
Browser redirect, disabled firewall, network issues, etc.


This topic is locked
6 replies to this topic

#1 Rivndellelf

Posted 01 December 2011 - 03:15 PM

Hi. I've been having issues for the past few days. Sometimes when I search for something in Google, Yahoo, etc., I will get a popup when I click on the link. Sometimes it redirects me to other sites, but it only does that if I open the search link in my current tab. If I open it in a new tab, it never redirects. Again, it only redirects some of the time, too. Sometimes, it takes me to the actual linked site without a problem. Some of the redirects have been to sites starting with the following:
63.209.69.107
logged.xe.cx
star.feedsmixer.org

Recently, my computer was giving me a blue screen when I would try to put it to sleep, but I could never see the actual message because it would reboot immediately. That seems to have stopped now, so I don't know if it was part of the problem or not.

I went to check on Windows Firewall only to find that it has been disabled, and I'm being prevented from re-enabling it. I know it was enabled before.

I'm having issues when I try to view my network. I can connect to the internet just fine, but when I go to the actual network folder, all I see is the router, not the other computer on the network or the printer that I installed recently. Because of that (I'm assuming), I can't print anything. Again, I don't know if that's a symptom of this infection or if it's something else. Also, often when I go to the network folder, it won’t load anything in the window at all. On the program bar, it just shows that the open program is Windows Explorer; it doesn’t actually say Network. The window itself is totally blank. There are no words or images anywhere at all.

I've run full scans with Microsoft Forefront, MalwareBytes, Ad-Aware, and SUPERAntiSpyware. MalwareBytes hasn't found anything. Forefront has popped up at various times and alerted me to the presence of the following:
TrojanDownloader:Win32/Karagany.G
Trojan:Win32/Alureon.Fe
Rogue:Win32/FakeRean
I removed them. The full system scan didn't find anything. Ad-Aware found cookies, but that's about it. SUPERAntiSpyware found the following:
Rogue.AntivirusSoft
HKU\.DEFAULT\Software\avsoft
HKU\S-1-5-18\Software\avsoft
Malware.Trace
HKU\.DEFAULT\SOFTWARE\AVSUITE
HKU\S-1-5-18\SOFTWARE\AVSUITE
I quarantined them. It also found a bunch of tracking cookies, but that didn't seem unusual.

I ran the first three programs' full scans after Forefront found Alureon.Fe and FakeRean randomly while I was using the internet. Karagany.G popped up randomly sometime after all those scans had been run. That's when I ran SUPERAntiSpyware, but even after that I'm still having most of these issues. Like I said above, the sleep mode problem seems to be fixed, but that's it.

Oh, also, when I ran Defogger, I had trouble restarting. Twice on restart it just sat on the Microsoft loading screen, not actually loading Windows. I had to turn it off and try again. On the third try, I tried to launch Windows Startup Repair instead. I'd never done that before today (or even seen that option before), so I don't know if this is normal or not--when I would try to select it and hit enter, it would just reload the same screen asking me to either launch Windows Startup Repair or start Windows normally. I assumed it should actually take me somewhere else, but it didn't. After several times of it doing just that, I just gave up and chose to start Windows normally, and then it finally did actually start Windows.

Anyway... I have no idea what the actual cause of the infection is, so your help would be greatly appreciated.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_22
Run by Jenkys at 10:53:28 on 2011-12-01
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.1661 [GMT -5:00]
.
AV: Microsoft Forefront Client Security *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Forefront Client Security *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Rosewill\Common\RegistryWriter.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe
C:\Program Files\Rosewill\Common\RaUI.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPNetworkCommunicator.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\ping.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcrobatInfo.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [HP Deskjet 3050A J611 series (NET)] "c:\program files\hp\hp deskjet 3050a j611 series\bin\ScanToPCActivationApp.exe" -deviceID "CN18P445SJ05PJ:NW" -scfn "HP Deskjet 3050A J611 series (NET)" -AutoStart 1
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; InfoPath.2; .NET CLR 3.0.30729)" -"http://www.shockwave.com/gamelanding/figureskating.jsp"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\rosewi~1.lnk - c:\program files\rosewill\common\RaUI.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5E0D332A-98F8-44EE-B0FD-581058957D1E} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E2AA177C-DC54-42F1-BF70-5C81BCB1AF30} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jenkys\appdata\roaming\mozilla\firefox\profiles\b23zttfk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\jenkys\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\jenkys\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\jenkys\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Texpertension: texpertension@texperts.com - %profile%\extensions\texpertension@texperts.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\jenkys\appdata\roaming\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-11-10 64512]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2010/02/01 15:09:47];c:\program files\cyberlink\powerdvd dx\000.fcl [2010-2-1 87536]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-7-20 16896]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-8-20 21504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\rosewill\common\RegistryWriter.exe [2011-3-11 185632]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-4-30 14088]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-7-14 239648]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-9-3 71424]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2011-3-11 724992]
S3 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-22 25824]
.
=============== Created Last 30 ================
.
2011-12-01 15:46:46 56200 ----a-w- c:\programdata\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{1fed9320-b6fa-43fe-aebd-33c53822557e}\offreg.dll
2011-12-01 15:46:42 6823496 ----a-w- c:\programdata\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{1fed9320-b6fa-43fe-aebd-33c53822557e}\mpengine.dll
2011-12-01 03:19:16 -------- d-----w- c:\users\jenkys\appdata\roaming\SUPERAntiSpyware.com
2011-12-01 03:18:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-01 03:18:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-29 05:39:56 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-11-27 04:51:25 -------- d-----w- c:\program files\Amazon
2011-11-27 03:38:58 -------- d-----w- c:\users\jenkys\appdata\roaming\HpUpdate
2011-11-27 03:38:28 544616 ------w- c:\windows\system32\HPDiscoPMa011.dll
2011-11-27 03:32:40 -------- d-----w- c:\program files\HP
2011-11-27 03:17:20 -------- d-----w- c:\users\jenkys\{01150966-ed00-43d6-8619-7199a4ea27ce}
2011-11-27 03:05:18 -------- d-----w- c:\users\jenkys\{05e2bb3a-9580-44b1-96cc-5195269d1fa4}
2011-11-27 03:03:22 -------- d-----w- c:\users\jenkys\appdata\local\HP
2011-11-26 20:39:26 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-11-26 20:35:48 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-11-10 14:48:48 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-11-10 14:48:24 -------- d-----w- c:\program files\Lavasoft
2011-11-09 22:22:53 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 22:22:49 707584 ----a-w- c:\program files\common files\system\wab32.dll
.
==================== Find3M ====================
.
2011-11-10 14:50:42 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 10:53:41.34 ===============
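The DDS log above and the OTS log later in this thread are plain text, so the indicators a helper reads off them by eye can also be checked with a short script. The Python below is an added example written for this page, not a BleepingComputer, DDS or OTS tool. Its regular expressions are assumptions about the line layouts visible in the thread, and the sample lines are copied from the two logs here except for the DhcpNameServer line carrying 8.8.8.8, which is constructed to exercise the DNS check. It flags UAC switched off (EnableLUA = 0, which this DDS log does show), a configured browser proxy, a DHCP-assigned name server that is not on the local network, and a module loaded from a \\.\globalroot\ device path or a Windows DLL with an empty company string (the mswsock.dll entry that appears in the OTS log). None of these proves infection on its own; a public resolver you set yourself trips the DNS check too.

```python
"""Triage helper for DDS / OTS text logs.

Added example for this thread, not a DDS, OTS or BleepingComputer tool. The
regexes below are assumptions about the line layouts seen in the posted logs.
"""
import ipaddress
import re

# OTS "Processes" / "Modules" record:  name -> path -> [date | size | attrs | M] (Company)
OTS_RECORD = re.compile(
    r"^(?P<name>\S+)\s+->\s+(?P<path>.+?)\s+->\s+\[(?P<meta>[^\]]*)\]\s*\((?P<company>[^)]*)\)\s*$"
)
# DDS lines
DNS_LINE = re.compile(r"^TCP:.*DhcpNameServer\s*=\s*(?P<servers>.+)$")
POLICY_LINE = re.compile(r"^mPolicies-system:\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")
PROXY_LINE = re.compile(r"^[um]Internet Settings,(?P<key>ProxyServer|AutoConfigURL)\s*=\s*(?P<val>.+)$")

# Device-path prefix that hides the real on-disk location from Explorer.
GLOBALROOT = "\\\\.\\globalroot\\"
# Winsock DLLs that ship with Windows and normally carry a Microsoft company string.
SYSTEM_DLLS = {"mswsock.dll", "ws2_32.dll", "wininet.dll"}


def _is_local(ip_text):
    """True for RFC 1918, loopback and link-local addresses; False otherwise or if unparsable."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage(log_text):
    """Return (severity, reason, line) for every suspicious line in a DDS/OTS log dump."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = POLICY_LINE.match(line)
        if m:
            if m.group("key") == "EnableLUA" and m.group("val") == "0":
                findings.append(("high", "UAC disabled (EnableLUA=0)", line))
            continue

        m = PROXY_LINE.match(line)
        if m:
            findings.append(("high", f"browser traffic proxied via {m.group('key')}", line))
            continue

        m = DNS_LINE.match(line)
        if m:
            for srv in m.group("servers").split():
                if not _is_local(srv):
                    findings.append(("medium", f"DNS server {srv} is not on the local network; confirm you configured it", line))
            continue

        m = OTS_RECORD.match(line)
        if m:
            name = m.group("name").lower()
            path = m.group("path")
            company = m.group("company").strip()
            if path.lower().startswith(GLOBALROOT):
                findings.append(("high", "module loaded via \\\\.\\globalroot device path", line))
            elif name in SYSTEM_DLLS and not company:
                findings.append(("high", f"Windows DLL {name} has no company string", line))
    return findings


# Sample input: lines copied from the DDS and OTS logs in this thread, plus one
# constructed DhcpNameServer line (8.8.8.8) to exercise the DNS check.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E2AA177C-DC54-42F1-BF70-5C81BCB1AF30} : DhcpNameServer = 8.8.8.8 192.168.1.1
rarext.dll -> C:\Program Files\WinRAR\RarExt.dll -> [2009/07/20 13:16:09 | 000,141,312 | ---- | M] ()
mswsock.dll -> \\.\globalroot\systemroot\system32\mswsock.dll -> [2009/04/10 22:28:24 | 000,223,232 | ---- | M] ()
explorer.exe -> C:\Windows\explorer.exe -> [2009/04/10 22:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation)
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run it against a saved DDS or OTS log by reading the file into `triage()`; the ProxyOverride line and the 192.168.1.1 resolver in this thread's logs produce no finding, while the EnableLUA = 0 policy and the mswsock.dll entry under \\.\globalroot do.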



#2 SweetTech

Posted 02 December 2011 - 03:04 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool that you already have, please delete the copy you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Looks like we may be dealing with a case of ZeroAccess here.

Please run a scan with TDSSKiller; when it detects something, choose to SKIP it rather than take an action on it.

Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: Do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:


OTS Scan
Download OTS to your Desktop
  • Double-click on OTS.exe to start the program. Make sure you close all other programs.
  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please copy and paste the contents of the OTS report into your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 Rivndellelf (Topic Starter)

Posted 02 December 2011 - 09:55 AM

Hi. Thanks for your quick reply. Question: Can I run these in the opposite order, or should I definitely run TDSSKiller before OTS? The reason I ask is because I had a lot of trouble getting my computer booted this morning. It went through the same process as before where it gets stuck on the Microsoft loading screen, and then I cut the power, turn it back on, select Launch Windows Startup Repair (which still does nothing), and then choose to start Windows normally. It took about ten tries to get that process to actually result in booting Windows. Therefore, I'd like to minimize restarting my computer as much as possible. I'm just afraid that next time I restart, I won't be able to get it booted again.

Thoughts? If you think I should definitely run them in the order you stated, I will--I just wanted to check first. Thanks!

#4 SweetTech

Posted 03 December 2011 - 02:25 AM

Hi!

Thanks for posting that information for me before proceeding.

I'd actually like to have you run a scan with OTS for right now, and then we can see where we stand once I see that log file.



#5 Rivndellelf (Topic Starter)

Posted 03 December 2011 - 10:10 AM


OTS logfile created on: 12/3/2011 9:34:14 AM - Run 1
OTS by OldTimer - Version 3.1.46.0     Folder = C:\Users\Jenkys\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 47.00% Memory free
7.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.71 Gb Total Space | 108.48 Gb Free Space | 23.81% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 9.92 Gb Free Space | 99.23% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PHOTOLICIOUS
Current User Name: Jenkys
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days

[Processes - Safe List]
ots.exe -> C:\Users\Jenkys\Desktop\OTS.exe -> [2011/12/02 09:50:11 | 000,646,144 | ---- | M] (OldTimer Tools)
aawservice.exe -> C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -> [2011/11/03 12:06:56 | 002,152,152 | ---- | M] (Lavasoft Limited)
aawtray.exe -> C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe -> [2011/11/03 12:06:56 | 001,187,072 | ---- | M] (Lavasoft Limited)
awsc.exe -> C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe -> [2011/11/03 12:06:56 | 001,101,960 | ---- | M] ()
sascore.exe -> C:\Program Files\SUPERAntiSpyware\SASCore.exe -> [2011/08/11 18:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com)
scantopcactivationapp.exe -> C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe -> [2011/06/08 18:15:06 | 001,804,648 | ---- | M] (Hewlett-Packard Co.)
hpnetworkcommunicator.exe -> C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPNetworkCommunicator.exe -> [2011/06/08 18:01:52 | 000,643,944 | ---- | M] (Hewlett-Packard Co.)
msascui.exe -> C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe -> [2010/07/20 11:12:02 | 001,033,600 | ---- | M] (Microsoft Corporation)
msmpeng.exe -> c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe -> [2010/07/20 11:09:42 | 000,016,896 | ---- | M] (Microsoft Corporation)
seagatedashboardservice.exe -> C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe -> [2010/04/30 09:47:00 | 000,014,088 | ---- | M] (Memeo)
nvscpapisvr.exe -> C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -> [2009/07/14 11:28:00 | 000,239,648 | ---- | M] (NVIDIA Corporation)
raui.exe -> C:\Program Files\Rosewill\Common\RaUI.exe -> [2009/06/24 11:26:48 | 001,839,104 | ---- | M] (Rosewill Inc.)
registrywriter.exe -> C:\Program Files\Rosewill\Common\RegistryWriter.exe -> [2009/04/29 20:15:40 | 000,185,632 | ---- | M] (Ralink Technology, Corp.)
explorer.exe -> C:\Windows\explorer.exe -> [2009/04/10 22:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation)
pdvddxsrv.exe -> C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe -> [2008/10/27 21:19:26 | 000,128,296 | ---- | M] (CyberLink Corp.)
rthdvcpl.exe -> C:\Windows\RtHDVCpl.exe -> [2008/01/17 06:22:20 | 004,907,008 | ---- | M] (Realtek Semiconductor)
aertsrv.exe -> C:\Windows\System32\AERTSrv.exe -> [2007/12/05 05:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation)
dtsrvc.exe -> C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe -> [2007/06/29 16:54:16 | 000,073,728 | ---- | M] ()
fcssas.exe -> C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe -> [2007/04/06 03:12:48 | 000,073,120 | ---- | M] (Microsoft Corporation)
floater.exe -> C:\Program Files\Portrait Displays\Pivot Software\Floater.exe -> [2007/02/09 11:17:30 | 000,694,008 | ---- | M] ()
wpctrl.exe -> C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe -> [2007/02/09 11:17:26 | 000,694,008 | ---- | M] ()

[Modules - No Company Name]
zlib1.dll -> C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll -> [2010/06/03 12:46:00 | 000,067,872 | ---- | M] ()
rarext.dll -> C:\Program Files\WinRAR\RarExt.dll -> [2009/07/20 13:16:09 | 000,141,312 | ---- | M] ()
mswsock.dll -> \\.\globalroot\systemroot\system32\mswsock.dll -> [2009/04/10 22:28:24 | 000,223,232 | ---- | M] ()
floater.exe -> C:\Program Files\Portrait Displays\Pivot Software\Floater.exe -> [2007/02/09 11:17:30 | 000,694,008 | ---- | M] ()
wpctrl.exe -> C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe -> [2007/02/09 11:17:26 | 000,694,008 | ---- | M] ()
winphook.dll -> C:\Program Files\Portrait Displays\Pivot Software\Winphook.dll -> [2007/02/09 11:16:08 | 000,245,760 | ---- | M] ()

[Win32 Services - Safe List]
(Lavasoft Ad-Aware Service) Lavasoft Ad-Aware Service [Auto | Running] -> C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -> [2011/11/03 12:06:56 | 002,152,152 | ---- | M] (Lavasoft Limited)
(!SASCORE) SAS Core Service [Auto | Running] -> C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -> [2011/08/11 18:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com)
(FCSAM) Microsoft Forefront Client Security Antimalware Service [Auto | Running] -> c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe -> [2010/07/20 11:09:42 | 000,016,896 | ---- | M] (Microsoft Corporation)
(SeagateDashboardService) Seagate Dashboard Service [Auto | Running] -> C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe -> [2010/04/30 09:47:00 | 000,014,088 | ---- | M] (Memeo)
(MemeoBackgroundService) MemeoBackgroundService [On_Demand | Stopped] -> C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe -> [2010/04/22 19:33:04 | 000,025,824 | ---- | M] (Memeo)
(FLEXnet Licensing Service) FLEXnet Licensing Service [On_Demand | Stopped] -> C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> [2009/08/20 10:25:42 | 000,655,624 | ---- | M] (Acresso Software Inc.)
(Stereo Service) NVIDIA Stereoscopic 3D Driver Service [Auto | Running] -> C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -> [2009/07/14 11:28:00 | 000,239,648 | ---- | M] (NVIDIA Corporation)
(RalinkRegistryWriter) Ralink Registry Writer [Auto | Running] -> C:\Program Files\Rosewill\Common\RegistryWriter.exe -> [2009/04/29 20:15:40 | 000,185,632 | ---- | M] (Ralink Technology, Corp.)
(AERTFilters) Andrea RT Filters Service [Auto | Running] -> C:\Windows\System32\AERTSrv.exe -> [2007/12/05 05:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation)
(DTSRVC) Portrait Displays Display Tune Service [Auto | Running] -> C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe -> [2007/06/29 16:54:16 | 000,073,728 | ---- | M] ()
(FcsSas) Microsoft Forefront Client Security State Assessment Service [Auto | Running] -> C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe -> [2007/04/06 03:12:48 | 000,073,120 | ---- | M] (Microsoft Corporation)

[Driver Services - Safe List]
(Lbd) Lbd [File_System | Boot | Running] -> C:\Windows\system32\DRIVERS\Lbd.sys -> [2011/11/03 12:06:56 | 000,064,512 | ---- | M] (Lavasoft AB)
(Lavasoft Kernexplorer) Lavasoft helper driver [Kernel | On_Demand | Stopped] -> C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -> [2011/11/03 12:06:56 | 000,015,232 | ---- | M] ()
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -> [2011/07/22 11:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -> [2011/07/12 16:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
(sptd) sptd [Kernel | Disabled | Stopped] -> C:\Windows\System32



\Drivers\sptd.sys -> [2011/02/01 22:18:30 | 000,721,904 | ---- | M] (Duplex 



Secure Ltd.)

(netr28u) RT2870 USB Wireless LAN Card Driver for Vista [Kernel | On_Demand | 



Stopped] -> C:\Windows\System32\drivers\netr28u.sys -> [2009/04/28 18:23:52 | 



000,724,992 | ---- | M] (Ralink Technology Corp.)

(tdx) NetIO Legacy TDI Support Driver [Kernel | System | Running] -> 



C:\Windows\System32\drivers\tdx.sys -> [2009/04/10 20:45:58 | 000,072,192 | -



--- | M] ()

({1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}) Power Control [2010/02/01 15:09:47] 



[Kernel | Auto | Running] -> C:\Program Files\CyberLink\PowerDVD DX\000.fcl -> 



[2008/10/27 21:34:26 | 000,087,536 | ---- | M] (CyberLink Corp.)

(BVRPMPR5) BVRPMPR5 NDIS Protocol Driver [Kernel | On_Demand | Stopped] -> 



C:\Windows\System32\drivers\BVRPMPR5.SYS -> [2008/05/13 18:08:04 | 000,049,904 



| R--- | M] (Avanquest Software)

(nvlddmkm) nvlddmkm [Kernel | On_Demand | Running] -> C:\Windows\System32



\drivers\nvlddmkm.sys -> [2007/09/17 07:07:00 | 007,624,192 | ---- | M] 



(NVIDIA Corporation)

(e1express) Intel(R) PRO/1000 PCI Express Network Connection Driver [Kernel | 



On_Demand | Running] -> C:\Windows\System32\drivers\e1e6032.sys -> [2007/04/13 



12:22:56 | 000,228,224 | ---- | M] (Intel Corporation)

(PdiPorts) Portrait Displays low level device driver [Kernel | On_Demand | 



Running] -> C:\Windows\System32\drivers\PdiPorts.sys -> [2006/11/16 16:20:48 | 



000,015,920 | ---- | M] (Portrait Displays, Inc.)

 

[Registry - Safe List]

< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 

< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 

HKEY_CURRENT_USER\: Main\\"Start Page" -> http://my.msn.com/ -> 

HKEY_CURRENT_USER\: Main\\"StartPageCache" -> 1 -> 

HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 

HKEY_CURRENT_USER\: "ProxyOverride" -> *.local -> 

< FireFox Settings [Prefs.js] > -> 



C:\Users\Jenkys\AppData\Roaming\Mozilla\FireFox\Profiles\b23zttfk.default\pref



s.js -> 

browser.search.selectedEngine -> "Yahoo" ->

browser.search.useDBForOrder -> true ->

browser.startup.homepage -> "http://my.msn.com/" ->

extensions.enabledItems -> moveplayer@movenetworks.com:7 ->

extensions.enabledItems -> texpertension@texperts.com:1.0.9 ->

extensions.enabledItems -> {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 ->

extensions.enabledItems -> {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21 ->

extensions.enabledItems -> {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 ->

< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla

HKLM\software\mozilla\Firefox\Extensions ->  -> 

HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions ->  -> 

HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components -> 



C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA 



FIREFOX\COMPONENTS] -> [2011/01/01 20:27:31 | 000,000,000 | ---D | M]

HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins -> C:\Program 



Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> 



[2011/11/26 15:35:49 | 000,000,000 | ---D | M]

< FireFox Extensions [User Folders] > -> 

  -> C:\Users\Jenkys\AppData\Roaming\Mozilla\Extensions -> [2009/08/26 



00:28:29 | 000,000,000 | ---D | M]

  -> 



C:\Users\Jenkys\AppData\Roaming\Mozilla\Firefox\Profiles\b23zttfk.default\exte



nsions -> [2011/03/16 13:57:29 | 000,000,000 | ---D | M]

Microsoft .NET Framework Assistant   -> 



C:\Users\Jenkys\AppData\Roaming\Mozilla\Firefox\Profiles\b23zttfk.default\exte



nsions\{20a82645-c095-46ed-80e3-08825760534b} -> [2009/09/02 10:21:32 | 



000,000,000 | ---D | M]

  -> 



C:\Users\Jenkys\AppData\Roaming\Mozilla\Firefox\Profiles\b23zttfk.default\exte



nsions\texpertension@texperts.com -> [2010/03/24 12:44:16 | 000,000,000 | ---D 



| M]

< FireFox SearchPlugins [User Folders] > -> 

 swagbuckscom.xml -> 



C:\Users\Jenkys\AppData\Roaming\Mozilla\FireFox\Profiles\b23zttfk.default\sear



chplugins\swagbuckscom.xml -> [2011/03/16 14:07:26 | 000,001,551 | ---- | M] 



()

< FireFox Extensions [Program Folders] > -> 

  -> C:\Program Files\Mozilla Firefox\extensions -> [2011/03/16 14:07:26 | 



000,000,000 | ---D | M]

Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-



0000-0020-ABCDEFFEDCBA} -> [2010/05/13 13:49:30 | 000,000,000 | ---D | M]

Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-



0000-0021-ABCDEFFEDCBA} -> [2010/08/22 22:38:31 | 000,000,000 | ---D | M]

Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-



0000-0022-ABCDEFFEDCBA} -> [2010/11/12 09:29:11 | 000,000,000 | ---D | M]

No name found   -> C:\Program Files\Mozilla Firefox\extensions\{FD2FD708-1F6F



-4B68-B141-C5778F0C19BB} -> [2010/02/03 01:02:58 | 000,000,000 | ---D | M]

Move Media Player -> C:\USERS\JENKYS\APPDATA\ROAMING\MOVE NETWORKS -> 



[2009/10/27 12:10:17 | 000,000,000 | ---D | M]

Texpertension -> 



C:\USERS\JENKYS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\B23ZTTFK.DEFAULT\EXTE



NSIONS\TEXPERTENSION@TEXPERTS.COM -> [2010/03/24 12:44:16 | 000,000,000 | ---D 



| M]

Hosts file not found -> -> 

< BHO's [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser 



Helper Objects\ -> 

{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> C:\Program Files\Common 



Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar 



Helper] -> [2010/09/22 18:09:18 | 000,349,640 | ---- | M] (Adobe Systems 



Incorporated)

{F4971EE7-DAA0-4053-9964-665D8EE6A077} [HKLM] -> C:\Program Files\Common 



Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [SmartSelect Class] -> 



[2010/09/22 18:09:18 | 000,349,640 | ---- | M] (Adobe Systems Incorporated)

< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> C:\Program Files\Common 



Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [Adobe PDF] -> [2010/09/22 



18:09:18 | 000,349,640 | ---- | M] (Adobe Systems Incorporated)

< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> 



HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 

WebBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> C:\Program 



Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [Adobe PDF] -> 



[2010/09/22 18:09:18 | 000,349,640 | ---- | M] (Adobe Systems Incorporated)

< Run [HKEY_LOCAL_MACHINE\] > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

"" ->  [] -> File not found

"Microsoft Forefront Client Security Antimalware Service" -> c:\Program 



Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe 



["c:\Program Files\Microsoft Forefront\Client 



Security\Client\Antimalware\MSASCui.exe" -hide] -> [2010/07/20 11:12:02 | 



001,033,600 | ---- | M] (Microsoft Corporation)

"NvCplDaemon" -> C:\Windows\System32\NvCpl.dll [RUNDLL32.EXE 



C:\Windows\system32\NvCpl.dll,NvStartup] -> [2007/09/17 07:07:00 | 008,497,696 



| ---- | M] (NVIDIA Corporation)

"NvMediaCenter" -> C:\Windows\System32\NvMcTray.dll [RUNDLL32.EXE 



C:\Windows\system32\NvMcTray.dll,NvTaskbarInit] -> [2007/09/17 07:07:00 | 



000,081,920 | ---- | M] (NVIDIA Corporation)

"NvSvc" -> C:\Windows\System32\nvsvc.dll [RUNDLL32.EXE C:\Windows\system32



\nvsvc.dll,nvsvcStart] -> [2007/09/17 07:07:00 | 000,086,016 | ---- | M] 



(NVIDIA Corporation)

"PDVDDXSrv" -> C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe 



["C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"] -> [2008/10/27 



21:19:26 | 000,128,296 | ---- | M] (CyberLink Corp.)

"PivotSoftware" -> C:\Program Files\Portrait Displays\Pivot 



Software\wpctrl.exe ["C:\Program Files\Portrait Displays\Pivot 



Software\wpctrl.exe"] -> [2007/02/09 11:17:26 | 000,694,008 | ---- | M] ()

"RtHDVCpl" -> C:\Windows\RtHDVCpl.exe [RtHDVCpl.exe] -> [2008/01/17 06:22:20 | 



004,907,008 | ---- | M] (Realtek Semiconductor)

< Run [HKEY_CURRENT_USER\] > -> 



HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

"HP Deskjet 3050A J611 series (NET)" -> C:\Program Files\HP\HP Deskjet 3050A 



J611 series\Bin\ScanToPCActivationApp.exe ["C:\Program Files\HP\HP Deskjet 



3050A J611 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN18P445SJ05PJ:NW" 



-scfn "HP Deskjet 3050A J611 series (NET)" -AutoStart 1] -> [2011/06/08 



18:15:06 | 001,804,648 | ---- | M] (Hewlett-Packard Co.)

< RunOnce [HKEY_CURRENT_USER\] > -> 



HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -> 

"Shockwave Updater" ->  [C:\Windows\system32\Adobe\Shockwave 11



\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; 



Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 



3.5.30729; InfoPath.2; .NET CLR 3.0.30729)" 



-"http://www.shockwave.com/gamelanding/figureskating.jsp"] -> File not found

< Software Policy Settings [HKEY_CURRENT_USER] > -> 



HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 

< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer 



-> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

\\"NoDrives" ->  [0] -> File not found

< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System 



-> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

\\"EnableLUA" ->  [0] -> File not found

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\U



IPI\Clipboard\ExceptionFormats

< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> 



HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer 



-> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

\\"NoDrives" ->  [0] -> File not found

< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> 



HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> 



HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 

Append Link Target to Existing PDF -> C:\Program Files\Common 



Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common 



Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html] -> 



[2010/09/22 18:09:18 | 000,349,640 | ---- | M] (Adobe Systems Incorporated)

Append to Existing PDF -> C:\Program Files\Common 



Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common 



Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html] -> 



[2010/09/22 18:09:18 | 000,349,640 | ---- | M] (Adobe Systems Incorporated)

Convert Link Target to Adobe PDF -> C:\Program Files\Common 



Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common 



Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html] -> 



[2010/09/22 18:09:18 | 000,349,640 | ---- | M] (Adobe Systems Incorporated)

Convert to Adobe PDF -> C:\Program Files\Common 



Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common 



Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html] -> 



[2010/09/22 18:09:18 | 000,349,640 | ---- | M] (Adobe Systems Incorporated)

< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 

{76c5fb99-dd0a-4186-9e75-65d1bf3da283}:C:\Program Files\Amazon\Add to Wish 



List IE Extension\run.htm [HKLM] -> C:\Program Files\Amazon\Add to Wish List 



IE Extension\run.htm [Button: Add to Wish List] -> [2011/10/04 11:50:26 | 



000,000,846 | ---- | M] ()

< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 

< Default Prefix > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

"" -> http://

< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 



Settings\ZoneMap\Domains\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 



Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 

< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 



Settings\ZoneMap\Ranges\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 



Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 

< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> 



HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 



Settings\ZoneMap\Domains\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 



Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 

< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> 



HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 



Settings\ZoneMap\Ranges\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 



Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 

< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code 



Store Database\Distribution Units\ -> 

{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> 



http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab [Java 



Plug-in 1.6.0_22] -> 

{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [HKLM] -> 



http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab [Java 



Plug-in 1.6.0_22] -> 

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> 



http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab [Java 



Plug-in 1.6.0_22] -> 

{E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> 



http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [Reg Error: Key error.] 



-> 

< Name Servers [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 

DhcpNameServer -> 192.168.1.1 -> 

< Name Servers [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters



\ -> 

{5E0D332A-98F8-44EE-B0FD-581058957D1E}\\DhcpNameServer -> 192.168.1.1   



(802.11n USB Wireless LAN Card) -> 

{E2AA177C-DC54-42F1-BF70-5C81BCB1AF30}\\DhcpNameServer -> 192.168.1.1   



(802.11n USB Wireless LAN Card) -> 

IE Styles -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles

"Use My Stylesheet" -> Reg Error: Invalid data type.

"User Stylesheet" -> 

< Winlogon settings [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 



NT\CurrentVersion\Winlogon\\Shell -> 

Explorer.exe -> C:\Windows\explorer.exe -> [2009/04/10 22:27:38 | 002,926,592 



| ---- | M] (Microsoft Corporation)

*MultiFile Done* -> -> 

*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 



NT\CurrentVersion\Winlogon\\UserInit -> 

C:\Windows\system32\userinit.exe -> C:\Windows\System32\userinit.exe -> 



[2008/01/18 22:33:34 | 000,025,088 | ---- | M] (Microsoft Corporation)

*MultiFile Done* -> -> 

< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 



NT\CurrentVersion\Winlogon\Notify\ -> 

!SASWinLogon -> C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL -> [2011/05/04 



12:54:14 | 000,551,296 | ---- | M] (SUPERAntiSpyware.com)

< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExe



cuteHooks -> 

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" [HKLM] -> C:\Program 



Files\SUPERAntiSpyware\SASSEH.DLL [] -> [2011/07/18 19:02:18 | 000,113,024 | 



---- | M] (SuperAdBlocker.com)

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" [HKLM] -> Reg Error: Key error. [] -> 



File not found

< Domain Profile Authorized Applications List > -> 



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\F



irewallPolicy\DomainProfile\AuthorizedApplications\List -> 

< Standard Profile Authorized Applications List > -> 



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\F



irewallPolicy\StandardProfile\AuthorizedApplications\List -> 

< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 

< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> 



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->

"AutoRun" -> 1 -> 

"DisplayName" -> CD-ROM Driver -> 

"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found

< Drives with AutoRun files > ->  -> 

C:\autoexec.bat [REM Dummy file for NTVDM | ] -> C:\autoexec.bat [ NTFS ] -> 



[2006/09/18 16:43:36 | 000,000,024 | ---- | M] ()

< MountPoints2 [HKEY_CURRENT_USER] > -> 



HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoin



ts2 -> 

\{90d739a0-fa44-11df-9d35-001d099074ac}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoin



ts2\{90d739a0-fa44-11df-9d35-001d099074ac}\shell

\{90d739a0-fa44-11df-9d35-001d099074ac}\shell\\"" ->  [AutoRun] -> File not 



found

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoin



ts2\{90d739a0-fa44-11df-9d35-001d099074ac}\shell\AutoRun\command

\{90d739a0-fa44-11df-9d35-001d099074ac}\shell\AutoRun\command\\"" ->  [L:\TL-



Bootstrap.exe] -> File not found

\{9a917e85-e62d-11de-b718-001d099074ac}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoin



ts2\{9a917e85-e62d-11de-b718-001d099074ac}\shell

\{9a917e85-e62d-11de-b718-001d099074ac}\shell\\"" ->  [AutoRun] -> File not 



found

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoin



ts2\{9a917e85-e62d-11de-b718-001d099074ac}\shell\AutoRun\command

\{9a917e85-e62d-11de-b718-001d099074ac}\shell\AutoRun\command\\"" ->  



[L:\LaunchU3.exe -a] -> File not found

< Registry Shell Spawning - Select to Repair > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 

comfile [open] -> "%1" %* -> 

exefile [open] -> "%1" %* -> 

< AppCertDlls [HKEY_LOCAL_MACHINE] > -> 



HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session 



Manager\AppCertDlls -> 

< File Associations - Select to Repair > -> 



HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 

.com [@ = comfile] -> "%1" %* -> 

.exe [@ = exefile] -> "%1" %* -> 

 

 

[Files/Folders - Created Within 30 Days]

 OTS.exe -> C:\Users\Jenkys\Desktop\OTS.exe -> [2011/12/02 09:49:53 | 



000,646,144 | ---- | C] (OldTimer Tools)

 tdsskiller.exe -> C:\Users\Jenkys\Desktop\tdsskiller.exe -> [2011/12/02 



09:49:34 | 001,566,512 | ---- | C] (Kaspersky Lab ZAO)

 gmer -> C:\Users\Jenkys\Desktop\gmer -> [2011/12/01 10:56:11 | 000,000,000 | 



---D | C]

 dds.scr -> C:\Users\Jenkys\Desktop\dds.scr -> [2011/12/01 10:46:18 | 



000,607,260 | R--- | C] (Swearware)

 SUPERAntiSpyware.com -> C:\Users\Jenkys\AppData\Roaming\SUPERAntiSpyware.com 



-> [2011/11/30 22:19:16 | 000,000,000 | ---D | C]

 SUPERAntiSpyware -> C:\ProgramData\Microsoft\Windows\Start 



Menu\Programs\SUPERAntiSpyware -> [2011/11/30 22:18:50 | 000,000,000 | ---D | 



C]

 SUPERAntiSpyware.com -> C:\ProgramData\SUPERAntiSpyware.com -> [2011/11/30 



22:18:45 | 000,000,000 | ---D | C]

 SUPERAntiSpyware -> C:\Program Files\SUPERAntiSpyware -> [2011/11/30 22:18:45 



| 000,000,000 | ---D | C]

 Amazon -> C:\Program Files\Amazon -> [2011/11/26 23:51:25 | 000,000,000 | --



-D | C]

 HpUpdate -> C:\Users\Jenkys\AppData\Roaming\HpUpdate -> [2011/11/26 22:38:58 



| 000,000,000 | ---D | C]

 HPDiscoPMa011.dll -> C:\Windows\System32\HPDiscoPMa011.dll -> [2011/11/26 



22:38:28 | 000,544,616 | ---- | C] (Hewlett-Packard Co.)

 HP -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP -> [2011/11/26 



22:38:24 | 000,000,000 | ---D | C]

 HP -> C:\ProgramData\HP -> [2011/11/26 22:32:53 | 000,000,000 | ---D | C]

 HP -> C:\Program Files\HP -> [2011/11/26 22:32:40 | 000,000,000 | ---D | C]

 {01150966-ed00-43d6-8619-7199a4ea27ce} -> C:\Users\Jenkys\{01150966-ed00-



43d6-8619-7199a4ea27ce} -> [2011/11/26 22:17:20 | 000,000,000 | ---D | C]

 {05e2bb3a-9580-44b1-96cc-5195269d1fa4} -> C:\Users\Jenkys\{05e2bb3a-9580-



44b1-96cc-5195269d1fa4} -> [2011/11/26 22:05:18 | 000,000,000 | ---D | C]

 HP -> C:\Users\Jenkys\AppData\Local\HP -> [2011/11/26 22:03:22 | 000,000,000 



| ---D | C]

 AdobePDFUI.dll -> C:\Windows\System32\AdobePDFUI.dll -> [2011/11/26 15:39:26 



| 000,022,872 | R--- | C] (Adobe Systems Inc.)

 Lbd.sys -> C:\Windows\System32\drivers\Lbd.sys -> [2011/11/10 09:48:48 | 



000,064,512 | ---- | C] (Lavasoft AB)

 Lavasoft -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft -> 



[2011/11/10 09:48:24 | 000,000,000 | ---D | C]

 Lavasoft -> C:\Program Files\Lavasoft -> [2011/11/10 09:48:24 | 000,000,000 | 



---D | C]

 IUPUI -> C:\Users\Jenkys\Desktop\IUPUI -> [2011/11/07 10:11:57 | 000,000,000 



| ---D | C]

 2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> 

 

[Files/Folders - Modified Within 30 Days]

 7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-



601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-



1.C7483456-A289-439d-8115-601632D005A0 -> [2011/12/03 07:47:10 | 000,003,664 | 



-H-- | M] ()

 7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-



601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-



0.C7483456-A289-439d-8115-601632D005A0 -> [2011/12/03 07:47:10 | 000,003,664 | 



-H-- | M] ()

 perfh009.dat -> C:\Windows\System32\perfh009.dat -> [2011/12/02 09:54:02 | 



000,598,350 | ---- | M] ()

 perfc009.dat -> C:\Windows\System32\perfc009.dat -> [2011/12/02 09:54:02 | 



000,101,988 | ---- | M] ()

 OTS.exe -> C:\Users\Jenkys\Desktop\OTS.exe -> [2011/12/02 09:50:11 | 



000,646,144 | ---- | M] (OldTimer Tools)

 tdsskiller.exe -> C:\Users\Jenkys\Desktop\tdsskiller.exe -> [2011/12/02 



09:49:38 | 001,566,512 | ---- | M] (Kaspersky Lab ZAO)

 Ad-Aware Update (Weekly).job -> C:\Windows\tasks\Ad-Aware Update (Weekly).job 



-> [2011/12/02 09:47:10 | 000,000,384 | ---- | M] ()

 bootstat.dat -> C:\Windows\bootstat.dat -> [2011/12/02 09:46:58 | 000,067,584 



| --S- | M] ()

 hiberfil.sys -> C:\hiberfil.sys -> [2011/12/02 09:46:55 | 3487,748,096 | -HS- 



| M] ()

 MEMORY.DMP -> C:\Windows\MEMORY.DMP -> [2011/12/02 09:46:53 | 673,217,166 | 



---- | M] ()

 gmer.zip -> C:\Users\Jenkys\Desktop\gmer.zip -> [2011/12/01 10:46:47 | 



000,294,216 | ---- | M] ()

 dds.scr -> C:\Users\Jenkys\Desktop\dds.scr -> [2011/12/01 10:46:19 | 



000,607,260 | R--- | M] (Swearware)

 defogger_reenable -> C:\Users\Jenkys\defogger_reenable -> [2011/12/01 



10:27:41 | 000,000,020 | ---- | M] ()

 Defogger.exe -> C:\Users\Jenkys\Desktop\Defogger.exe -> [2011/12/01 10:18:27 



| 000,050,477 | ---- | M] ()

 rp_stats.dat -> C:\Windows\System32\rp_stats.dat -> [2011/12/01 09:50:12 | 



000,000,064 | ---- | M] ()

 rp_rules.dat -> C:\Windows\System32\rp_rules.dat -> [2011/12/01 09:50:12 | 



000,000,044 | ---- | M] ()

 d3d9caps.dat -> C:\Users\Jenkys\AppData\Local\d3d9caps.dat -> [2011/11/30 



10:10:59 | 000,008,268 | ---- | M] ()

 Ament.ini -> C:\ProgramData\Ament.ini -> [2011/11/26 22:04:20 | 000,000,057 | 



---- | M] ()

 SBREDrv.sys -> C:\Windows\System32\drivers\SBREDrv.sys -> [2011/11/10 



09:50:42 | 000,101,720 | ---- | M] (Sunbelt Software)

 lsdelete.exe -> C:\Windows\System32\lsdelete.exe -> [2011/11/10 09:50:41 | 



000,016,432 | ---- | M] ()

 Lbd.sys -> C:\Windows\System32\drivers\Lbd.sys -> [2011/11/03 12:06:56 | 



000,064,512 | ---- | M] (Lavasoft AB)

 82 C:\Users\Jenkys\AppData\Local\temp\*.tmp files -> 



C:\Users\Jenkys\AppData\Local\temp\*.tmp -> 

 2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> 

 

[Files - No Company Name]

 Ad-Aware Update (Weekly).job -> C:\Windows\tasks\Ad-Aware Update (Weekly).job 



-> [2011/12/02 09:47:08 | 000,000,384 | ---- | C] ()

 gmer.zip -> C:\Users\Jenkys\Desktop\gmer.zip -> [2011/12/01 10:46:47 | 



000,294,216 | ---- | C] ()

 defogger_reenable -> C:\Users\Jenkys\defogger_reenable -> [2011/12/01 



10:27:24 | 000,000,020 | ---- | C] ()

 Defogger.exe -> C:\Users\Jenkys\Desktop\Defogger.exe -> [2011/12/01 10:18:27 



| 000,050,477 | ---- | C] ()

 MEMORY.DMP -> C:\Windows\MEMORY.DMP -> [2011/11/29 01:05:34 | 673,217,166 | 



---- | C] ()

 lsdelete.exe -> C:\Windows\System32\lsdelete.exe -> [2011/11/29 00:39:56 | 



000,016,432 | ---- | C] ()

 Ament.ini -> C:\ProgramData\Ament.ini -> [2011/11/26 22:04:20 | 000,000,057 | 



---- | C] ()

 rp_stats.dat -> C:\Windows\System32\rp_stats.dat -> [2011/11/13 09:51:42 | 



000,000,064 | ---- | C] ()

 rp_rules.dat -> C:\Windows\System32\rp_rules.dat -> [2011/11/13 09:51:42 | 



000,000,044 | ---- | C] ()

 HPScanTRDrv_DJ3050A_J611.dll -> C:\Windows\System32



\HPScanTRDrv_DJ3050A_J611.dll -> [2011/06/08 16:57:22 | 001,929,576 | ---- | 



C] ()

 RaCoInst.dat -> C:\Windows\System32\RaCoInst.dat -> [2011/03/11 17:39:27 | 



000,013,931 | ---- | C] ()

 RT2870_{E2AA177C-DC54-42F1-BF70-5C81BCB1AF30}_sta -> 



C:\Users\Jenkys\AppData\Local\RT2870_{E2AA177C-DC54-42F1-BF70-5C81BCB1AF30}



_sta -> [2011/01/09 16:39:52 | 000,000,753 | ---- | C] ()

 RT2870_{E2AA177C-DC54-42F1-BF70-5C81BCB1AF30}_prof -> 



C:\Users\Jenkys\AppData\Local\RT2870_{E2AA177C-DC54-42F1-BF70-5C81BCB1AF30}



_prof -> [2011/01/09 16:39:35 | 000,000,763 | ---- | C] ()

 mlfcache.dat -> C:\Windows\System32\mlfcache.dat -> [2009/12/18 17:14:09 | 



000,223,308 | -H-- | C] ()

 asr.INI -> C:\Windows\asr.INI -> [2009/11/09 14:55:17 | 000,000,408 | ---- | 



C] ()

 EhStorAuthn.dll -> C:\Windows\System32\EhStorAuthn.dll -> [2009/09/03 



17:19:12 | 000,117,248 | ---- | C] ()

 StructuredQuerySchema.bin -> C:\Windows\System32\StructuredQuerySchema.bin -> 



[2009/09/03 17:17:26 | 000,107,612 | ---- | C] ()

 StructuredQuerySchemaTrivial.bin -> C:\Windows\System32



\StructuredQuerySchemaTrivial.bin -> [2009/09/03 17:17:26 | 000,018,904 | ---- 



| C] ()

 tdx.sys -> C:\Windows\System32\drivers\tdx.sys -> [2009/09/03 17:17:18 | 



000,072,192 | ---- | C] ()

 RT2870_{38026E24-7795-4204-AB17-827608174A59}_sta -> 



C:\Users\Jenkys\AppData\Local\RT2870_{38026E24-7795-4204-AB17-827608174A59}



_sta -> [2009/09/03 16:37:28 | 000,000,776 | ---- | C] ()

 RT2870_{38026E24-7795-4204-AB17-827608174A59}_prof -> 



C:\Users\Jenkys\AppData\Local\RT2870_{38026E24-7795-4204-AB17-827608174A59}



_prof -> [2009/09/03 16:37:27 | 000,000,763 | ---- | C] ()

 nsreg.dat -> C:\Windows\nsreg.dat -> [2009/08/26 00:28:25 | 000,000,000 | --



-- | C] ()

 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> 



C:\Users\Jenkys\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> 



[2009/08/19 19:25:57 | 000,021,504 | ---- | C] ()

 Machnm32.sys -> C:\Windows\System32\Machnm32.sys -> [2009/08/19 14:49:21 | 



000,002,304 | ---- | C] ()

 d3d9caps.dat -> C:\Users\Jenkys\AppData\Local\d3d9caps.dat -> [2009/08/19 



13:27:24 | 000,008,268 | ---- | C] ()

 OGACheckControl.dll -> C:\Windows\System32\OGACheckControl.dll -> [2009/08/03 



14:07:42 | 000,403,816 | ---- | C] ()

 OGAEXEC.exe -> C:\Windows\System32\OGAEXEC.exe -> [2009/08/03 14:07:42 | 



000,230,768 | ---- | C] ()

 WebRecDLg.dll -> C:\Windows\System32\WebRecDLg.dll -> [2008/10/12 01:28:15 | 



000,413,696 | ---- | C] ()

 physxcudart_20.dll -> C:\Windows\System32\physxcudart_20.dll -> [2008/10/07 



08:13:30 | 000,197,912 | ---- | C] ()

 AgCPanelTraditionalChinese.dll -> C:\Windows\System32



\AgCPanelTraditionalChinese.dll -> [2008/10/07 08:13:22 | 000,058,648 | ---- | C] ()
 AgCPanelSwedish.dll -> C:\Windows\System32\AgCPanelSwedish.dll -> [2008/10/07 08:13:20 | 000,058,648 | ---- | C] ()
 AgCPanelSpanish.dll -> C:\Windows\System32\AgCPanelSpanish.dll -> [2008/10/07 08:13:20 | 000,058,648 | ---- | C] ()
 AgCPanelSimplifiedChinese.dll -> C:\Windows\System32\AgCPanelSimplifiedChinese.dll -> [2008/10/07 08:13:20 | 000,058,648 | ---- | C] ()
 AgCPanelPortugese.dll -> C:\Windows\System32\AgCPanelPortugese.dll -> [2008/10/07 08:13:20 | 000,058,648 | ---- | C] ()
 AgCPanelKorean.dll -> C:\Windows\System32\AgCPanelKorean.dll -> [2008/10/07 08:13:20 | 000,058,648 | ---- | C] ()
 AgCPanelJapanese.dll -> C:\Windows\System32\AgCPanelJapanese.dll -> [2008/10/07 08:13:20 | 000,058,648 | ---- | C] ()
 AgCPanelGerman.dll -> C:\Windows\System32\AgCPanelGerman.dll -> [2008/10/07 08:13:20 | 000,058,648 | ---- | C] ()
 AgCPanelFrench.dll -> C:\Windows\System32\AgCPanelFrench.dll -> [2008/10/07 08:13:20 | 000,058,648 | ---- | C] ()
 bootstat.dat -> C:\Windows\bootstat.dat -> [2006/11/02 07:57:28 | 000,067,584 | --S- | C] ()
 FNTCACHE.DAT -> C:\Windows\System32\FNTCACHE.DAT -> [2006/11/02 07:47:37 | 002,600,632 | ---- | C] ()
 sysprepMCE.dll -> C:\Windows\System32\sysprepMCE.dll -> [2006/11/02 07:35:32 | 000,005,632 | ---- | C] ()
 perfh009.dat -> C:\Windows\System32\perfh009.dat -> [2006/11/02 05:33:01 | 000,598,350 | ---- | C] ()
 perfi009.dat -> C:\Windows\System32\perfi009.dat -> [2006/11/02 05:33:01 | 000,287,440 | ---- | C] ()
 perfc009.dat -> C:\Windows\System32\perfc009.dat -> [2006/11/02 05:33:01 | 000,101,988 | ---- | C] ()
 perfd009.dat -> C:\Windows\System32\perfd009.dat -> [2006/11/02 05:33:01 | 000,030,674 | ---- | C] ()
 dssec.dat -> C:\Windows\System32\dssec.dat -> [2006/11/02 05:23:21 | 000,215,943 | ---- | C] ()
 mib.bin -> C:\Windows\mib.bin -> [2006/11/02 03:58:30 | 000,043,131 | ---- | C] ()
 NOISE.DAT -> C:\Windows\System32\NOISE.DAT -> [2006/11/02 03:19:00 | 000,000,741 | ---- | C] ()
 pacerprf.ini -> C:\Windows\System32\pacerprf.ini -> [2006/11/02 02:40:29 | 000,013,750 | ---- | C] ()
 mlang.dat -> C:\Windows\System32\mlang.dat -> [2006/11/02 02:25:31 | 000,673,088 | ---- | C] ()
 Recapr.dll -> C:\Windows\System32\Recapr.dll -> [2002/03/20 23:38:14 | 000,208,896 | ---- | C] ()
 lame_enc.dll -> C:\Windows\System32\lame_enc.dll -> [2002/03/20 23:38:14 | 000,208,896 | ---- | C] ()

 

[Alternate Data Streams]

@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:60954489

@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:3B5038B1

@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:3C340A64

@Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:58D2A680

@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:60516BC3

@Alternate Data Stream - 148 bytes -> C:\ProgramData\TEMP:2AEB42F1

@Alternate Data Stream - 154 bytes -> C:\ProgramData\TEMP:679ABA25

@Alternate Data Stream - 161 bytes -> C:\ProgramData\TEMP:766442E5

@Alternate Data Stream - 164 bytes -> C:\ProgramData\TEMP:9A953997

@Alternate Data Stream - 164 bytes -> C:\ProgramData\TEMP:B4DCBA8B

@Alternate Data Stream - 170 bytes -> C:\ProgramData\TEMP:E23C405D

< End of report >



#6 SweetTech


Posted 04 December 2011 - 01:28 AM

It appears you may have Word Wrap enabled in Notepad. I'd like to have you check to ensure that this feature is not checked, and if it is to please uncheck it.

  • You have word wrap turned on; this is making your logs difficult to read
  • Run Notepad
  • Go to Format and untick Word Wrap


Please attempt to post the OTS log again for me after checking the setting above.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 SweetTech


Posted 11 December 2011 - 06:51 AM

Due to lack of feedback this thread will now be closed. If you still require assistance, and would like to have your thread re-opened, please feel free to send me a Private Message (PM) being sure to include a link to your topic, and I'd be happy to re-open it.


