2011/06/12 22:55:47 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2011/06/12 22:54:55 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\uTorrent
[2011/06/12 22:15:45 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FTP Surfer
[2011/06/12 22:15:44 | 000,000,000 | ---D | C] -- C:\Program Files\Whisper Technology
[2011/06/12 15:06:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Macromedia
[2011/06/12 15:06:22 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macromedia
[2011/06/12 15:05:12 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2011/06/12 15:05:12 | 000,000,000 | ---D | C] -- C:\Program Files\Macromedia
[2011/06/12 15:04:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2011/06/07 14:12:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
[2011/06/07 14:11:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Synchronization Services
[2011/06/07 14:10:47 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2011/06/07 14:07:02 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2011/06/07 14:06:39 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2011/06/07 13:05:36 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2011/06/06 15:33:21 | 000,000,000 | ---D | C] -- C:\Windows\Temp
[2011/06/06 15:19:13 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\TrojanHunter
[2011/06/06 13:40:43 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/06 12:33:58 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
[2011/06/06 12:33:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
[2011/06/06 12:09:54 | 000,000,000 | -H-D | C] -- C:\$AVG
[2011/06/06 12:08:15 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/06/06 12:08:15 | 000,000,000 | ---D | C] -- C:\Program Files\HijackThis
[2011/06/06 12:07:37 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\AVG10
[2011/06/06 12:07:07 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2011/06/06 12:06:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG 2011
[2011/06/06 12:03:18 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\AVG
[2011/06/06 12:03:17 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
[2011/06/06 12:02:05 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/06/06 11:55:37 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2011/06/04 23:24:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2011/06/03 18:35:17 | 000,000,000 | ---D | C] -- C:\Users\William\Desktop\Anti-Malware
[2011/06/03 17:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2011/06/03 17:53:44 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/06/03 17:50:46 | 000,000,000 | -H-D | C] -- C:\Windows\PIF
[2011/06/03 17:39:16 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2011/06/03 17:32:18 | 000,064,512 | ---- | C] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2011/06/03 17:32:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2011/06/03 17:32:12 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2011/06/03 17:31:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
[2011/06/03 17:31:17 | 000,118,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSSTDFMT.DLL
[2011/06/03 17:31:17 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2011/06/03 02:19:41 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\WinRAR
[2011/06/02 23:37:15 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\SUPERAntiSpyware.com
[2011/06/02 23:37:15 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2011/06/02 22:18:17 | 000,656,320 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctEFA.sys
[2011/06/02 22:18:17 | 000,338,880 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctDS.sys
[2011/06/02 22:18:10 | 000,249,616 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2011/06/02 22:18:10 | 000,102,184 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2011/06/02 22:17:57 | 000,239,168 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2011/06/02 22:17:57 | 000,160,448 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2011/06/02 22:17:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
[2011/06/02 22:17:18 | 000,070,536 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2011/06/02 22:16:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2011/06/02 22:16:36 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2011/06/02 22:16:36 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\PC Tools
[2011/06/02 21:55:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2011/06/02 21:54:01 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Local\Immunet
[2011/06/02 21:54:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Immunet
[2011/06/02 21:53:52 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2011/06/02 21:53:20 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2011/06/02 21:48:44 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2011/06/02 21:47:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2011/06/02 19:52:16 | 000,000,000 | ---D | C] -- C:\Windows Vista Recovery
[2011/06/02 19:46:04 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2011/06/02 18:58:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/06/02 18:58:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/06/02 18:58:51 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/06/02 18:35:47 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2011/06/02 18:32:56 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2011/06/02 18:30:12 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2011/06/02 17:34:58 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\GalileoCleaner
[2011/06/02 17:30:07 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\Malwarebytes
[2011/06/02 17:30:02 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/06/02 17:30:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/02 17:30:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/06/02 17:29:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/02 14:27:38 | 000,000,000 | ---D | C] -- C:\Windows\System32\2093
[2011/06/02 14:26:18 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Local\{D57F5CCA-87EA-40AF-9730-833BD2427387}
[2011/06/02 14:25:48 | 000,000,000 | ---D | C] -- C:\ProgramData\oJ28277EjDkC28277
[2011/06/02 14:21:30 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\Ofiq
[2011/06/02 14:21:30 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\Laaf
[2011/06/01 17:59:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/01 17:59:19 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/01 17:59:19 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/01 17:59:19 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/06/01 17:59:06 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/05/23 16:11:37 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\Yhvaga

========== Files - Modified Within 30 Days ==========

[2011/06/15 21:33:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\William\Desktop\OTL.exe
[2011/06/15 21:25:04 | 000,139,264 | ---- | M] () -- C:\Users\William\Desktop\RKUnhookerLE.EXE
[2011/06/15 20:51:27 | 000,003,648 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/15 20:51:27 | 000,003,648 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/15 18:58:44 | 000,000,396 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{5FDA335F-8ABF-4218-B870-523004112855}.job
[2011/06/15 18:55:49 | 000,608,760 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/15 18:55:49 | 000,108,268 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/15 18:55:03 | 118,623,125 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/06/15 18:51:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/15 18:51:04 | 135,245,190 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/06/13 10:27:09 | 000,373,336 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/06/12 23:21:45 | 000,001,170 | ---- | M] () -- C:\Users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
[2011/06/12 19:30:25 | 000,254,513 | ---- | M] () -- C:\Users\William\Desktop\Conv-Kit-Inst
[2011/06/12 14:57:55 | 000,000,938 | ---- | M] () -- C:\Users\William\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/06/12 14:35:51 | 000,000,069 | ---- | M] () -- C:\Users\William\Desktop\Counselling Directory for UK & Ireland - over 6,000 therapists.URL
[2011/06/06 15:16:18 | 000,059,392 | R--- | M] () -- C:\Windows\System32\streamhlp.dll
[2011/06/06 15:13:59 | 000,017,480 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2011/06/06 14:43:37 | 000,056,181 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2011/06/06 14:43:36 | 000,056,181 | ---- | M] () -- C:\ProgramData\nvModes.001
[2011/06/06 14:42:08 | 000,000,384 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2011/06/06 12:34:24 | 000,000,870 | ---- | M] () -- C:\Users\William\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/03 20:13:36 | 000,083,969 | ---- | M] () -- C:\Users\William\Desktop\viewTaxReturnHtml.htm
[2011/06/03 20:13:34 | 000,011,464 | ---- | M] () -- C:\Users\William\Desktop\submitting.htm
[2011/06/03 20:13:31 | 000,010,981 | ---- | M] () -- C:\Users\William\Desktop\strategy_action_plan.php.htm
[2011/06/03 20:13:01 | 000,008,797 | ---- | M] () -- C:\Users\William\Desktop\default.aspx.htm
[2011/06/03 17:42:43 | 000,002,268 | ---- | M] () -- C:\Windows\System32\.crusader
[2011/06/03 17:39:16 | 000,098,392 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2011/06/03 17:39:15 | 000,016,432 | ---- | M] () -- C:\Windows\System32\lsdelete.exe
[2011/06/03 17:32:19 | 001,660,132 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2011/06/02 21:56:32 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2011/06/02 20:53:46 | 000,025,386 | -HS- | M] () -- C:\Users\William\AppData\Local\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx
[2011/06/02 20:53:46 | 000,025,386 | -HS- | M] () -- C:\ProgramData\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx
[2011/06/02 19:52:17 | 000,000,160 | ---- | M] () -- C:\ProgramData\~38788856r
[2011/06/02 19:52:17 | 000,000,136 | ---- | M] () -- C:\ProgramData\~38788856
[2011/06/02 19:52:11 | 000,000,336 | ---- | M] () -- C:\ProgramData\38788856
[2011/06/02 19:31:50 | 000,434,050 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/06/02 18:48:30 | 000,023,552 | ---- | M] () -- C:\Users\William\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/02 17:47:14 | 000,000,943 | ---- | M] () -- C:\Users\William\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/06/02 17:22:27 | 000,000,789 | ---- | M] () -- C:\Program Files\Common Files\systemcleaner Uninstall.lnk
[2011/06/02 17:13:33 | 000,010,222 | -HS- | M] () -- C:\Users\William\AppData\Local\6r1043817wg41hmvm1euryts4pr04508b0271rx
[2011/06/02 17:13:33 | 000,010,222 | -HS- | M] () -- C:\ProgramData\6r1043817wg41hmvm1euryts4pr04508b0271rx
[2011/06/02 14:28:00 | 000,000,462 | ---- | M] () -- C:\Windows\tasks\At2.job
[2011/06/02 14:26:19 | 000,000,120 | ---- | M] () -- C:\Users\William\AppData\Local\Ulipi.dat
[2011/06/02 14:26:19 | 000,000,000 | ---- | M] () -- C:\Users\William\AppData\Local\Yfirusa.bin
[2011/06/01 17:59:09 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/06/01 17:59:09 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/01 17:59:09 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/01 17:59:09 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/05/25 02:00:36 | 000,064,512 | ---- | M] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys

========== Files Created - No Company Name ==========

[2011/06/15 21:24:58 | 000,139,264 | ---- | C] () -- C:\Users\William\Desktop\RKUnhookerLE.EXE
[2011/06/15 18:55:03 | 118,623,125 | ---- | C] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/06/12 23:22:32 | 000,001,890 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Help Center.lnk
[2011/06/12 23:21:45 | 000,001,170 | ---- | C] () -- C:\Users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
[2011/06/12 23:21:19 | 000,001,872 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge.lnk
[2011/06/12 23:20:49 | 000,001,919 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ImageReady CS2.lnk
[2011/06/12 23:20:48 | 000,001,922 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS2.lnk
[2011/06/12 19:30:20 | 000,254,513 | ---- | C] () -- C:\Users\William\Desktop\Conv-Kit-Inst
[2011/06/12 14:57:55 | 000,000,938 | ---- | C] () -- C:\Users\William\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/06/12 14:35:51 | 000,000,069 | ---- | C] () -- C:\Users\William\Desktop\Counselling Directory for UK & Ireland - over 6,000 therapists.URL
[2011/06/07 19:43:10 | 135,245,190 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/06/06 18:50:20 | 000,000,396 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{5FDA335F-8ABF-4218-B870-523004112855}.job
[2011/06/06 15:16:08 | 000,059,392 | R--- | C] () -- C:\Windows\System32\streamhlp.dll
[2011/06/04 23:30:11 | 000,000,384 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2011/06/04 23:00:26 | 000,001,950 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Photo Gallery.lnk
[2011/06/04 23:00:26 | 000,001,852 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Collaboration.lnk
[2011/06/04 23:00:26 | 000,001,768 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Movie Maker.lnk
[2011/06/04 23:00:26 | 000,001,743 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
[2011/06/04 23:00:25 | 000,001,770 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Calendar.lnk
[2011/06/04 23:00:25 | 000,001,757 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Defender.lnk
[2011/06/04 23:00:25 | 000,001,703 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Contacts.lnk
[2011/06/04 23:00:25 | 000,001,589 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
[2011/06/04 23:00:25 | 000,000,604 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live.lnk
[2011/06/03 20:13:40 | 000,016,432 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2011/06/03 17:42:43 | 000,002,268 | ---- | C] () -- C:\Windows\System32\.crusader
[2011/06/03 16:46:55 | 000,000,949 | ---- | C] () -- C:\Users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2011/06/03 16:46:55 | 000,000,944 | ---- | C] () -- C:\Users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2011/06/03 01:47:03 | 000,000,858 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/06/02 21:48:46 | 000,017,480 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2011/06/02 20:45:53 | 000,025,386 | -HS- | C] () -- C:\Users\William\AppData\Local\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx
[2011/06/02 19:54:10 | 000,025,386 | -HS- | C] () -- C:\ProgramData\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx
[2011/06/02 19:52:17 | 000,000,160 | ---- | C] () -- C:\ProgramData\~38788856r
[2011/06/02 19:52:17 | 000,000,136 | ---- | C] () -- C:\ProgramData\~38788856
[2011/06/02 19:52:11 | 000,000,336 | ---- | C] () -- C:\ProgramData\38788856
[2011/06/02 18:39:24 | 000,023,552 | ---- | C] () -- C:\Users\William\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/02 18:36:25 | 001,660,132 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
[2011/06/02 17:22:27 | 000,000,789 | ---- | C] () -- C:\Program Files\Common Files\systemcleaner Uninstall.lnk
[2011/06/02 14:31:42 | 000,010,222 | -HS- | C] () -- C:\Users\William\AppData\Local\6r1043817wg41hmvm1euryts4pr04508b0271rx
[2011/06/02 14:31:42 | 000,010,222 | -HS- | C] () -- C:\ProgramData\6r1043817wg41hmvm1euryts4pr04508b0271rx
[2011/06/02 14:27:39 | 000,000,462 | ---- | C] () -- C:\Windows\tasks\At2.job
[2011/06/02 14:26:19 | 000,000,120 | ---- | C] () -- C:\Users\William\AppData\Local\Ulipi.dat
[2011/06/02 14:26:19 | 000,000,000 | ---- | C] () -- C:\Users\William\AppData\Local\Yfirusa.bin
[2011/05/14 10:53:53 | 000,056,181 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2011/05/14 10:53:53 | 000,056,181 | ---- | C] () -- C:\ProgramData\nvModes.001
[2011/05/09 01:02:05 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/05/09 01:01:59 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/05/09 01:01:34 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/05/09 01:01:34 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/05/09 00:07:46 | 000,765,952 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2011/05/09 00:07:46 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2011/05/09 00:07:45 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2011/05/09 00:07:45 | 000,010,752 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2011/05/08 22:07:22 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/05/08 21:51:20 | 000,000,048 | ---- | C] () -- C:\Windows\System32\cmasiop.ini
[2011/05/08 21:51:17 | 000,561,152 | ---- | C] () -- C:\Windows\System32\Cmeauoxy.exe
[2011/05/08 21:51:17 | 000,042,258 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.cfl
[2011/05/08 21:51:04 | 000,000,934 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.imi
[2011/05/08 21:51:02 | 000,303,104 | ---- | C] () -- C:\Windows\System32\CmiInstallResAll.dll
[2011/05/08 21:51:02 | 000,004,969 | ---- | C] () -- C:\Windows\Cmicnfgp.ini.cfg
[2011/05/08 21:51:02 | 000,000,516 | ---- | C] () -- C:\Windows\cmudaxp.ini
[2011/05/08 21:38:48 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
[2011/05/08 20:29:25 | 000,001,356 | ---- | C] () -- C:\Users\William\AppData\Local\d3d9caps.dat
[2006/11/02 13:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 13:47:43 | 000,373,336 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 11:33:01 | 000,608,760 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 11:33:01 | 000,108,268 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\ProgramData\TEMP:5C321E34
@Alternate Data Stream - 171 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:0B4227B4

< End of report >

Extras

OTL Extras logfile created on: 15/06/2011 21:34:37 - Run 1
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Users\William\Desktop
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 0.95 Gb Available Physical Memory | 47.75% Memory free
4.23 Gb Paging File | 3.06 Gb Available in Paging File | 72.50% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 41.40 Gb Free Space | 55.55% Space Free | Partition Type: NTFS
Drive D: | 149.04 Gb Total Space | 122.24 Gb Free Space | 82.02% Space Free | Partition Type: NTFS

Computer Name: HOMEPC | User Name: William | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe (Macromedia, Inc.)

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\uyp.exe" -a "%1" %*

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\uyp.exe" -a "%1" %*

[HKEY_USERS\S-1-5-21-870028525-2106275989-2371673209-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
jsfile [open] -- "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-870028525-2106275989-2371673209-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-870028525-2106275989-2371673209-1001]
"EnableNotifications" = 0
"EnableNotificationsRef" = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{371ECAE0-49FC-4B3D-AE76-DBF4B4937ECC}" = protocol=6 | dir=in | app=c:\users\christine\appdata\local\temp\stinstall.exe |
"{3923680A-7FF7-42E5-B31F-E2D0AA7AB0B8}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{5CDC53F1-4BBF-4DE8-8CFE-2F912B3F70BE}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{71419388-877A-48F9-B9EE-62BD920B1AD8}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{7925FADE-7CBE-49CF-819C-35258042049C}" = protocol=17 | dir=in | app=c:\users\christine\appdata\local\temp\stinstall.exe |
"{9D06B02D-042D-49E7-935C-30036A7F4104}" = protocol=17 | dir=in | app=c:\program files\thomson\st330\service\st330service.exe |
"{A11FEF6B-C14B-4AF8-8B74-5FED7CDDD612}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{BD4596FB-CEE2-4CDC-A055-464448F3C5B6}" = protocol=6 | dir=in | app=c:\program files\thomson\st330\service\st330service.exe |
"TCP Query User{92594A71-B355-4B52-8EEE-5F51A53BC2F4}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe |
"TCP Query User{CE22F0AD-E718-4CF8-9F0E-215F6F7713B6}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{0BD5E259-14B6-4C36-9ED8-986718ADD630}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe |
"UDP Query User{7F3E2F9D-2012-44AF-B49D-C6A2405B6C7C}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{23DA4222-E517-42B3-8F97-9CFD49E2A732}" = AVG 2011
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 22
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{91D2C605-AD2B-44C8-A0A1-9B116B3C91CB}" = AVG 2011
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D7EC8A27-CDA2-46AE-8A26-4104A04FA5BE}" = 32 Bit HP CIO Components Installer
"{D88C3E7C-1DA6-4AD7-97FC-75BC8705B266}" = runtime
"{E518C80C-C549-40E1-844C-669ED64195D3}" = FTP Surfer
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"AVG" = AVG 2011
"C-Media Oxygen HD Audio Driver" = ASUS Xonar DS Audio Driver
"ESET Online Scanner" = ESET Online Scanner v3
"Google Updater" = Google Updater
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 2.01
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
"Revo Uninstaller" = Revo Uninstaller 1.92
"Spyware Doctor" = Spyware Doctor with AntiVirus 8.0
"SpywareBlaster_is1" = SpywareBlaster 4.4
"uTorrent" = µTorrent
"WinRAR archiver" = WinRAR 4.01 (32-bit)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/06/2011 20:33:51 | Computer Name = HomePC | Source = RasClient | ID = 20227
Description =

Error - 14/06/2011 10:59:49 | Computer Name = HomePC | Source = Windows Search Service | ID = 3024
Description =

Error - 14/06/2011 11:10:24 | Computer Name = HomePC | Source = Windows Search Service | ID = 3024
Description =

Error - 14/06/2011 11:11:40 | Computer Name = HomePC | Source = Windows Search Service | ID = 3024
Description =

Error - 14/06/2011 11:11:50 | Computer Name = HomePC | Source = RasClient | ID = 20227
Description =

Error - 14/06/2011 12:42:46 | Computer Name = HomePC | Source = RasClient | ID = 20227
Description =

Error - 14/06/2011 12:43:36 | Computer Name = HomePC | Source = RasClient | ID = 20227
Description =

Error - 14/06/2011 12:44:27 | Computer Name = HomePC | Source = RasClient | ID = 20227
Description =

Error - 14/06/2011 12:45:17 | Computer Name = HomePC | Source = RasClient | ID = 20227
Description =

Error - 15/06/2011 03:21:48 | Computer Name = HomePC | Source = Windows Search Service | ID = 3024
Description =

[ System Events ]
Error - 02/06/2011 17:57:30 | Computer Name = HomePC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 02/06/2011 17:57:30 | Computer Name = HomePC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 02/06/2011 17:57:30 | Computer Name = HomePC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 02/06/2011 17:57:30 | Computer Name = HomePC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 02/06/2011 17:57:30 | Computer Name = HomePC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 02/06/2011 17:57:30 | Computer Name = HomePC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 02/06/2011 17:57:30 | Computer Name = HomePC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 02/06/2011 17:57:30 | Computer Name = HomePC | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume D:.

Error - 02/06/2011 17:58:00 | Computer Name = HomePC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 02/06/2011 17:58:00 | Computer Name = HomePC | Source = disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

< End of report >

This post has been edited by stevejones: 15 June 2011 - 03:43 PM

#5 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 15 June 2011 - 03:50 PM

Please note I've also used SpywareBlaster to add exceptions to the host list for restricted sites. SpywareBlaster does this automatically, I did not change any of the settings. I forgot to mention this in the first post.

#6 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 15 June 2011 - 04:13 PM

Hi!

Quote

Okay. Thanks for letting me know.

Lets see what we have here:

OTL Fix

We need to run an OTL Fix

Please reopen on your desktop.

Copy and Paste the following code into the Posted Image

textbox.

:Services
:OTL
SRV - File not found [On_Demand | Stopped] -- -- (A3AE3628)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Filter\AutorunsDisabled - No CLSID value found
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\uyp.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\uyp.exe" -a "%1" %*
[2011/06/02 14:27:38 | 000,000,000 | ---D | C] -- C:\Windows\System32\2093
[2011/06/02 14:26:18 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Local\{D57F5CCA-87EA-40AF-9730-833BD2427387}
[2011/06/02 14:25:48 | 000,000,000 | ---D | C] -- C:\ProgramData\oJ28277EjDkC28277
[2011/06/02 14:21:30 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\Ofiq
[2011/06/02 14:21:30 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\Laaf
[2011/05/23 16:11:37 | 000,000,000 | ---D | C] -- C:\Users\William\AppData\Roaming\Yhvaga
[2011/06/02 20:53:46 | 000,025,386 | -HS- | M] () -- C:\Users\William\AppData\Local\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx
[2011/06/02 20:53:46 | 000,025,386 | -HS- | M] () -- C:\ProgramData\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx
[2011/06/02 19:52:17 | 000,000,160 | ---- | M] () -- C:\ProgramData\~38788856r
[2011/06/02 19:52:17 | 000,000,136 | ---- | M] () -- C:\ProgramData\~38788856
[2011/06/02 19:52:11 | 000,000,336 | ---- | M] () -- C:\ProgramData\38788856
[2011/06/02 17:13:33 | 000,010,222 | -HS- | M] () -- C:\Users\William\AppData\Local\6r1043817wg41hmvm1euryts4pr04508b0271rx
[2011/06/02 17:13:33 | 000,010,222 | -HS- | M] () -- C:\ProgramData\6r1043817wg41hmvm1euryts4pr04508b0271rx
[2011/06/02 14:28:00 | 000,000,462 | ---- | M] () -- C:\Windows\tasks\At2.job
[2011/06/02 14:26:19 | 000,000,120 | ---- | M] () -- C:\Users\William\AppData\Local\Ulipi.dat
[2011/06/02 14:26:19 | 000,000,000 | ---- | M] () -- C:\Users\William\AppData\Local\Yfirusa.bin
[2011/06/02 20:45:53 | 000,025,386 | -HS- | C] () -- C:\Users\William\AppData\Local\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx
[2011/06/02 19:54:10 | 000,025,386 | -HS- | C] () -- C:\ProgramData\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx
[2011/06/02 19:52:17 | 000,000,160 | ---- | C] () -- C:\ProgramData\~38788856r
[2011/06/02 19:52:17 | 000,000,136 | ---- | C] () -- C:\ProgramData\~38788856
[2011/06/02 19:52:11 | 000,000,336 | ---- | C] () -- C:\ProgramData\38788856
[2011/06/02 14:31:42 | 000,010,222 | -HS- | C] () -- C:\Users\William\AppData\Local\6r1043817wg41hmvm1euryts4pr04508b0271rx
[2011/06/02 14:31:42 | 000,010,222 | -HS- | C] () -- C:\ProgramData\6r1043817wg41hmvm1euryts4pr04508b0271rx
[2011/06/02 14:27:39 | 000,000,462 | ---- | C] () -- C:\Windows\tasks\At2.job
[2011/06/02 14:26:19 | 000,000,120 | ---- | C] () -- C:\Users\William\AppData\Local\Ulipi.dat
[2011/06/02 14:26:19 | 000,000,000 | ---- | C] () -- C:\Users\William\AppData\Local\Yfirusa.bin
@Alternate Data Stream - 95 bytes -> C:\ProgramData\TEMP:5C321E34
@Alternate Data Stream - 171 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:0B4227B4

:Reg

:Files
C:\Windows\tasks\At*.job
C:\ProgramData\oJ28277EjDkC28277
ipconfig /flushdns /c
:Commands
[purity]
[CreateRestorePoint]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply.
If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:

Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

Please post the C:\ComboFix.txt for further review.

#7 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 16 June 2011 - 10:05 AM

Hi ST,

Here are the logs as requested. Thank you.

OTL Fix

========== SERVICES/DRIVERS ==========
========== OTL ==========
Service A3AE3628 stopped successfully!
Service A3AE3628 deleted successfully!
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\AutorunsDisabled\ deleted successfully.
File Protocol\Handler\AutorunsDisabled - No CLSID value found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\exefile\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\S-1-5-18\Software\Classes\.exe\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Classes\exefile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\Windows\System32\2093 folder moved successfully.
C:\Users\William\AppData\Local\{D57F5CCA-87EA-40AF-9730-833BD2427387}\chrome\content folder moved successfully.
C:\Users\William\AppData\Local\{D57F5CCA-87EA-40AF-9730-833BD2427387}\chrome folder moved successfully.
C:\Users\William\AppData\Local\{D57F5CCA-87EA-40AF-9730-833BD2427387} folder moved successfully.
C:\ProgramData\oJ28277EjDkC28277 folder moved successfully.
C:\Users\William\AppData\Roaming\Ofiq folder moved successfully.
C:\Users\William\AppData\Roaming\Laaf folder moved successfully.
C:\Users\William\AppData\Roaming\Yhvaga folder moved successfully.
C:\Users\William\AppData\Local\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx moved successfully.
C:\ProgramData\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx moved successfully.
C:\ProgramData\~38788856r moved successfully.
C:\ProgramData\~38788856 moved successfully.
C:\ProgramData\38788856 moved successfully.
C:\Users\William\AppData\Local\6r1043817wg41hmvm1euryts4pr04508b0271rx moved successfully.
C:\ProgramData\6r1043817wg41hmvm1euryts4pr04508b0271rx moved successfully.
C:\Windows\Tasks\At2.job moved successfully.
C:\Users\William\AppData\Local\Ulipi.dat moved successfully.
C:\Users\William\AppData\Local\Yfirusa.bin moved successfully.
File C:\Users\William\AppData\Local\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx not found.
File C:\ProgramData\17ic24eg614a0262p44x744cnvo11uu3m4x15gie23bx not found.
File C:\ProgramData\~38788856r not found.
File C:\ProgramData\~38788856 not found.
File C:\ProgramData\38788856 not found.
File C:\Users\William\AppData\Local\6r1043817wg41hmvm1euryts4pr04508b0271rx not found.
File C:\ProgramData\6r1043817wg41hmvm1euryts4pr04508b0271rx not found.
File C:\Windows\tasks\At2.job not found.
File C:\Users\William\AppData\Local\Ulipi.dat not found.
File C:\Users\William\AppData\Local\Yfirusa.bin not found.
ADS C:\ProgramData\TEMP:5C321E34 deleted successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:0B4227B4 deleted successfully.
========== REGISTRY ==========
========== FILES ==========
File\Folder C:\Windows\tasks\At*.job not found.
File\Folder C:\ProgramData\oJ28277EjDkC28277 not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\William\Desktop\cmd.bat deleted successfully.
C:\Users\William\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.24.0 log created on 06162011_155953

Will update this post and do combofix in a minute.

#8 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 16 June 2011 - 10:25 AM

Okay. Please be sure to reply to the thread with the ComboFix log.

This post has been edited by SweetTech: 16 June 2011 - 10:25 AM

#9 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 16 June 2011 - 10:28 AM

And now for Combofix

ComboFix 11-06-15.04 - William 16/06/2011 16:12:11.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.2046.1426 [GMT 1:00]
Running from: c:\users\William\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\William\AppData\Roaming\Adobe\plugs
c:\users\William\AppData\Roaming\Adobe\shed
c:\users\William\AppData\Roaming\GalileoCleaner
c:\users\William\AppData\Roaming\GalileoCleaner\_001.png
c:\users\William\AppData\Roaming\GalileoCleaner\_002.png
c:\users\William\AppData\Roaming\GalileoCleaner\_005.png
c:\users\William\AppData\Roaming\GalileoCleaner\_006.png
c:\users\William\AppData\Roaming\GalileoCleaner\_007.png
c:\users\William\AppData\Roaming\GalileoCleaner\_ico1.png
c:\users\William\AppData\Roaming\GalileoCleaner\_ico2.png
c:\users\William\AppData\Roaming\GalileoCleaner\_ico3.png
c:\users\William\AppData\Roaming\GalileoCleaner\activate_01.png
c:\users\William\AppData\Roaming\GalileoCleaner\activate_02.png
c:\users\William\AppData\Roaming\GalileoCleaner\activate_03.png
c:\users\William\AppData\Roaming\GalileoCleaner\activate_hdr_1.png
c:\users\William\AppData\Roaming\GalileoCleaner\activate_hdr_2.png
c:\users\William\AppData\Roaming\GalileoCleaner\activate_hdr_bg.png
c:\users\William\AppData\Roaming\GalileoCleaner\at.png
c:\users\William\AppData\Roaming\GalileoCleaner\balloon_174.png
c:\users\William\AppData\Roaming\GalileoCleaner\balloon_201.png
c:\users\William\AppData\Roaming\GalileoCleaner\bg_button_a.png
c:\users\William\AppData\Roaming\GalileoCleaner\bg_button_span.png
c:\users\William\AppData\Roaming\GalileoCleaner\blank.gif
c:\users\William\AppData\Roaming\GalileoCleaner\block_p_01.png
c:\users\William\AppData\Roaming\GalileoCleaner\block_p_03.png
c:\users\William\AppData\Roaming\GalileoCleaner\blue.png
c:\users\William\AppData\Roaming\GalileoCleaner\critical_202.png
c:\users\William\AppData\Roaming\GalileoCleaner\defender_001.png
c:\users\William\AppData\Roaming\GalileoCleaner\defender_002.png
c:\users\William\AppData\Roaming\GalileoCleaner\defender_003.png
c:\users\William\AppData\Roaming\GalileoCleaner\defender_004.png
c:\users\William\AppData\Roaming\GalileoCleaner\defender_005.png
c:\users\William\AppData\Roaming\GalileoCleaner\defender_006.png
c:\users\William\AppData\Roaming\GalileoCleaner\defender_007.png
c:\users\William\AppData\Roaming\GalileoCleaner\defender_008.png
c:\users\William\AppData\Roaming\GalileoCleaner\filder.png
c:\users\William\AppData\Roaming\GalileoCleaner\header.png
c:\users\William\AppData\Roaming\GalileoCleaner\i_1.png
c:\users\William\AppData\Roaming\GalileoCleaner\i_2.png
c:\users\William\AppData\Roaming\GalileoCleaner\i_3.png
c:\users\William\AppData\Roaming\GalileoCleaner\level.png
c:\users\William\AppData\Roaming\GalileoCleaner\loading.gif
c:\users\William\AppData\Roaming\GalileoCleaner\logo.png
c:\users\William\AppData\Roaming\GalileoCleaner\m.png
c:\users\William\AppData\Roaming\GalileoCleaner\off.png
c:\users\William\AppData\Roaming\GalileoCleaner\on.png
c:\users\William\AppData\Roaming\GalileoCleaner\progressbar.gif
c:\users\William\AppData\Roaming\GalileoCleaner\progressbar_bg_1.gif
c:\users\William\AppData\Roaming\GalileoCleaner\prot.png
c:\users\William\AppData\Roaming\GalileoCleaner\scan_res_icon.png
c:\users\William\AppData\Roaming\GalileoCleaner\t01.png
c:\users\William\AppData\Roaming\GalileoCleaner\t02.png
c:\users\William\AppData\Roaming\GalileoCleaner\update.png
c:\users\William\AppData\Roaming\GalileoCleaner\w1.png
c:\users\William\AppData\Roaming\GalileoCleaner\w2.png
c:\users\William\AppData\Roaming\GalileoCleaner\w3.png
c:\users\William\AppData\Roaming\GalileoCleaner\w4.png
c:\users\William\AppData\Roaming\GalileoCleaner\w5.png
c:\users\William\AppData\Roaming\GalileoCleaner\warning_popup_072.png
c:\users\William\AppData\Roaming\GalileoCleaner\warning_popup_200.png
.
.
((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
.
.
2011-06-16 15:19 . 2011-06-16 15:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-16 14:59 . 2011-06-16 14:59 -------- d-----w- C:\_OTL
2011-06-12 22:24 . 2011-06-12 22:24 -------- d-----w- c:\programdata\Adobe Systems
2011-06-12 22:21 . 2011-06-12 22:21 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2011-06-12 21:55 . 2011-06-12 21:55 -------- d-----w- c:\program files\uTorrent
2011-06-12 21:54 . 2011-06-12 22:20 -------- d-----w- c:\users\William\AppData\Roaming\uTorrent
2011-06-12 21:15 . 2011-06-12 21:15 32768 ----a-r- c:\users\William\AppData\Roaming\Microsoft\Installer\{E518C80C-C549-40E1-844C-669ED64195D3}\_2A43A261E660_4D89_9812_E0B6AEBBE4CE.exe
2011-06-12 21:15 . 2011-06-12 21:15 -------- d-----w- c:\program files\Whisper Technology
2011-06-12 14:06 . 2011-06-12 14:06 -------- d-----w- c:\program files\Common Files\Macromedia
2011-06-12 14:05 . 2011-06-12 14:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2011-06-12 14:05 . 2011-06-12 14:06 -------- d-----w- c:\program files\Macromedia
2011-06-12 14:04 . 2011-06-12 14:04 -------- d-----w- c:\program files\Common Files\InstallShield
2011-06-07 13:11 . 2011-06-07 13:11 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-06-07 13:10 . 2011-06-07 13:10 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-06-07 13:06 . 2011-06-07 13:06 -------- d-----r- C:\MSOCache
2011-06-07 12:05 . 2011-06-07 12:05 -------- d-----w- c:\program files\VS Revo Group
2011-06-07 09:32 . 2011-06-07 09:32 -------- d-----w- c:\users\Christine\AppData\Local\Microsoft Help
2011-06-07 08:52 . 2011-06-07 08:52 -------- d-----w- c:\users\Christine\AppData\Roaming\AVG10
2011-06-06 14:19 . 2011-06-06 14:19 -------- d-----w- c:\users\William\AppData\Roaming\TrojanHunter
2011-06-06 12:40 . 2011-06-06 12:40 -------- d-----w- c:\program files\ESET
2011-06-06 11:09 . 2011-06-06 11:09 -------- d-----w- C:\$AVG
2011-06-06 11:08 . 2011-06-06 11:08 388096 ----a-r- c:\users\William\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-06 11:07 . 2011-06-06 11:07 -------- d-----w- c:\users\William\AppData\Roaming\AVG10
2011-06-06 11:07 . 2011-06-06 11:07 -------- d--h--w- c:\programdata\Common Files
2011-06-06 11:03 . 2011-06-16 15:07 -------- d-----w- c:\programdata\AVG10
2011-06-06 11:02 . 2011-06-06 18:26 -------- d-----w- c:\program files\AVG
2011-06-06 10:55 . 2011-06-16 15:05 -------- d-----w- c:\programdata\MFAData
2011-06-04 23:41 . 2009-04-10 22:32 226280 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-06-03 19:13 . 2011-06-03 16:39 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-03 16:53 . 2011-06-03 16:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-03 16:50 . 2011-06-03 16:50 -------- d--h--w- c:\windows\PIF
2011-06-03 16:39 . 2011-06-03 16:39 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-03 16:32 . 2011-05-25 01:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-06-03 16:32 . 2011-06-04 23:16 -------- d-----w- c:\programdata\Lavasoft
2011-06-03 16:32 . 2011-06-03 16:32 -------- d-----w- c:\program files\Lavasoft
2011-06-03 16:31 . 2011-06-06 10:50 -------- d-----w- c:\program files\SpywareBlaster
2011-06-03 16:31 . 2010-01-10 18:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-06-03 03:28 . 2011-06-03 03:28 -------- d-----w- c:\users\Christine\AppData\Roaming\Malwarebytes
2011-06-02 22:37 . 2011-06-02 22:37 -------- d-----w- c:\users\William\AppData\Roaming\SUPERAntiSpyware.com
2011-06-02 22:37 . 2011-06-02 22:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-06-02 21:18 . 2010-07-16 13:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-06-02 21:18 . 2010-07-16 13:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-06-02 21:18 . 2010-11-17 09:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-06-02 21:18 . 2010-11-17 09:19 102184 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2011-06-02 21:17 . 2010-11-25 09:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-06-02 21:17 . 2010-11-25 09:43 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-06-02 21:17 . 2010-11-25 09:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-06-02 21:16 . 2011-06-02 21:20 -------- d-----w- c:\program files\Common Files\PC Tools
2011-06-02 21:16 . 2011-06-06 14:09 -------- d-----w- c:\program files\PC Tools Security
2011-06-02 21:16 . 2011-06-02 21:16 -------- d-----w- c:\users\William\AppData\Roaming\PC Tools
2011-06-02 20:55 . 2011-06-02 20:55 -------- d-----w- c:\programdata\Alwil Software
2011-06-02 20:54 . 2011-06-02 21:24 -------- d-----w- c:\programdata\Immunet
2011-06-02 20:54 . 2011-06-02 20:54 -------- d-----w- c:\users\William\AppData\Local\Immunet
2011-06-02 20:53 . 2011-06-04 23:09 -------- dc----w- c:\windows\system32\DRVSTORE
2011-06-02 20:53 . 2011-06-04 23:09 -------- d-----w- c:\program files\Google
2011-06-02 20:48 . 2011-06-06 14:13 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-02 20:48 . 2011-06-02 20:48 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-06-02 20:47 . 2011-06-06 14:12 -------- d-----w- c:\programdata\Hitman Pro
2011-06-02 18:52 . 2011-06-02 18:52 -------- d-----w- C:\Windows Vista Recovery
2011-06-02 18:46 . 2011-06-02 18:46 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-06-02 17:58 . 2011-06-04 23:09 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-06-02 17:58 . 2011-06-02 18:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-02 17:32 . 2011-06-02 21:17 -------- d-----w- c:\programdata\PC Tools
2011-06-02 16:30 . 2011-06-02 16:30 -------- d-----w- c:\users\William\AppData\Roaming\Malwarebytes
2011-06-02 16:30 . 2011-05-29 08:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-02 16:30 . 2011-06-02 16:30 -------- d-----w- c:\programdata\Malwarebytes
2011-06-02 16:29 . 2011-06-02 16:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-01 16:59 . 2011-06-04 23:09 -------- d-----w- c:\program files\Common Files\Java
2011-06-01 16:59 . 2011-06-04 23:09 -------- d-----w- c:\program files\Java
2011-05-31 09:28 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9D45007E-662A-4C30-8186-04B1BEDDBF7C}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-01 16:59 . 2011-05-08 21:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-08 23:37 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2011-05-08 23:37 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2011-05-08 21:45 . 2011-05-08 21:45 53472 ----a-w- c:\windows\system32\wuauclt.exe
2011-05-08 21:45 . 2011-05-08 21:45 44768 ----a-w- c:\windows\system32\wups2.dll
2011-05-08 21:45 . 2011-05-08 21:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2011-05-08 21:45 . 2011-05-08 21:45 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2011-05-08 21:44 . 2011-05-08 21:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2011-05-08 21:44 . 2011-05-08 21:44 575704 ----a-w- c:\windows\system32\wuapi.dll
2011-05-08 21:44 . 2011-05-08 21:44 35552 ----a-w- c:\windows\system32\wups.dll
2011-05-08 21:44 . 2011-05-08 21:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2011-05-08 21:44 . 2011-05-08 21:44 171608 ----a-w- c:\windows\system32\wuwebv.dll
2011-05-08 20:51 . 2011-05-08 20:51 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2011-05-08 20:51 . 2011-05-08 20:51 102400 ----a-w- c:\windows\system32\OpenAL32.dll
2011-05-08 20:22 . 2011-05-08 20:22 40320 ----a-w- c:\windows\system32\drivers\steth.sys
2011-05-08 20:22 . 2011-05-08 20:22 30464 ----a-w- c:\windows\system32\drivers\st330.sys
2011-05-08 20:22 . 2011-05-08 20:22 16128 ----a-w- c:\windows\system32\drivers\lpwdm.sys
2011-05-08 20:22 . 2011-05-08 20:22 12672 ----a-w- c:\windows\system32\drivers\stbus.sys
2011-04-14 16:26 . 2011-05-08 21:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-23 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2011-05-08 557149]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Users^William^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^systemcleaner.lnk]
path=c:\users\William\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemcleaner.lnk
backup=c:\windows\pss\systemcleaner.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio8788GX]
2008-07-11 14:04 200704 ------w- c:\windows\system\HsMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-18 22:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-870028525-2106275989-2371673209-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-870028525-2106275989-2371673209-1001]
"EnableNotificationsRef"=dword:00000002
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R4 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-05-25 64512]
R4 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
R4 mtecdj;mtecdj;c:\windows\system32\drivers\flat.sys [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-25 239168]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S3 cmudaxp;ASUS Xonar DS Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2010-10-28 1505280]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2011-05-08 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2011-05-08 12672]
S3 STETH;SpeedTouch Ethernet Adapter NT Driver;c:\windows\system32\DRIVERS\steth.sys [2011-05-08 40320]
S4 Micorsoft Windows Service;Micorsoft Windows Service;c:\windows\TEMP\kmhwevtm.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-15 c:\windows\Tasks\User_Feed_Synchronization-{5FDA335F-8ABF-4218-B870-523004112855}.job
- c:\windows\system32\msfeedssync.exe [2011-05-11 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
TCP: Interfaces\{5FD25954-5610-49AA-A949-CB19D5792C43}: NameServer = 92.31.242.21 92.31.241.20
FF - ProfilePath - c:\users\William\AppData\Roaming\Mozilla\Firefox\Profiles\qm5yqr5q.default\
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Lavasoft Ad-Aware Service
MSConfigStartUp-Cmaudio8788 - cmicnfgp.cpl
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-16 16:19
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\st330service]
"ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:80,97,58,ff,06,23,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,0e,ea,e1,16,1e,92,4d,a8,69,31,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,0e,ea,e1,16,1e,92,4d,a8,69,31,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,0e,ea,e1,16,1e,92,4d,a8,69,31,\
.
Completion time: 2011-06-16 16:22:54
ComboFix-quarantined-files.txt 2011-06-16 15:22
.
Pre-Run: 45,389,987,840 bytes free
Post-Run: 45,145,280,512 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 1127A88122B12793F583E4AD0D136997

#10 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 16 June 2011 - 11:02 AM

Problems!

I restarted the computer after posting the last message and it would NOT start up again. I kept getting blue screens every time I tried. The blue screen said "page fault in not paged area" or something like that. I think it mentioned win32k.sys. Anyway, I had to start in Safe Mode and run a System Restore. The computer is restored to the point I uninstalled AVG. Which is AFTER the OTL Fix but BEFORE the Combofix. How should we proceed?

#11 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 16 June 2011 - 11:04 AM

EDIT:

Instructions coming soon.

This post has been edited by SweetTech: 16 June 2011 - 11:05 AM

#12 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 16 June 2011 - 11:08 AM

Hi!

Sorry to hear you experienced issues with booting up after running ComboFix.

Lets try the following:

OTL Fix

We need to run an OTL Fix

Please reopen on your desktop.

Copy and Paste the following code into the Posted Image

textbox.

:Services
mtecdj
Micorsoft Windows Service

:Reg

:Files
c:\users\William\AppData\Roaming\Adobe\plugs
c:\users\William\AppData\Roaming\Adobe\shed
c:\users\William\AppData\Roaming\GalileoCleaner
c:\windows\system32\drivers\flat.sys
c:\windows\TEMP\kmhwevtm.sys
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply.
If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update have been completed, Select the Scanner tab.
Select Perform quick scan, then click on Scan
Leave the default options as it is and click on Start Scan
When done, you will be prompted. Click OK, then click on Show Results
Checked (ticked) all items and click on Remove Selected
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT:

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Check
Make sure that the option "Remove found threats" is Unchecked
When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
- Enable Anti-Stealth technology
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

NEXT:

Security Check
Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

#13 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 16 June 2011 - 12:31 PM

Hi ST,

Here are the logs.

1. OTL

========== SERVICES/DRIVERS ==========
Service mtecdj stopped successfully!
Service mtecdj deleted successfully!
Service Micorsoft Windows Service stopped successfully!
Service\Driver key Micorsoft Windows Service not found.
========== REGISTRY ==========
========== FILES ==========
File\Folder c:\users\William\AppData\Roaming\Adobe\plugs not found.
File\Folder c:\users\William\AppData\Roaming\Adobe\shed not found.
File\Folder c:\users\William\AppData\Roaming\GalileoCleaner not found.
File\Folder c:\windows\system32\drivers\flat.sys not found.
File\Folder c:\windows\TEMP\kmhwevtm.sys not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\William\Desktop\cmd.bat deleted successfully.
C:\Users\William\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.24.0 log created on 06162011_171126

2. MBAM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6871

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

16/06/2011 17:16:21
mbam-log-2011-06-16 (17-16-21).txt

Scan type: Quick scan
Objects scanned: 162716
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

3. ESET

C:\Windows\temp\444.tmp a variant of Win32/Kryptik.ONW trojan
C:\Windows\temp\57CF.tmp a variant of Win32/Kryptik.ONW trojan
C:\Windows\temp\62B8.tmp a variant of Win32/Kryptik.ONW trojan
C:\Windows\temp\9E7F.tmp a variant of Win32/Kryptik.ONW trojan

4. SecurityCheck

Results of screen317's Security Check version 0.99.13
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG 2011
ESET Online Scanner v3
Spyware Doctor with AntiVirus 8.0
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java™ 6 Update 22
Out of date Java installed!
Flash Player Out of Date!
Adobe Flash Player 10.2.159.1
Adobe Reader X (10.0.1)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````

#14 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 16 June 2011 - 06:21 PM

Hi!

These threat(s) below will be removed very shortly:

Quote

C:\Windows\temp\444.tmp a variant of Win32/Kryptik.ONW trojan
C:\Windows\temp\57CF.tmp a variant of Win32/Kryptik.ONW trojan
C:\Windows\temp\62B8.tmp a variant of Win32/Kryptik.ONW trojan
C:\Windows\temp\9E7F.tmp a variant of Win32/Kryptik.ONW trojan

____________________________________________________

From the looks of your SecurityCheck log, I can see that we have some outdated programs that need to be updated.

Lets address those programs that need updating now!

Your SecurityCheck log indicates that your version of Flash Player is outdated. This is a vulnerability that needs to be addressed. Please remove the outdated version of Flash Player and then install the latest version.

Java Outdated
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
Look for "Java Platform, Standard Edition".
Click the "Download JRE" button to the right.
Read the License Agreement, and then check the box that says: "Accept License Agreement".
From the list, select your OS and Platform.
- 32-bit Select: Windows x86 Offline.
- 64-bit Select: Windows x64.
If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
Close any programs you may have running - especially your web browser.

Go to

> Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.

Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
When the Java Setup - Welcome window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:

Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
Click Ok and reboot your computer.

NEXT

OTL Fix

We need to run an OTL Fix

Please reopen on your desktop.

Copy and Paste the following code into the Posted Image

textbox.

:Services
:OTL

:Reg

:Files
C:\Windows\temp\444.tmp
C:\Windows\temp\57CF.tmp
C:\Windows\temp\62B8.tmp
C:\Windows\temp\9E7F.tmp
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply.
If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:

OTL Custom Scan

We need to run an OTL Custom Scan

Please reopen on your desktop.
Copy and Paste the following code into the textbox.

netsvcs
drivers32
hklm\software\clients\startmenuinternet|command /rs
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
Push the button.
A report will open. Copy and Paste that report in your next reply.

NEXT:

What outstanding issues (if any) are you still experiencing with your computer?

#15 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 17 June 2011 - 11:12 AM

After I ran the OTL Fix I was unable to boot. Constant blue screens. Again I had to use Safe Mode and System Restore. It is restored to the same point as last time, post #10.

None of the steps removed the virus however so I suggest we try something different or we may be going in circles.

By the way. Before I started this topic I had deleted the entire Temp folder, yet after reboot the virus files reappeared in Temp. This leads me to believe the virus must reside somewhere else also. Therefore, even if we had allowed ESET to remove the files it found, the problem would not have been resolved.