Scan closed after running for a few seconds


wintery

What happened:

Start menu is bare

all file and folder icons on the desktop are translucent (I am using Vista Home)

all folder icons on the desktop are shown as empty with my mouse over them, but are in fact not empty when I actually open them

Random redirects to ads when I use Firefox

What I managed to do:

Successful install/run using the random installer and random EXE, but the scan window closes itself a while after I initiate a quick scan.

What I have tried:

running everything from Safe Mode with Networking

using RKill. I got an "access denied" message from the RKill application

also tried the other methods listed that seemed relevant, but it was no use

Please help. I know there isn't much here to work with. Please tell me what to do so I can get more information for your investigation. Thanks in advance!

I just installed HijackThis. The program terminated after I initiated the scan. When I tried to run it again, I got "Windows cannot access the specified device, path or file. You may not have appropriate permission to access the item". This happened when I tried to run MBAM the second time after each fresh install too.

So I reinstalled HijackThis again, rebooted the computer into Safe Mode, and tried to run HijackThis again. No termination this time, and I got this log, which doesn't look very useful. Thank you all for looking into this:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 3:40:20 PM, on 20/09/2011

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18498)

Boot mode: Safe mode

Running processes:

C:\Windows\Explorer.EXE

C:\Program Files\hjt\hjt\Trend Micro\HiJackThis\asfsaf.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9000/application.pac

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: PPVADownloader - {A986E409-30CC-4185-89BB-AB212C104524} - C:\Program Files\PPLive\PPVA\DownloaderManager.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

O4 - HKLM\..\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [bigPondWirelessBroadbandCM] "C:\Program Files\Telstra\Mobile Broadband Manager\TelstraUCM.exe" -tsr

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [{A5DE5A1C-A947-F753-7C95-6D9A926831CF}] C:\Users\jjj\AppData\Roaming\Uvu\ydykvim.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [pkFViCiTefh.exe] C:\ProgramData\pkFViCiTefh.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [pkFViCiTefh.exe] C:\ProgramData\pkFViCiTefh.exe (User 'Default user')

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: QQ - C:\Program Files\Tencent\QQIntl\Bin\AddEmotion.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPTV\PPLive.exe

O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPTV\PPLive.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe

O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe

O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe

O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe

O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 5853 bytes

Tried running MBAM in Safe Mode (without networking) and managed to run a quick scan twice. I aborted the first scan after getting two objects and deleting them. The second scan was run to completion.

However, nothing is solved when I run Windows in normal mode. Both MBAM and HJT still terminate a while after starting. All other problems still remain. Here are the two logs I got while running MBAM in Safe Mode:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7622

Windows 6.0.6001 Service Pack 1 (Safe Mode)

Internet Explorer 7.0.6001.18000

20/09/2011 4:03:01 PM

mbam-log-2011-09-20 (16-03-01).txt

Scan type: Quick scan

Objects scanned: 686

Time elapsed: 2 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkFViCiTefh.exe (Trojan.FakeAlert) -> Value: pkFViCiTefh.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\programdata\pkfvicitefh.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

===========

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7751

Windows 6.0.6001 Service Pack 1 (Safe Mode)

Internet Explorer 7.0.6001.18000

20/09/2011 4:18:20 PM

mbam-log-2011-09-20 (16-18-20).txt

Scan type: Quick scan

Objects scanned: 180375

Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\jjj\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

c:\Users\jjj\downloads\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

I tried to get more information about the problem (from TDSS and ddr); I hope they prove useful. Thanks!

2011/09/20 18:54:56.0249 2896 TDSS rootkit removing tool 2.5.23.0 Sep 20 2011 08:53:10

2011/09/20 18:54:57.0247 2896 ================================================================================

2011/09/20 18:54:57.0247 2896 SystemInfo:

2011/09/20 18:54:57.0247 2896

2011/09/20 18:54:57.0247 2896 OS Version: 6.0.6001 ServicePack: 1.0

2011/09/20 18:54:57.0247 2896 Product type: Workstation

2011/09/20 18:54:57.0247 2896 ComputerName: JJJ-LP

2011/09/20 18:54:57.0247 2896 UserName: jjj

2011/09/20 18:54:57.0247 2896 Windows directory: C:\Windows

2011/09/20 18:54:57.0247 2896 System windows directory: C:\Windows

2011/09/20 18:54:57.0247 2896 Processor architecture: Intel x86

2011/09/20 18:54:57.0247 2896 Number of processors: 1

2011/09/20 18:54:57.0247 2896 Page size: 0x1000

2011/09/20 18:54:57.0247 2896 Boot type: Normal boot

2011/09/20 18:54:57.0247 2896 ================================================================================

2011/09/20 18:54:57.0684 2896 Initialize success

2011/09/20 18:55:00.0008 2168 ================================================================================

2011/09/20 18:55:00.0008 2168 Scan started

2011/09/20 18:55:00.0008 2168 Mode: Manual;

2011/09/20 18:55:00.0008 2168 ================================================================================

2011/09/20 18:55:03.0253 2168 2296e03d (a510f1992fadd06d12c0f7300d88e58e) C:\Windows\1038128674:3714654146.exe

2011/09/20 18:55:03.0253 2168 Suspicious file (Hidden): C:\Windows\1038128674:3714654146.exe. md5: a510f1992fadd06d12c0f7300d88e58e

2011/09/20 18:55:03.0253 2168 2296e03d - detected HiddenFile.Multi.Generic (1)

2011/09/20 18:55:03.0394 2168 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys

2011/09/20 18:55:03.0596 2168 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys

2011/09/20 18:55:03.0768 2168 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys

2011/09/20 18:55:03.0815 2168 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys

2011/09/20 18:55:03.0862 2168 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys

2011/09/20 18:55:04.0049 2168 AFD (763e172a55177e478cb419f88fd0ba03) C:\Windows\system32\drivers\afd.sys

2011/09/20 18:55:04.0252 2168 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\Windows\system32\DRIVERS\AGRSM.sys

2011/09/20 18:55:04.0408 2168 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys

2011/09/20 18:55:04.0470 2168 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys

2011/09/20 18:55:04.0517 2168 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys

2011/09/20 18:55:04.0673 2168 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys

2011/09/20 18:55:04.0688 2168 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys

2011/09/20 18:55:04.0720 2168 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys

2011/09/20 18:55:04.0782 2168 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys

2011/09/20 18:55:04.0860 2168 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys

2011/09/20 18:55:04.0954 2168 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys

2011/09/20 18:55:05.0016 2168 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys

2011/09/20 18:55:05.0094 2168 atapi (0d83c87a801a3dfcd1bf73893fe7518c) C:\Windows\system32\drivers\atapi.sys

2011/09/20 18:55:05.0219 2168 athr (997e25f5b7d53c94c0ad2dc080f6868e) C:\Windows\system32\DRIVERS\athr.sys

2011/09/20 18:55:05.0546 2168 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys

2011/09/20 18:55:05.0640 2168 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys

2011/09/20 18:55:05.0687 2168 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys

2011/09/20 18:55:05.0780 2168 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys

2011/09/20 18:55:05.0812 2168 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys

2011/09/20 18:55:05.0874 2168 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys

2011/09/20 18:55:05.0968 2168 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys

2011/09/20 18:55:05.0999 2168 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys

2011/09/20 18:55:06.0014 2168 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys

2011/09/20 18:55:06.0061 2168 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys

2011/09/20 18:55:06.0092 2168 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys

2011/09/20 18:55:06.0139 2168 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys

2011/09/20 18:55:06.0233 2168 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys

2011/09/20 18:55:06.0280 2168 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys

2011/09/20 18:55:06.0420 2168 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys

2011/09/20 18:55:06.0451 2168 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys

2011/09/20 18:55:06.0498 2168 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys

2011/09/20 18:55:06.0529 2168 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys

2011/09/20 18:55:06.0560 2168 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys

2011/09/20 18:55:06.0685 2168 DfsC (9e635ae5e8ad93e2b5989e2e23679f97) C:\Windows\system32\Drivers\dfsc.sys

2011/09/20 18:55:06.0748 2168 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys

2011/09/20 18:55:06.0872 2168 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys

2011/09/20 18:55:06.0950 2168 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys

2011/09/20 18:55:07.0106 2168 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys

2011/09/20 18:55:07.0200 2168 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys

2011/09/20 18:55:07.0418 2168 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys

2011/09/20 18:55:07.0481 2168 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys

2011/09/20 18:55:07.0590 2168 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys

2011/09/20 18:55:07.0652 2168 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys

2011/09/20 18:55:07.0699 2168 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys

2011/09/20 18:55:07.0762 2168 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys

2011/09/20 18:55:07.0840 2168 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys

2011/09/20 18:55:07.0871 2168 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys

2011/09/20 18:55:07.0902 2168 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys

2011/09/20 18:55:07.0933 2168 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys

2011/09/20 18:55:08.0011 2168 FwLnk (cbc22823628544735625b280665e434e) C:\Windows\system32\DRIVERS\FwLnk.sys

2011/09/20 18:55:08.0089 2168 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys

2011/09/20 18:55:08.0167 2168 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys

2011/09/20 18:55:08.0354 2168 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys

2011/09/20 18:55:08.0386 2168 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys

2011/09/20 18:55:08.0401 2168 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys

2011/09/20 18:55:08.0510 2168 HidUsb (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys

2011/09/20 18:55:08.0604 2168 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys

2011/09/20 18:55:08.0713 2168 HTTP (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys

2011/09/20 18:55:08.0885 2168 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys

2011/09/20 18:55:09.0010 2168 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys

2011/09/20 18:55:09.0134 2168 iaStor (db0cc620b27a928d968c1a1e9cd9cb87) C:\Windows\system32\DRIVERS\iaStor.sys

2011/09/20 18:55:09.0353 2168 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys

2011/09/20 18:55:09.0649 2168 igfx (6fb1858d1f0923d122b0331865695041) C:\Windows\system32\DRIVERS\igdkmd32.sys

2011/09/20 18:55:09.0852 2168 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys

2011/09/20 18:55:09.0992 2168 IntcAzAudAddService (b9cbd3dea7ca02868621173bf7a2af9f) C:\Windows\system32\drivers\RTKVHDA.sys

2011/09/20 18:55:10.0117 2168 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys

2011/09/20 18:55:10.0180 2168 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys

2011/09/20 18:55:10.0273 2168 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys

2011/09/20 18:55:10.0398 2168 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys

2011/09/20 18:55:10.0429 2168 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys

2011/09/20 18:55:10.0476 2168 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys

2011/09/20 18:55:10.0492 2168 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys

2011/09/20 18:55:10.0554 2168 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys

2011/09/20 18:55:10.0648 2168 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys

2011/09/20 18:55:10.0663 2168 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys

2011/09/20 18:55:10.0726 2168 jswpslwf (11ad410f41af42ba12e63187e3ec141a) C:\Windows\system32\DRIVERS\jswpslwf.sys

2011/09/20 18:55:10.0757 2168 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys

2011/09/20 18:55:10.0850 2168 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys

2011/09/20 18:55:10.0897 2168 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys

2011/09/20 18:55:10.0991 2168 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys

2011/09/20 18:55:11.0116 2168 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys

2011/09/20 18:55:11.0147 2168 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys

2011/09/20 18:55:11.0225 2168 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys

2011/09/20 18:55:11.0334 2168 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys

2011/09/20 18:55:11.0412 2168 massfilter (6490fe1b088c7199a9b6ce0e04a98a8b) C:\Windows\system32\drivers\massfilter.sys

2011/09/20 18:55:11.0584 2168 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys

2011/09/20 18:55:11.0630 2168 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys

2011/09/20 18:55:11.0724 2168 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys

2011/09/20 18:55:11.0818 2168 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys

2011/09/20 18:55:11.0880 2168 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys

2011/09/20 18:55:11.0911 2168 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys

2011/09/20 18:55:11.0942 2168 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys

2011/09/20 18:55:12.0036 2168 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys

2011/09/20 18:55:12.0098 2168 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys

2011/09/20 18:55:12.0145 2168 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys

2011/09/20 18:55:12.0254 2168 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys

2011/09/20 18:55:12.0348 2168 mrxsmb (7afc42e60432fd1014f5342f2b1b1f74) C:\Windows\system32\DRIVERS\mrxsmb.sys

2011/09/20 18:55:12.0457 2168 mrxsmb10 (8a75752ae17924f65452746674b14b78) C:\Windows\system32\DRIVERS\mrxsmb10.sys

2011/09/20 18:55:12.0504 2168 mrxsmb20 (f4d0f3252e651f02be64984ffa738394) C:\Windows\system32\DRIVERS\mrxsmb20.sys

2011/09/20 18:55:12.0582 2168 msahci (f70590424eefbf5c27a40c67afdb8383) C:\Windows\system32\drivers\msahci.sys

2011/09/20 18:55:12.0676 2168 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys

2011/09/20 18:55:12.0722 2168 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys

2011/09/20 18:55:12.0769 2168 msisadrv (1e00b9b8601f24a96ad71a7d0fc5f136) C:\Windows\system32\drivers\msisadrv.sys

2011/09/20 18:55:12.0878 2168 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys

2011/09/20 18:55:12.0941 2168 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys

2011/09/20 18:55:12.0972 2168 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys

2011/09/20 18:55:13.0066 2168 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys

2011/09/20 18:55:13.0128 2168 mssmbios (215634cf935b696e3ebca813d02e9165) C:\Windows\system32\DRIVERS\mssmbios.sys

2011/09/20 18:55:13.0268 2168 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys

2011/09/20 18:55:13.0346 2168 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys

2011/09/20 18:55:13.0440 2168 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys

2011/09/20 18:55:13.0565 2168 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys

2011/09/20 18:55:13.0643 2168 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys

2011/09/20 18:55:13.0768 2168 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys

2011/09/20 18:55:13.0830 2168 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys

2011/09/20 18:55:13.0892 2168 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys

2011/09/20 18:55:13.0986 2168 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys

2011/09/20 18:55:14.0017 2168 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys

2011/09/20 18:55:14.0111 2168 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys

2011/09/20 18:55:14.0236 2168 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys

2011/09/20 18:55:14.0376 2168 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys

2011/09/20 18:55:14.0501 2168 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys

2011/09/20 18:55:14.0594 2168 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys

2011/09/20 18:55:14.0641 2168 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys

2011/09/20 18:55:14.0657 2168 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys

2011/09/20 18:55:14.0704 2168 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys

2011/09/20 18:55:14.0719 2168 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys

2011/09/20 18:55:14.0844 2168 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys

2011/09/20 18:55:14.0906 2168 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys

2011/09/20 18:55:14.0953 2168 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys

2011/09/20 18:55:14.0984 2168 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys

2011/09/20 18:55:15.0094 2168 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\Windows\system32\Drivers\PCASp50.sys

2011/09/20 18:55:15.0203 2168 pci (eca39351296d905baa4fa3244c152b00) C:\Windows\system32\drivers\pci.sys

2011/09/20 18:55:15.0250 2168 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\DRIVERS\pciide.sys

2011/09/20 18:55:15.0328 2168 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys

2011/09/20 18:55:15.0468 2168 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys

2011/09/20 18:55:15.0655 2168 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys

2011/09/20 18:55:15.0811 2168 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys

2011/09/20 18:55:15.0936 2168 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys

2011/09/20 18:55:16.0092 2168 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys

2011/09/20 18:55:16.0217 2168 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys

2011/09/20 18:55:16.0279 2168 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys

2011/09/20 18:55:16.0326 2168 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys

2011/09/20 18:55:16.0373 2168 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys

2011/09/20 18:55:16.0435 2168 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys

2011/09/20 18:55:16.0607 2168 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys

2011/09/20 18:55:16.0638 2168 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys

2011/09/20 18:55:16.0654 2168 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys

2011/09/20 18:55:16.0700 2168 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys

2011/09/20 18:55:16.0794 2168 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys

2011/09/20 18:55:16.0825 2168 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys

2011/09/20 18:55:16.0903 2168 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys

2011/09/20 18:55:16.0981 2168 RTL8169 (7157e70a90cce49deb8885d23a073a39) C:\Windows\system32\DRIVERS\Rtlh86.sys

2011/09/20 18:55:17.0090 2168 RTSTOR (9ff7d9cf3a5f296613588b0e8db83afe) C:\Windows\system32\drivers\RTSTOR.SYS

2011/09/20 18:55:17.0168 2168 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys

2011/09/20 18:55:17.0231 2168 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys

2011/09/20 18:55:17.0324 2168 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys

2011/09/20 18:55:17.0340 2168 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys

2011/09/20 18:55:17.0371 2168 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys

2011/09/20 18:55:17.0449 2168 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys

2011/09/20 18:55:17.0512 2168 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys

2011/09/20 18:55:17.0527 2168 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys

2011/09/20 18:55:17.0558 2168 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys

2011/09/20 18:55:17.0590 2168 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys

2011/09/20 18:55:17.0636 2168 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys

2011/09/20 18:55:17.0683 2168 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys

2011/09/20 18:55:17.0746 2168 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys

2011/09/20 18:55:17.0824 2168 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys

2011/09/20 18:55:17.0902 2168 srv (9a0163e7fbe59da0591bb1ad77d92e63) C:\Windows\system32\DRIVERS\srv.sys

2011/09/20 18:55:18.0026 2168 srv2 (c7da26d2c7d480b1dd38ca19cc90b821) C:\Windows\system32\DRIVERS\srv2.sys

2011/09/20 18:55:18.0136 2168 srvnet (f9c65e1e00a6bbf7c57d9b8ea068c525) C:\Windows\system32\DRIVERS\srvnet.sys

2011/09/20 18:55:18.0276 2168 swenum (97e089971a6aba49ad5592bd6298e416) C:\Windows\system32\DRIVERS\swenum.sys

2011/09/20 18:55:18.0323 2168 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys

2011/09/20 18:55:18.0370 2168 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys

2011/09/20 18:55:18.0401 2168 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys

2011/09/20 18:55:18.0463 2168 SynTP (55f6e55cc2430ca8713387106fa79817) C:\Windows\system32\DRIVERS\SynTP.sys

2011/09/20 18:55:18.0604 2168 Tcpip (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys

2011/09/20 18:55:18.0760 2168 Tcpip6 (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys

2011/09/20 18:55:18.0869 2168 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys

2011/09/20 18:55:18.0931 2168 tdcmdpst (6fdfba25002ce4bac463ac866ae71405) C:\Windows\system32\DRIVERS\tdcmdpst.sys

2011/09/20 18:55:19.0040 2168 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys

2011/09/20 18:55:19.0056 2168 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys

2011/09/20 18:55:19.0103 2168 tdx (79e8ddf0738305e02b175b8addbb4433) C:\Windows\system32\DRIVERS\tdx.sys

2011/09/20 18:55:19.0103 2168 Suspicious file (Forged): C:\Windows\system32\DRIVERS\tdx.sys. Real md5: 79e8ddf0738305e02b175b8addbb4433, Fake md5: d09276b1fab033ce1d40dcbdf303d10f

2011/09/20 18:55:19.0103 2168 tdx - detected ForgedFile.Multi.Generic (1)

2011/09/20 18:55:19.0134 2168 TermDD (718b2f4355cd8eb2844741addac0e622) C:\Windows\system32\DRIVERS\termdd.sys

2011/09/20 18:55:19.0368 2168 tos_sps32 (4399a9bf7d8f49991a07fd86590a1619) C:\Windows\system32\DRIVERS\tos_sps32.sys

2011/09/20 18:55:19.0462 2168 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys

2011/09/20 18:55:19.0586 2168 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys

2011/09/20 18:55:19.0633 2168 tunnel (119b8184e106baedc83fce5ddf3950da) C:\Windows\system32\DRIVERS\tunnel.sys

2011/09/20 18:55:19.0664 2168 TVALZ (792a8b80f8188aba4b2be271583f3e46) C:\Windows\system32\DRIVERS\TVALZ_O.SYS

2011/09/20 18:55:19.0696 2168 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys

2011/09/20 18:55:19.0805 2168 udfs (c985b36e127ea9b8a92396120bff52d8) C:\Windows\system32\DRIVERS\udfs.sys

2011/09/20 18:55:19.0867 2168 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys

2011/09/20 18:55:19.0914 2168 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys

2011/09/20 18:55:20.0008 2168 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys

2011/09/20 18:55:20.0039 2168 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys

2011/09/20 18:55:20.0070 2168 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys

2011/09/20 18:55:20.0148 2168 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys

2011/09/20 18:55:20.0242 2168 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys

2011/09/20 18:55:20.0304 2168 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys

2011/09/20 18:55:20.0413 2168 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys

2011/09/20 18:55:20.0444 2168 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys

2011/09/20 18:55:20.0491 2168 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys

2011/09/20 18:55:20.0600 2168 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys

2011/09/20 18:55:20.0678 2168 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS

2011/09/20 18:55:20.0710 2168 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys

2011/09/20 18:55:20.0803 2168 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys

2011/09/20 18:55:20.0866 2168 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys

2011/09/20 18:55:20.0912 2168 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys

2011/09/20 18:55:20.0990 2168 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys

2011/09/20 18:55:21.0006 2168 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys

2011/09/20 18:55:21.0053 2168 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys

2011/09/20 18:55:21.0068 2168 volmgr (bdd98bbe7323fc0975a26373d8050471) C:\Windows\system32\drivers\volmgr.sys

2011/09/20 18:55:21.0100 2168 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys

2011/09/20 18:55:21.0146 2168 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys

2011/09/20 18:55:21.0178 2168 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys

2011/09/20 18:55:21.0318 2168 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys

2011/09/20 18:55:21.0349 2168 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

2011/09/20 18:55:21.0396 2168 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

2011/09/20 18:55:21.0458 2168 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys

2011/09/20 18:55:21.0614 2168 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys

2011/09/20 18:55:21.0802 2168 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys

2011/09/20 18:55:21.0880 2168 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys

2011/09/20 18:55:21.0942 2168 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys

2011/09/20 18:55:22.0082 2168 ZTEusbmdm6k (508d4d5fcf20693a5373d8bd2e2b65f2) C:\Windows\system32\DRIVERS\ZTEusbmdm6k.sys

2011/09/20 18:55:22.0114 2168 ZTEusbnet (453a60f8dc22fc296bc482cbf3eff213) C:\Windows\system32\DRIVERS\ZTEusbnet.sys

2011/09/20 18:55:22.0160 2168 ZTEusbnmea (508d4d5fcf20693a5373d8bd2e2b65f2) C:\Windows\system32\DRIVERS\ZTEusbnmea.sys

2011/09/20 18:55:22.0301 2168 ZTEusbser6k (508d4d5fcf20693a5373d8bd2e2b65f2) C:\Windows\system32\DRIVERS\ZTEusbser6k.sys

2011/09/20 18:55:22.0348 2168 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0

2011/09/20 18:55:22.0363 2168 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)

2011/09/20 18:55:22.0379 2168 Boot (0x1200) (4e5ffc1a59db61cf118a24356d6df448) \Device\Harddisk0\DR0\Partition0

2011/09/20 18:55:22.0379 2168 ================================================================================

2011/09/20 18:55:22.0379 2168 Scan finished

2011/09/20 18:55:22.0379 2168 ================================================================================

2011/09/20 18:55:22.0410 2628 Detected object count: 3

2011/09/20 18:55:22.0410 2628 Actual detected object count: 3

2011/09/20 18:55:37.0916 2628 HiddenFile.Multi.Generic(2296e03d) - User select action: Skip

2011/09/20 18:55:37.0916 2628 ForgedFile.Multi.Generic(tdx) - User select action: Skip

2011/09/20 18:55:38.0041 2628 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot

2011/09/20 18:55:38.0041 2628 \Device\Harddisk0\DR0 - ok

2011/09/20 18:55:38.0041 2628 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure

2011/09/20 18:55:42.0534 2156 Deinitialize success

==== and also from the DDS script =====

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_22

Run by jjj at 15:06:48 on 2011-09-21

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2939.2167 [GMT 10:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\1038128674:3714654146.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\RtHDVCpl.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Telstra\Mobile Broadband Manager\TelstraUCM.exe

C:\Windows\system32\taskeng.exe

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\conhost.exe

C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe

C:\Windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\igfxext.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\conime.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.google.com.au/

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:63919

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Download_Bho Class: {a986e409-30cc-4185-89bb-ab212c104524} - c:\program files\pplive\ppva\DownloaderManager.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [sidebar]

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [{A5DE5A1C-A947-F753-7C95-6D9A926831CF}] c:\users\jjj\appdata\roaming\uvu\ydykvim.exe

uRun: [{498A74AA-59C6-D849-B246-365E3CEFF1B1}] c:\users\jjj\appdata\roaming\muysy\ropekyx.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [NDSTray.exe] NDSTray.exe

mRun: [cfFncEnabler.exe] cfFncEnabler.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [bigPondWirelessBroadbandCM] "c:\program files\telstra\mobile broadband manager\TelstraUCM.exe" -tsr

mRun: [conhost] c:\users\jjj\appdata\roaming\microsoft\conhost.exe

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: QQ - c:\program files\tencent\qqintl\bin\AddEmotion.htm

IE: {95B3F550-91C4-4627-BCC4-521288C52977} - c:\program files\pplive\pptv\PPLive.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{27469EA3-9744-485D-820F-815E082A5E7E} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{C280E5BA-131A-4635-9D81-A66E6A8D87D8} : DhcpNameServer = 139.130.4.4 203.50.2.71

TCP: Interfaces\{E7CFAE61-1E75-4656-AF7F-AF34FD0BF5DD} : DhcpNameServer = 192.168.0.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\jjj\appdata\roaming\mozilla\firefox\profiles\qcp7pi1i.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\users\jjj\appdata\roaming\mozilla\firefox\profiles\qcp7pi1i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-2-24 20384]

R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]

R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]

R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-7-25 7168]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-2-24 954368]

S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-9-27 7168]

S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-9-27 114688]

.

=============== File Associations ===============

.

txtfile=c:\windows\notepad.exe %1

.

=============== Created Last 30 ================

.

2011-09-21 05:02:37 180736 ----a-w- c:\users\jjj\appdata\roaming\microsoft\conhost.exe

2011-09-21 01:10:13 -------- d-----w- c:\users\jjj\appdata\roaming\OpenCloud Security

2011-09-21 00:50:52 -------- d-----w- c:\users\jjj\appdata\roaming\Muysy

2011-09-21 00:50:52 -------- d-----w- c:\users\jjj\appdata\roaming\Huran

2011-09-20 09:02:07 -------- d-----w- C:\TDSSKiller_Quarantine

2011-09-20 06:54:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware4

2011-09-20 06:25:32 388096 ----a-r- c:\users\jjj\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-09-20 05:53:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3

2011-09-20 05:28:52 -------- d-----w- c:\program files\Trend Micro

2011-09-20 05:14:01 -------- d--h--w- c:\windows\PIF

2011-09-20 05:10:51 -------- d-----w- c:\program files\hjt

2011-09-20 04:32:16 -------- d-----w- c:\users\jjj\appdata\roaming\Uvu

2011-09-20 04:32:16 -------- d-----w- c:\users\jjj\appdata\roaming\Aqt

2011-09-20 03:56:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2

2011-09-20 03:07:52 -------- d-s---w- C:\ComboFix

2011-09-20 02:27:16 -------- d-----w- c:\users\jjj\appdata\roaming\QuickScan

2011-09-20 02:13:53 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-09-20 02:03:18 -------- d-----w- c:\program files\common files\Symantec Shared

2011-09-20 01:57:26 -------- d-----w- c:\programdata\Symantec

2011-09-20 01:57:21 -------- d-----w- c:\windows\system32\drivers\nss\0305020.009

2011-09-20 01:57:21 -------- d-----w- c:\windows\system32\drivers\NSS

2011-09-20 01:57:21 -------- d-----w- c:\program files\Norton Security Scan

2011-09-20 01:57:20 -------- d-----w- c:\programdata\Norton

2011-09-20 01:57:19 -------- d-----w- c:\programdata\NortonInstaller

2011-09-20 01:57:19 -------- d-----w- c:\program files\NortonInstaller

.

==================== Find3M ====================

.

2011-08-18 13:03:32 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-06 09:52:42 22712 ---ha-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 15:08:16.85 ===============
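Reading a TDSSKiller log like the one above by hand is error-prone: the `detected` line, the forged-hash detail and the action the user chose for the same object sit on different lines, sometimes hundreds of lines apart, and a detection left at `Skip` is still on the machine after the reboot. The parser below is an added example (not code from this thread, from Malwarebytes or from the TDSSKiller authors) that pulls those lines together into one report. The line formats it matches are assumed from the log above rather than from a published specification, and the sample lines embedded in it are constructed by copying a handful of entries from that log; an object that appears only in the action block (like the hidden service `2296e03d`, whose `detected` line is not in the paste) is still recorded.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a few TDSSKiller-style lines modelled on the log posted above
# (object names, hashes and actions copied from it; all other driver lines omitted).
SAMPLE_LOG = r"""
2011/09/20 18:55:19.0103 2168 tdx (79e8ddf0738305e02b175b8addbb4433) C:\Windows\system32\DRIVERS\tdx.sys
2011/09/20 18:55:19.0103 2168 Suspicious file (Forged): C:\Windows\system32\DRIVERS\tdx.sys. Real md5: 79e8ddf0738305e02b175b8addbb4433, Fake md5: d09276b1fab033ce1d40dcbdf303d10f
2011/09/20 18:55:19.0103 2168 tdx - detected ForgedFile.Multi.Generic (1)
2011/09/20 18:55:19.0134 2168 TermDD (718b2f4355cd8eb2844741addac0e622) C:\Windows\system32\DRIVERS\termdd.sys
2011/09/20 18:55:22.0348 2168 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
2011/09/20 18:55:22.0363 2168 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
2011/09/20 18:55:22.0410 2628 Detected object count: 3
2011/09/20 18:55:37.0916 2628 HiddenFile.Multi.Generic(2296e03d) - User select action: Skip
2011/09/20 18:55:37.0916 2628 ForgedFile.Multi.Generic(tdx) - User select action: Skip
2011/09/20 18:55:38.0041 2628 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure
"""

# Line shapes assumed from the log above, not from a TDSSKiller specification.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+(?P<msg>.*)$"
)
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
DETECTED_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<threat>\S+) \((?P<flag>\d+)\)$")
ACTION_RE = re.compile(r"^(?P<threat>[\w.]+)\((?P<obj>.+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")

# Assumption: "Skip" (or no recorded action) leaves the object untouched on disk.
UNRESOLVED_ACTIONS = {None, "Skip"}


@dataclass
class Detection:
    obj: str                        # driver/service name or device path as printed
    threat: str                     # e.g. ForgedFile.Multi.Generic
    action: Optional[str] = None    # value from the "User select action" line
    real_md5: Optional[str] = None  # the two hashes TDSSKiller reports for one file;
    fake_md5: Optional[str] = None  # they differ when something interposes on file reads

    @property
    def forged(self) -> bool:
        return self.real_md5 is not None and self.real_md5 != self.fake_md5


@dataclass
class Report:
    detections: Dict[str, Detection] = field(default_factory=dict)
    declared_count: Optional[int] = None

    def unresolved(self) -> List[Detection]:
        """Detections the user left in place (no action, or Skip)."""
        return [d for d in self.detections.values() if d.action in UNRESOLVED_ACTIONS]

    def count_matches(self) -> bool:
        """True when the parsed detections equal the count TDSSKiller declared."""
        return self.declared_count == len(self.detections)


def parse_tdsskiller_log(text: str) -> Report:
    """Correlate detection, forged-hash and user-action lines into one Report."""
    report = Report()
    pending_forged = None  # assumption: the 'Suspicious file' line precedes its 'detected' line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, separator or blank line
        msg = m.group("msg")
        forged = FORGED_RE.match(msg)
        if forged:
            pending_forged = (forged.group("real"), forged.group("fake"))
            continue
        detected = DETECTED_RE.match(msg)
        if detected:
            det = report.detections.setdefault(
                detected.group("obj"), Detection(detected.group("obj"), detected.group("threat")))
            if pending_forged:
                det.real_md5, det.fake_md5 = pending_forged
                pending_forged = None
            continue
        action = ACTION_RE.match(msg)
        if action:
            # The action block may name objects whose 'detected' line was cut from
            # the paste, so create the entry here if it is missing.
            det = report.detections.setdefault(
                action.group("obj"), Detection(action.group("obj"), action.group("threat")))
            det.action = action.group("action")
            continue
        count = COUNT_RE.match(msg)
        if count:
            report.declared_count = int(count.group("n"))
    return report


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"declared {rep.declared_count}, parsed {len(rep.detections)}, consistent={rep.count_matches()}")
    for d in rep.unresolved():
        extra = f" (real {d.real_md5} != fake {d.fake_md5})" if d.forged else ""
        print(f"still present: {d.obj} [{d.threat}] action={d.action}{extra}")
```

Run against the constructed sample it reports that the MBR infection was cured while the forged `tdx` driver and the hidden service were skipped, which is exactly the state the helper has to deal with in the next post; pointing it at the full pasted log (including the lines above) gives the same three objects.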


Hello wintery! Welcome to Malwarebytes Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:

STEP 1

Please download DummyCreator.zip and unzip it.

  • Run the tool.
  • Copy and paste the following into the edit box:
    C:\Windows\1038128674
  • Press the Create button and post the content of the Result.txt.
    Important: Restart the computer.

STEP 2

Next please:

Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Notes: Skip the Recovery Console part as you're running Vista. You can use the Windows DVD to boot into the Vista Recovery Environment if something goes awry.
  • Click on Yes, to continue scanning for malware.
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.

-- Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.

Regards,

Georgi


Hello Georgi, thank you so much for helping me with this. I have read your warnings and advice and have decided to try cleaning this up first. Here are the logs for DummyCreator and ComboFix:

DummyCreator by Farbar

Ran by jjj (administrator) on 21-09-2011 at 23:13:09

**************************************************************

C:\Windows\1038128674 [21-09-2011 23:13:09]

== End of log ==

ComboFix:

ComboFix 11-09-21.01 - jjj 21/09/2011 23:34:49.1.1 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2939.2384 [GMT 10:00]

Running from: c:\users\jjj\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\favoritevideo\InvisibleFolder

c:\favoritevideo\InvisibleFolder\20110522194534_ftzhongwenwang110523zanting15s.gif

c:\favoritevideo\InvisibleFolder\20110523162111_maibaobao110523zanting.swf

c:\favoritevideo\InvisibleFolder\20110523164611_zhengtu2110524zanting.swf

c:\favoritevideo\InvisibleFolder\20110523164822_zhengtu2110524qipao.swf

c:\favoritevideo\InvisibleFolder\20110523165112_zhengtu2110525zhu15s.swf

c:\favoritevideo\InvisibleFolder\20110523171452_shushanshenhua110523zanting.jpg

c:\favoritevideo\InvisibleFolder\20110523182539_dianxin110524zhu15s.swf

c:\favoritevideo\InvisibleFolder\20110523183612_maidong110523jiaobiao.swf

c:\favoritevideo\InvisibleFolder\20110523183704_xiuzheng110523jiao15s.swf

c:\favoritevideo\InvisibleFolder\20110523184944_xiuzheng110523zanting15s.swf

c:\favoritevideo\InvisibleFolder\20110524141607_riyuedongrun110524zanting15s.swf

c:\favoritevideo\InvisibleFolder\videoplayback

c:\favoritevideo\InvisibleFolder\videoplayback(0)

c:\favoritevideo\InvisibleFolder\videoplayback(1)

c:\favoritevideo\InvisibleFolder\videoplayback(10)

c:\favoritevideo\InvisibleFolder\videoplayback(100)

c:\favoritevideo\InvisibleFolder\videoplayback(101)

c:\favoritevideo\InvisibleFolder\videoplayback(102)

c:\favoritevideo\InvisibleFolder\videoplayback(104)

c:\favoritevideo\InvisibleFolder\videoplayback(105)

c:\favoritevideo\InvisibleFolder\videoplayback(108)

c:\favoritevideo\InvisibleFolder\videoplayback(11)

c:\favoritevideo\InvisibleFolder\videoplayback(110)

c:\favoritevideo\InvisibleFolder\videoplayback(112)

c:\favoritevideo\InvisibleFolder\videoplayback(113)

c:\favoritevideo\InvisibleFolder\videoplayback(114)

c:\favoritevideo\InvisibleFolder\videoplayback(115)

c:\favoritevideo\InvisibleFolder\videoplayback(116)

c:\favoritevideo\InvisibleFolder\videoplayback(117)

c:\favoritevideo\InvisibleFolder\videoplayback(118)

c:\favoritevideo\InvisibleFolder\videoplayback(12)

c:\favoritevideo\InvisibleFolder\videoplayback(123)

c:\favoritevideo\InvisibleFolder\videoplayback(13)

c:\favoritevideo\InvisibleFolder\videoplayback(132)

c:\favoritevideo\InvisibleFolder\videoplayback(134)

c:\favoritevideo\InvisibleFolder\videoplayback(136)

c:\favoritevideo\InvisibleFolder\videoplayback(137)

c:\favoritevideo\InvisibleFolder\videoplayback(138)

c:\favoritevideo\InvisibleFolder\videoplayback(139)

c:\favoritevideo\InvisibleFolder\videoplayback(14)

c:\favoritevideo\InvisibleFolder\videoplayback(140)

c:\favoritevideo\InvisibleFolder\videoplayback(143)

c:\favoritevideo\InvisibleFolder\videoplayback(145)

c:\favoritevideo\InvisibleFolder\videoplayback(15)

c:\favoritevideo\InvisibleFolder\videoplayback(16)

c:\favoritevideo\InvisibleFolder\videoplayback(17)

c:\favoritevideo\InvisibleFolder\videoplayback(18)

c:\favoritevideo\InvisibleFolder\videoplayback(19)

c:\favoritevideo\InvisibleFolder\videoplayback(2)

c:\favoritevideo\InvisibleFolder\videoplayback(20)

c:\favoritevideo\InvisibleFolder\videoplayback(21)

c:\favoritevideo\InvisibleFolder\videoplayback(22)

c:\favoritevideo\InvisibleFolder\videoplayback(23)

c:\favoritevideo\InvisibleFolder\videoplayback(25)

c:\favoritevideo\InvisibleFolder\videoplayback(27)

c:\favoritevideo\InvisibleFolder\videoplayback(29)

c:\favoritevideo\InvisibleFolder\videoplayback(3)

c:\favoritevideo\InvisibleFolder\videoplayback(31)

c:\favoritevideo\InvisibleFolder\videoplayback(33)

c:\favoritevideo\InvisibleFolder\videoplayback(39)

c:\favoritevideo\InvisibleFolder\videoplayback(4)

c:\favoritevideo\InvisibleFolder\videoplayback(41)

c:\favoritevideo\InvisibleFolder\videoplayback(44)

c:\favoritevideo\InvisibleFolder\videoplayback(45)

c:\favoritevideo\InvisibleFolder\videoplayback(46)

c:\favoritevideo\InvisibleFolder\videoplayback(47)

c:\favoritevideo\InvisibleFolder\videoplayback(48)

c:\favoritevideo\InvisibleFolder\videoplayback(49)

c:\favoritevideo\InvisibleFolder\videoplayback(5)

c:\favoritevideo\InvisibleFolder\videoplayback(50)

c:\favoritevideo\InvisibleFolder\videoplayback(51)

c:\favoritevideo\InvisibleFolder\videoplayback(52)

c:\favoritevideo\InvisibleFolder\videoplayback(53)

c:\favoritevideo\InvisibleFolder\videoplayback(54)

c:\favoritevideo\InvisibleFolder\videoplayback(55)

c:\favoritevideo\InvisibleFolder\videoplayback(56)

c:\favoritevideo\InvisibleFolder\videoplayback(57)

c:\favoritevideo\InvisibleFolder\videoplayback(58)

c:\favoritevideo\InvisibleFolder\videoplayback(59)

c:\favoritevideo\InvisibleFolder\videoplayback(6)

c:\favoritevideo\InvisibleFolder\videoplayback(60)

c:\favoritevideo\InvisibleFolder\videoplayback(61)

c:\favoritevideo\InvisibleFolder\videoplayback(62)

c:\favoritevideo\InvisibleFolder\videoplayback(63)

c:\favoritevideo\InvisibleFolder\videoplayback(64)

c:\favoritevideo\InvisibleFolder\videoplayback(65)

c:\favoritevideo\InvisibleFolder\videoplayback(66)

c:\favoritevideo\InvisibleFolder\videoplayback(67)

c:\favoritevideo\InvisibleFolder\videoplayback(68)

c:\favoritevideo\InvisibleFolder\videoplayback(69)

c:\favoritevideo\InvisibleFolder\videoplayback(7)

c:\favoritevideo\InvisibleFolder\videoplayback(70)

c:\favoritevideo\InvisibleFolder\videoplayback(71)

c:\favoritevideo\InvisibleFolder\videoplayback(72)

c:\favoritevideo\InvisibleFolder\videoplayback(73)

c:\favoritevideo\InvisibleFolder\videoplayback(74)

c:\favoritevideo\InvisibleFolder\videoplayback(75)

c:\favoritevideo\InvisibleFolder\videoplayback(76)

c:\favoritevideo\InvisibleFolder\videoplayback(77)

c:\favoritevideo\InvisibleFolder\videoplayback(78)

c:\favoritevideo\InvisibleFolder\videoplayback(79)

c:\favoritevideo\InvisibleFolder\videoplayback(8)

c:\favoritevideo\InvisibleFolder\videoplayback(80)

c:\favoritevideo\InvisibleFolder\videoplayback(81)

c:\favoritevideo\InvisibleFolder\videoplayback(82)

c:\favoritevideo\InvisibleFolder\videoplayback(83)

c:\favoritevideo\InvisibleFolder\videoplayback(84)

c:\favoritevideo\InvisibleFolder\videoplayback(85)

c:\favoritevideo\InvisibleFolder\videoplayback(86)

c:\favoritevideo\InvisibleFolder\videoplayback(87)

c:\favoritevideo\InvisibleFolder\videoplayback(88)

c:\favoritevideo\InvisibleFolder\videoplayback(89)

c:\favoritevideo\InvisibleFolder\videoplayback(9)

c:\favoritevideo\InvisibleFolder\videoplayback(90)

c:\favoritevideo\InvisibleFolder\videoplayback(91)

c:\favoritevideo\InvisibleFolder\videoplayback(93)

c:\favoritevideo\InvisibleFolder\videoplayback(94)

c:\favoritevideo\InvisibleFolder\videoplayback(95)

c:\favoritevideo\InvisibleFolder\videoplayback(96)

c:\favoritevideo\InvisibleFolder\videoplayback(97)

c:\favoritevideo\InvisibleFolder\videoplayback(98)

c:\favoritevideo\InvisibleFolder\videoplayback(99)

c:\users\jjj\AppData\Roaming\76E6.D2E

c:\users\jjj\AppData\Roaming\Adobe\plugs

c:\users\jjj\AppData\Roaming\Adobe\shed

c:\users\jjj\AppData\Roaming\dwm.exe

c:\users\jjj\AppData\Roaming\Microsoft\conhost.exe

c:\users\jjj\AppData\Roaming\OpenCloud Security

c:\users\jjj\AppData\Roaming\OpenCloud Security\csrss.exe

c:\users\jjj\Desktop\Setup.exe

c:\windows\$NtUninstallKB15700$

c:\windows\$NtUninstallKB15700$\580313149\@

c:\windows\$NtUninstallKB15700$\580313149\bckfg.tmp

c:\windows\$NtUninstallKB15700$\580313149\cfg.ini

c:\windows\$NtUninstallKB15700$\580313149\Desktop.ini

c:\windows\$NtUninstallKB15700$\580313149\keywords

c:\windows\$NtUninstallKB15700$\580313149\kwrd.dll

c:\windows\$NtUninstallKB15700$\580313149\L\qnbwvoto

c:\windows\$NtUninstallKB15700$\580313149\U\00000001.@

c:\windows\$NtUninstallKB15700$\580313149\U\00000002.@

c:\windows\$NtUninstallKB15700$\580313149\U\80000000.@

c:\windows\$NtUninstallKB15700$\580313149\U\80000032.@

c:\windows\$NtUninstallKB15700$\749149131

c:\windows\1038128674

c:\windows\system32\config\systemprofile\AppData\Roaming\76E6.D2E

c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\conhost.exe

c:\windows\system32\no

c:\windows\system32\no\toscdspd.cpl.mui

c:\windows\system32\SV

c:\windows\system32\SV\toscdspd.cpl.mui

.

Infected copy of c:\windows\system32\Drivers\tdx.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_2296e03d

.

.

((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))

.

.

2011-09-21 13:42 . 2011-09-21 13:45 -------- d-----w- c:\users\jjj\AppData\Local\temp

2011-09-21 13:42 . 2011-09-21 13:42 -------- d-----w- c:\users\jjjj\AppData\Local\temp

2011-09-21 13:42 . 2011-09-21 13:42 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-09-21 13:27 . 2008-01-21 02:24 71680 ----a-w- c:\windows\system32\drivers\tdx.sys

2011-09-21 00:51 . 2011-09-21 00:51 218624 ----a-w- c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vome.exe

2011-09-21 00:51 . 2011-09-21 00:51 218624 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\qokak.exe

2011-09-21 00:50 . 2011-09-21 13:02 -------- d-----w- c:\users\jjj\AppData\Roaming\Huran

2011-09-21 00:50 . 2011-09-21 00:50 218624 ----a-w- c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\emetb.exe

2011-09-21 00:50 . 2011-09-21 00:50 218624 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\zeizur.exe

2011-09-21 00:50 . 2011-09-21 00:50 -------- d-----w- c:\users\jjj\AppData\Roaming\Muysy

2011-09-20 09:02 . 2011-09-20 09:02 -------- d-----w- C:\TDSSKiller_Quarantine

2011-09-20 06:54 . 2011-09-20 06:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware4

2011-09-20 06:25 . 2011-09-20 06:25 388096 ----a-r- c:\users\jjj\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-09-20 05:53 . 2011-09-20 05:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3

2011-09-20 05:28 . 2011-09-20 05:28 -------- d-----w- c:\program files\Trend Micro

2011-09-20 05:14 . 2011-09-20 05:14 -------- d--h--w- c:\windows\PIF

2011-09-20 05:10 . 2011-09-20 05:33 -------- d-----w- c:\program files\hjt

2011-09-20 04:32 . 2011-09-20 04:32 158720 ----a-w- c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiuz.exe

2011-09-20 04:32 . 2011-09-20 04:32 158720 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\daceer.exe

2011-09-20 04:32 . 2011-09-20 04:32 158720 ----a-w- c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dasi.exe

2011-09-20 04:32 . 2011-09-20 04:32 158720 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ogifb.exe

2011-09-20 04:32 . 2011-09-21 13:27 -------- d-----w- c:\users\jjj\AppData\Roaming\Aqt

2011-09-20 04:32 . 2011-09-20 04:32 -------- d-----w- c:\users\jjj\AppData\Roaming\Uvu

2011-09-20 03:56 . 2011-09-20 04:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2

2011-09-20 02:27 . 2011-09-20 02:27 -------- d-----w- c:\users\jjj\AppData\Roaming\QuickScan

2011-09-20 02:13 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-09-20 02:03 . 2011-09-20 02:03 -------- d-----w- c:\program files\Common Files\Symantec Shared

2011-09-20 01:57 . 2011-09-20 01:57 -------- d-----w- c:\programdata\Symantec

2011-09-20 01:57 . 2011-09-20 01:57 -------- d-----w- c:\windows\system32\drivers\NSS

2011-09-20 01:57 . 2011-09-20 01:57 -------- d-----w- c:\program files\Norton Security Scan

2011-09-20 01:57 . 2011-09-20 01:57 -------- d-----w- c:\programdata\Norton

2011-09-20 01:57 . 2011-09-20 01:57 -------- d-----w- c:\program files\NortonInstaller

2011-09-20 00:32 . 2011-09-20 00:32 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Toshiba

2011-09-19 19:24 . 2011-09-19 19:25 -------- d--h--w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-18 13:03 . 2011-05-31 16:20 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-06 09:52 . 2009-07-03 02:22 22712 ---ha-w- c:\windows\system32\drivers\mbam.sys

2011-09-07 23:11 . 2011-05-30 20:48 134104 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

"{A5DE5A1C-A947-F753-7C95-6D9A926831CF}"="c:\users\jjj\AppData\Roaming\Uvu\ydykvim.exe" [2010-09-19 158720]

"{498A74AA-59C6-D849-B246-365E3CEFF1B1}"="c:\users\jjj\AppData\Roaming\Muysy\ropekyx.exe" [2009-09-01 218624]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NDSTray.exe"="NDSTray.exe" [bU]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]

"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]

"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]

"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]

"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"BigPondWirelessBroadbandCM"="c:\program files\Telstra\Mobile Broadband Manager\TelstraUCM.exe" [2010-05-14 4352408]

.

c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

dasi.exe [2011-9-20 158720]

emetb.exe [2011-9-21 218624]

vome.exe [2011-9-21 218624]

xiuz.exe [2011-9-20 158720]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKLM\~\startupfolder\C:^Users^jjj^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Check for TWS Updates.lnk]

path=c:\users\jjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Check for TWS Updates.lnk

backup=c:\windows\pss\Check for TWS Updates.lnk.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^jjj^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]

path=c:\users\jjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2007-09-13 16:50 1603152 ---ha-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2007-10-25 16:10 652624 ---ha-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-04-16 12:12 3872080 ---ha-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]

2010-07-05 02:01 185784 ---ha-w- c:\program files\Common Files\PPLiveNetwork\ppap.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPLiveVA]

2010-04-27 03:23 71152 ---ha-w- c:\program files\PPLive\PPVA\PPLiveVA.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2009-09-02 04:27 25623336 ---ha-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]

2010-04-28 18:15 2633976 ---ha-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

.

R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]

R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-04-29 7168]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R3 npkycryp;npkycryp;c:\windows\system32\npkycryp.sys [x]

R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2009-12-28 114688]

S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]

S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]

S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]

S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-20 c:\windows\Tasks\Norton Security Scan for jjj.job

- c:\progra~1\NORTON~2\Engine\352~1.9\Nss.exe [2011-09-20 09:21]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:63919

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: QQ - c:\program files\Tencent\QQIntl\Bin\AddEmotion.htm

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\users\jjj\AppData\Roaming\Mozilla\Firefox\Profiles\qcp7pi1i.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

.

------- File Associations -------

.

txtfile=c:\windows\notepad.exe %1

.

- - - - ORPHANS REMOVED - - - -

.

ShellIconOverlayIdentifiers-{EEED57CA-3CBB-DA3D-E11C-12E7DD84BAAE} - c:\users\jjj\AppData\Local\76rbp.dll

HKCU-Run-Sidebar - (no file)

HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe

SafeBoot-38321271.sys

MSConfigStartUp-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe

MSConfigStartUp-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe

.

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????v??Miz????>???>???>? >?H

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\windows\system32\WLANExt.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

c:\windows\system32\conime.exe

c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe

c:\windows\system32\TODDSrv.exe

c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\windows\RtHDVCpl.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\System32\rundll32.exe

c:\windows\system32\igfxext.exe

c:\program files\Common Files\Java\Java Update\jucheck.exe

.

**************************************************************************

.

Completion time: 2011-09-21 23:55:20 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-21 13:55

.

Pre-Run: 6,084,431,872 bytes free

Post-Run: 6,255,345,664 bytes free

.

- - End Of File - - 3BE9B26CA8328D90B0603122B3E7B929


Hi wintery, :)

Delete your copy of Combofix and download a fresh one from here.

Save it to your desktop but do not run it yet ! <--- important !!!

We need to execute a CFScript to clean some remnants.

Please do this:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad => navigate to format and make sure that wordwrap is unchecked. <--- important !!!

3. Copy/paste the text in the codebox below into it:


http://forums.malwarebytes.org/index.php?showtopic=95722

KILLALL::
Collect::
c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vome.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\qokak.exe
c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\emetb.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\zeizur.exe
c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiuz.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\daceer.exe
c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dasi.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ogifb.exe
c:\users\jjj\AppData\Roaming\Uvu\ydykvim.exe
c:\users\jjj\AppData\Roaming\Muysy\ropekyx.exe
Folder::
c:\users\jjj\AppData\Roaming\Aqt
c:\users\jjj\AppData\Roaming\Uvu
c:\users\jjj\AppData\Roaming\Muysy
c:\users\jjj\AppData\Roaming\Huran
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{A5DE5A1C-A947-F753-7C95-6D9A926831CF}"=-
"{498A74AA-59C6-D849-B246-365E3CEFF1B1}"=-
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:63919
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

Save this as CFScript.txt, in the same location as ComboFix.exe


4. Close any open browsers.

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.

  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen will appear, auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".

**NOTE**

  • IF for some reason Combofix fails to upload anything you will see that message:
  • Please double-click this file: C:\CF-Submit.htm and follow the instructions there to upload that zipped file.

7. When ComboFix has finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Also reply back to let me know how things are going.

Regards,

Georgi

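As an added example (not code from the thread, from ComboFix or from its author), a small Python triage script that scans a ComboFix log excerpt for the patterns Georgi's CFScript above targets: GUID-named Run values pointing into a user's AppData, executables dropped in a Startup folder (including the Default profile, which every newly created account inherits), a ProxyServer pointing at 127.0.0.1 (a local proxy that can silently redirect browser traffic), and shell icon overlays loaded from a profile directory. The sample log lines are copied from the log posted earlier in the thread; the thread URL at the top of the generated script is a placeholder.

```python
"""Triage a ComboFix log for the autorun and proxy patterns seen in this thread."""
import re
from collections import OrderedDict
from dataclasses import dataclass

# Constructed excerpt: lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"{A5DE5A1C-A947-F753-7C95-6D9A926831CF}"="c:\users\jjj\AppData\Roaming\Uvu\ydykvim.exe" [2010-09-19 158720]
"{498A74AA-59C6-D849-B246-365E3CEFF1B1}"="c:\users\jjj\AppData\Roaming\Muysy\ropekyx.exe" [2009-09-01 218624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
.
2011-09-21 00:51 . 2011-09-21 00:51 218624 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\qokak.exe
2011-09-20 05:28 . 2011-09-20 05:28 -------- d-----w- c:\program files\Trend Micro
uInternet Settings,ProxyServer = http=127.0.0.1:63919
ShellIconOverlayIdentifiers-{EEED57CA-3CBB-DA3D-E11C-12E7DD84BAAE} - c:\users\jjj\AppData\Local\76rbp.dll
"""

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')                 # [HKEY_...\Run] section header
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')          # "name"="target" [date size]
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
# "Files Created" line: created . modified size attrs path  (path may contain spaces)
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} +\S+ +\S+ +(.+)$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer = (\S+)$')
OVERLAY_RE = re.compile(r'^ShellIconOverlayIdentifiers-\{[^}]+\} - (.+)$')


@dataclass
class Finding:
    kind: str        # "run_value", "startup_file", "proxy" or "overlay"
    path: str        # file path, or the proxy string for "proxy"
    key: str = ""    # registry key (run_value only)
    name: str = ""   # value name (run_value only)


def in_profile_appdata(path: str) -> bool:
    """True for binaries living under a user profile's AppData rather than Program Files."""
    p = path.lower()
    return '\\appdata\\' in p and '\\program files' not in p


def is_startup_folder(path: str) -> bool:
    return '\\start menu\\programs\\startup\\' in path.lower()


def triage(log_text: str) -> list:
    """Walk the log once and return the entries a responder would want to look at."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember which key the following values belong to
            continue
        m = VALUE_RE.match(line)
        if m and key.lower().endswith('\\run'):
            name, target = m.groups()
            # Legitimate software rarely registers a bare GUID as its Run value name,
            # and rarely launches from AppData; either is worth a look.
            if GUID_RE.match(name) or in_profile_appdata(target):
                findings.append(Finding("run_value", target, key, name))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            if path.lower().endswith('.exe') and is_startup_folder(path):
                findings.append(Finding("startup_file", path))
            continue
        m = PROXY_RE.match(line)
        if m and ('127.0.0.1' in m.group(1) or 'localhost' in m.group(1).lower()):
            findings.append(Finding("proxy", m.group(1)))
            continue
        m = OVERLAY_RE.match(line)
        if m and in_profile_appdata(m.group(1)):
            findings.append(Finding("overlay", m.group(1)))
    return findings


def build_cfscript(findings: list, topic_url: str = "<thread URL placeholder>") -> str:
    """Render the findings in the CFScript layout Georgi used above (Collect/Registry/DDS)."""
    files = [f.path for f in findings if f.kind in ("startup_file", "run_value")]
    reg = OrderedDict()
    for f in findings:
        if f.kind == "run_value":
            reg.setdefault(f.key, []).append(f.name)
    lines = [topic_url, "", "KILLALL::"]
    if files:
        lines.append("Collect::")
        lines.extend(files)
    if reg:
        lines.append("Registry::")
        for key, names in reg.items():
            lines.append(f"[{key}]")
            lines.extend(f'"{n}"=-' for n in names)   # "=-" deletes the value
    proxies = [f.path for f in findings if f.kind == "proxy"]
    if proxies:
        lines.append("DDS::")
        lines.extend(f"uInternet Settings,ProxyServer = {p}" for p in proxies)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:13} {f.name or ''} {f.path}")
    print(build_cfscript(triage(SAMPLE_LOG)))
```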

Hello again Georgi, I have followed your instructions, the upload was successful and the new combofix log is as below. Other than some missing shortcuts in Start Programs and firefox crashing when I try to access certain sites (YouTube), everything else is fine. No more redirects, all the desktop icons look normal again. Thank you so much.

ComboFix 11-09-21.02 - jjj 22/09/2011 1:37.2.1 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2939.2047 [GMT 10:00]

Running from: c:\users\jjj\Desktop\ComboFix.exe

Command switches used :: c:\users\jjj\Desktop\CFScript.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

file zipped: c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\daceer.exe

file zipped: c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ogifb.exe

file zipped: c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\qokak.exe

file zipped: c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\zeizur.exe

file zipped: c:\users\jjj\AppData\Roaming\Muysy\ropekyx.exe

file zipped: c:\users\jjj\AppData\Roaming\Uvu\ydykvim.exe

file zipped: c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dasi.exe

file zipped: c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\emetb.exe

file zipped: c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vome.exe

file zipped: c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiuz.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\daceer.exe

c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ogifb.exe

c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\qokak.exe

c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\zeizur.exe

c:\users\jjj\AppData\Roaming\Aqt

c:\users\jjj\AppData\Roaming\Aqt\equryxk.tmp

c:\users\jjj\AppData\Roaming\Huran

c:\users\jjj\AppData\Roaming\Huran\osozosk.tmp

c:\users\jjj\AppData\Roaming\Huran\osozosk.ylo

c:\users\jjj\AppData\Roaming\Muysy

c:\users\jjj\AppData\Roaming\Muysy\ropekyx.exe

c:\users\jjj\AppData\Roaming\Uvu

c:\users\jjj\AppData\Roaming\Uvu\ydykvim.exe

c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dasi.exe

c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\emetb.exe

c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vome.exe

c:\users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiuz.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))

.

.

2011-09-21 15:42 . 2011-09-21 15:45 -------- d-----w- c:\users\jjj\AppData\Local\temp

2011-09-21 15:42 . 2011-09-21 15:42 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2011-09-21 15:42 . 2011-09-21 15:42 -------- d-----w- c:\users\jjjj\AppData\Local\temp

2011-09-21 15:42 . 2011-09-21 15:42 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-09-21 13:27 . 2008-01-21 02:24 71680 ----a-w- c:\windows\system32\drivers\tdx.sys

2011-09-20 09:02 . 2011-09-20 09:02 -------- d-----w- C:\TDSSKiller_Quarantine

2011-09-20 06:54 . 2011-09-20 06:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware4

2011-09-20 06:25 . 2011-09-20 06:25 388096 ----a-r- c:\users\jjj\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-09-20 05:53 . 2011-09-20 05:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3

2011-09-20 05:28 . 2011-09-20 05:28 -------- d-----w- c:\program files\Trend Micro

2011-09-20 05:14 . 2011-09-20 05:14 -------- d-----w- c:\windows\PIF

2011-09-20 05:10 . 2011-09-20 05:33 -------- d-----w- c:\program files\hjt

2011-09-20 03:56 . 2011-09-20 04:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2

2011-09-20 02:27 . 2011-09-20 02:27 -------- d-----w- c:\users\jjj\AppData\Roaming\QuickScan

2011-09-20 02:13 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-09-20 02:03 . 2011-09-20 02:03 -------- d-----w- c:\program files\Common Files\Symantec Shared

2011-09-20 01:57 . 2011-09-20 01:57 -------- d-----w- c:\programdata\Symantec

2011-09-20 01:57 . 2011-09-20 01:57 -------- d-----w- c:\windows\system32\drivers\NSS

2011-09-20 01:57 . 2011-09-20 01:57 -------- d-----w- c:\program files\Norton Security Scan

2011-09-20 01:57 . 2011-09-20 01:57 -------- d-----w- c:\programdata\Norton

2011-09-20 01:57 . 2011-09-20 01:57 -------- d-----w- c:\program files\NortonInstaller

2011-09-20 00:32 . 2011-09-20 00:32 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Toshiba

2011-09-19 19:24 . 2011-09-19 19:25 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-18 13:03 . 2011-05-31 16:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-06 09:52 . 2009-07-03 02:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-07 23:11 . 2011-05-30 20:48 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NDSTray.exe"="NDSTray.exe" [bU]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]

"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]

"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]

"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]

"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"BigPondWirelessBroadbandCM"="c:\program files\Telstra\Mobile Broadband Manager\TelstraUCM.exe" [2010-05-14 4352408]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKLM\~\startupfolder\C:^Users^jjj^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Check for TWS Updates.lnk]

path=c:\users\jjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Check for TWS Updates.lnk

backup=c:\windows\pss\Check for TWS Updates.lnk.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^jjj^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]

path=c:\users\jjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk

backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2007-09-13 16:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2007-10-25 16:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-04-16 12:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]

2010-07-05 02:01 185784 ----a-w- c:\program files\Common Files\PPLiveNetwork\ppap.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPLiveVA]

2010-04-27 03:23 71152 ----a-w- c:\program files\PPLive\PPVA\PPLiveVA.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2009-09-02 04:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]

2010-04-28 18:15 2633976 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

.

R3 CFcatchme;CFcatchme;c:\users\jjj\AppData\Local\Temp\CFcatchme.sys [x]

R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]

R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-04-29 7168]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R3 npkycryp;npkycryp;c:\windows\system32\npkycryp.sys [x]

R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2009-12-28 114688]

S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]

S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]

S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]

S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-20 c:\windows\Tasks\Norton Security Scan for jjj.job

- c:\progra~1\NORTON~2\Engine\352~1.9\Nss.exe [2011-09-20 09:21]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

uInternet Settings,ProxyOverride = <local>

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: QQ - c:\program files\Tencent\QQIntl\Bin\AddEmotion.htm

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\users\jjj\AppData\Roaming\Mozilla\Firefox\Profiles\qcp7pi1i.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????v??Miz????>???>???>? >?H

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\windows\system32\WLANExt.exe

c:\windows\system32\conime.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe

c:\windows\system32\TODDSrv.exe

c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\windows\RtHDVCpl.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\igfxext.exe

.

**************************************************************************

.

Completion time: 2011-09-22 01:50:07 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-21 15:50

ComboFix2.txt 2011-09-21 13:55

.

Pre-Run: 6,067,724,288 bytes free

Post-Run: 6,049,071,104 bytes free

.

- - End Of File - - 87EF4663C562EB039633EEA8A749E0E4

Upload was successful



Hi,

Let's see if this works ... follow the tutorial

Also please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :dir
    %Temp%\smtmp /s


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Next:

Please read and follow all these instructions very carefully.

  1. Please download GooredFix and save it to your Desktop.
  2. Double-click GooredFix.exe to run it.
  3. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Regards,

Georgi


Hello Georgi,

I found out that my missing shortcuts are only those of my programs, not windows accessories and such. I guess I should just manually create them, thanks for the link to the tutorial though.

SystemLook ran okay but GooredFix crashed when scanning (two tries). Here are the logs below. Much appreciation!

/////////////////////////////////////////////////////////////////////////////////////

SystemLook 30.07.11 by jpshortstuff

Log created at 08:53 on 22/09/2011 by jjj

Administrator - Elevation successful

========== dir ==========

C:\Users\jjj\AppData\Local\Temp\smtmp - Unable to find folder.

-= EOF =-

////////////////////////////////////////////////////////////////////////////////////

GooredFix by jpshortstuff (03.07.10.1)

Log created at 08:57 on 22/09/2011 (jjj)

Firefox version 6.0.2 (en-US)

========== GooredScan ==========


Hello wintery,

Sorry for the delayed response.

Let's see if the shortcuts are there or not.

Please download Unhide.exe to your desktop:

  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.

Let me know if you can see them now. If it is not successful, then you will need to recreate them manually.

If Firefox is crashing when you try to view videos on YouTube, it is usually caused by the Flash plugin conflicting with one of your extensions.

Try to install the latest version from here Adobe Flash Player 11.0 RC1 for (Firefox, Safari, Opera) x86 and report back if the crashes still occur.

Let's take a deeper look to see if we can find something hidden.

We need to run an OTL Custom Scan

  1. Please download OTL from the link below:
  2. Save it to your desktop.
  3. Double-click on the OTL icon on your desktop.
  4. OTL should now start. Change the following settings:
     - Click on the Scan All Users checkbox given at the top.
     - Under File Scans, change File age to 90.
     - On the upper right be sure Use Company-Name WhiteList, Skip Microsoft Files and Use No-Company-Name-Whitelist are checked.
     - Check the boxes beside LOP Check and Purity Check.
  5. Copy and paste the following code into the custom scan textbox:

netsvcs
msconfig
safebootminimal
safebootnetwork
%SYSTEMDRIVE%\*.*
%USERPROFILE%\*.*
%USERPROFILE%\AppData\Local\*.*
%USERPROFILE%\AppData\Roaming\*.*
%ProgramData%\*.*
%CommonProgramFiles%\*.*
%PROGRAMFILES%\*.*
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s

  6. Push the Run Scan button.
  7. Two reports will open; copy and paste them in a reply here:
     • OTL.txt <-- Will be opened
     • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in safe mode.

-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Regards,

Georgi
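
As an added example, not OTL's code and not part of Georgi's or wintery's posts: a small Python triage script that reads report lines in the format OTL emits (the "IE -", "O4 -", "O6 -" and "O20 -" entries that appear in the logs posted in this thread) and flags the entries a helper would look at first. The sample lines are constructed from that format, using values the log on this page shows; the category names, severities and regular expressions are this example's own choices, not OTL's.

```python
"""Triage helper for OTL report lines (added example; not OTL's own code)."""
import re
from typing import Dict, Iterable, List, Tuple

Finding = Tuple[str, str, str]  # (severity, category, detail)

SEVERITY_RANK = {'HIGH': 0, 'MEDIUM': 1, 'LOW': 2}

# Line shapes copied from the OTL report format seen in this thread.
PROXY_SERVER_RE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+|HKLM)\\.*Internet Settings: "ProxyServer" = (?P<value>.*)$')
PROXY_ENABLE_RE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+|HKLM)\\.*Internet Settings: "ProxyEnable" = (?P<value>\d+)$')
RUN_RE = re.compile(
    r'^O4 - (?P<hive>[^.\s]+)\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<target>.*)$')
ENABLELUA_RE = re.compile(r'^O6 - HKLM\\.*policies\\System: EnableLUA = (?P<value>\d+)$')
WINLOGON_RE = re.compile(
    r'^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - \((?P<value>[^)]*)\)')

# Registry profiles no interactive user browses from; a proxy written here is
# usually set by something running as SYSTEM.
SYSTEM_PROFILES = {r'HKU\.DEFAULT', r'HKU\S-1-5-18'}
LOOPBACK_HOSTS = ('127.0.0.1', 'localhost', '[::1]')
# Only these binaries are expected in the Winlogon Shell / UserInit values.
WINLOGON_EXPECTED = {'Shell': 'explorer.exe', 'UserInit': 'userinit.exe'}

# Constructed sample: OTL line format with the values the report on this page shows.
SAMPLE_OTL_LINES = [
    r'IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:54222',
    r'IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:54222',
    r'IE - HKU\S-1-5-21-4184094342-2079622803-2384233876-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found',
    r'O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)',
    r'O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0',
    r'O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)',
    r'O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)',
]


def _winlogon_ok(key: str, value: str) -> bool:
    """True when every comma-separated entry is the expected Windows binary."""
    entries = [e.strip() for e in value.split(',') if e.strip()]
    expected = WINLOGON_EXPECTED[key]
    return bool(entries) and all(e.rsplit('\\', 1)[-1].lower() == expected for e in entries)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return findings sorted by severity; each is (severity, category, detail)."""
    findings: List[Finding] = []
    proxy_enabled: Dict[str, bool] = {}
    proxy_server: Dict[str, str] = {}

    for raw in lines:
        line = raw.rstrip('\r\n')
        if m := PROXY_ENABLE_RE.match(line):
            proxy_enabled[m['hive']] = m['value'] == '1'
        elif m := PROXY_SERVER_RE.match(line):
            proxy_server[m['hive']] = m['value'].strip()
        elif m := RUN_RE.match(line):
            # A Run value whose target is gone is leftover, not active; low priority.
            if m['target'].endswith('File not found'):
                findings.append(('LOW', 'dangling-autorun',
                                 f"{m['hive']}\\Run [{m['name']}] points at a missing file"))
        elif m := ENABLELUA_RE.match(line):
            if m['value'] == '0':
                findings.append(('MEDIUM', 'uac-disabled', 'EnableLUA = 0: UAC is turned off'))
        elif m := WINLOGON_RE.match(line):
            if not _winlogon_ok(m['key'], m['value']):
                findings.append(('HIGH', 'winlogon-hijack', f"{m['key']} = {m['value']}"))

    # Proxy settings come as two lines per profile, so pair them up afterwards.
    for hive, value in proxy_server.items():
        enabled = proxy_enabled.get(hive, False)
        if any(host in value for host in LOOPBACK_HOSTS):
            # A loopback proxy is also what some local web filters install,
            # so this is a lead to verify, not a verdict.
            severity = 'HIGH' if enabled else 'MEDIUM'
            findings.append((severity, 'loopback-proxy',
                             f'{hive}: ProxyServer = {value} (enabled={enabled})'))
        elif enabled and hive in SYSTEM_PROFILES:
            findings.append(('MEDIUM', 'system-profile-proxy', f'{hive}: ProxyServer = {value}'))

    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings


if __name__ == '__main__':
    for severity, category, detail in triage(SAMPLE_OTL_LINES):
        print(f'[{severity}] {category}: {detail}')
```

Run as-is it reports the two loopback proxies set in the .DEFAULT and SYSTEM (S-1-5-18) profiles first, then the disabled UAC policy and the dead NDSTray.exe Run entry; the user profile's ProxyEnable = 0 produces nothing, and the Winlogon Shell and UserInit values pass because they name the expected binaries. Feeding it a whole OTL.txt is just `triage(open('OTL.txt', encoding='utf-8', errors='replace'))`.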


Hello Georgi,

No delay at all on your part. It took me a while to complete all the steps for this stage though. Thank you again for your continual help. The results for each item are as follows:

Unhide.exe - no changes. I will manually recreate my missing shortcuts.

Adobe Flash Player - Firefox still crashes when trying to access YouTube after installing this.

OTL - successfully ran.

GMER - successfully ran with "Devices" unchecked (otherwise it crashed in both normal and safe mode).

Logs for OTL and GMER are as follows:

OTL logfile created on: 22/09/2011 11:22:28 PM - Run 1

OTL by OldTimer - Version 3.2.29.1 Folder = C:\Users\jjj\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.87 Gb Total Physical Memory | 2.07 Gb Available Physical Memory | 72.25% Memory free

5.94 Gb Paging File | 5.31 Gb Available in Paging File | 89.35% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 101.76 Gb Total Space | 5.58 Gb Free Space | 5.48% Space Free | Partition Type: NTFS

Computer Name: JJJ-LP | User Name: jjj | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: On | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days

========== Processes (SafeList) ==========

PRC - [2011/09/22 23:21:04 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Users\jjj\Desktop\OTL.exe

PRC - [2010/05/14 11:44:46 | 000,501,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe

PRC - [2010/05/14 11:01:26 | 004,352,408 | ---- | M] (Telstra) -- C:\Program Files\Telstra\Mobile Broadband Manager\TelstraUCM.exe

PRC - [2008/10/29 16:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2008/07/18 19:39:30 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe

PRC - [2008/06/02 12:26:48 | 000,505,720 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

PRC - [2008/05/09 10:49:30 | 000,716,800 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

PRC - [2008/04/25 06:03:12 | 000,430,080 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

PRC - [2008/04/17 17:21:24 | 001,056,768 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

PRC - [2008/04/17 17:19:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

PRC - [2008/04/17 17:19:16 | 000,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe

PRC - [2008/04/08 17:14:50 | 006,037,504 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe

PRC - [2008/02/06 12:52:52 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

PRC - [2008/02/06 12:52:40 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

PRC - [2008/01/21 12:24:13 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe

PRC - [2008/01/11 16:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

PRC - [2007/12/03 16:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe

PRC - [2007/11/22 10:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe

PRC - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe

PRC - [2006/08/23 15:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

========== Modules (No Company Name) ==========

MOD - [2010/08/26 19:40:28 | 000,224,768 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\02a85e04cb4b6501ff869f79de5b2222\PresentationFramework.Classic.ni.dll

MOD - [2010/08/26 19:40:27 | 014,327,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\b7b8c64ce7df1036cb272734b89dff4a\PresentationFramework.ni.dll

MOD - [2010/08/26 19:40:02 | 012,216,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\a04387a2fa0aa5ad644db319ea6ce0d0\PresentationCore.ni.dll

MOD - [2010/08/26 19:39:36 | 003,313,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\8dfd20cf2b6b63b8e4ea587a3ccdccb3\WindowsBase.ni.dll

MOD - [2010/08/26 19:39:30 | 007,949,824 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\e757b4f83931d47c785b0aaacf7cce81\System.ni.dll

MOD - [2010/08/26 19:39:16 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\fb0a3a6e527462455beda91d7ea58de5\mscorlib.ni.dll

MOD - [2008/09/16 20:18:06 | 000,132,608 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll

MOD - [2008/03/06 09:14:54 | 005,121,912 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll

MOD - [2007/12/25 11:03:40 | 000,015,184 | ---- | M] () -- C:\Program Files\TOSHIBA\PCDiag\NotifyPCD.dll

MOD - [2007/12/14 20:40:00 | 000,090,112 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\TWarnMsg\TWarnMsg.dll

MOD - [2006/10/11 04:44:16 | 000,009,728 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA Assist\NotifyX.dll

MOD - [2006/10/08 04:57:04 | 000,053,248 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA Disc Creator\NotifyTDC.dll

========== Win32 Services (SafeList) ==========

SRV - [2008/07/18 19:39:30 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)

SRV - [2008/04/17 17:19:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)

SRV - [2008/04/16 14:53:00 | 000,954,368 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)

SRV - [2008/02/06 12:52:40 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)

SRV - [2008/01/11 16:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)

SRV - [2007/12/03 16:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)

SRV - [2007/11/22 10:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)

SRV - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)

SRV - [2006/08/23 15:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)

========== Driver Services (SafeList) ==========

DRV - [2010/05/03 12:18:12 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PCASp50.sys -- (PCASp50)

DRV - [2010/01/27 10:46:40 | 000,105,856 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)

DRV - [2010/01/27 10:46:40 | 000,105,856 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)

DRV - [2010/01/27 10:46:40 | 000,105,856 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)

DRV - [2009/12/28 15:05:06 | 000,114,688 | ---- | M] (ZTE Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbnet.sys -- (ZTEusbnet)

DRV - [2008/07/18 17:52:16 | 000,279,376 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)

DRV - [2008/05/19 18:42:56 | 000,912,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)

DRV - [2008/04/29 11:00:30 | 000,007,168 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\massfilter.sys -- (massfilter)

DRV - [2008/04/28 15:59:18 | 000,020,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)

DRV - [2008/04/15 12:05:08 | 000,118,784 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)

DRV - [2007/12/15 04:53:24 | 000,024,200 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)

DRV - [2007/11/09 13:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)

DRV - [2006/11/28 17:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)

DRV - [2006/11/21 07:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:54222

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:54222

IE - HKU\S-1-5-21-4184094342-2079622803-2384233876-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/

IE - HKU\S-1-5-21-4184094342-2079622803-2384233876-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKU\S-1-5-21-4184094342-2079622803-2384233876-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-4184094342-2079622803-2384233876-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2

FF - prefs.js..extensions.enabledItems: searchrecs@veoh.com:1.5.2

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.4.5

FF - prefs.js..extensions.enabledItems: {5384767E-00D9-40E9-B72F-9CC39D655D6F}:1.4.1.0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/08 09:11:29 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/31 06:48:23 | 000,000,000 | ---D | M]

[2009/02/25 22:01:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jjj\AppData\Roaming\Mozilla\Extensions

[2011/09/21 15:07:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jjj\AppData\Roaming\Mozilla\Firefox\Profiles\qcp7pi1i.default\extensions

[2010/06/25 04:20:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\jjj\AppData\Roaming\Mozilla\Firefox\Profiles\qcp7pi1i.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2011/05/21 16:11:28 | 000,000,000 | ---D | M] (EPUBReader) -- C:\Users\jjj\AppData\Roaming\Mozilla\Firefox\Profiles\qcp7pi1i.default\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}

[2011/09/20 12:26:07 | 000,000,000 | ---D | M] (BitDefender QuickScan) -- C:\Users\jjj\AppData\Roaming\Mozilla\Firefox\Profiles\qcp7pi1i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

[2010/05/22 09:14:52 | 000,000,000 | ---D | M] (Veoh Video Compass) -- C:\Users\jjj\AppData\Roaming\Mozilla\Firefox\Profiles\qcp7pi1i.default\extensions\searchrecs@veoh.com

[2011/05/31 04:39:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2010/07/23 05:28:06 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

[2010/10/16 01:41:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

() (No name found) -- C:\USERS\JJJ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\QCP7PI1I.DEFAULT\EXTENSIONS\{3D7EB24F-2740-49DF-8937-200B1CC08F8A}.XPI

() (No name found) -- C:\USERS\JJJ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\QCP7PI1I.DEFAULT\EXTENSIONS\{53A03D43-5363-4669-8190-99061B2DEBA5}.XPI

[2011/09/08 09:11:29 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2010/05/25 06:23:28 | 000,064,384 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll

[2010/09/15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

[2011/08/18 22:04:06 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/09/22 01:45:01 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (Download_Bho Class) - {A986E409-30CC-4185-89BB-AB212C104524} - C:\Program Files\PPLive\PPVA\DownloaderManager.dll (PPLive Corporation)

O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [bigPondWirelessBroadbandCM] C:\Program Files\Telstra\Mobile Broadband Manager\TelstraUCM.exe (Telstra)

O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found

O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [smoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)

O4 - HKU\S-1-5-21-4184094342-2079622803-2384233876-1000..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-21-4184094342-2079622803-2384233876-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-4184094342-2079622803-2384233876-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-21-4184094342-2079622803-2384233876-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-4184094342-2079622803-2384233876-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)

O8 - Extra context menu item: QQ - C:\Program Files\Tencent\QQIntl\Bin\AddEmotion.htm ()

O9 - Extra Button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPTV\PPLive.exe (PPLive Corporation)

O9 - Extra 'Tools' menuitem : PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPTV\PPLive.exe (PPLive Corporation)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{27469EA3-9744-485D-820F-815E082A5E7E}: DhcpNameServer = 192.168.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C280E5BA-131A-4635-9D81-A66E6A8D87D8}: DhcpNameServer = 139.130.4.4 203.50.2.71

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E7CFAE61-1E75-4656-AF7F-AF34FD0BF5DD}: DhcpNameServer = 192.168.0.1

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Users\jjj\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O24 - Desktop BackupWallPaper: C:\Users\jjj\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/19 07:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found

NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)

NetSvcs: Nla - File not found

NetSvcs: Ntmssvc - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: SRService - File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: LogonHours - File not found

NetSvcs: PCAudit - File not found

NetSvcs: helpsvc - File not found

NetSvcs: uploadmgr - File not found

MsConfig - StartUpFolder: C:^Users^jjj^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Check for TWS Updates.lnk - C:\Jts\WiseUpdt.exe - ()

MsConfig - StartUpFolder: C:^Users^jjj^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe - ()

MsConfig - StartUpReg: CanonMyPrinter - hkey= - key= - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)

MsConfig - StartUpReg: CanonSolutionMenu - hkey= - key= - C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)

MsConfig - StartUpReg: msnmsgr - hkey= - key= - C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)

MsConfig - StartUpReg: PPAP - hkey= - key= - C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe (PPLive Corporation)

MsConfig - StartUpReg: PPLiveVA - hkey= - key= - C:\Program Files\PPLive\PPVA\PPLiveVA.exe (Synacast)

MsConfig - StartUpReg: Skype - hkey= - key= - C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)

MsConfig - StartUpReg: VeohPlugin - hkey= - key= - C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe (Veoh Networks)

MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - File not found

SafeBootMin: Base - Driver Group

SafeBootMin: Boot Bus Extender - Driver Group

SafeBootMin: Boot file system - Driver Group

SafeBootMin: File system - Driver Group

SafeBootMin: Filter - Driver Group

SafeBootMin: HelpSvc - Service

SafeBootMin: NTDS - File not found

SafeBootMin: PCI Configuration - Driver Group

SafeBootMin: PNP Filter - Driver Group

SafeBootMin: Primary disk - Driver Group

SafeBootMin: sacsvr - Service

SafeBootMin: SCSI Class - Driver Group

SafeBootMin: System Bus Extender - Driver Group

SafeBootMin: WinDefend - Service

SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers

SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive

SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive

SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller

SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc

SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard

SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse

SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters

SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter

SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System

SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive

SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy

SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers

SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume

SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices

SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet: AppMgmt - File not found

SafeBootNet: Base - Driver Group

SafeBootNet: Boot Bus Extender - Driver Group

SafeBootNet: Boot file system - Driver Group

SafeBootNet: File system - Driver Group

SafeBootNet: Filter - Driver Group

SafeBootNet: HelpSvc - Service

SafeBootNet: Messenger - Service

SafeBootNet: NDIS Wrapper - Driver Group

SafeBootNet: NetBIOSGroup - Driver Group

SafeBootNet: NetDDEGroup - Driver Group

SafeBootNet: Network - Driver Group

SafeBootNet: NetworkProvider - Driver Group

SafeBootNet: NTDS - File not found

SafeBootNet: PCI Configuration - Driver Group

SafeBootNet: PNP Filter - Driver Group

SafeBootNet: PNP_TDI - Driver Group

SafeBootNet: Primary disk - Driver Group

SafeBootNet: rdsessmgr - Service

SafeBootNet: sacsvr - Service

SafeBootNet: SCSI Class - Driver Group

SafeBootNet: Streams Drivers - Driver Group

SafeBootNet: System Bus Extender - Driver Group

SafeBootNet: TDI - Driver Group

SafeBootNet: WinDefend - Service

SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers

SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive

SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive

SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller

SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc

SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard

SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse

SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net

SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient

SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService

SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans

SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters

SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter

SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System

SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive

SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers

SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy

SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers

SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume

SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices

SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

========== Files/Folders - Created Within 90 Days ==========

[2011/09/22 23:20:50 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Users\jjj\Desktop\OTL.exe

[2011/09/22 08:55:09 | 000,000,000 | ---D | C] -- C:\Users\jjj\Desktop\GooredFix Backups

[2011/09/22 08:54:38 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Users\jjj\Desktop\GooredFix.exe

[2011/09/22 08:50:06 | 000,000,000 | ---D | C] -- C:\Users\jjj\Desktop\Programs

[2011/09/22 01:52:15 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2011/09/22 01:45:03 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN

[2011/09/22 01:42:38 | 000,000,000 | ---D | C] -- C:\Users\jjj\AppData\Local\temp

[2011/09/21 23:20:58 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2011/09/21 23:20:58 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2011/09/21 23:20:58 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2011/09/21 23:19:24 | 004,222,462 | R--- | C] (Swearware) -- C:\Users\jjj\Desktop\ComboFix.exe

[2011/09/21 23:12:06 | 000,000,000 | ---D | C] -- C:\Users\jjj\Desktop\DummyCreator

[2011/09/21 10:57:59 | 001,403,184 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\jjj\Desktop\TDSSKiller.exe

[2011/09/20 19:02:07 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine

[2011/09/20 18:53:48 | 000,000,000 | ---D | C] -- C:\Users\jjj\Desktop\tdss

[2011/09/20 16:54:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware4

[2011/09/20 16:54:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware4

[2011/09/20 15:53:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware3

[2011/09/20 15:53:50 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware3

[2011/09/20 15:33:30 | 000,000,000 | ---D | C] -- C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis

[2011/09/20 15:28:52 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2011/09/20 15:27:34 | 000,000,000 | ---D | C] -- C:\Users\jjj\Desktop\stuff

[2011/09/20 15:14:01 | 000,000,000 | ---D | C] -- C:\Windows\PIF

[2011/09/20 15:10:51 | 000,000,000 | ---D | C] -- C:\Program Files\hjt

[2011/09/20 13:59:41 | 001,047,208 | ---- | C] (Malwarebytes Corporation) -- C:\Users\jjj\Desktop\cmo5dq8e2k.exe

[2011/09/20 13:56:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware2

[2011/09/20 13:56:45 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware2

[2011/09/20 13:55:35 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\jjj\Desktop\6phxu88hm.exe

[2011/09/20 13:07:57 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2011/09/20 13:03:27 | 000,000,000 | ---D | C] -- C:\Qoobox

[2011/09/20 12:45:12 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\jjj\Desktop\dds.scr

[2011/09/20 12:27:16 | 000,000,000 | ---D | C] -- C:\Users\jjj\AppData\Roaming\QuickScan

[2011/09/20 12:13:53 | 000,200,976 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys

[2011/09/20 12:13:11 | 002,002,320 | ---- | C] (Trend Micro Inc.) -- C:\Users\jjj\Desktop\HousecallLauncher.exe

[2011/09/20 12:03:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared

[2011/09/20 11:57:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec

[2011/09/20 11:57:21 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Scan

[2011/09/20 11:57:21 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NSS

[2011/09/20 11:57:21 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Scan

[2011/09/20 11:57:21 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NSS\0305020.009

[2011/09/20 11:57:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton

[2011/09/20 11:57:19 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller

[2011/09/20 11:57:19 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller

[2011/09/20 11:13:32 | 000,000,000 | ---D | C] -- C:\Users\jjj\Desktop\malwarehijack_files

[2011/09/20 11:05:46 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\jjj\Desktop\firefox.exe

[2011/08/28 21:59:52 | 000,000,000 | ---D | C] -- C:\Users\jjj\Desktop\quaero aeris

[2011/08/26 12:57:52 | 000,000,000 | ---D | C] -- C:\Users\jjj\Desktop\quaero scrolls

[2011/08/23 01:54:47 | 000,000,000 | ---D | C] -- C:\Users\jjj\Desktop\quaero department

[2011/08/21 23:18:54 | 000,000,000 | ---D | C] -- C:\logfiles old

[2011/07/15 18:49:41 | 000,000,000 | ---D | C] -- C:\Users\jjj\AppData\Roaming\Fonyaw

[2011/07/15 18:49:41 | 000,000,000 | ---D | C] -- C:\Users\jjj\AppData\Roaming\Etow

[2011/07/06 22:38:03 | 000,000,000 | ---D | C] -- C:\logfiles

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2011/09/22 23:21:04 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Users\jjj\Desktop\OTL.exe

[2011/09/22 23:07:16 | 000,684,297 | ---- | M] () -- C:\Users\jjj\Desktop\unhide.exe

[2011/09/22 22:42:11 | 000,003,344 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2011/09/22 22:42:11 | 000,003,344 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2011/09/22 22:42:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2011/09/22 22:42:00 | 3082,817,536 | -HS- | M] () -- C:\hiberfil.sys

[2011/09/22 08:54:38 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Users\jjj\Desktop\GooredFix.exe

[2011/09/22 08:53:27 | 000,139,264 | ---- | M] () -- C:\Users\jjj\Desktop\SystemLook.exe

[2011/09/22 08:49:41 | 000,010,817 | ---- | M] () -- C:\Users\jjj\Desktop\Current_User_Start_Menu.zip

[2011/09/22 01:45:01 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2011/09/22 01:34:06 | 000,018,648 | ---- | M] () -- C:\Users\jjj\Desktop\New OpenDocument Text (3).odt

[2011/09/22 01:30:46 | 004,222,462 | R--- | M] (Swearware) -- C:\Users\jjj\Desktop\ComboFix.exe

[2011/09/21 23:11:19 | 000,455,496 | ---- | M] () -- C:\Users\jjj\Desktop\DummyCreator.zip

[2011/09/21 15:47:33 | 000,000,443 | ---- | M] () -- C:\Users\jjj\Desktop\host2.htm

[2011/09/21 15:46:33 | 000,000,386 | ---- | M] () -- C:\Users\jjj\Desktop\hostsss.htm

[2011/09/21 15:26:41 | 000,000,548 | ---- | M] () -- C:\Users\jjj\Desktop\url.htm

[2011/09/20 18:53:39 | 001,386,742 | ---- | M] () -- C:\Users\jjj\Desktop\tdsskiller.zip

[2011/09/20 18:14:21 | 000,001,356 | ---- | M] () -- C:\Users\jjj\AppData\Local\d3d9caps.dat

[2011/09/20 16:25:46 | 000,002,683 | ---- | M] () -- C:\Users\jjj\Desktop\HiJackThis.lnk

[2011/09/20 15:53:55 | 000,000,924 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/09/20 15:33:07 | 001,402,880 | ---- | M] () -- C:\Users\jjj\Desktop\HiJackThis.msi

[2011/09/20 14:52:39 | 215,672,832 | ---- | M] () -- C:\Users\jjj\Desktop\kav_rescue_10.iso

[2011/09/20 13:59:45 | 001,047,208 | ---- | M] (Malwarebytes Corporation) -- C:\Users\jjj\Desktop\cmo5dq8e2k.exe

[2011/09/20 13:55:35 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\jjj\Desktop\6phxu88hm.exe

[2011/09/20 13:11:25 | 000,302,592 | ---- | M] () -- C:\Users\jjj\Desktop\9htykuu4.exe

[2011/09/20 12:44:39 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\jjj\Desktop\dds.scr

[2011/09/20 12:43:22 | 000,000,000 | ---- | M] () -- C:\Users\jjj\defogger_reenable

[2011/09/20 12:42:16 | 000,050,477 | ---- | M] () -- C:\Users\jjj\Desktop\Defogger.exe

[2011/09/20 12:13:22 | 000,000,036 | ---- | M] () -- C:\Users\jjj\AppData\Local\housecall.guid.cache

[2011/09/20 12:13:17 | 002,002,320 | ---- | M] (Trend Micro Inc.) -- C:\Users\jjj\Desktop\HousecallLauncher.exe

[2011/09/20 11:57:26 | 000,001,139 | ---- | M] () -- C:\Users\Public\Desktop\Norton Security Scan.lnk

[2011/09/20 11:57:26 | 000,000,432 | ---- | M] () -- C:\Windows\tasks\Norton Security Scan for jjj.job

[2011/09/20 11:35:23 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\jjj\Desktop\firefox.exe

[2011/09/20 11:30:25 | 226,581,204 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2011/09/20 11:20:24 | 001,008,092 | ---- | M] () -- C:\Users\jjj\Desktop\rkill.exe

[2011/09/20 11:13:33 | 000,217,377 | ---- | M] () -- C:\Users\jjj\Desktop\malwarehijack.htm

[2011/09/20 10:57:38 | 003,215,803 | ---- | M] () -- C:\Users\jjj\Desktop\backup4.rar

[2011/09/20 10:36:14 | 000,000,949 | ---- | M] () -- C:\Users\jjj\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk

[2011/09/20 08:54:14 | 001,403,184 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\jjj\Desktop\TDSSKiller.exe

[2011/09/19 17:54:26 | 019,767,296 | ---- | M] () -- C:\Users\jjj\Desktop\backup4.mdb

[2011/08/23 16:39:07 | 000,000,172 | ---- | M] () -- C:\Windows\System32\drivers\NSS\0305020.009\isolate.ini

[2011/08/12 20:31:17 | 000,037,376 | ---- | M] () -- C:\Users\jjj\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/07/15 19:27:35 | 000,010,076 | -HS- | M] () -- C:\Users\jjj\AppData\Local\6mo4g56006efwb6i5l720x1hnte0i2d326221w26

[2011/07/15 19:27:35 | 000,010,076 | -HS- | M] () -- C:\ProgramData\6mo4g56006efwb6i5l720x1hnte0i2d326221w26

[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2011/06/26 16:45:56 | 000,256,000 | ---- | M] () -- C:\Windows\PEV.exe

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/22 23:07:13 | 000,684,297 | ---- | C] () -- C:\Users\jjj\Desktop\unhide.exe

[2011/09/22 08:53:26 | 000,139,264 | ---- | C] () -- C:\Users\jjj\Desktop\SystemLook.exe

[2011/09/22 08:49:41 | 000,010,817 | ---- | C] () -- C:\Users\jjj\Desktop\Current_User_Start_Menu.zip

[2011/09/22 01:33:34 | 000,018,648 | ---- | C] () -- C:\Users\jjj\Desktop\New OpenDocument Text (3).odt

[2011/09/21 23:20:58 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2011/09/21 23:20:58 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2011/09/21 23:20:58 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2011/09/21 23:20:58 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2011/09/21 23:20:58 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2011/09/21 23:11:16 | 000,455,496 | ---- | C] () -- C:\Users\jjj\Desktop\DummyCreator.zip

[2011/09/21 15:47:33 | 000,000,443 | ---- | C] () -- C:\Users\jjj\Desktop\host2.htm

[2011/09/21 15:46:33 | 000,000,386 | ---- | C] () -- C:\Users\jjj\Desktop\hostsss.htm

[2011/09/21 15:26:40 | 000,000,548 | ---- | C] () -- C:\Users\jjj\Desktop\url.htm

[2011/09/21 11:31:58 | 3082,817,536 | -HS- | C] () -- C:\hiberfil.sys

[2011/09/21 10:57:56 | 001,386,742 | ---- | C] () -- C:\Users\jjj\Desktop\tdsskiller.zip

[2011/09/20 15:53:55 | 000,000,924 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/09/20 15:33:30 | 000,002,683 | ---- | C] () -- C:\Users\jjj\Desktop\HiJackThis.lnk

[2011/09/20 15:07:53 | 001,402,880 | ---- | C] () -- C:\Users\jjj\Desktop\HiJackThis.msi

[2011/09/20 14:52:40 | 215,672,832 | ---- | C] () -- C:\Users\jjj\Desktop\kav_rescue_10.iso

[2011/09/20 13:11:22 | 000,302,592 | ---- | C] () -- C:\Users\jjj\Desktop\9htykuu4.exe

[2011/09/20 12:43:22 | 000,000,000 | ---- | C] () -- C:\Users\jjj\defogger_reenable

[2011/09/20 12:42:47 | 000,050,477 | ---- | C] () -- C:\Users\jjj\Desktop\Defogger.exe

[2011/09/20 12:13:22 | 000,000,036 | ---- | C] () -- C:\Users\jjj\AppData\Local\housecall.guid.cache

[2011/09/20 11:57:26 | 000,001,139 | ---- | C] () -- C:\Users\Public\Desktop\Norton Security Scan.lnk

[2011/09/20 11:57:26 | 000,000,432 | ---- | C] () -- C:\Windows\tasks\Norton Security Scan for jjj.job

[2011/09/20 11:57:21 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NSS\0305020.009\isolate.ini

[2011/09/20 11:20:15 | 001,008,092 | ---- | C] () -- C:\Users\jjj\Desktop\rkill.exe

[2011/09/20 11:13:31 | 000,217,377 | ---- | C] () -- C:\Users\jjj\Desktop\malwarehijack.htm

[2011/09/20 10:57:30 | 003,215,803 | ---- | C] () -- C:\Users\jjj\Desktop\backup4.rar

[2011/09/20 10:57:19 | 019,767,296 | ---- | C] () -- C:\Users\jjj\Desktop\backup4.mdb

[2011/07/15 18:50:26 | 000,010,076 | -HS- | C] () -- C:\Users\jjj\AppData\Local\6mo4g56006efwb6i5l720x1hnte0i2d326221w26

[2011/07/15 18:50:26 | 000,010,076 | -HS- | C] () -- C:\ProgramData\6mo4g56006efwb6i5l720x1hnte0i2d326221w26

[2010/12/31 22:01:04 | 000,000,600 | ---- | C] () -- C:\Users\jjj\AppData\Local\PUTTY.RND

[2010/07/23 04:45:18 | 000,000,043 | ---- | C] () -- C:\Windows\ib.ini

[2010/07/23 04:17:11 | 000,253,952 | ---- | C] () -- C:\Windows\ddedll.dll

[2010/06/21 09:47:08 | 000,108,032 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll

[2009/12/28 19:01:56 | 000,018,760 | ---- | C] () -- C:\Windows\System32\QQVistaHelper.dll

[2009/10/11 19:52:26 | 000,000,056 | ---- | C] () -- C:\Windows\System32\ezsidmv.dat

[2009/09/08 09:46:42 | 000,178,176 | ---- | C] () -- C:\Windows\System32\unrar.dll

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll

[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe

[2009/02/25 22:01:14 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat

[2009/02/24 19:32:12 | 000,037,376 | ---- | C] () -- C:\Users\jjj\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/02/24 17:22:12 | 000,026,624 | ---- | C] () -- C:\Windows\GetIe.dll

[2009/02/24 13:47:08 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin

[2009/02/24 13:47:08 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

[2009/02/24 12:44:23 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll

[2009/02/24 12:44:23 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll

[2009/02/24 12:44:23 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll

[2009/02/24 12:44:23 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll

[2009/02/24 12:44:23 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll

[2009/02/24 12:44:23 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll

[2009/02/24 12:30:18 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini

[2009/02/24 12:30:18 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll

[2009/02/24 12:30:18 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini

[2009/02/24 12:30:18 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini

[2009/02/24 12:27:51 | 000,001,356 | ---- | C] () -- C:\Users\jjj\AppData\Local\d3d9caps.dat

[2008/07/12 05:32:33 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

[2008/07/12 05:25:51 | 002,192,024 | ---- | C] () -- C:\Windows\System32\igkrng500.bin

[2008/07/12 05:25:51 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1502.dll

[2008/07/12 05:25:42 | 000,147,172 | ---- | C] () -- C:\Windows\System32\igfcg550.bin

[2008/07/12 05:25:38 | 000,492,496 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin

[2008/07/12 04:51:37 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI

[2006/11/02 22:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat

[2006/11/02 22:47:37 | 000,419,560 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT

[2006/11/02 22:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 20:33:01 | 000,696,698 | ---- | C] () -- C:\Windows\System32\perfh009.dat

[2006/11/02 20:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat

[2006/11/02 20:33:01 | 000,141,860 | ---- | C] () -- C:\Windows\System32\perfc009.dat

[2006/11/02 20:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat

[2006/11/02 20:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat

[2006/11/02 18:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

[2006/11/02 18:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT

[2006/11/02 17:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006/11/02 17:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2011/02/20 12:31:37 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\Babylon

[2009/10/31 14:42:48 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\Canon

[2010/07/31 03:14:26 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\crawl

[2011/07/15 20:43:37 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\Etow

[2011/07/15 20:28:17 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\Fonyaw

[2009/04/03 20:06:00 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\Helios

[2009/06/10 21:52:26 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\minimem

[2010/02/25 00:12:46 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\OpenOffice.org

[2010/01/22 00:23:38 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\PPLive

[2010/04/20 09:02:33 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\PPStream

[2011/09/20 12:27:26 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\QuickScan

[2010/09/27 10:48:00 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\Sierra Wireless

[2009/12/28 19:12:26 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\tencent

[2010/03/08 21:57:15 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\toshiba

[2011/03/03 03:54:57 | 000,000,000 | ---D | M] -- C:\Users\jjj\AppData\Roaming\uTorrent

[2011/09/22 10:15:06 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2006/09/19 07:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat

[2008/01/21 12:24:42 | 000,333,203 | RHS- | M] () -- C:\bootmgr

[2008/07/12 04:57:05 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK

[2007/09/18 18:49:52 | 000,061,440 | ---- | M] (TENCENT) -- C:\ChatRoom.exe

[2011/09/22 01:52:12 | 000,012,346 | ---- | M] () -- C:\ComboFix.txt

[2006/09/19 07:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys

[2010/02/26 00:30:35 | 000,000,595 | ---- | M] () -- C:\default.par

[2011/09/22 22:42:00 | 3082,817,536 | -HS- | M] () -- C:\hiberfil.sys

[2008/07/12 04:08:38 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2007/09/07 20:07:10 | 000,000,000 | ---- | M] () -- C:\key.ini

[2008/07/12 04:08:38 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2011/09/22 22:41:58 | 3396,612,096 | -HS- | M] () -- C:\pagefile.sys

[2011/09/20 11:48:29 | 000,001,610 | ---- | M] () -- C:\rkill.log

[2007/09/07 20:07:13 | 000,000,000 | ---- | M] () -- C:\RoomPanel.dll

[2011/09/20 18:55:42 | 000,062,530 | ---- | M] () -- C:\TDSSKiller.2.5.23.0_20.09.2011_18.54.56_log.txt

[2011/09/20 19:02:59 | 000,182,724 | ---- | M] () -- C:\TDSSKiller.2.5.23.0_20.09.2011_18.59.19_log.txt

[2011/09/20 20:33:19 | 000,061,832 | ---- | M] () -- C:\TDSSKiller.2.5.23.0_20.09.2011_20.32.16_log.txt

[2011/09/21 10:58:45 | 000,061,832 | ---- | M] () -- C:\TDSSKiller.2.5.23.0_21.09.2011_10.58.03_log.txt

[2011/09/21 11:12:10 | 000,063,442 | ---- | M] () -- C:\TDSSKiller.2.5.23.0_21.09.2011_11.11.03_log.txt

< %USERPROFILE%\*.* >

[2010/07/23 05:22:18 | 000,000,108 | ---- | M] () -- C:\Users\jjj\.asadminpass

[2010/07/23 05:22:08 | 000,000,749 | ---- | M] () -- C:\Users\jjj\.asadmintruststore

[2011/09/20 12:43:22 | 000,000,000 | ---- | M] () -- C:\Users\jjj\defogger_reenable

[2010/04/16 10:58:14 | 000,011,101 | ---- | M] () -- C:\Users\jjj\gsview32.ini

[2010/03/12 21:09:22 | 000,000,008 | R--- | M] () -- C:\Users\jjj\hwid

[2011/09/22 23:25:12 | 003,407,872 | -HS- | M] () -- C:\Users\jjj\ntuser.dat

[2011/09/22 23:25:12 | 000,262,144 | ---- | M] () -- C:\Users\jjj\ntuser.dat.LOG1

[2009/02/24 12:27:50 | 000,000,000 | ---- | M] () -- C:\Users\jjj\ntuser.dat.LOG2

[2011/09/22 10:15:04 | 000,065,536 | -HS- | M] () -- C:\Users\jjj\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf

[2011/09/22 10:15:04 | 000,524,288 | -HS- | M] () -- C:\Users\jjj\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms

[2009/02/24 12:36:25 | 000,524,288 | -HS- | M] () -- C:\Users\jjj\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms

[2009/02/24 12:27:50 | 000,000,020 | -HS- | M] () -- C:\Users\jjj\ntuser.ini

< %USERPROFILE%\AppData\Local\*.* >

[2011/07/15 19:27:35 | 000,010,076 | -HS- | M] () -- C:\Users\jjj\AppData\Local\6mo4g56006efwb6i5l720x1hnte0i2d326221w26

[2011/09/20 18:14:21 | 000,001,356 | ---- | M] () -- C:\Users\jjj\AppData\Local\d3d9caps.dat

[2011/08/12 20:31:17 | 000,037,376 | ---- | M] () -- C:\Users\jjj\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/08/26 19:39:51 | 000,118,368 | ---- | M] () -- C:\Users\jjj\AppData\Local\GDIPFONTCACHEV1.DAT

[2011/09/20 12:13:22 | 000,000,036 | ---- | M] () -- C:\Users\jjj\AppData\Local\housecall.guid.cache

[2011/09/22 10:15:01 | 001,531,406 | ---- | M] () -- C:\Users\jjj\AppData\Local\IconCache.db

[2011/01/05 00:58:23 | 000,000,600 | ---- | M] () -- C:\Users\jjj\AppData\Local\PUTTY.RND

< %USERPROFILE%\AppData\Roaming\*.* >

[2011/09/21 10:50:52 | 000,000,005 | ---- | M] () -- C:\Users\jjj\AppData\Roaming\910874458.log

[2011/09/20 14:32:16 | 000,000,005 | ---- | M] () -- C:\Users\jjj\AppData\Roaming\916894418.log

< %ProgramData%\*.* >

[2011/07/15 19:27:35 | 000,010,076 | -HS- | M] () -- C:\ProgramData\6mo4g56006efwb6i5l720x1hnte0i2d326221w26

< %CommonProgramFiles%\*.* >

< %PROGRAMFILES%\*.* >

[2008/01/21 12:43:21 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /90 >

[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\system32\drivers\mbam.sys

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >

[2008/02/26 06:00:00 | 000,027,136 | ---- | M] (CANON INC.) -- C:\Windows\system32\Spool\prtprocs\w32x86\CNMPD9I.DLL

[2008/02/26 06:00:00 | 000,069,632 | ---- | M] (CANON INC.) -- C:\Windows\system32\Spool\prtprocs\w32x86\CNMPP9I.DLL

[2006/11/02 22:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\Spool\prtprocs\w32x86\jnwppr.dll

< %systemroot%\*. /mp /s >

< End of report >

/////////////////////////////////////////////////////////////////////////////////////////////////////////

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

OTL Extras logfile created on: 22/09/2011 11:22:28 PM - Run 1

OTL by OldTimer - Version 3.2.29.1 Folder = C:\Users\jjj\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.87 Gb Total Physical Memory | 2.07 Gb Available Physical Memory | 72.25% Memory free

5.94 Gb Paging File | 5.31 Gb Available in Paging File | 89.35% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 101.76 Gb Total Space | 5.58 Gb Free Space | 5.48% Space Free | Partition Type: NTFS

Computer Name: JJJ-LP | User Name: jjj | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: On | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-4184094342-2079622803-2384233876-1000\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\PPStream\PPStream.exe" = C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPS网络电视 (PPS Network TV)

"C:\Program Files\PPStream\PPSAP.exe" = C:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS 网络加速器 (PPS Network Accelerator)

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{1BFC783F-FAE4-4F3F-9DB9-CFDD91C59794}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

"{5846EF20-0D1A-4B96-83EF-D7AE20F5689E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |

"{8916C3C6-3F8F-4295-BCC8-16A36A796905}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

"{B90A8CAC-CA6F-494E-9816-47DB25A78753}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0C4C8B46-A274-4D62-95DE-3BEFB9D88FF8}" = dir=in | app=c:\program files\skype\phone\skype.exe |

"{1157ACE7-47FB-4F70-B450-5D58DA49FFBD}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |

"{221200BC-957B-48E0-B5DD-0411DFEC5F48}" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |

"{25BC099D-4A99-433F-9148-91E7B8C31314}" = protocol=6 | dir=in | app=c:\program files\pplive\ppva\flvpick.exe |

"{34DC6557-5D68-435F-B4CF-6E3A4807F24E}" = protocol=6 | dir=in | app=c:\program files\pplive\pptv\pplive.exe |

"{357C3014-A4F5-4C12-B1AF-0CC3297CCC07}" = protocol=17 | dir=in | app=c:\program files\pplive\ppva\downloadprogress.exe |

"{4AE0541D-80A6-4C5F-B832-0C4E417335B5}" = protocol=17 | dir=in | app=c:\program files\common files\pplivenetwork\ppap.exe |

"{4D05CE8D-4F0A-49A5-B5C7-5169196229FA}" = protocol=6 | dir=in | app=c:\program files\common files\pplivenetwork\ppap.exe |

"{563B0964-E67F-48E0-9C81-BE7F71735AAD}" = protocol=6 | dir=in | app=c:\program files\pplive\pptv\ppliveu.exe |

"{5E3F3925-1DA6-4BAC-AD57-42B3F8042CF6}" = protocol=17 | dir=in | app=c:\program files\pplive\pptv\pplive.exe |

"{716C9BC3-D3FA-469C-81E3-4B67F6B1B66A}" = dir=in | app=c:\program files\skype\phone\skype.exe |

"{74ED24A5-6704-41B0-B3CF-7C6C063D8A67}" = protocol=17 | dir=in | app=c:\program files\pplive\ppva\ppliveva_u.exe |

"{7B5EAD53-4E8C-47F4-A910-E5A7C6F1C649}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |

"{81962674-D713-498F-9DAC-3F9AE6F10D06}" = dir=in | app=c:\program files\skype\phone\skype.exe |

"{886A302C-2526-49E3-9981-972914242261}" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |

"{A9EE927D-4CAB-4024-9B5F-2458EF34D361}" = protocol=6 | dir=in | app=c:\program files\pplive\ppva\ppvadownload.exe |

"{AAA8627F-0706-4293-919E-59C585446944}" = protocol=17 | dir=in | app=c:\program files\pplive\ppva\ppvadownload.exe |

"{ABB7CF25-2A0A-4B7D-858F-023748F830A8}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |

"{B826CF60-127F-42C9-AFC4-CAAFF747C814}" = dir=in | app=c:\program files\skype\phone\skype.exe |

"{BDFE357C-7B60-429E-9795-403AD23CAED7}" = dir=in | app=c:\program files\skype\phone\skype.exe |

"{BE27C54B-ED1C-4E94-9069-2B7C96D7B3BE}" = protocol=17 | dir=in | app=c:\program files\pplive\ppva\flvpick.exe |

"{C05443EE-33AA-4049-A66F-3A0D7FA29BC5}" = dir=in | app=c:\program files\skype\phone\skype.exe |

"{C41DFA3D-7DC5-4864-B7D6-DC98C749C48D}" = protocol=17 | dir=in | app=c:\program files\pplive\ppva\ppliveva.exe |

"{D62E0E01-A67E-4845-B223-E38E9BCAB1BC}" = protocol=6 | dir=in | app=c:\program files\pplive\ppva\crashreporter.exe |

"{D9C2593A-EA43-42E2-BC07-A5F7BFFB8C31}" = protocol=17 | dir=in | app=c:\program files\pplive\ppva\crashreporter.exe |

"{E2709A27-A162-408C-9329-B41FEDAF8637}" = dir=in | app=c:\program files\skype\phone\skype.exe |

"{EDEEA52B-E6CA-4ADF-8C03-F02DC381F806}" = protocol=6 | dir=in | app=c:\program files\pplive\ppva\downloadprogress.exe |

"{F003F752-B1B7-49F1-B945-036E4A13C5A2}" = protocol=6 | dir=in | app=c:\program files\pplive\ppva\ppliveva_u.exe |

"{FA5CB484-3802-4548-87D9-FECE9925BB72}" = protocol=6 | dir=in | app=c:\program files\pplive\ppva\ppliveva.exe |

"{FA8D3987-2302-405B-93E3-04DBAC1FDAD8}" = dir=in | app=c:\program files\skype\phone\skype.exe |

"{FDB34CEA-29F3-401E-9535-BD6BDE1BA5AB}" = protocol=17 | dir=in | app=c:\program files\pplive\pptv\ppliveu.exe |

"TCP Query User{063C6D7B-F0AE-445B-BD87-AAA41E41DEA9}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

"TCP Query User{0F8751DA-607F-4D23-B31C-F2E35FFF8257}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

"TCP Query User{16C34FDA-2DE2-4CD0-A973-E28AE5C44FCC}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |

"TCP Query User{21009C15-4120-4371-9768-975F4B6D0F08}C:\program files\common files\pplivenetwork\ppap.exe" = protocol=6 | dir=in | app=c:\program files\common files\pplivenetwork\ppap.exe |

"TCP Query User{2B5C4DE6-6C96-4EBA-900E-5B9F86A59079}C:\users\jjj\appdata\local\temp\java_ee_sdk-5_01-windows.exe2\package\jre\bin\javaw.exe" = protocol=6 | dir=in | app=c:\users\jjj\appdata\local\temp\java_ee_sdk-5_01-windows.exe2\package\jre\bin\javaw.exe |

"TCP Query User{2BCA195D-65B0-465E-8500-CD2761B57D25}C:\program files\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe |

"TCP Query User{49AF4750-1203-4CD7-9CFF-9B3F250AFBE2}C:\windows\system32\javaw.exe" = protocol=6 | dir=in | app=c:\windows\system32\javaw.exe |

"TCP Query User{69E48AC0-CAFD-4802-9ED7-532C2A5987B0}C:\program files\tencent\qqintl\bin\qq.exe" = protocol=6 | dir=in | app=c:\program files\tencent\qqintl\bin\qq.exe |

"TCP Query User{97228861-97A0-4CBD-82D7-58259FA07933}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe |

"TCP Query User{C2FDC152-46E2-4AD9-949C-CAB16AC6B5E3}C:\program files\ppstream\ppstream.exe" = protocol=6 | dir=in | app=c:\program files\ppstream\ppstream.exe |

"TCP Query User{FFB021B8-CCE4-4243-95EA-7A6D90E6E0F3}C:\windows\system32\javaw.exe" = protocol=6 | dir=in | app=c:\windows\system32\javaw.exe |

"UDP Query User{22734AC8-E8CA-4F56-8FA4-3648AD1A9B21}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe |

"UDP Query User{388BF8E8-94FD-48AE-9B8C-2E4F6EDECB0C}C:\program files\ppstream\ppstream.exe" = protocol=17 | dir=in | app=c:\program files\ppstream\ppstream.exe |

"UDP Query User{410EE4AB-4918-4146-9EEA-8B4394EC6F12}C:\program files\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe |

"UDP Query User{53825AAF-76BE-4372-9AD8-8D241795F70B}C:\windows\system32\javaw.exe" = protocol=17 | dir=in | app=c:\windows\system32\javaw.exe |

"UDP Query User{60199AD9-F0D8-40DF-AFAB-5CB52723D6DF}C:\program files\common files\pplivenetwork\ppap.exe" = protocol=17 | dir=in | app=c:\program files\common files\pplivenetwork\ppap.exe |

"UDP Query User{6630B4A1-9C8C-4FB3-814E-8F24880B2E2A}C:\windows\system32\javaw.exe" = protocol=17 | dir=in | app=c:\windows\system32\javaw.exe |

"UDP Query User{6FC505D2-DCC8-4EA7-8DCE-11268A5DAE7C}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

"UDP Query User{D7ACC12E-B863-4F5D-8E31-A6C573426E38}C:\program files\tencent\qqintl\bin\qq.exe" = protocol=17 | dir=in | app=c:\program files\tencent\qqintl\bin\qq.exe |

"UDP Query User{DFB6815E-1F98-4A85-80EC-9930219342AF}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

"UDP Query User{DFBECBD2-EBC1-44AB-8022-33ECAE5012F1}C:\users\jjj\appdata\local\temp\java_ee_sdk-5_01-windows.exe2\package\jre\bin\javaw.exe" = protocol=17 | dir=in | app=c:\users\jjj\appdata\local\temp\java_ee_sdk-5_01-windows.exe2\package\jre\bin\javaw.exe |

"UDP Query User{FEBC11F7-1466-4695-AEB7-43F5376F5811}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0

"{00BA866C-F2A2-4BB9-A308-3DFA695B6F7C}" = Java DB 10.5.3.0

"{0D5D0BEE-FBA9-4928-A50D-6CDFAB827755}" = TOSHIBA ConfigFree

"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP190_series" = Canon MP190 series MP Drivers

"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist

"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java 6 Update 22

"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition

"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup

"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)

"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform

"{32A3A4F4-B792-11D6-A78A-00B0D0160210}" = Java SE Development Kit 6 Update 21

"{3CA54984-A14B-42FE-9FF1-7EA90151D725}" = Tencent QQ

"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0

"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module

"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant

"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis

"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password

"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies

"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)

"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer

"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator

"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center

"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites

"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module

"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2

"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER

"{6DEF11C0-35FF-4160-A543-FDD336C4DAE5}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager

"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components

"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007

"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer

"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components

"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2

"{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}" = Atheros Wi-Fi Protected Setup Library

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2

"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger

"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser

"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator

"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5

"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client

"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1

"{D42FD0CF-F36F-42D5-A12F-CE58397FD78A}" = Telstra Mobile Broadband Manager

"{D62C9F08-473A-4AF4-9453-DAD78F46B5D3}" = Network Recording Player

"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader

"{E04E2407-8114-4170-9100-B243616D8346}" = Minimem

"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series

"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call

"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA

"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package

"5E8F128761A9B07EC2DEC909F167D92DB8B3A348" = Windows Driver Package - Cmotech Modem (12/13/2006 2.0.3.5)

"6A032F4180B5A0E8F4BC27384D0A423B2595A785" = Windows Driver Package - Cmotech Ports (12/13/2006 2.0.3.5)

"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2

"CanonMyPrinter" = Canon My Printer

"CanonSolutionMenu" = Canon Utilities Solution Menu

"CCleaner" = CCleaner (remove only)

"Crawl" = Dungeon Crawl Stone Soup

"DirectVobSub" = DirectVobSub (remove only)

"E7E257830CD4614E7CF1B3792DF19B85FE5E7BE7" = Windows Driver Package - Cmotech (cmusbnet) Net (06/11/2007 2.0.0.9)

"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX

"ffdshow_is1" = ffdshow v1.1.3452 [2010-05-24]

"GLE" = GLE 4.2.2

"GPL Ghostscript 8.71" = GPL Ghostscript 8.71

"GSview 4.9" = GSview 4.9

"HDMI" = Intel® Graphics Media Accelerator Driver

"ICE Book Reader Professional_is1" = ICE Book Reader Professional v8.10.2

"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center

"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package

"IQFeed Client" = IQFeed Client 4.7.2.0

"KLiteCodecPack_is1" = K-Lite Codec Pack 5.1.0 (Basic)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft SQL Server 2005" = Microsoft SQL Server 2005

"Mozilla Firefox 6.0.2 (x86 en-US)" = Mozilla Firefox 6.0.2 (x86 en-US)

"MP Navigator EX 1.2" = Canon MP Navigator EX 1.2

"nbi-nb-base-6.9.0.0.0" = NetBeans IDE 6.9

"NSS" = Norton Security Scan

"Picasa 3" = Picasa 3

"PPLive" = PPTV V2.4.1.0014

"PPLiveVA" = PPLive Video Accelerator(0.6.0.0024)

"PROHYBRIDR" = 2007 Microsoft Office system

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"Telstra Mobile Broadband Manager" = Telstra Mobile Broadband Manager

"TOSHIBA Software Modem" = TOSHIBA Software Modem

"Trader Workstation 4.0" = Trader Workstation 4.0

"TWS Interoperability Components" = TWS Interoperability Components

"Veoh Web Player Beta" = Veoh Web Player

"VLC media player" = VLC media player 1.1.0-rc4

"Windows Grep_is1" = Windows Grep 2.3

"Windows Media Encoder 9" = Windows Media Encoder 9 Series

"WinLiveSuite_Wave3" = Windows Live Essentials

"WinRAR archiver" = WinRAR archiver

"ZLT_is1" = ZLT V3 Build 71

"zMUD" = zMUD 7.21.0.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4184094342-2079622803-2384233876-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"PPLiveVA" = PPLive Video Accelerator

"Trader Workstation" = Trader Workstation

"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 2/05/2011 8:02:52 AM | Computer Name = jjj-lp | Source = WinMgmt | ID = 10

Description =

Error - 3/05/2011 1:58:50 AM | Computer Name = jjj-lp | Source = WinMgmt | ID = 10

Description =

Error - 3/05/2011 9:11:45 PM | Computer Name = jjj-lp | Source = WinMgmt | ID = 10

Description =

Error - 4/05/2011 2:46:43 AM | Computer Name = jjj-lp | Source = WinMgmt | ID = 10

Description =

Error - 5/05/2011 12:23:27 AM | Computer Name = jjj-lp | Source = WinMgmt | ID = 10

Description =

Error - 6/05/2011 12:31:48 AM | Computer Name = jjj-lp | Source = WinMgmt | ID = 10

Description =

Error - 7/05/2011 8:04:44 AM | Computer Name = jjj-lp | Source = WinMgmt | ID = 10

Description =

Error - 7/05/2011 10:47:32 PM | Computer Name = jjj-lp | Source = WinMgmt | ID = 10

Description =

Error - 8/05/2011 1:58:59 AM | Computer Name = jjj-lp | Source = WinMgmt | ID = 10

Description =

Error - 8/05/2011 6:27:53 AM | Computer Name = jjj-lp | Source = WinMgmt | ID = 10

Description =

[ System Events ]

Error - 21/09/2011 11:36:40 AM | Computer Name = jjj-lp | Source = Service Control Manager | ID = 7031

Description =

Error - 21/09/2011 11:36:40 AM | Computer Name = jjj-lp | Source = Service Control Manager | ID = 7031

Description =

Error - 21/09/2011 11:36:40 AM | Computer Name = jjj-lp | Source = Service Control Manager | ID = 7031

Description =

Error - 21/09/2011 11:39:54 AM | Computer Name = jjj-lp | Source = Service Control Manager | ID = 7030

Description =

Error - 21/09/2011 11:42:43 AM | Computer Name = jjj-lp | Source = Service Control Manager | ID = 7030

Description =

Error - 21/09/2011 11:42:57 AM | Computer Name = jjj-lp | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10003

Description =

Error - 21/09/2011 11:42:57 AM | Computer Name = jjj-lp | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10003

Description =

Error - 21/09/2011 11:44:44 AM | Computer Name = jjj-lp | Source = HTTP | ID = 15016

Description =

Error - 21/09/2011 6:45:09 PM | Computer Name = jjj-lp | Source = HTTP | ID = 15016

Description =

Error - 22/09/2011 8:42:06 AM | Computer Name = jjj-lp | Source = HTTP | ID = 15016

Description =

< End of report >

//////////////////////////////////////////////////////////////////////////////////

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-09-23 02:47:48

Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LV01

Running: 6qgohxv5.exe; Driver: C:\Users\jjj\AppData\Local\Temp\uwtdypow.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A359480, 0x3C939, 0xE8000020]

.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A39A900, 0x3CA, 0x48000040]

---- EOF - GMER 1.0.15 ----


Hello wintery,

STEP 1

Your Adobe Reader 8.1.2 is out of date.

Older versions may have vulnerabilities that malware can use to infect your system.

Please download Adobe Reader X to your PC's desktop.

* Uninstall Adobe Reader 8.1.2 via Start => Control Panel => Programs => Uninstall a program

* Install the newly downloaded, updated software.

Note: Google Chrome is prechecked. You may wish to uncheck it before downloading.

Note: Adobe Reader X is a large program and if you prefer a smaller program you can get Foxit Reader 5x instead.

Foxit Reader 5x offers 5 levels of security. Click Me for more information.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java :

  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 27.
  • Click the JDK 6 Update 27 JRE "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u27-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel > Programs, click on Uninstall a program and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u27-windows-i586.exe and select "Run as an Administrator.")

STEP 2

We need to run an OTL Fix

  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the customFix.png textbox. Do not include the word "Code"

    :OTL
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:54222
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:54222
    [2011/07/15 19:27:35 | 000,010,076 | -HS- | M] () -- C:\Users\jjj\AppData\Local\6mo4g56006efwb6i5l720x1hnte0i2d326221w26
    [2011/07/15 19:27:35 | 000,010,076 | -HS- | M] () -- C:\ProgramData\6mo4g56006efwb6i5l720x1hnte0i2d326221w26
    :files
    netsh winsock reset catalog /c
    ipconfig /flushdns /c
    :commands
    [emptyflash]
    [emptytemp]


  3. Push runFixbutton.png
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.
  7. If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  8. Copy/paste the content of the log back here in your next post.

STEP 3

Since you were infected with Rootkit.ZeroAccess we need to scan the system with this special tool:

  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

STEP 4

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the Run ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    7. Now click on Advanced Settings and select the following:

        • Scan for potentially unwanted applications
        • Scan for potentially unsafe applications
        • Enable Anti-Stealth Technology

  4. Push the Start button.

  5. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

  6. When the scan completes, push esetListThreats.png

  7. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

  8. Push the esetBack.png button.

  9. Push esetFinish.png

Let me know if you still have the same issue with your browser. If so please try to start it in Safe Mode.

At the top of the Firefox window on the menu bar, click the Help menu. Go over to the Help menu and select Restart with Add-ons Disabled.... Firefox will start up with the Firefox Safe Mode dialog. Click on Continue In Safe Mode button. Now, when the Firefox browser starts in the safe mode, test whether the problem is fixed or not.

Regards,

Georgi

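Added example (not part of the original post, and not code from OTL or Junction): a small Python triage script for the two findings Georgi's STEP 2 and STEP 3 are built around, the loopback IE proxy (`ProxyServer = http=127.0.0.1:54222`) that the OTL fix resets, and the `junction -s c:\` output in which locked-out security tools and non-stock reparse points show up. The sample log lines are constructed from the ones quoted in this thread; the `S-1-5-21-0-0-0-1000` hive is a placeholder for an ordinary user SID.

```python
r"""Triage helpers for two findings from this thread: the loopback proxy that the
OTL fix resets (ProxyServer = http=127.0.0.1:54222 under HKU\.DEFAULT and
HKU\S-1-5-18) and the `junction -s c:\` output used to hunt ZeroAccess reparse
points. Added example; not part of the original post nor of OTL or Junction.
Sample log lines are constructed from the ones quoted in the thread."""
import re
from ipaddress import ip_address

# ---- 1. OTL "IE - HKU\..." lines: is an enabled proxy pointing at the local host? ----
PROXY_RE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+)\\.*Internet Settings: "(?P<name>Proxy\w+)" = (?P<value>.*)$')

def parse_proxy_settings(lines):
    """Group OTL proxy lines per user hive: {hive: {"ProxyEnable": "1", "ProxyServer": "..."}}."""
    settings = {}
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if m:
            settings.setdefault(m["hive"], {})[m["name"]] = m["value"].strip()
    return settings

def proxy_hosts(value):
    """'http=127.0.0.1:54222;https=...' or a bare 'host:port' -> list of host names."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.split("=", 1)[-1]          # drop the 'http=' scheme prefix, if any
        hosts.append(entry.rsplit(":", 1)[0])    # drop the port
    return hosts

def is_local_proxy(host):
    """True for localhost / 127.x / ::1, i.e. a proxy that can only be a process on this box."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False

def flag_proxy_hijack(settings):
    """Hives where ProxyEnable is 1 and every proxy host is loopback. With no proxy product
    installed, browser traffic is being relayed through some local process, which is how
    the 'random redirects to ads' symptom in the thread is produced."""
    return sorted(hive for hive, s in settings.items()
                  if s.get("ProxyEnable") == "1" and s.get("ProxyServer")
                  and all(is_local_proxy(h) for h in proxy_hosts(s["ProxyServer"])))

# ---- 2. junction -s output: locked-out executables and non-stock reparse points ----
DENIED_RE = re.compile(r'^Failed to open \\\\\?\\(?P<path>.+?): Access is denied\.$')
REPARSE_RE = re.compile(r'^\.*\\\\\?\\(?P<path>.+?): (?P<kind>JUNCTION|SYMBOLIC LINK)$')
SUBST_RE = re.compile(r'^Substitute Name:\s*(?P<target>.+)$')

def parse_junction(lines):
    """Return ('denied', path) and ('reparse', kind, path, target) records in log order."""
    records, pending = [], None
    for raw in lines:
        line = raw.rstrip()
        if m := DENIED_RE.match(line):
            records.append(("denied", m["path"]))
        elif m := REPARSE_RE.match(line):
            pending = (m["kind"], m["path"])       # target follows on the Substitute Name line
        elif pending and (m := SUBST_RE.match(line)):
            records.append(("reparse", pending[0], pending[1], m["target"]))
            pending = None
    return records

def flag_junction(records):
    """Two things a helper acts on: executables under Program Files the scanner cannot even
    open (the ACL lock-out on HiJackThis/mbam seen in the thread), and reparse points that
    are not stock Vista compatibility junctions: $NtUninstallKB...$ names or targets inside
    system32\\config."""
    findings = []
    for rec in records:
        if rec[0] == "denied":
            low = rec[1].lower()
            if low.endswith(".exe") and "\\program files\\" in low:
                findings.append(("locked executable", rec[1]))
        else:
            _, kind, path, target = rec
            if "$ntuninstall" in path.lower() or target.lower().endswith("system32\\config"):
                findings.append((f"suspicious {kind.lower()}", f"{path} -> {target}"))
    return findings

# Constructed sample input, modelled on the lines quoted in the thread.
# The S-1-5-21-0-0-0-1000 hive is a placeholder for an ordinary user SID.
OTL_SAMPLE = r"""
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:54222
IE - HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
""".strip().splitlines()

JUNCTION_SAMPLE = r"""
\\?\c:\\Documents and Settings: JUNCTION
Print Name : E:\Users
Substitute Name: E:\Users
Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Program Files\Trend Micro\HiJackThis\HiJackThis.exe: Access is denied.
Failed to open \\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.
\\?\c:\\Qoobox\Quarantine\C\Windows\$NtUninstallKB15700$\749149131.vir: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config
...\\?\c:\\Users\All Users: SYMBOLIC LINK
Print Name : E:\ProgramData
Substitute Name: \??\E:\ProgramData
""".strip().splitlines()

if __name__ == "__main__":
    for hive in flag_proxy_hijack(parse_proxy_settings(OTL_SAMPLE)):
        print(f"[proxy] loopback proxy enabled under {hive}")
    for what, detail in flag_junction(parse_junction(JUNCTION_SAMPLE)):
        print(f"[junction] {what}: {detail}")
```

Feed the script a real OTL.txt or junction log.txt via `splitlines()` in place of the samples; a stock Vista box produces only the `E:\Users...`-style compatibility junctions and no denied `.exe` under Program Files.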

Hi Georgi and Wintery. I don't mean to hijack your thread, but I just wanted to chime in and say that I have a computer (belongs to a friend of mom's) with the exact same symptoms and am following the progress here. I'll try the same steps, and if the computer still has problems I'll start a new thread to post my own Hijack This log etc. Thanks Georgi very much for your help. Good luck with it Wintery.

Chris


Hi chrismdusa,

The steps are individual for each user. They aren't universal for all.

Following them without a supervisor's assistance could render your PC unbootable.

Please refrain from doing so.

Please open a new topic instead, naming it properly, describing your issues and someone will be happy to assist you. ;)

Regards,

G.


Hello Georgi,

I have installed Foxit Reader 5x and Java as per your links.

Logs for OTL, junction and ESET (it warns that Windows Defender might affect results) are below.

After doing everything, I tried Firefox on YouTube again but it still crashed, even in safe mode with all add-ons disabled. Another thing I noticed was that when I try to open a webpage saved locally on my computer, two thirds of the Firefox window is blackened. Also, when I go to YouTube in IE, there is no problem.

Regards.

LOGS:

All processes killed

========== OTL ==========

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

C:\Users\jjj\AppData\Local\6mo4g56006efwb6i5l720x1hnte0i2d326221w26 moved successfully.

C:\ProgramData\6mo4g56006efwb6i5l720x1hnte0i2d326221w26 moved successfully.

========== FILES ==========

< netsh winsock reset catalog /c >

Sucessfully reset the Winsock Catalog.

You must restart the computer in order to complete the reset.

C:\Users\jjj\Desktop\cmd.bat deleted successfully.

C:\Users\jjj\Desktop\cmd.txt deleted successfully.

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\jjj\Desktop\cmd.bat deleted successfully.

C:\Users\jjj\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: jjj

->Flash cache emptied: 27634 bytes

User: jjjj

User: Public

Total Flash Files Cleaned = 0.00 mb

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Default User

User: jjj

->Temp folder emptied: 21278517 bytes

->Temporary Internet Files folder emptied: 6947288 bytes

->Java cache emptied: 129782188 bytes

->FireFox cache emptied: 56370151 bytes

->Flash cache emptied: 0 bytes

User: jjjj

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->FireFox cache emptied: 3360979 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 2450 bytes

RecycleBin emptied: 1042370 bytes

Total Files Cleaned = 209.00 mb

OTL by OldTimer - Version 3.2.29.1 log created on 09232011_113543

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

////////////////////////////////////////////////////////////////////////////////////////////

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Junction v1.06 - Windows junction creator and reparse point viewer

Copyright © 2000-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION

Print Name : E:\Users

Substitute Name: E:\Users

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\Program Files\hjt\hjt\Trend Micro\HiJackThis\asfsaf.exe: Access is denied.

Failed to open \\?\c:\\Program Files\hjt\hjt\Trend Micro\HiJackThis\HiJackThis.exe: Access is denied.

Failed to open \\?\c:\\Program Files\hjt\Trend Micro\HiJackThis\HiJackThis.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\firefox.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware2\cmo5dq8e2k.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware2\mbam.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware3\cmo5dq8e2k.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware3\mbam.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware4\cmo5dq8e2k.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Mozilla Firefox\plugin-container.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Norton Security Scan\Engine\3.5.2.9\Nss.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Trend Micro\HiJackThis\HiJackThis.exe: Access is denied.

\\?\c:\\ProgramData\Application Data: JUNCTION

Print Name : E:\ProgramData

Substitute Name: E:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION

Print Name : E:\Users\Public\Desktop

Substitute Name: E:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION

Print Name : E:\Users\Public\Documents

Substitute Name: E:\Users\Public\Documents

\\?\c:\\ProgramData\Favorites: JUNCTION

Print Name : E:\Users\Public\Favorites

Substitute Name: E:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION

Print Name : E:\ProgramData\Microsoft\Windows\Start Menu

Substitute Name: E:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION

Print Name : E:\ProgramData\Microsoft\Windows\Templates

Substitute Name: E:\ProgramData\Microsoft\Windows\Templates

Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

\\?\c:\\Qoobox\Quarantine\C\Windows\$NtUninstallKB15700$\749149131.vir: SYMBOLIC LINK

Print Name : c:\windows\system32\config

Substitute Name: \systemroot\system32\config

\\?\c:\\Users\All Users: SYMBOLIC LINK

Print Name : E:\ProgramData

Substitute Name: \??\E:\ProgramData

\\?\c:\\Users\Default User: JUNCTION

Print Name : E:\Users\Default

Substitute Name: E:\Users\Default

\\?\c:\\Users\Default\Application Data: JUNCTION

Print Name : E:\Users\Default\AppData\Roaming

Substitute Name: E:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Cookies: JUNCTION

Print Name : E:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: E:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Default\Local Settings: JUNCTION

Print Name : E:\Users\Default\AppData\Local

Substitute Name: E:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION

Print Name : E:\Users\Default\Documents

Substitute Name: E:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION

Print Name : E:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: E:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION

Print Name : E:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: E:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION

Print Name : E:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: E:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION

Print Name : E:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: E:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION

Print Name : E:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: E:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION

Print Name : E:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: E:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION

Print Name : E:\Users\Default\AppData\Local

Substitute Name: E:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION

Print Name : E:\Users\Default\AppData\Local\Microsoft\Windows\History

Substitute Name: E:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : E:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: E:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Default\Documents\My Music: JUNCTION

Print Name : E:\Users\Default\Music

Substitute Name: E:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION

Print Name : E:\Users\Default\Pictures

Substitute Name: E:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION

Print Name : E:\Users\Default\Videos

Substitute Name: E:\Users\Default\Videos

\\?\c:\\Users\jjj\Application Data: JUNCTION

Print Name : C:\Users\jjj\AppData\Roaming

Substitute Name: C:\Users\jjj\AppData\Roaming

\\?\c:\\Users\jjj\Cookies: JUNCTION

Print Name : C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\jjj\Local Settings: JUNCTION

Print Name : C:\Users\jjj\AppData\Local

Substitute Name: C:\Users\jjj\AppData\Local

\\?\c:\\Users\jjj\My Documents: JUNCTION

Print Name : C:\Users\jjj\Documents

Substitute Name: C:\Users\jjj\Documents

\\?\c:\\Users\jjj\NetHood: JUNCTION

Print Name : C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\jjj\PrintHood: JUNCTION

Print Name : C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\jjj\Recent: JUNCTION

Print Name : C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\jjj\SendTo: JUNCTION

Print Name : C:\Users\jjj\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\jjj\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\jjj\Start Menu: JUNCTION

Print Name : C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\jjj\Templates: JUNCTION

Print Name : C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\jjj\AppData\Roaming\Microsoft\Windows\Templates

...

.\\?\c:\\Users\jjj\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\jjj\AppData\Local

Substitute Name: C:\Users\jjj\AppData\Local

\\?\c:\\Users\jjj\AppData\Local\History: JUNCTION

Print Name : C:\Users\jjj\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\jjj\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\jjj\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\jjj\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\jjj\AppData\Local\Microsoft\Windows\Temporary Internet Files

..

Failed to open \\?\c:\\Users\jjj\AppData\Roaming\PPStream: Access is denied.

...

...

...

Failed to open \\?\c:\\Users\jjj\Desktop\9htykuu4.exe: Access is denied.

...

...

...

...

...

...

..\\?\c:\\Users\jjj\Documents\My Music: JUNCTION

Print Name : C:\Users\jjj\Music

Substitute Name: C:\Users\jjj\Music

\\?\c:\\Users\jjj\Documents\My Pictures: JUNCTION

Print Name : C:\Users\jjj\Pictures

Substitute Name: C:\Users\jjj\Pictures

\\?\c:\\Users\jjj\Documents\My Videos: JUNCTION

Print Name : C:\Users\jjj\Videos

Substitute Name: C:\Users\jjj\Videos

.\\?\c:\\Users\jjjj\Application Data: JUNCTION

Print Name : C:\Users\jjjj\AppData\Roaming

Substitute Name: C:\Users\jjjj\AppData\Roaming

\\?\c:\\Users\jjjj\Cookies: JUNCTION

Print Name : C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\jjjj\Local Settings: JUNCTION

Print Name : C:\Users\jjjj\AppData\Local

Substitute Name: C:\Users\jjjj\AppData\Local

\\?\c:\\Users\jjjj\My Documents: JUNCTION

Print Name : C:\Users\jjjj\Documents

Substitute Name: C:\Users\jjjj\Documents

\\?\c:\\Users\jjjj\NetHood: JUNCTION

Print Name : C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\jjjj\PrintHood: JUNCTION

Print Name : C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\jjjj\Recent: JUNCTION

Print Name : C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\jjjj\SendTo: JUNCTION

Print Name : C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\jjjj\Start Menu: JUNCTION

Print Name : C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\jjjj\Templates: JUNCTION

Print Name : C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\jjjj\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\jjjj\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\jjjj\AppData\Local

Substitute Name: C:\Users\jjjj\AppData\Local

\\?\c:\\Users\jjjj\AppData\Local\History: JUNCTION

Print Name : C:\Users\jjjj\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\jjjj\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\jjjj\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\jjjj\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\jjjj\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\jjjj\Documents\My Music: JUNCTION

Print Name : C:\Users\jjjj\Music

Substitute Name: C:\Users\jjjj\Music

\\?\c:\\Users\jjjj\Documents\My Pictures: JUNCTION

Print Name : C:\Users\jjjj\Pictures

Substitute Name: C:\Users\jjjj\Pictures

\\?\c:\\Users\jjjj\Documents\My Videos: JUNCTION

Print Name : C:\Users\jjjj\Videos

Substitute Name: C:\Users\jjjj\Videos

\\?\c:\\Users\Public\Documents\My Music: JUNCTION

Print Name : E:\Users\Public\Music

Substitute Name: E:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION

Print Name : E:\Users\Public\Pictures

Substitute Name: E:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION

Print Name : E:\Users\Public\Videos

Substitute Name: E:\Users\Public\Videos

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

///////////////////////////////////////////////////////////////////////////////////

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

C:\ACH\Zmud721Crack.exe a variant of Win32/HackTool.Patcher.A application

C:\Qoobox\Quarantine\[4]-Submit_2011-09-22_01.36.38.zip Win32/Spy.Zbot.YW trojan

C:\Qoobox\Quarantine\C\Users\jjj\AppData\Roaming\dwm.exe.vir a variant of Win32/Kryptik.SZU trojan

C:\Qoobox\Quarantine\C\Users\jjj\AppData\Roaming\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.SYW trojan

C:\Qoobox\Quarantine\C\Users\jjj\AppData\Roaming\OpenCloud Security\csrss.exe.vir a variant of Win32/Kryptik.TBB trojan

C:\Qoobox\Quarantine\C\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.SYW trojan

C:\TDSSKiller_Quarantine\20.09.2011_18.59.20\susp0000\svc0000\tsk0000.dta a variant of Win32/Sirefef.CR trojan

C:\Users\jjj\Desktop\ACH stuff\zmud and acropolis essentials\zMUD 7.21 + crack\Zmud721Crack.exe a variant of Win32/HackTool.Patcher.A application

C:\Users\jjj\Videos\Veoh\VeohWebPlayerSetup_upgrade_eng.exe multiple threats

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\59e884ef-5b4ba5ad Java/Agent.DO trojan

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\2c46df1-5577d9c5 a variant of Java/Agent.DO trojan

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\3ba5531-195939ba a variant of Java/Agent.DO trojan


Hello wintery,

After doing everything, I tried firefox on youtube again but it still crashed even when in safe mode with all addons disabled.

I think I found the culprit. :)

STEP 1

Please download GrantPerms.zip and save it to your desktop.

Unzip the file and depending on the system run GrantPerms.exe

Copy and paste the following in the edit box:

c:\Program Files\hjt\hjt\Trend Micro\HiJackThis\asfsaf.exe
c:\Program Files\hjt\hjt\Trend Micro\HiJackThis\HiJackThis.exe
c:\Program Files\hjt\Trend Micro\HiJackThis\HiJackThis.exe
c:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
c:\Program Files\Malwarebytes' Anti-Malware\firefox.exe
c:\Program Files\Malwarebytes' Anti-Malware2\cmo5dq8e2k.exe
c:\Program Files\Malwarebytes' Anti-Malware2\mbam.exe
c:\Program Files\Mozilla Firefox\plugin-container.exe
c:\Program Files\Norton Security Scan\Engine\3.5.2.9\Nss.exe
c:\Users\jjj\Desktop\9htykuu4.exe

Click Unlock. When it is done click "OK".

Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Another thing I noticed was, when I try to open a webpage locally that is saved on my computer, two thirds of the firefox window is blackened.

This is a well known bug within Mozilla. This occurs on my system too. So nothing to worry about.

STEP 2

No wonder your computer was so severely infected. You use a lot of cracks. This is playing with fire though.

Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications.

Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!

We need to run an OTL Fix again

  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :files
    C:\ACH\Zmud721Crack.exe
    C:\Users\jjj\Desktop\ACH stuff\zmud and acropolis essentials\zMUD 7.21 + crack\Zmud721Crack.exe
    C:\Users\jjj\Videos\Veoh\VeohWebPlayerSetup_upgrade_eng.exe
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\59e884ef-5b4ba5ad
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\2c46df1-5577d9c5
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\3ba5531-195939ba
    :commands
    [reboot]


  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.
  7. If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  8. Copy/paste the content of the log back here in your next post.

STEP 3

Run Scan with Malwarebytes - you should be able to do this after the permission has been restored.

I see you have Malwarebytes' Anti-Malware installed on your computer.

Please start the application by double-clicking on its icon.

Once the program has loaded go to the UPDATE tab and check for updates.

When the update is complete, select the Scanner tab

Select Perform quick scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad.

Please save it to a convenient location and post the results in your next reply.

How are things now? Any problems left?

Regards,

Georgi


Hello Georgi!

You nailed it. Firefox is working great now. And I will heed your warning and will surely be more careful from now on. Below are the logs. Do let me know if I need to do more. Hope you're as happy as I am!

LOGS:

GrantPerms by Farbar

Ran by jjj at 2011-09-23 23:58:18

===============================================

\\?\c:\Program Files\hjt\hjt\Trend Micro\HiJackThis\asfsaf.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

S-1-5-32-547 READ ALLOW (NI)

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\hjt\hjt\Trend Micro\HiJackThis\HiJackThis.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

S-1-5-32-547 READ ALLOW (NI)

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\hjt\Trend Micro\HiJackThis\HiJackThis.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

S-1-5-32-547 READ ALLOW (NI)

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

S-1-5-32-547 READ ALLOW (NI)

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\Malwarebytes' Anti-Malware\firefox.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

S-1-5-32-547 READ ALLOW (NI)

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\Malwarebytes' Anti-Malware2\cmo5dq8e2k.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

S-1-5-32-547 READ ALLOW (NI)

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\Malwarebytes' Anti-Malware2\mbam.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

S-1-5-32-547 READ ALLOW (NI)

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\Mozilla Firefox\plugin-container.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

S-1-5-32-547 READ ALLOW (NI)

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\Norton Security Scan\Engine\3.5.2.9\Nss.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

S-1-5-32-547 READ ALLOW (NI)

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Users\jjj\Desktop\9htykuu4.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

S-1-5-32-547 READ ALLOW (NI)

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

//////////////////////////////////////////////////////////////////////

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

========== FILES ==========

C:\ACH\Zmud721Crack.exe moved successfully.

C:\Users\jjj\Desktop\ACH stuff\zmud and acropolis essentials\zMUD 7.21 + crack\Zmud721Crack.exe moved successfully.

C:\Users\jjj\Videos\Veoh\VeohWebPlayerSetup_upgrade_eng.exe moved successfully.

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\59e884ef-5b4ba5ad moved successfully.

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\2c46df1-5577d9c5 moved successfully.

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\3ba5531-195939ba moved successfully.

========== COMMANDS ==========

OTL by OldTimer - Version 3.2.29.1 log created on 09242011_000018

//////////////////////////////////////////////////////////////////////

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7780

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

24/09/2011 12:10:39 AM

mbam-log-2011-09-24 (00-10-39).txt

Scan type: Quick scan

Objects scanned: 187887

Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
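The Perms.txt output above shows that, after the unlock step, every listed binary carries an ALLOW entry giving BUILTIN\Users read/execute, which is what a standard user needs to launch it. The checker below is an added example, not part of GrantPerms or of this thread: it parses records in the Perms.txt layout shown above and flags any file a standard user could not run (a DENY entry, or no execute grant for the standard-user groups). Its first sample record mirrors a healthy entry from the log; the second is a constructed, hypothetical tampered DACL.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the layout GrantPerms writes to Perms.txt (path line,
# "Owner:", "DACL...:", one ACE per line).  The first record mirrors a healthy
# entry from the thread; the second is a hypothetical, made-up record showing
# what a locked-down binary would look like, so the checker has something to flag.
SAMPLE_PERMS = r"""GrantPerms by Farbar
Ran by jjj at 2011-09-23 23:58:18
===============================================
\\?\c:\Program Files\Malwarebytes' Anti-Malware2\mbam.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
S-1-5-32-547 READ ALLOW (NI)
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
\\?\c:\Users\jjj\Desktop\tampered-example.exe
Owner: JJJ-LP\jjj
DACL(P):
Everyone FULL DENY (NI)
BUILTIN\Administrators FULL ALLOW (NI)
"""


@dataclass
class Ace:
    trustee: str
    rights: str      # e.g. FULL, READ, READ/EXECUTE
    kind: str        # ALLOW or DENY
    flags: str = ""  # e.g. NI (not inherited)


@dataclass
class FileEntry:
    path: str
    owner: str = ""
    protected: bool = False  # DACL(P): inheritance from the parent folder is blocked
    aces: List[Ace] = field(default_factory=list)


# "<trustee with spaces> <rights> <ALLOW|DENY> (<flags>)"
ACE_RE = re.compile(
    r"^(?P<trustee>.+?)\s+(?P<rights>\S+)\s+(?P<kind>ALLOW|DENY)"
    r"(?:\s+\((?P<flags>[^)]*)\))?$"
)

# Groups a normal interactive user is a member of; an execute grant to any of
# these is what lets the user launch the file.
STANDARD_USER_PRINCIPALS = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
}


def parse_perms(text: str) -> List[FileEntry]:
    """Split Perms.txt into one FileEntry per "\\?\..." path line."""
    entries: List[FileEntry] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("=", "GrantPerms", "Ran by")):
            continue
        if line.startswith("\\\\?\\"):
            current = FileEntry(path=line)
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Owner:"):
            current.owner = line.split(":", 1)[1].strip()
        elif line.startswith("DACL"):
            current.protected = "(P)" in line
        else:
            m = ACE_RE.match(line)
            if m:
                current.aces.append(
                    Ace(m["trustee"], m["rights"], m["kind"], m["flags"] or "")
                )
    return entries


def audit_entry(entry: FileEntry) -> List[str]:
    """Return problems that would stop a standard user from running the file;
    an empty list means the DACL looks normal."""
    findings: List[str] = []
    # Windows evaluates DENY ACEs before ALLOW ACEs, so a single DENY for a
    # group the user belongs to wins regardless of what else is granted.
    for ace in entry.aces:
        if ace.kind == "DENY":
            findings.append(f"DENY ACE for {ace.trustee} ({ace.rights})")
    grants_execute = any(
        ace.kind == "ALLOW"
        and ace.trustee in STANDARD_USER_PRINCIPALS
        and (ace.rights == "FULL" or "EXECUTE" in ace.rights)
        for ace in entry.aces
    )
    if not grants_execute:
        findings.append("no ALLOW ACE granting execute to standard users")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Map each path in a Perms.txt dump to its list of findings."""
    return {entry.path: audit_entry(entry) for entry in parse_perms(text)}


if __name__ == "__main__":
    for path, problems in audit(SAMPLE_PERMS).items():
        print(path, "->", "OK" if not problems else "; ".join(problems))
```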


Hi wintery,

I am glad I could help. :)

Before I give you my final recommendations, could you please re-run GooredFix as instructed before?

Also please delete your copy of TDSSKiller and download the latest version from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Regards,

Georgi


Hey Georgi,

The scans for gooredfix and tdss went smoothly with no problems, the logs are below:

GooredFix by jpshortstuff (03.07.10.1)

Log created at 11:46 on 24/09/2011 (jjj)

Firefox version 6.0.2 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [12:00 25/02/2009]

{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [19:28 22/07/2010]

{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} [01:30 23/09/2011]

C:\Users\jjj\Application Data\Mozilla\Firefox\Profiles\qcp7pi1i.default\extensions\

searchrecs@veoh.com [15:30 18/05/2010]

{20a82645-c095-46ed-80e3-08825760534b} [18:20 24/06/2010]

{5384767E-00D9-40E9-B72F-9CC39D655D6F} [06:11 21/05/2011]

{e001c731-5e37-4538-a5cb-8168736a2360} [02:26 20/09/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:38 24/02/2009]

---------- Old Logs ----------

GooredFix[22.56.37_21-09-2011].txt

GooredFix[22.57.22_21-09-2011].txt

-=E.O.F=-

////////////////////////////////////////////////////////////////////////////////////////////////

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

11:47:44.0616 3724 TDSS rootkit removing tool 2.6.0.0 Sep 23 2011 07:42:37

11:47:45.0396 3724 ============================================================

11:47:45.0396 3724 Current date / time: 2011/09/24 11:47:45.0396

11:47:45.0396 3724 SystemInfo:

11:47:45.0396 3724

11:47:45.0396 3724 OS Version: 6.0.6001 ServicePack: 1.0

11:47:45.0396 3724 Product type: Workstation

11:47:45.0396 3724 ComputerName: JJJ-LP

11:47:45.0396 3724 UserName: jjj

11:47:45.0396 3724 Windows directory: C:\Windows

11:47:45.0396 3724 System windows directory: C:\Windows

11:47:45.0396 3724 Processor architecture: Intel x86

11:47:45.0396 3724 Number of processors: 1

11:47:45.0396 3724 Page size: 0x1000

11:47:45.0396 3724 Boot type: Normal boot

11:47:45.0396 3724 ============================================================

11:47:45.0864 3724 Initialize success

11:48:14.0927 0780 ============================================================

11:48:14.0927 0780 Scan started

11:48:14.0927 0780 Mode: Manual; SigCheck; TDLFS;

11:48:14.0927 0780 ============================================================


11:48:27.0547 0780 lltdio - ok

11:48:27.0610 0780 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys

11:48:27.0610 0780 LSI_FC - ok

11:48:27.0656 0780 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys

11:48:27.0656 0780 LSI_SAS - ok

11:48:27.0797 0780 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys

11:48:27.0797 0780 LSI_SCSI - ok

11:48:27.0828 0780 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys

11:48:27.0875 0780 luafv - ok

11:48:27.0968 0780 massfilter (6490fe1b088c7199a9b6ce0e04a98a8b) C:\Windows\system32\drivers\massfilter.sys

11:48:27.0984 0780 massfilter - ok

11:48:28.0078 0780 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys

11:48:28.0078 0780 megasas - ok

11:48:28.0124 0780 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys

11:48:28.0171 0780 MegaSR - ok

11:48:28.0327 0780 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys

11:48:28.0358 0780 Modem - ok

11:48:28.0436 0780 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys

11:48:28.0483 0780 monitor - ok

11:48:28.0577 0780 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys

11:48:28.0577 0780 mouclass - ok

11:48:28.0608 0780 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys

11:48:28.0655 0780 mouhid - ok

11:48:28.0717 0780 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys

11:48:28.0733 0780 MountMgr - ok

11:48:28.0811 0780 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys

11:48:28.0826 0780 mpio - ok

11:48:28.0873 0780 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys

11:48:28.0904 0780 mpsdrv - ok

11:48:29.0014 0780 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys

11:48:29.0029 0780 Mraid35x - ok

11:48:29.0076 0780 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys

11:48:29.0138 0780 MRxDAV - ok

11:48:29.0232 0780 mrxsmb (7afc42e60432fd1014f5342f2b1b1f74) C:\Windows\system32\DRIVERS\mrxsmb.sys

11:48:29.0279 0780 mrxsmb - ok

11:48:29.0341 0780 mrxsmb10 (8a75752ae17924f65452746674b14b78) C:\Windows\system32\DRIVERS\mrxsmb10.sys

11:48:29.0357 0780 mrxsmb10 - ok

11:48:29.0450 0780 mrxsmb20 (f4d0f3252e651f02be64984ffa738394) C:\Windows\system32\DRIVERS\mrxsmb20.sys

11:48:29.0482 0780 mrxsmb20 - ok

11:48:29.0591 0780 msahci (f70590424eefbf5c27a40c67afdb8383) C:\Windows\system32\drivers\msahci.sys

11:48:29.0606 0780 msahci - ok

11:48:29.0684 0780 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys

11:48:29.0700 0780 msdsm - ok

11:48:29.0762 0780 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys

11:48:29.0794 0780 Msfs - ok

11:48:29.0903 0780 msisadrv (1e00b9b8601f24a96ad71a7d0fc5f136) C:\Windows\system32\drivers\msisadrv.sys

11:48:29.0918 0780 msisadrv - ok

11:48:30.0043 0780 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys

11:48:30.0074 0780 MSKSSRV - ok

11:48:30.0184 0780 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys

11:48:30.0215 0780 MSPCLOCK - ok

11:48:30.0277 0780 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys

11:48:30.0308 0780 MSPQM - ok

11:48:30.0386 0780 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys

11:48:30.0402 0780 MsRPC - ok

11:48:30.0480 0780 mssmbios (215634cf935b696e3ebca813d02e9165) C:\Windows\system32\DRIVERS\mssmbios.sys

11:48:30.0480 0780 mssmbios - ok

11:48:30.0620 0780 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys

11:48:30.0652 0780 MSTEE - ok

11:48:30.0730 0780 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys

11:48:30.0730 0780 Mup - ok

11:48:30.0886 0780 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys

11:48:30.0932 0780 NativeWifiP - ok

11:48:31.0088 0780 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys

11:48:31.0120 0780 NDIS - ok

11:48:31.0151 0780 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys

11:48:31.0182 0780 NdisTapi - ok

11:48:31.0291 0780 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys

11:48:31.0322 0780 Ndisuio - ok

11:48:31.0385 0780 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys

11:48:31.0416 0780 NdisWan - ok

11:48:31.0525 0780 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys

11:48:31.0556 0780 NDProxy - ok

11:48:31.0588 0780 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys

11:48:31.0619 0780 NetBIOS - ok

11:48:31.0728 0780 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys

11:48:31.0775 0780 netbt - ok

11:48:31.0822 0780 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys

11:48:31.0822 0780 nfrd960 - ok

11:48:31.0915 0780 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys

11:48:31.0946 0780 Npfs - ok

11:48:31.0993 0780 npkcrypt - ok

11:48:32.0024 0780 npkycryp - ok

11:48:32.0087 0780 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys

11:48:32.0118 0780 nsiproxy - ok

11:48:32.0352 0780 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys

11:48:32.0399 0780 Ntfs - ok

11:48:32.0570 0780 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys

11:48:32.0602 0780 ntrigdigi - ok

11:48:32.0617 0780 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys

11:48:32.0695 0780 Null - ok

11:48:32.0726 0780 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys

11:48:32.0742 0780 nvraid - ok

11:48:32.0867 0780 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys

11:48:32.0867 0780 nvstor - ok

11:48:32.0945 0780 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys

11:48:32.0945 0780 nv_agp - ok

11:48:32.0960 0780 NwlnkFlt - ok

11:48:32.0976 0780 NwlnkFwd - ok

11:48:33.0070 0780 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys

11:48:33.0101 0780 ohci1394 - ok

11:48:33.0148 0780 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys

11:48:33.0210 0780 Parport - ok

11:48:33.0319 0780 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys

11:48:33.0319 0780 partmgr - ok

11:48:33.0397 0780 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys

11:48:33.0475 0780 Parvdm - ok

11:48:33.0631 0780 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\Windows\system32\Drivers\PCASp50.sys

11:48:33.0631 0780 PCASp50 - ok

11:48:33.0756 0780 pci (eca39351296d905baa4fa3244c152b00) C:\Windows\system32\drivers\pci.sys

11:48:33.0772 0780 pci - ok

11:48:33.0818 0780 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\DRIVERS\pciide.sys

11:48:33.0834 0780 pciide - ok

11:48:33.0959 0780 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys

11:48:33.0974 0780 pcmcia - ok

11:48:34.0208 0780 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys

11:48:34.0318 0780 PEAUTH - ok

11:48:34.0676 0780 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys

11:48:34.0723 0780 PptpMiniport - ok

11:48:34.0754 0780 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys

11:48:34.0801 0780 Processor - ok

11:48:35.0020 0780 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys

11:48:35.0113 0780 PSched - ok

11:48:35.0285 0780 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys

11:48:35.0332 0780 ql2300 - ok

11:48:35.0488 0780 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys

11:48:35.0503 0780 ql40xx - ok

11:48:35.0550 0780 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys

11:48:35.0566 0780 QWAVEdrv - ok

11:48:35.0597 0780 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys

11:48:35.0628 0780 RasAcd - ok

11:48:35.0675 0780 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys

11:48:35.0737 0780 Rasl2tp - ok

11:48:35.0940 0780 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys

11:48:35.0956 0780 RasPppoe - ok

11:48:36.0002 0780 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys

11:48:36.0018 0780 RasSstp - ok

11:48:36.0065 0780 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys

11:48:36.0143 0780 rdbss - ok

11:48:36.0236 0780 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys

11:48:36.0314 0780 RDPCDD - ok

11:48:36.0361 0780 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys

11:48:36.0392 0780 rdpdr - ok

11:48:36.0408 0780 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys

11:48:36.0455 0780 RDPENCDD - ok

11:48:36.0548 0780 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys

11:48:36.0642 0780 RDPWD - ok

11:48:36.0720 0780 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys

11:48:36.0751 0780 rspndr - ok

11:48:36.0923 0780 RTL8169 (7157e70a90cce49deb8885d23a073a39) C:\Windows\system32\DRIVERS\Rtlh86.sys

11:48:36.0970 0780 RTL8169 - ok

11:48:37.0172 0780 RTSTOR (9ff7d9cf3a5f296613588b0e8db83afe) C:\Windows\system32\drivers\RTSTOR.SYS

11:48:37.0235 0780 RTSTOR - ok

11:48:37.0328 0780 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys

11:48:37.0344 0780 sbp2port - ok

11:48:37.0484 0780 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys

11:48:37.0531 0780 secdrv - ok

11:48:37.0578 0780 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys

11:48:37.0625 0780 Serenum - ok

11:48:37.0734 0780 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys

11:48:37.0843 0780 Serial - ok

11:48:37.0874 0780 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys

11:48:37.0921 0780 sermouse - ok

11:48:38.0077 0780 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys

11:48:38.0093 0780 sffdisk - ok

11:48:38.0186 0780 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys

11:48:38.0264 0780 sffp_mmc - ok

11:48:38.0311 0780 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys

11:48:38.0342 0780 sffp_sd - ok

11:48:38.0358 0780 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys

11:48:38.0420 0780 sfloppy - ok

11:48:38.0576 0780 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys

11:48:38.0576 0780 sisagp - ok

11:48:38.0639 0780 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys

11:48:38.0654 0780 SiSRaid2 - ok

11:48:38.0670 0780 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys

11:48:38.0686 0780 SiSRaid4 - ok

11:48:38.0732 0780 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys

11:48:38.0764 0780 Smb - ok

11:48:38.0951 0780 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys

11:48:38.0951 0780 spldr - ok

11:48:39.0091 0780 srv (9a0163e7fbe59da0591bb1ad77d92e63) C:\Windows\system32\DRIVERS\srv.sys

11:48:40.0402 0780 srv - ok

11:48:40.0573 0780 srv2 (c7da26d2c7d480b1dd38ca19cc90b821) C:\Windows\system32\DRIVERS\srv2.sys

11:48:40.0620 0780 srv2 - ok

11:48:40.0698 0780 srvnet (f9c65e1e00a6bbf7c57d9b8ea068c525) C:\Windows\system32\DRIVERS\srvnet.sys

11:48:40.0729 0780 srvnet - ok

11:48:40.0932 0780 swenum (97e089971a6aba49ad5592bd6298e416) C:\Windows\system32\DRIVERS\swenum.sys

11:48:40.0948 0780 swenum - ok

11:48:40.0994 0780 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys

11:48:40.0994 0780 Symc8xx - ok

11:48:41.0041 0780 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys

11:48:41.0041 0780 Sym_hi - ok

11:48:41.0197 0780 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys

11:48:41.0197 0780 Sym_u3 - ok

11:48:41.0322 0780 SynTP (55f6e55cc2430ca8713387106fa79817) C:\Windows\system32\DRIVERS\SynTP.sys

11:48:41.0322 0780 SynTP - ok

11:48:41.0416 0780 Tcpip (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys

11:48:41.0447 0780 Tcpip - ok

11:48:41.0696 0780 Tcpip6 (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys

11:48:41.0743 0780 Tcpip6 - ok

11:48:41.0899 0780 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys

11:48:41.0977 0780 tcpipreg - ok

11:48:42.0102 0780 tdcmdpst (6fdfba25002ce4bac463ac866ae71405) C:\Windows\system32\DRIVERS\tdcmdpst.sys

11:48:42.0102 0780 tdcmdpst - ok

11:48:42.0274 0780 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys

11:48:42.0352 0780 TDPIPE - ok

11:48:42.0461 0780 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys

11:48:42.0476 0780 TDTCP - ok

11:48:42.0554 0780 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys

11:48:42.0617 0780 tdx - ok

11:48:42.0695 0780 TermDD (718b2f4355cd8eb2844741addac0e622) C:\Windows\system32\DRIVERS\termdd.sys

11:48:42.0710 0780 TermDD - ok

11:48:42.0898 0780 tos_sps32 (4399a9bf7d8f49991a07fd86590a1619) C:\Windows\system32\DRIVERS\tos_sps32.sys

11:48:42.0913 0780 tos_sps32 - ok

11:48:42.0976 0780 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys

11:48:43.0007 0780 tssecsrv - ok

11:48:43.0116 0780 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys

11:48:43.0163 0780 tunmp - ok

11:48:43.0210 0780 tunnel (119b8184e106baedc83fce5ddf3950da) C:\Windows\system32\DRIVERS\tunnel.sys

11:48:43.0241 0780 tunnel - ok

11:48:43.0412 0780 TVALZ (792a8b80f8188aba4b2be271583f3e46) C:\Windows\system32\DRIVERS\TVALZ_O.SYS

11:48:43.0412 0780 TVALZ - ok

11:48:43.0490 0780 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys

11:48:43.0506 0780 uagp35 - ok

11:48:43.0537 0780 udfs (c985b36e127ea9b8a92396120bff52d8) C:\Windows\system32\DRIVERS\udfs.sys

11:48:43.0584 0780 udfs - ok

11:48:43.0849 0780 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys

11:48:43.0849 0780 uliagpkx - ok

11:48:43.0896 0780 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys

11:48:43.0912 0780 uliahci - ok

11:48:44.0192 0780 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys

11:48:44.0208 0780 UlSata - ok

11:48:44.0239 0780 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys

11:48:44.0255 0780 ulsata2 - ok

11:48:44.0302 0780 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys

11:48:44.0380 0780 umbus - ok

11:48:44.0458 0780 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys

11:48:44.0504 0780 usbccgp - ok

11:48:44.0567 0780 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys

11:48:44.0614 0780 usbcir - ok

11:48:44.0754 0780 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys

11:48:44.0801 0780 usbehci - ok

11:48:44.0848 0780 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys

11:48:44.0863 0780 usbhub - ok

11:48:45.0019 0780 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys

11:48:45.0050 0780 usbohci - ok

11:48:45.0128 0780 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys

11:48:45.0175 0780 usbprint - ok

11:48:45.0362 0780 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys

11:48:45.0409 0780 usbscan - ok

11:48:45.0456 0780 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS

11:48:45.0487 0780 USBSTOR - ok

11:48:45.0659 0780 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys

11:48:45.0690 0780 usbuhci - ok

11:48:45.0721 0780 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys

11:48:45.0768 0780 usbvideo - ok

11:48:45.0940 0780 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys

11:48:45.0971 0780 vga - ok

11:48:46.0002 0780 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys

11:48:46.0049 0780 VgaSave - ok

11:48:46.0252 0780 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys

11:48:46.0267 0780 viaagp - ok

11:48:46.0283 0780 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys

11:48:46.0298 0780 ViaC7 - ok

11:48:46.0314 0780 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys

11:48:46.0330 0780 viaide - ok

11:48:46.0361 0780 volmgr (bdd98bbe7323fc0975a26373d8050471) C:\Windows\system32\drivers\volmgr.sys

11:48:46.0376 0780 volmgr - ok

11:48:46.0423 0780 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys

11:48:46.0439 0780 volmgrx - ok

11:48:46.0517 0780 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys

11:48:46.0517 0780 volsnap - ok

11:48:46.0564 0780 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys

11:48:46.0579 0780 vsmraid - ok

11:48:46.0642 0780 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys

11:48:46.0673 0780 WacomPen - ok

11:48:46.0751 0780 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

11:48:46.0782 0780 Wanarp - ok

11:48:46.0829 0780 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

11:48:46.0844 0780 Wanarpv6 - ok

11:48:46.0969 0780 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys

11:48:46.0985 0780 Wd - ok

11:48:47.0188 0780 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys

11:48:47.0219 0780 Wdf01000 - ok

11:48:47.0531 0780 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys

11:48:47.0546 0780 WmiAcpi - ok

11:48:47.0718 0780 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys

11:48:47.0765 0780 ws2ifsl - ok

11:48:47.0874 0780 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys

11:48:47.0890 0780 WUDFRd - ok

11:48:48.0139 0780 ZTEusbmdm6k (508d4d5fcf20693a5373d8bd2e2b65f2) C:\Windows\system32\DRIVERS\ZTEusbmdm6k.sys

11:48:48.0186 0780 ZTEusbmdm6k - ok

11:48:48.0248 0780 ZTEusbnet (453a60f8dc22fc296bc482cbf3eff213) C:\Windows\system32\DRIVERS\ZTEusbnet.sys

11:48:48.0280 0780 ZTEusbnet - ok

11:48:48.0451 0780 ZTEusbnmea (508d4d5fcf20693a5373d8bd2e2b65f2) C:\Windows\system32\DRIVERS\ZTEusbnmea.sys

11:48:48.0467 0780 ZTEusbnmea - ok

11:48:48.0576 0780 ZTEusbser6k (508d4d5fcf20693a5373d8bd2e2b65f2) C:\Windows\system32\DRIVERS\ZTEusbser6k.sys

11:48:48.0576 0780 ZTEusbser6k - ok

11:48:48.0623 0780 MBR (0x1B8) (5b5e648d12fcadc244c1ec30318e1eb9) \Device\Harddisk0\DR0

11:48:48.0670 0780 \Device\Harddisk0\DR0 ( TDSS File System ) - warning

11:48:48.0670 0780 \Device\Harddisk0\DR0 - detected TDSS File System (1)

11:48:48.0685 0780 Boot (0x1200) (4e5ffc1a59db61cf118a24356d6df448) \Device\Harddisk0\DR0\Partition0

11:48:48.0685 0780 \Device\Harddisk0\DR0\Partition0 - ok

11:48:48.0685 0780 ============================================================

11:48:48.0685 0780 Scan finished

11:48:48.0685 0780 ============================================================

11:48:48.0701 3788 Detected object count: 1

11:48:48.0701 3788 Actual detected object count: 1

11:49:04.0160 3788 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

11:49:04.0160 3788 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

11:49:54.0658 3448 Deinitialize success

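A triage helper for logs in the TDSSKiller layout posted above, added here as an example (it is not part of the post or of Kaspersky's tool): it separates the "- ok" entries from warnings and detections, records which action the user chose, cross-checks the tool's own "Detected object count" against the detection lines, and lists anything left unresolved, which for this log is the skipped TDSS File System on \Device\Harddisk0\DR0. The sample lines inside it are constructed from entries in the log above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample in the TDSSKiller log layout shown above: a normal driver
# entry, the MBR/boot records, the detection, the totals and the user's choice.
SAMPLE_LOG = r"""
11:48:47.0874 0780 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
11:48:47.0890 0780 WUDFRd - ok
11:48:48.0623 0780 MBR (0x1B8) (5b5e648d12fcadc244c1ec30318e1eb9) \Device\Harddisk0\DR0
11:48:48.0670 0780 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
11:48:48.0670 0780 \Device\Harddisk0\DR0 - detected TDSS File System (1)
11:48:48.0685 0780 Boot (0x1200) (4e5ffc1a59db61cf118a24356d6df448) \Device\Harddisk0\DR0\Partition0
11:48:48.0685 0780 \Device\Harddisk0\DR0\Partition0 - ok
11:48:48.0685 0780 Scan finished
11:48:48.0701 3788 Detected object count: 1
11:48:48.0701 3788 Actual detected object count: 1
11:49:04.0160 3788 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
11:49:04.0160 3788 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
"""

# Every log line is "<time> <thread id> <body>"; the body takes one of a few shapes.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+([0-9A-Fa-f]{4})\s+(.*)$")
COUNT_RE = re.compile(r"^(Actual detected|Detected) object count: (\d+)$")
DETECTED_RE = re.compile(r"^(.+?) - detected (.+?) \((\d+)\)$")
ACTION_RE = re.compile(r"^(.+?) \( (.+?) \) - User select action: (\w+)$")
VERDICT_RE = re.compile(r"^(.+?)(?: \( (.+?) \))? - (ok|warning|skipped by user)$")
OBJECT_RE = re.compile(r"^(.+?) \(([0-9a-f]{32})\) (.+)$")


@dataclass
class Triage:
    hashes: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    ok: Set[str] = field(default_factory=set)
    warnings: Dict[str, str] = field(default_factory=dict)            # object -> verdict text
    detections: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    actions: Dict[str, str] = field(default_factory=dict)             # object -> user action
    detected_count: Optional[int] = None
    actual_count: Optional[int] = None

    def unresolved(self):
        """Detections the tool was not allowed to cure (action Skip, or none logged)."""
        return sorted(o for o in self.detections if self.actions.get(o, "Skip") == "Skip")

    def counts_consistent(self):
        """Cross-check the tool's own totals against the '- detected' lines."""
        return (self.detected_count == len(self.detections)
                and self.actual_count == self.detected_count)


def parse_tdsskiller_log(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, banners and '====' rules carry no verdict
        body = m.group(3)
        if (c := COUNT_RE.match(body)):
            if c.group(1) == "Detected":
                t.detected_count = int(c.group(2))
            else:
                t.actual_count = int(c.group(2))
        elif (d := DETECTED_RE.match(body)):
            t.detections[d.group(1)] = (d.group(2), int(d.group(3)))
        elif (a := ACTION_RE.match(body)):
            t.actions[a.group(1)] = a.group(3)
        elif (v := VERDICT_RE.match(body)):
            obj, what, status = v.groups()
            if status == "ok":
                t.ok.add(obj)
            elif status == "warning":
                t.warnings[obj] = what
            else:
                t.actions.setdefault(obj, "Skip")  # "skipped by user"
        elif (o := OBJECT_RE.match(body)):
            t.hashes[o.group(1)] = (o.group(2), o.group(3))
    return t


def summarize(text: str) -> dict:
    """One-glance triage: what was scanned, what was flagged, what is still open."""
    t = parse_tdsskiller_log(text)
    return {
        "scanned": len(t.hashes),
        "ok": len(t.ok),
        "detections": {obj: what for obj, (what, _) in t.detections.items()},
        "unresolved": t.unresolved(),
        "counts_consistent": t.counts_consistent(),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding the complete log into `summarize` gives the same one detection and one unresolved object, so a helper reviewing the thread can see at a glance that the TDSS File System entry was skipped rather than cured.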

Hi wintery, :)

I am sorry for the delayed response.

I had some personal issues to resolve.

11:48:48.0701 3788 Detected object count: 1

11:48:48.0701 3788 Actual detected object count: 1

11:49:04.0160 3788 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

11:49:04.0160 3788 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

After removing the active TDSS infection, its file system poses no threat.

Knowing Kaspersky I would tend to believe they wouldn't have added this option if it wasn't reasonably safe. However, it is a file system, so pretty advanced and things can go wrong, so I am going to skip that part.

Nicely done!

I have some final words for you.

All Clean! :D

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.

STEP 1 CLEANUP

1. Uninstall Combofix - The following will implement some cleanup procedures as well as reset System Restore points:

  • Right-click on the Windows "Start" button.
  • Click "Properties."
  • Click "Customize" on the "Taskbar and Start Menu Properties" screen.
  • Place a check mark next to "Run" command on the list of options.
  • Click "OK."
  • Click the Windows logo to open the Start menu. The "Run" command is now present and can be clicked to open a "Run" dialog.
  • Click Start > Run and copy/paste the following bolded text into the Run box and click OK => ComboFix /Uninstall and hit Enter


2. To remove all of the tools we used and the files and folders they created, please do the following:

Please reopen OTL on your desktop.

In the upper right click CleanUp


This will delete OTL and will clean up after it.

Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

You can uninstall now - ESET Online Scanner v3.

STEP 2 SECURITY ADVICE

Change all your passwords!

Since your computer was infected with a rootkit, for peace of mind I would advise that all your passwords be changed immediately! (just in case).

Keep your antivirus software turned on and up-to-date

  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note:
  • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Install an AntiSpyware Program

An effective scanner that you already have is Malwarebytes Anti-Malware.

Another highly recommended AntiSpyware program is SuperAntiSpyware.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection.

You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.

Be sure to check for and download any definition updates prior to performing a scan.

Get Full Control Over Windows Firewall with one of these applications

Windows Firewall Notifier 1.2.0 or Windows Firewall Control 3.0


Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:

  1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know who is infected with malware that is trying to infect everyone in their address book.
  4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead, when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Visit Microsoft's Windows Update Site Frequently

It is important that you visit Windows Update regularly.

This will ensure your computer always has the latest available security updates installed.

If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.

Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.

You can check these by scanning with Secunia Software Inspector.

Create an image of your system

It is always a good idea to do a backup of all important files just in case something happens to it.

Macrium Reflect is a very good choice that enables you to create an image of your system drive which can be restored in case of problems.

The download link is here => http://www.macrium.com/reflectfree.asp

The tutorials can be found here => http://kb.macrium.com/KnowledgebaseArticle50039.aspx

Be sure to read the tutorial first.

Follow this list and your potential for being infected again will reduce dramatically. ;)

Regards,

Georgi
