Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Diagnosed with zeroaccess - trouble with the log process


  • This topic is locked This topic is locked
20 replies to this topic

#1 TCsparks

TCsparks

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:26 AM

Posted 03 March 2012 - 09:23 AM

After some research, Narenxp pronounced that I have zeroaccess on my system, in this post.

I have attempted to follow the prep guide instructions but cannot get DDS to complete execution. It appears to hang near the end of completion. I have downloaded twice, run each version twice, in both normal and safe mode. I have let these run for up to 30 minutes with no effect. All times I have had to reboot.

GMER log below.
Thank you in advance.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-03 07:57:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\SiSRaid1Port2Path0Target0Lun0 ST316081 rev.____
Running: 9wmdjwyqGMER.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdipog.sys


---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB16533$\2719857594 0 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349 0 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\cfg.ini 279 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\L 0 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\L\akygdmgo 57600 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\oemid 197 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\U 0 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB16533$\72369349\version 847 bytes

---- EOF - GMER 1.0.15 ----

Edited by TCsparks, 03 March 2012 - 09:25 AM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 04 March 2012 - 02:09 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


The first thing I would like you to do is run this for me - http://download.bleepingcomputer.com/grinler/unhide.exe after it is complete restart the computer and continue with these steps


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


information and logs:

  • In your next post I need the following

  • .logs from OTL
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 TCsparks

TCsparks
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:26 AM

Posted 04 March 2012 - 12:13 PM

Thank you for your time.

No problems running unhide or OTL.

OTL.txt as follows:

OTL logfile created on: 3/4/2012 11:00:56 AM - Run 1
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Documents and Settings\Jerri\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.58 Gb Available Physical Memory | 79.12% Memory free
5.85 Gb Paging File | 5.61 Gb Available in Paging File | 95.88% Paging File free
Paging file location(s): D:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.94 Gb Total Space | 26.78 Gb Free Space | 47.88% Space Free | Partition Type: NTFS
Drive D: | 40.00 Gb Total Space | 19.42 Gb Free Space | 48.54% Space Free | Partition Type: NTFS
Drive E: | 93.10 Gb Total Space | 22.71 Gb Free Space | 24.39% Space Free | Partition Type: NTFS
Drive F: | 53.35 Gb Total Space | 16.35 Gb Free Space | 30.64% Space Free | Partition Type: NTFS
Drive I: | 14.94 Gb Total Space | 14.94 Gb Free Space | 99.99% Space Free | Partition Type: FAT32
Drive Y: | 833.83 Gb Total Space | 651.69 Gb Free Space | 78.16% Space Free | Partition Type: NTFS

Computer Name: T001 | User Name: Jerri | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Jerri\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Zune\ZuneBusEnum.exe (Microsoft Corporation)
PRC - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe (LeapFrog Enterprises, Inc.)
PRC - C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe ()
PRC - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
PRC - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe (NVIDIA)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE (Logitech Inc.)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Modules (No Company Name) ==========

MOD - c:\Program Files\Common Files\Akamai\netsession_win_7de0ed9.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe ()
MOD - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.DEU ()
MOD - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroTray.FRA ()


========== Win32 Services (SafeList) ==========

SRV - (swupdtmr) -- File not found
SRV - (sony_ssm.sys) -- File not found
SRV - (ROB_V) -- File not found
SRV - (pinnaclemarvinusb) -- File not found
SRV - (NWUSBModem) -- File not found
SRV - (HidServ) -- File not found
SRV - (dlcf_device) -- File not found
SRV - (CnxTrLan) -- File not found
SRV - (Akamai) -- c:\program files\common files\akamai/netsession_win_7de0ed9.dll ()
SRV - (ZuneWlanCfgSvc) -- C:\Program Files\Zune\ZuneWlanCfgSvc.exe (Microsoft Corporation)
SRV - (WMZuneComm) -- C:\Program Files\Zune\WMZuneComm.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc) -- C:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneBusEnum) -- C:\Program Files\Zune\ZuneBusEnum.exe (Microsoft Corporation)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (LeapFrog Connect Device Service) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe (LeapFrog Enterprises, Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (Nero BackItUp Scheduler 4.0) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (nTuneService) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
SRV - (UpdateCenterService) -- C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe (NVIDIA)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (Adobe Version Cue CS3) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe (Adobe Systems Incorporated)
SRV - (KodakCCS) -- C:\WINDOWS\system32\drivers\KodakCCS.exe (Eastman Kodak Company)
SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (UsbserFilt) -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (upperdev) -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (nmwcdc) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcd) -- C:\WINDOWS\system32\drivers\ccdcmb.sys (Nokia)
DRV - (RivaTuner32) -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys ()
DRV - (gdrv) -- C:\WINDOWS\gdrv.sys (Windows ® 2000 DDK provider)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (NVR0Dev) -- C:\WINDOWS\nvoclock.sys (NVidia Corp.)
DRV - (NVR0FLASHDev) -- C:\WINDOWS\nvflash.sys (NVidia Corp.)
DRV - (WinUSB) -- C:\WINDOWS\system32\drivers\winusb.sys (Microsoft Corporation)
DRV - (DcCam) -- C:\WINDOWS\system32\drivers\DcCam.sys (Eastman Kodak Company)
DRV - (Exportit) -- C:\WINDOWS\system32\drivers\ExportIt.sys (Eastman Kodak Company)
DRV - (DcPTP) -- C:\WINDOWS\system32\drivers\DcPtp.sys (Eastman Kodak Company)
DRV - (DcLps) -- C:\WINDOWS\system32\drivers\DcLps.sys (Eastman Kodak Company)
DRV - (DCFS2K) -- C:\WINDOWS\system32\drivers\DCFS2k.sys (Eastman Kodak Company)
DRV - (DcFpoint) -- C:\WINDOWS\system32\drivers\DcFpoint.sys (Eastman Kodak Company)
DRV - (LMouFlt2) -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys (Logitech, Inc.)
DRV - (L8042pr2) -- C:\WINDOWS\system32\drivers\L8042pr2.Sys (Logitech, Inc.)
DRV - (SiSRaid) -- C:\WINDOWS\system32\drivers\SiSRaid.sys (Silicon Integrated Systems)
DRV - (SISNIC) -- C:\WINDOWS\system32\drivers\sisnic.sys (SiS Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{59fff9c0-e120-4a0c-90aa-bc861dc05adc}: "URL" = http://search.rumo.com/search?ourmark=1&fr=freecause&ei=utf-8&type=60353&p={searchTerms}


IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\..\URLSearchHook: - No CLSID value found
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\..\SearchScopes,DefaultScope = {49577A30-17FA-4F6C-AEF0-EF77D224F1F2}
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\..\SearchScopes\{22D6450F-8039-4823-BD4B-3D36CC06B8DE}: "URL" = http://www.flickr.com/search/?q={searchTerms}
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\..\SearchScopes\{3AA7C864-B99C-4674-8C24-2F3DBB136875}: "URL" = http://rover.ebay.com/rover/1/711-43047-14818-1/4?satitle={searchTerms}
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\..\SearchScopes\{49577A30-17FA-4F6C-AEF0-EF77D224F1F2}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie8
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\..\SearchScopes\{59fff9c0-e120-4a0c-90aa-bc861dc05adc}: "URL" = http://search.rumo.com/search?ourmark=1&fr=freecause&ei=utf-8&type=60353&p={searchTerms}
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\..\SearchScopes\{80CD10BB-E44D-4725-8F05-DE6AD6CBDC15}: "URL" = http://delicious.com/search?p={searchTerms}
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\..\SearchScopes\{F1856996-02AD-45A6-8B62-C0A3AE13D019}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Jerri\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Jerri\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2011/09/10 21:25:56 | 000,000,000 | ---D | M]

[2011/03/18 12:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/03/18 12:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll

========== Chrome ==========

CHR - default_search_provider: Google ()
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Jerri\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Browser\nppdf32.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Chrome NaCl (Enabled) = C:\Documents and Settings\Jerri\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Jerri\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\pdf.dll
CHR - plugin: Coupons Inc., Coupon Printer Manager (Enabled) = C:\Documents and Settings\Jerri\Local Settings\Application Data\Google\Chrome\Application\plugins\npMozCouponPrinter.dll
CHR - plugin: Coupons Inc., Coupon Printer Manager (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Jerri\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {F1F7419C-23DD-4D88-A1A2-499CCD3D9324} - No CLSID value found.
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [RivaTuner] C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe ()
O4 - HKLM..\Run: [RivaTunerStartupDaemon] C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe ()
O4 - HKU\S-1-5-21-839522115-1343024091-2147252035-1004..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 3.0.04506.30; Zune 3.0)" -"http://pbskids.org/barney/children/games/manners_game.html" File not found
O4 - HKLM..\RunOnceEx: [] File not found
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1330209750156 (WUWebControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7E109729-3A86-47E9-9208-EE48D5A0B3A9}: NameServer = 209.18.47.61,209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/06 13:01:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/04 10:46:00 | 000,584,704 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jerri\Desktop\OTL.exe
[2012/03/04 10:45:56 | 000,389,024 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\Jerri\Desktop\unhide.exe
[2012/02/29 21:33:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Jerri\Start Menu\Programs\Administrative Tools
[2012/02/29 21:32:39 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Jerri\Desktop\dds.scr
[2012/02/27 20:44:51 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/02/26 20:30:48 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/02/26 16:43:33 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2012/02/25 17:03:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2012/02/25 17:02:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jerri\Local Settings\Application Data\PCHealth
[2012/02/25 16:50:45 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2012/02/25 16:49:25 | 000,139,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwd.sys
[2012/02/25 16:49:25 | 000,010,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndistapi.sys
[2012/02/25 16:49:12 | 000,105,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mup.sys
[2012/02/25 16:48:11 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2012/02/25 16:48:07 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2012/02/25 16:48:02 | 000,590,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcrt4.dll
[2012/02/25 16:47:57 | 000,978,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2012/02/25 16:47:57 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2012/02/25 16:47:49 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2012/02/25 16:47:34 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2012/02/25 16:47:24 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2012/02/25 16:46:26 | 000,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\t2embed.dll
[2012/02/25 16:46:26 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fontsub.dll
[2012/02/25 16:44:47 | 000,730,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2012/02/25 16:42:58 | 000,015,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2012/02/25 16:42:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2012/02/25 12:25:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2012/02/25 11:22:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/02/25 11:22:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/02/24 15:43:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Yahoo
[2012/02/24 15:42:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
[2012/02/24 13:37:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/02/24 09:16:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2012/02/22 21:41:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-CN
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ru-RU
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-PT
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pl-PL
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ms-MY
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ja-JP
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\hu-HU
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2012/02/22 21:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\cs-CZ
[2012/02/22 21:40:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2012/02/22 21:38:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Zune
[2012/02/22 21:24:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/02/22 21:24:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/02/22 21:02:18 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/04 10:56:07 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/04 10:56:07 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/04 10:55:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/04 10:44:24 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jerri\Desktop\OTL.exe
[2012/03/04 10:44:08 | 000,389,024 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\Jerri\Desktop\unhide.exe
[2012/03/03 14:17:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1343024091-2147252035-1004UA.job
[2012/03/03 11:17:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1343024091-2147252035-1004Core.job
[2012/02/29 21:19:22 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Jerri\Desktop\9wmdjwyqGMER.exe
[2012/02/29 21:18:16 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Jerri\Desktop\dds.scr
[2012/02/26 21:57:11 | 000,000,371 | ---- | M] () -- C:\Documents and Settings\Jerri\Desktop\Shortcut to Jerri2012Desktop.lnk
[2012/02/26 17:39:30 | 000,054,156 | ---- | M] () -- C:\WINDOWS\QTFont.qfn
[2012/02/26 17:07:46 | 000,444,016 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/26 17:07:46 | 000,072,274 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/26 16:42:43 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2012/02/26 12:08:15 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/02/26 00:43:43 | 001,565,000 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/25 18:23:49 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2012/02/24 15:38:27 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\B84AL74gL.dat
[2012/02/22 21:42:03 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
[2012/02/22 21:42:03 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2012/02/22 21:39:06 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2012/02/22 21:38:57 | 000,000,628 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2012/02/22 21:15:31 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/17 19:18:16 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\Jerri\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/02/17 19:18:15 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Jerri\Desktop\Google Chrome.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/29 21:32:44 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Jerri\Desktop\9wmdjwyqGMER.exe
[2012/02/26 21:57:11 | 000,000,371 | ---- | C] () -- C:\Documents and Settings\Jerri\Desktop\Shortcut to Jerri2012Desktop.lnk
[2012/02/25 18:23:49 | 000,054,156 | ---- | C] () -- C:\WINDOWS\QTFont.qfn
[2012/02/25 18:23:49 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2012/02/25 16:50:37 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/25 16:50:37 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/24 09:16:42 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\B84AL74gL.dat
[2012/02/22 21:42:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
[2012/02/22 21:42:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2012/02/22 21:39:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01009.Wdf
[2012/02/22 21:38:57 | 000,000,628 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2012/02/22 21:15:31 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/22 21:02:58 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2011/07/13 11:25:43 | 000,012,800 | ---- | C] () -- C:\Documents and Settings\Jerri\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/20 18:05:26 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/20 16:45:02 | 000,252,080 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/02/20 16:45:00 | 000,252,080 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/02/20 16:45:00 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/02/20 16:44:53 | 002,292,678 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2010/10/14 19:39:35 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/07 13:46:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

========== Custom Scans ==========


< %TEMP%\smtmp\*.* /s >

< End of report >

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 04 March 2012 - 12:35 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 TCsparks

TCsparks
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:26 AM

Posted 04 March 2012 - 02:10 PM

Started Combofix about an hour ago.
It downloaded Recovery Console.
After continuing, a window popped up stating that Zeroaccess was found and had compromised the TCP/IP stack, and that this was 'bad'.
I clicked ok and this window popped up again.

I clicked ok again, and Combofix has been running since.
Is it hung or should I continue to wait for Combofix to finish?

The message on the screen says it should take 10 minutes, but that this could double for badly infected machines.

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 04 March 2012 - 02:21 PM

Hello


I want you to end combofix and restart the computer and then I want you to do this



  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
ComboFix /nombr
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 TCsparks

TCsparks
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:26 AM

Posted 04 March 2012 - 02:54 PM

For starters, when I restarted the machine, the windows security icon has reappeared in the system tray. Haven't seen that since this started.

Same popups for Combofix this time: Zeroaccess, Rootkit detected.
Combofix ran to completion, required a reboot.



ComboFix 12-03-04.01 - Jerri 03/04/2012 13:32:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1666 [GMT -6:00]
Running from: c:\documents and settings\Jerri\Desktop\ComboFix.exe
Command switches used :: /nombr
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\c627b56b-18fb-4afc-bc1d-e8dc4488e090.ico
c:\documents and settings\Tom\WINDOWS
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\msssc.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-04 to 2012-03-04 )))))))))))))))))))))))))))))))
.
.
2012-02-28 02:44 . 2012-02-28 02:44 -------- d-----w- c:\program files\ESET
2012-02-27 02:30 . 2012-02-27 02:30 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-27 00:09 . 2012-02-27 00:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-02-26 22:43 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-02-26 00:23 . 2012-02-26 00:23 1409 ----a-w- c:\windows\QTFont.for
2012-02-25 23:03 . 2012-02-25 23:03 -------- d-----w- c:\windows\ie8updates
2012-02-25 23:02 . 2012-02-25 23:02 -------- d-----w- c:\documents and settings\Jerri\Local Settings\Application Data\PCHealth
2012-02-25 22:50 . 2011-12-17 19:46 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-02-25 22:50 . 2011-12-17 19:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-02-25 22:50 . 2011-12-17 19:46 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-02-25 22:50 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-25 22:50 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-25 22:49 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-02-25 22:49 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-02-25 22:49 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-02-25 22:48 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-02-25 22:48 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-02-25 22:48 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-02-25 22:47 . 2011-02-08 13:33 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2012-02-25 22:47 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-02-25 22:47 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-02-25 22:47 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-02-25 22:47 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-02-25 22:46 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-02-25 22:46 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-02-25 22:44 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2012-02-25 22:44 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2012-02-25 22:44 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2012-02-25 22:44 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2012-02-25 22:44 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2012-02-25 22:44 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2012-02-25 22:44 . 2010-12-20 17:26 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2012-02-25 22:44 . 2010-12-09 15:15 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2012-02-25 22:44 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2012-02-25 22:44 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2012-02-25 22:44 . 2010-07-12 12:55 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2012-02-25 22:42 . 2009-08-07 01:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-02-25 18:25 . 2012-02-25 18:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-02-25 16:12 . 2012-02-25 16:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-02-24 21:43 . 2012-02-24 21:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2012-02-24 21:43 . 2012-02-24 21:43 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-02-24 21:42 . 2012-02-24 21:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2012-02-24 15:16 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2012-02-23 03:40 . 2012-02-23 03:40 -------- d-----w- c:\windows\system32\drivers\UMDF\ko-KR
2012-02-23 03:38 . 2012-02-23 03:38 -------- d-----w- c:\windows\system32\drivers\UMDF\en-US
2012-02-23 03:05 . 2012-02-23 03:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-02-23 03:02 . 2012-02-26 18:08 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-23 03:02 . 2012-02-23 03:02 -------- d-----w- C:\spoolerlogs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-27 02:31 . 2008-12-06 12:59 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-01-12 16:53 . 2001-08-23 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-01 21:54 . 2011-09-21 02:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-17 19:46 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2001-08-23 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-12-10 21:24 . 2011-05-03 00:59 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-04 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-01-03 640440]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]
"RivaTuner"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-16 77824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2012-02-02 08:44 3329824 ----a-w- c:\documents and settings\Jerri\Local Settings\Application Data\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-09-15 02:15 136176 ----atw- c:\documents and settings\Jerri\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 16:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA System Monitor]
2008-08-18 15:30 846368 ----a-w- c:\program files\NVIDIA Corporation\NVIDIA System Monitor\NVMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-16 19:53 77824 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2011-08-05 18:29 159456 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Jerri\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/23/2001 6:00 AM 14336]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [8/5/2011 12:30 PM 268512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NWUSBModem
dlcf_device
LUsbFilt
xcomm
swupdtmr
CnxTrLan
pinnaclemarvinusb
roxmediadb
ROB_V
sony_ssm.sys
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1343024091-2147252035-1004Core.job
- c:\documents and settings\Jerri\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-15 02:15]
.
2012-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1343024091-2147252035-1004UA.job
- c:\documents and settings\Jerri\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-15 02:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{7E109729-3A86-47E9-9208-EE48D5A0B3A9}: NameServer = 209.18.47.61,209.18.47.62
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{F1F7419C-23DD-4D88-A1A2-499CCD3D9324} - (no file)
SafeBoot-29785859.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-c627b56b-18fb-4afc-bc1d-e8dc4488e090 - c:\documents and settings\All Users\Application Data\c627b56b-18fb-4afc-bc1d-e8dc4488e090.dat
MSConfigStartUp-Internet Security - c:\documents and settings\All Users\Application Data\isecurity.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-04 13:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,a9,52,7c,cb,04,5f,44,9f,fb,f5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f0,a9,52,7c,cb,04,5f,44,9f,fb,f5,\
.
Completion time: 2012-03-04 13:46:23
ComboFix-quarantined-files.txt 2012-03-04 19:46
.
Pre-Run: 28,570,525,696 bytes free
Post-Run: 29,908,078,592 bytes free
.
- - End Of File - - 6D889A200BC299CFEB4E0D20B4C7AD33

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 04 March 2012 - 03:53 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 TCsparks

TCsparks
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:26 AM

Posted 04 March 2012 - 04:27 PM

No hiccups, no prompt windows...

TDSS log:
15:00:49.0281 3484 TDSS rootkit removing tool 2.7.18.0 Mar 2 2012 09:40:07
15:00:49.0718 3484 ============================================================
15:00:49.0718 3484 Current date / time: 2012/03/04 15:00:49.0718
15:00:49.0718 3484 SystemInfo:
15:00:49.0718 3484
15:00:49.0718 3484 OS Version: 5.1.2600 ServicePack: 3.0
15:00:49.0718 3484 Product type: Workstation
15:00:49.0718 3484 ComputerName: T001
15:00:49.0718 3484 UserName: Jerri
15:00:49.0718 3484 Windows directory: C:\WINDOWS
15:00:49.0718 3484 System windows directory: C:\WINDOWS
15:00:49.0718 3484 Processor architecture: Intel x86
15:00:49.0718 3484 Number of processors: 2
15:00:49.0718 3484 Page size: 0x1000
15:00:49.0718 3484 Boot type: Normal boot
15:00:49.0718 3484 ============================================================
15:00:50.0390 3484 Drive \Device\Harddisk0\DR0 - Size: 0x25433D4000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
15:00:50.0406 3484 Drive \Device\Harddisk1\DR1 - Size: 0x1757ACFE00 (93.37 Gb), SectorSize: 0x200, Cylinders: 0x2F9C, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
15:00:50.0406 3484 \Device\Harddisk0\DR0:
15:00:50.0406 3484 MBR used
15:00:50.0406 3484 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x6FE3388
15:00:50.0437 3484 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x6FE3406, BlocksNum 0xBA356BB
15:00:50.0437 3484 \Device\Harddisk1\DR1:
15:00:50.0437 3484 MBR used
15:00:50.0437 3484 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x50014A7
15:00:50.0437 3484 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x5001525, BlocksNum 0x6AB58B6
15:00:50.0640 3484 Initialize success
15:00:50.0640 3484 ============================================================
15:01:00.0609 3540 ============================================================
15:01:00.0609 3540 Scan started
15:01:00.0609 3540 Mode: Manual;
15:01:00.0609 3540 ============================================================
15:01:00.0718 3540 Abiosdsk - ok
15:01:00.0734 3540 abp480n5 - ok
15:01:00.0796 3540 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:01:00.0796 3540 ACPI - ok
15:01:00.0828 3540 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
15:01:00.0828 3540 ACPIEC - ok
15:01:00.0843 3540 adpu160m - ok
15:01:00.0906 3540 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
15:01:00.0906 3540 aeaudio - ok
15:01:00.0921 3540 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
15:01:00.0921 3540 aec - ok
15:01:00.0968 3540 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
15:01:00.0968 3540 AFD - ok
15:01:00.0984 3540 Aha154x - ok
15:01:01.0000 3540 aic78u2 - ok
15:01:01.0062 3540 aic78xx - ok
15:01:01.0125 3540 AliIde - ok
15:01:01.0171 3540 amsint - ok
15:01:01.0187 3540 asc - ok
15:01:01.0234 3540 asc3350p - ok
15:01:01.0281 3540 asc3550 - ok
15:01:01.0312 3540 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:01:01.0312 3540 AsyncMac - ok
15:01:01.0343 3540 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
15:01:01.0343 3540 atapi - ok
15:01:01.0359 3540 Atdisk - ok
15:01:01.0390 3540 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:01:01.0390 3540 Atmarpc - ok
15:01:01.0468 3540 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
15:01:01.0468 3540 audstub - ok
15:01:01.0531 3540 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
15:01:01.0531 3540 Beep - ok
15:01:01.0656 3540 catchme - ok
15:01:01.0687 3540 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
15:01:01.0687 3540 cbidf2k - ok
15:01:01.0703 3540 cd20xrnt - ok
15:01:01.0718 3540 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
15:01:01.0718 3540 Cdaudio - ok
15:01:01.0781 3540 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
15:01:01.0781 3540 Cdfs - ok
15:01:01.0828 3540 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:01:01.0843 3540 Cdrom - ok
15:01:01.0859 3540 Changer - ok
15:01:01.0921 3540 CmdIde - ok
15:01:01.0968 3540 Cpqarray - ok
15:01:01.0984 3540 dac2w2k - ok
15:01:02.0000 3540 dac960nt - ok
15:01:02.0078 3540 DcCam (1b269ed3eb2d81ec11cd5b0544e89962) C:\WINDOWS\system32\DRIVERS\DcCam.sys
15:01:02.0078 3540 DcCam - ok
15:01:02.0125 3540 DcFpoint (bd6ce20068159f9714ebe9e76decab2c) C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
15:01:02.0140 3540 DcFpoint - ok
15:01:02.0156 3540 DCFS2K (1315e0b5b6fc1fe930ee3498309700bd) C:\WINDOWS\system32\drivers\dcfs2k.sys
15:01:02.0156 3540 DCFS2K - ok
15:01:02.0203 3540 DcLps (5f5055efb3e0820f349924e7c5bd5af4) C:\WINDOWS\system32\DRIVERS\DcLps.sys
15:01:02.0203 3540 DcLps - ok
15:01:02.0250 3540 DcPTP (31689427da60a724b31a622b35ed21ec) C:\WINDOWS\system32\DRIVERS\DcPTP.sys
15:01:02.0250 3540 DcPTP - ok
15:01:02.0312 3540 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
15:01:02.0312 3540 Disk - ok
15:01:02.0359 3540 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
15:01:02.0390 3540 dmboot - ok
15:01:02.0421 3540 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
15:01:02.0421 3540 dmio - ok
15:01:02.0437 3540 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
15:01:02.0437 3540 dmload - ok
15:01:02.0484 3540 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
15:01:02.0484 3540 DMusic - ok
15:01:02.0515 3540 dpti2o - ok
15:01:02.0546 3540 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
15:01:02.0546 3540 drmkaud - ok
15:01:02.0593 3540 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
15:01:02.0593 3540 ENTECH - ok
15:01:02.0671 3540 Exportit (f85ffdeae43f9e9a7c3f4e3cc5ef09eb) C:\WINDOWS\system32\DRIVERS\exportit.sys
15:01:02.0671 3540 Exportit - ok
15:01:02.0718 3540 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
15:01:02.0734 3540 Fastfat - ok
15:01:02.0781 3540 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
15:01:02.0781 3540 Fdc - ok
15:01:02.0828 3540 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
15:01:02.0828 3540 Fips - ok
15:01:02.0859 3540 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
15:01:02.0859 3540 Flpydisk - ok
15:01:02.0937 3540 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
15:01:02.0937 3540 FltMgr - ok
15:01:02.0968 3540 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:01:02.0968 3540 Fs_Rec - ok
15:01:02.0984 3540 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:01:03.0000 3540 Ftdisk - ok
15:01:03.0031 3540 gdrv (c6e3105b8c68c35cc1eb26a00fd1a8c6) C:\WINDOWS\gdrv.sys
15:01:03.0593 3540 gdrv - ok
15:01:03.0687 3540 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
15:01:03.0687 3540 GEARAspiWDM - ok
15:01:03.0750 3540 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:01:03.0750 3540 Gpc - ok
15:01:03.0781 3540 hpn - ok
15:01:03.0828 3540 hpt3xx - ok
15:01:03.0921 3540 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
15:01:03.0921 3540 HTTP - ok
15:01:03.0968 3540 i2omgmt - ok
15:01:04.0000 3540 i2omp - ok
15:01:04.0093 3540 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
15:01:04.0093 3540 i8042prt - ok
15:01:04.0140 3540 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
15:01:04.0140 3540 Imapi - ok
15:01:04.0171 3540 ini910u - ok
15:01:04.0187 3540 IntelIde - ok
15:01:04.0218 3540 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:01:04.0218 3540 intelppm - ok
15:01:04.0234 3540 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
15:01:04.0234 3540 ip6fw - ok
15:01:04.0296 3540 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:01:04.0296 3540 IpFilterDriver - ok
15:01:04.0343 3540 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:01:04.0343 3540 IpInIp - ok
15:01:04.0375 3540 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:01:04.0375 3540 IpNat - ok
15:01:04.0406 3540 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:01:04.0406 3540 IPSec - ok
15:01:04.0437 3540 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
15:01:04.0437 3540 IRENUM - ok
15:01:04.0468 3540 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:01:04.0468 3540 isapnp - ok
15:01:04.0500 3540 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:01:04.0500 3540 Kbdclass - ok
15:01:04.0515 3540 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
15:01:04.0515 3540 kmixer - ok
15:01:04.0578 3540 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
15:01:04.0578 3540 KSecDD - ok
15:01:04.0609 3540 L8042pr2 (0f8b7bf7097d1e8d78f2f52a2bea03cd) C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys
15:01:04.0625 3540 L8042pr2 - ok
15:01:04.0640 3540 lbrtfdc - ok
15:01:04.0656 3540 LMouFlt2 (aef09673376a4d93c09e8341854f1bf4) C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
15:01:04.0656 3540 LMouFlt2 - ok
15:01:04.0703 3540 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
15:01:04.0703 3540 mnmdd - ok
15:01:04.0750 3540 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
15:01:04.0750 3540 Modem - ok
15:01:04.0796 3540 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:01:04.0812 3540 Mouclass - ok
15:01:04.0828 3540 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
15:01:04.0828 3540 MountMgr - ok
15:01:04.0843 3540 mraid35x - ok
15:01:04.0859 3540 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:01:04.0859 3540 MRxDAV - ok
15:01:04.0906 3540 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:01:04.0906 3540 MRxSmb - ok
15:01:04.0921 3540 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
15:01:04.0921 3540 Msfs - ok
15:01:04.0953 3540 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:01:04.0953 3540 MSKSSRV - ok
15:01:05.0000 3540 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:01:05.0015 3540 MSPCLOCK - ok
15:01:05.0046 3540 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
15:01:05.0046 3540 MSPQM - ok
15:01:05.0109 3540 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:01:05.0109 3540 mssmbios - ok
15:01:05.0156 3540 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
15:01:05.0156 3540 Mup - ok
15:01:05.0171 3540 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
15:01:05.0171 3540 NDIS - ok
15:01:05.0218 3540 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:01:05.0218 3540 NdisTapi - ok
15:01:05.0234 3540 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:01:05.0234 3540 Ndisuio - ok
15:01:05.0250 3540 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:01:05.0250 3540 NdisWan - ok
15:01:05.0281 3540 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
15:01:05.0281 3540 NDProxy - ok
15:01:05.0328 3540 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
15:01:05.0328 3540 NetBIOS - ok
15:01:05.0359 3540 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
15:01:05.0359 3540 NetBT - ok
15:01:05.0453 3540 nmwcd (cfe3462a9e94a57dcd9676f6b7fe7f67) C:\WINDOWS\system32\drivers\ccdcmb.sys
15:01:05.0453 3540 nmwcd - ok
15:01:05.0515 3540 nmwcdc (8f2a94f991f8c73cec26b4b5620d1edc) C:\WINDOWS\system32\drivers\ccdcmbo.sys
15:01:05.0515 3540 nmwcdc - ok
15:01:05.0593 3540 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
15:01:05.0593 3540 Npfs - ok
15:01:05.0640 3540 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
15:01:05.0640 3540 Ntfs - ok
15:01:05.0734 3540 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
15:01:05.0734 3540 Null - ok
15:01:06.0015 3540 nv (18c9b152da7bea76b2f9e4b6412e0aaf) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
15:01:06.0218 3540 nv - ok
15:01:06.0281 3540 NVR0Dev (9ce1b0e5cfa8223cec3be1c7616e9f63) C:\WINDOWS\nvoclock.sys
15:01:06.0343 3540 NVR0Dev - ok
15:01:06.0375 3540 NVR0FLASHDev (a73f918ec995dddbfb0d0cf1f546089a) C:\WINDOWS\nvflash.sys
15:01:06.0390 3540 NVR0FLASHDev - ok
15:01:06.0437 3540 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:01:06.0437 3540 NwlnkFlt - ok
15:01:06.0484 3540 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:01:06.0484 3540 NwlnkFwd - ok
15:01:06.0562 3540 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
15:01:06.0562 3540 Parport - ok
15:01:06.0625 3540 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
15:01:06.0625 3540 PartMgr - ok
15:01:06.0671 3540 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
15:01:06.0671 3540 ParVdm - ok
15:01:06.0718 3540 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
15:01:06.0718 3540 pccsmcfd - ok
15:01:06.0750 3540 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
15:01:06.0750 3540 PCI - ok
15:01:06.0765 3540 PCIDump - ok
15:01:06.0843 3540 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
15:01:06.0843 3540 PCIIde - ok
15:01:06.0890 3540 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
15:01:06.0890 3540 Pcmcia - ok
15:01:06.0906 3540 PDCOMP - ok
15:01:06.0921 3540 PDFRAME - ok
15:01:06.0953 3540 PDRELI - ok
15:01:06.0953 3540 PDRFRAME - ok
15:01:07.0000 3540 perc2 - ok
15:01:07.0015 3540 perc2hib - ok
15:01:07.0125 3540 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:01:07.0125 3540 PptpMiniport - ok
15:01:07.0156 3540 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
15:01:07.0156 3540 Processor - ok
15:01:07.0187 3540 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
15:01:07.0187 3540 PSched - ok
15:01:07.0218 3540 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:01:07.0218 3540 Ptilink - ok
15:01:07.0281 3540 PxHelp20 (db3b30c3a4cdcf07e164c14584d9d0f2) C:\WINDOWS\system32\Drivers\PxHelp20.sys
15:01:07.0281 3540 PxHelp20 - ok
15:01:07.0312 3540 ql1080 - ok
15:01:07.0343 3540 Ql10wnt - ok
15:01:07.0359 3540 ql12160 - ok
15:01:07.0390 3540 ql1240 - ok
15:01:07.0406 3540 ql1280 - ok
15:01:07.0437 3540 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:01:07.0437 3540 RasAcd - ok
15:01:07.0515 3540 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:01:07.0515 3540 Rasl2tp - ok
15:01:07.0546 3540 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:01:07.0546 3540 RasPppoe - ok
15:01:07.0562 3540 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
15:01:07.0562 3540 Raspti - ok
15:01:07.0593 3540 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:01:07.0593 3540 Rdbss - ok
15:01:07.0640 3540 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:01:07.0640 3540 RDPCDD - ok
15:01:07.0703 3540 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
15:01:07.0703 3540 rdpdr - ok
15:01:07.0750 3540 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
15:01:07.0750 3540 RDPWD - ok
15:01:07.0796 3540 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
15:01:07.0796 3540 redbook - ok
15:01:07.0859 3540 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
15:01:07.0875 3540 RivaTuner32 - ok
15:01:07.0953 3540 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:01:07.0953 3540 Secdrv - ok
15:01:08.0015 3540 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
15:01:08.0015 3540 serenum - ok
15:01:08.0046 3540 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
15:01:08.0046 3540 Serial - ok
15:01:08.0093 3540 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:01:08.0093 3540 Sfloppy - ok
15:01:08.0125 3540 Simbad - ok
15:01:08.0171 3540 SISNIC (8204c49cde112f7b9c2f15707fe2cc5a) C:\WINDOWS\system32\DRIVERS\sisnic.sys
15:01:08.0171 3540 SISNIC - ok
15:01:08.0218 3540 SiSRaid (4c597e4de6edf6453990059ba0eac7d0) C:\WINDOWS\system32\drivers\SiSRaid.sys
15:01:08.0218 3540 SiSRaid - ok
15:01:08.0250 3540 smwdm (bf208c85119770e6a9b6577019a3d810) C:\WINDOWS\system32\drivers\smwdm.sys
15:01:08.0265 3540 smwdm - ok
15:01:08.0281 3540 Sparrow - ok
15:01:08.0328 3540 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
15:01:08.0328 3540 splitter - ok
15:01:08.0343 3540 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
15:01:08.0343 3540 sr - ok
15:01:08.0390 3540 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
15:01:08.0390 3540 Srv - ok
15:01:08.0453 3540 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
15:01:08.0453 3540 StillCam - ok
15:01:08.0500 3540 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
15:01:08.0500 3540 swenum - ok
15:01:08.0531 3540 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
15:01:08.0531 3540 swmidi - ok
15:01:08.0578 3540 symc810 - ok
15:01:08.0593 3540 symc8xx - ok
15:01:08.0625 3540 sym_hi - ok
15:01:08.0640 3540 sym_u3 - ok
15:01:08.0671 3540 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
15:01:08.0671 3540 sysaudio - ok
15:01:08.0750 3540 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:01:08.0750 3540 Tcpip - ok
15:01:08.0796 3540 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
15:01:08.0796 3540 TDPIPE - ok
15:01:08.0843 3540 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
15:01:08.0843 3540 TDTCP - ok
15:01:08.0890 3540 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
15:01:08.0890 3540 TermDD - ok
15:01:08.0921 3540 TosIde - ok
15:01:09.0015 3540 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
15:01:09.0015 3540 uagp35 - ok
15:01:09.0046 3540 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
15:01:09.0046 3540 Udfs - ok
15:01:09.0062 3540 ultra - ok
15:01:09.0109 3540 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
15:01:09.0109 3540 Update - ok
15:01:09.0156 3540 upperdev (ec01da44b090d2651fc032c8b9257232) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
15:01:09.0156 3540 upperdev - ok
15:01:09.0218 3540 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
15:01:09.0234 3540 USBAAPL - ok
15:01:09.0281 3540 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
15:01:09.0281 3540 usbaudio - ok
15:01:09.0343 3540 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:01:09.0343 3540 usbccgp - ok
15:01:09.0390 3540 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:01:09.0390 3540 usbehci - ok
15:01:09.0406 3540 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:01:09.0406 3540 usbhub - ok
15:01:09.0421 3540 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
15:01:09.0421 3540 usbohci - ok
15:01:09.0468 3540 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:01:09.0468 3540 usbscan - ok
15:01:09.0515 3540 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
15:01:09.0515 3540 usbser - ok
15:01:09.0546 3540 UsbserFilt (4abd37cfbd710e64f01f9da8710c73f7) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
15:01:09.0546 3540 UsbserFilt - ok
15:01:09.0625 3540 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:01:09.0625 3540 USBSTOR - ok
15:01:09.0687 3540 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
15:01:09.0687 3540 VgaSave - ok
15:01:09.0718 3540 ViaIde - ok
15:01:09.0765 3540 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
15:01:09.0765 3540 VolSnap - ok
15:01:09.0812 3540 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:01:09.0812 3540 Wanarp - ok
15:01:09.0859 3540 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
15:01:09.0859 3540 Wdf01000 - ok
15:01:09.0875 3540 WDICA - ok
15:01:09.0906 3540 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
15:01:09.0906 3540 wdmaud - ok
15:01:09.0968 3540 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
15:01:09.0968 3540 WinUSB - ok
15:01:10.0031 3540 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
15:01:10.0031 3540 WpdUsb - ok
15:01:10.0078 3540 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
15:01:10.0093 3540 WS2IFSL - ok
15:01:10.0156 3540 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:01:10.0156 3540 WudfPf - ok
15:01:10.0171 3540 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:01:10.0171 3540 WudfRd - ok
15:01:10.0234 3540 zumbus (ae279cd76b38fc079eec3ca6d65a5926) C:\WINDOWS\system32\DRIVERS\zumbus.sys
15:01:10.0234 3540 zumbus - ok
15:01:10.0265 3540 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
15:01:10.0406 3540 \Device\Harddisk0\DR0 - ok
15:01:10.0437 3540 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
15:01:10.0781 3540 \Device\Harddisk1\DR1 - ok
15:01:10.0781 3540 Boot (0x1200) (12c9e7216cd3a21200f45885158fbeaf) \Device\Harddisk0\DR0\Partition0
15:01:10.0781 3540 \Device\Harddisk0\DR0\Partition0 - ok
15:01:10.0796 3540 Boot (0x1200) (3a9d1a1d122764181514c95ef875f874) \Device\Harddisk0\DR0\Partition1
15:01:10.0812 3540 \Device\Harddisk0\DR0\Partition1 - ok
15:01:10.0812 3540 Boot (0x1200) (ef0972b6d2a337678eb86944c07fe683) \Device\Harddisk1\DR1\Partition0
15:01:10.0812 3540 \Device\Harddisk1\DR1\Partition0 - ok
15:01:10.0843 3540 Boot (0x1200) (5f8cd8021a093a55becca2f3ea5baadb) \Device\Harddisk1\DR1\Partition1
15:01:10.0843 3540 \Device\Harddisk1\DR1\Partition1 - ok
15:01:10.0843 3540 ============================================================
15:01:10.0843 3540 Scan finished
15:01:10.0843 3540 ============================================================
15:01:10.0843 3532 Detected object count: 0
15:01:10.0843 3532 Actual detected object count: 0
15:02:34.0781 3480 Deinitialize success


aswMBR log:
aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-04 15:02:55
-----------------------------
15:02:55.328 OS Version: Windows 5.1.2600 Service Pack 3
15:02:55.328 Number of processors: 2 586 0x401
15:02:55.328 ComputerName: T001 UserName:
15:02:55.578 Initialize success
15:03:36.171 AVAST engine defs: 12030401
15:04:00.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\SiSRaid1Port2Path0Target0Lun0
15:04:00.546 Disk 0 Vendor: ST316081 ____ Size: 152627MB BusType: 1
15:04:00.546 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\SiSRaid1Port2Path0Target2Lun0
15:04:00.562 Disk 1 Vendor: Maxtor_6 ____ Size: 95610MB BusType: 1
15:04:00.562 Device \Driver\SiSRaid -> DriverStartIo SCSIPORT.SYS f748540e
15:04:00.562 Disk 0 MBR read successfully
15:04:00.578 Disk 0 MBR scan
15:04:00.625 Disk 0 Windows XP default MBR code
15:04:00.625 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 57286 MB offset 63
15:04:00.625 Disk 0 Partition - 00 0F Extended LBA 95338 MB offset 117322695
15:04:00.640 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 95338 MB offset 117322758
15:04:00.656 Disk 0 scanning sectors +312576705
15:04:00.718 Disk 0 scanning C:\WINDOWS\system32\drivers
15:04:10.515 Service scanning
15:04:27.000 Modules scanning
15:04:32.062 Disk 0 trace - called modules:
15:04:32.093 ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll SiSRaid.sys
15:04:32.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8ea030]
15:04:32.093 3 CLASSPNP.SYS[f7647fd7] -> nt!IofCallDriver -> \Device\Scsi\SiSRaid1Port2Path0Target0Lun0[0x8a93fa38]
15:04:32.390 AVAST engine scan C:\WINDOWS
15:04:45.453 AVAST engine scan C:\WINDOWS\system32
15:07:13.453 AVAST engine scan C:\WINDOWS\system32\drivers
15:07:29.421 AVAST engine scan C:\Documents and Settings\Jerri
15:11:41.921 AVAST engine scan C:\Documents and Settings\All Users
15:12:23.296 Scan finished successfully
15:22:22.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jerri\Desktop\MBR.dat"
15:22:22.203 The log file has been saved successfully to "C:\Documents and Settings\Jerri\Desktop\aswMBR.txt"

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 04 March 2012 - 04:44 PM

Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :otl
    IE - HKU\S-1-5-21-839522115-1343024091-2147252035-1004\..\URLSearchHook: - No CLSID value found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    O2 - BHO: (no name) - {F1F7419C-23DD-4D88-A1A2-499CCD3D9324} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKU\S-1-5-21-839522115-1343024091-2147252035-1004..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 3.0.04506.30; Zune 3.0)" -"http://pbskids.org/barney/children/games/manners_game.html" File not found
    O4 - HKLM..\RunOnceEx: [] File not found
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    [2012/02/22 21:02:58 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [emptyjava]
    [EMPTYFLASH]
    [RESETHOSTS]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Let me know How things are doing

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 TCsparks

TCsparks
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:26 AM

Posted 04 March 2012 - 05:07 PM

No apparent problems with this

OTL output log:
All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-839522115-1343024091-2147252035-1004\Software\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1F7419C-23DD-4D88-A1A2-499CCD3D9324}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F1F7419C-23DD-4D88-A1A2-499CCD3D9324}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_USERS\S-1-5-21-839522115-1343024091-2147252035-1004\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Shockwave Updater not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\ not found.
Starting removal of ActiveX control {406B5949-7190-4245-91A9-30A17DE16AD0}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{406B5949-7190-4245-91A9-30A17DE16AD0}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{406B5949-7190-4245-91A9-30A17DE16AD0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{406B5949-7190-4245-91A9-30A17DE16AD0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{406B5949-7190-4245-91A9-30A17DE16AD0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{406B5949-7190-4245-91A9-30A17DE16AD0}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\ not found.
C:\WINDOWS\system32\dds_trash_log.cmd moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Jerri\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jerri\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 9113 bytes
->FireFox cache emptied: 16867646 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Jerri
->Temp folder emptied: 52382596 bytes
->Temporary Internet Files folder emptied: 52134044 bytes
->Java cache emptied: 2323293 bytes
->Google Chrome cache emptied: 16151502 bytes
->Flash cache emptied: 2641 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4243590 bytes
->Flash cache emptied: 4382 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 100119 bytes
->Flash cache emptied: 29619 bytes

User: Tom
->Temp folder emptied: 15511518 bytes
->Temporary Internet Files folder emptied: 1858085158 bytes
->Java cache emptied: 33400934 bytes
->FireFox cache emptied: 85311519 bytes
->Flash cache emptied: 17017 bytes

User: Visitor
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->FireFox cache emptied: 57485196 bytes
->Flash cache emptied: 8108 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1302515 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66019 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33728 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2,094.00 mb


[EMPTYJAVA]

User: Administrator
->Java cache emptied: 0 bytes

User: All Users

User: Default User

User: Jerri
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Java cache emptied: 0 bytes

User: Tom
->Java cache emptied: 0 bytes

User: Visitor

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: Jerri
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Tom
->Flash cache emptied: 0 bytes

User: Visitor
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.35.1 log created on 03042012_155546

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_5c8.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 04 March 2012 - 08:47 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 TCsparks

TCsparks
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:26 AM

Posted 04 March 2012 - 09:30 PM

copy below.

Having read up on some info on the site here, it's only just occurred to me to mention that I've been having graphics trouble throughout the scanning steps - particularly during long scans.
In some instances the screen would go blank, other times the desktop 'expands' to outside the physical screen area.
In both cases I end up having to reboot. I've ruled out any setting issues with the monitor.
Only other options are drivers and hardware...
If some graphics drivers were compromised I'd like to reinstall/update as soon as you pronounce that I'm able to do so...since I don't have a spare AGP card around here.

"Nero SoundTrax Help
µTorrent
3DMark06
7300
7300_Help
7300Trb
Add or Remove Adobe Creative Suite 3 Design Standard
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe Acrobat 9.5.0 - CPSID_83708
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Design Standard
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Shockwave Player
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advertising Center
AHV content for Acrobat and Flash
AiO_Scan
AiOSoftware
Akamai NetSession Interface
Akamai NetSession Interface Service
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
BufferChm
CardRd81
CCScore
Copy
Coupon Printer for Windows
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CR2
CreativeProjects
CreativeProjectsTemplates
CueTour
Delta Force - Black Hawk Down
Delta Force Black Hawk Down Team Sabre
Destinations
DH Driver Cleaner Professional Edition
Director
DocProc
DocumentViewer
DolbyFiles
ESET Online Scanner v3
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
Fax
G-Force
Google Chrome
Half-Life® 2
HLPIndex
HLPPDOCK
HLPSFO
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB973442)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Image Zone 4.7
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Update
HPSystemDiagnostics
ImagXpress
InstantShare
IsoBuster 2.5
iTunes
Java Auto Updater
Java™ 6 Update 26
Kodak EasyShare software
KSU
LeapFrog Connect
LeapFrog My Pals Plugin
Logitech MouseWare 9.79.1
Malwarebytes Anti-Malware version 1.60.1.1000
Menu Templates - Starter Kit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WinUsb 1.0
Movie Templates - Starter Kit
MSVC80_x86_v2
MSVC90_x86
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
Nero 9
Nero Burning ROM Help
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DriveSpeed
Nero Express Help
Nero InfoTool
Nero Installer
Nero Live
Nero Live Help
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero RescueAgent Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Suite
Nero Vision
Nero WaveEditor
Nero WaveEditor Help
NeroBurningROM
NeroExpress
NeroLiveGadget
NeroLiveGadget Help
neroxml
Nokia Connectivity Cable Driver
Nokia Ovi Suite
Nokia Ovi Suite Software Updater
Notifier
NVIDIA Control Panel 266.58
NVIDIA Drivers
NVIDIA Graphics Driver 266.58
NVIDIA Install Application
NVIDIA nView 135.50
NVIDIA nView Desktop Manager
NVIDIA Performance
NVIDIA System Monitor
NVIDIA System Update
OfotoXMI
OTtBP
OTtBPSDK
Ovi Desktop Sync Engine
OviMPlatform
PanoStandAlone
PC Connectivity Solution
PDF Settings
PhotoGallery
ProductContext
QFolder
QuickTime
Readme
RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
Scan
ScannerCopy
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SFR
SHASTA
SiS 900 PCI Fast Ethernet Adapter Driver
SKIN0001
SkinsHP1
SKINXSDK
SoundMAX
SoundTrax
Spybot - Search & Destroy
Steam™
The Lord of the Rings Online™: Shadows of Angmar™ v07.12.30.54
TrayApp
Tron 2.0
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin)
Ventrilo Client
VPRINTOL
WebFldrs XP
WebReg
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Mobile Device Updater Component
Windows Presentation Foundation
Windows XP Service Pack 3
WIRELESS
XML Paper Specification Shared Components Pack 1.0
Yahoo! Software Update
Yahoo! Toolbar
Zune
Zune Language Pack (CHS)
Zune Language Pack (CHT)
Zune Language Pack (CSY)
Zune Language Pack (DAN)
Zune Language Pack (DEU)
Zune Language Pack (ELL)
Zune Language Pack (ESP)
Zune Language Pack (FIN)
Zune Language Pack (FRA)
Zune Language Pack (HUN)
Zune Language Pack (IND)
Zune Language Pack (ITA)
Zune Language Pack (JPN)
Zune Language Pack (KOR)
Zune Language Pack (MSL)
Zune Language Pack (NLD)
Zune Language Pack (NOR)
Zune Language Pack (PLK)
Zune Language Pack (PTB)
Zune Language Pack (PTG)
Zune Language Pack (RUS)
Zune Language Pack (SVE)

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:26 AM

Posted 04 March 2012 - 09:44 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove

µTorrent
Advertising Center
Java™ 6 Update 26
[/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 TCsparks

TCsparks
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:26 AM

Posted 04 March 2012 - 11:12 PM

so far so good
never saw an option to uninstall the Advertiser program...


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.05.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jerri :: T001 [administrator]

3/4/2012 9:31:03 PM
mbam-log-2012-03-04 (21-31-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245685
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


**********************************

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:07:43 PM, on 3/4/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Zune\ZuneBusEnum.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" /T
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1330209750156
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E109729-3A86-47E9-9208-EE48D5A0B3A9}: NameServer = 209.18.47.61,209.18.47.62
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9767 bytes

Edited by TCsparks, 04 March 2012 - 11:13 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users