Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

A Redirect Virus [Solved]


  • This topic is locked This topic is locked

#1
Ben T

Ben T

    Member

  • Member
  • PipPipPip
  • 128 posts
My friend has a redirect virus on her computer. It won't allow updates, installation of software, or activation of Windows Defender. It redirects some searches, there is sometimes noise in the background like a UTube video playing (music and/or voices), and the cursor shows something is constantly running somewhere on the machine. I can uninstall programs through the Uninstall a Program section though.

It has Hijack This, Trojan Remover, Malwarebytes, and Superantispyware installed on her computer but not operating in real time.

I first ran Malwarebytes and removed all the infected files but then the computer wouldn't run normally so I restored it back to the nearest restore point (4 days ago).
I then ran Superantispyware and removed all the tracing cookies that it found. No change.

Next, I ran OTL with these settings: Minimal Output, Standard Registery-All, and with LOP Check and Purity Check. (see below)
TDSSKiller found Rootkit.Boot.Piharb. The physical drive: \Device\Harddisk0\DRO. I removed it.

The full scan of Malwarebytes was run next. I didn't remove anything. (see below)
Lastly, I ran Superantispyware again. (see below)

OTL Results
OTL Extras logfile created on: 3/21/2012 4:09:48 PM - Run 1
OTL by OldTimer - Version 3.2.39.1 Folder = E:\
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.94 Gb Total Physical Memory | 1.35 Gb Available Physical Memory | 46.10% Memory free
5.87 Gb Paging File | 4.26 Gb Available in Paging File | 72.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.79 Gb Total Space | 199.40 Gb Free Space | 85.66% Space Free | Partition Type: NTFS
Drive E: | 3.73 Gb Total Space | 3.72 Gb Free Space | 99.93% Space Free | Partition Type: FAT32

Computer Name: TRUDY-PC | User Name: Trudy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{0479A0AB-F49E-4768-AA60-90DE026B0E1A}" = HP Photosmart 7510 series Basic Device Software
"{06A1D88C-E102-4527-AF70-29FFD7AF215A}" = Scan
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{097CDB1E-07C9-40F1-9972-F0F9F3A287E4}" = Network
"{0E52A52C-E120-461C-AA1B-21B045BEE842}" = bpd_scan
"{1458BB78-1DC5-4BC0-B9A3-2B644F5A8105}" = DeviceDiscovery
"{150B6201-E9E6-4DFB-960E-CCBD53FBDDED}" = HPProductAssistant
"{16FCDD97-AE09-476B-88CD-261D852BD34C}" = Marketsplash Shortcuts
"{1CAC7A41-583B-4483-9FA5-3E5465AFF8C2}" = Microsoft Default Manager
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java™ 6 Update 26
"{292F0F52-B62D-4E71-921B-89A682402201}" = Toolbox
"{29ED20C9-5E15-4969-9279-25BF3727A3DA}" = iTunes
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{3AE5A1B4-D6AE-48D4-A07F-46A806CD53E6}" = HP Officejet Pro 8500 A910 Basic Device Software
"{3BE02281-FCCF-44BB-8413-AC4A633059EB}" = BPDSoftware
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E901875-0F15-44BA-89DE-94AA41A7F507}" = Clear Cache feature for Internet Explorer
"{5335DADB-34BA-4AE8-A519-648D78498846}" = Skype™ 5.3
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{58D79E62-CFC8-4331-8469-3A1B16E1769C}" = HP Officejet 6500 E709 Series
"{5B025634-7D5B-4B8D-BE2A-7943C1CF2D5D}" = Status
"{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}" = Bing Rewards Client Installer
"{623B8278-8CAD-45C1-B844-58B687C07805}" = Bing Bar Platform
"{68654483-9629-4CF5-88FF-9FB70B3BECDE}" = ProductContext
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{871B2A9D-0F12-44B3-88C1-E0CB10A232E4}" = HP Officejet Pro 8500 A910 Help
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E1CB0F1-67BF-4052-AA23-FA22E94804C1}" = InstallIQ Updater
"{8EE94FD8-5F52-4463-A340-185D16328158}" = WebReg
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{926CC8AE-8414-43DF-8EB4-CF26D9C3C663}" =
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{928B06E4-DDAA-476A-926A-641620326327}" = Microsoft Search Enhancement Pack
"{9294F169-72EE-4D74-AE92-CA25F64B4FF8}" = Fax
"{92A51949-EE4C-466D-AAF0-99E74A49A63F}" = DocMgr
"{99F67894-9486-413F-94E1-8B12B1606EAB}" = BPDSoftware_Ini
"{9B362566-EC1B-4700-BB9C-EC661BDE2175}" = DocProc
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C55C629-6C4F-48A9-8840-C897DF6187ED}" = HP Officejet Pro 8600 Basic Device Software
"{A00B9A50-3090-4CFF-9CDA-82DA0BEDAA21}" = Apple Mobile Device Support
"{A80FA752-C491-4ED9-ABF0-4278563160B2}" = 32 Bit HP CIO Components Installer
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AA787E05-E835-4812-AA3D-4048C8A46587}" = 6500_E709_eDocs
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Toolbars
"{BB3447F6-9553-4AA9-960E-0DB5310C5779}" = GPBaseService2
"{BB558CDC-C7BE-44D0-9260-B810D66702C4}" = 6500_E709n
"{BC5DD87B-0143-4D14-AAE6-97109614DC6B}" = SolutionCenter
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{CA6BCA2F-EDEB-408F-850B-31404BE16A61}" = I.R.I.S. OCR
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CD31E63D-47FD-491C-8117-CF201D0AFAB5}" = TrayApp
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D360FA88-17C8-4F14-B67F-13AAF9607B12}" = MarketResearch
"{F53B432E-BD19-4400-BFA0-2BBD16410F8F}" = 6500_E709_Help
"{FA0FF682-CC70-4C57-93CD-E276F3E7537E}" = BufferChm
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"CCleaner" = CCleaner
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HijackThis" = HijackThis 2.0.2
"HP Document Manager" = HP Document Manager 2.0
"HP Imaging Device Functions" = HP Imaging Device Functions 14.0
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 14.0
"HPExtendedCapabilities" = HP Customer Participation Program 14.0
"HPOCR" = OCR Software by I.R.I.S. 14.0
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"NVIDIA Drivers" = NVIDIA Drivers
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Trojan Remover_is1" = Trojan Remover 6.8.2
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/19/2012 4:58:36 AM | Computer Name = Trudy-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: jvm.dll, version: 20.1.0.2, time stamp:
0x4dc14bf1 Exception code: 0xc0000005 Fault offset: 0x0005e5c2 Faulting process id:
0x3b4 Faulting application start time: 0x01cd05961d4513c0 Faulting application path:
C:\Windows\system32\svchost.exe Faulting module path: C:\PROGRA~1\Java\jre6\bin\client\jvm.dll
Report
Id: b63b52c0-71a1-11e1-90bf-001e6854395c

Error - 3/20/2012 9:05:00 PM | Computer Name = Trudy-PC | Source = Application Hang | ID = 1002
Description = The program SoftwareUpdate.exe version 2.1.3.127 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: b48 Start
Time: 01cd06fa52cf1878 Termination Time: 15 Application Path: C:\Program Files\Apple
Software Update\SoftwareUpdate.exe Report Id:

Error - 3/20/2012 9:53:52 PM | Computer Name = Trudy-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: Flash11e.ocx, version: 11.1.102.55, time
stamp: 0x4eaf89fc Exception code: 0xc0000005 Fault offset: 0x001b10cc Faulting process
id: 0x3d0 Faulting application start time: 0x01cd06f8d9303660 Faulting application
path: C:\Windows\system32\svchost.exe Faulting module path: C:\Windows\system32\Macromed\Flash\Flash11e.ocx
Report
Id: b4f8d024-72f8-11e1-991e-001e6854395c

Error - 3/20/2012 11:15:13 PM | Computer Name = Trudy-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: Flash11e.ocx, version: 11.1.102.55, time
stamp: 0x4eaf89fc Exception code: 0xc0000005 Fault offset: 0x001b10d5 Faulting process
id: 0x1fb8 Faulting application start time: 0x01cd0705e55fc664 Faulting application
path: C:\Windows\system32\svchost.exe Faulting module path: C:\Windows\system32\Macromed\Flash\Flash11e.ocx
Report
Id: 123e8868-7304-11e1-991e-001e6854395c

Error - 3/20/2012 11:39:07 PM | Computer Name = Trudy-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: MSHTML.dll, version: 9.0.8112.16430, time
stamp: 0x4db210c4 Exception code: 0xc0000005 Fault offset: 0x001d9792 Faulting process
id: 0x1644 Faulting application start time: 0x01cd0711197e6e18 Faulting application
path: C:\Windows\system32\svchost.exe Faulting module path: C:\Windows\system32\MSHTML.dll
Report
Id: 690eee28-7307-11e1-991e-001e6854395c

Error - 3/21/2012 12:27:18 AM | Computer Name = Trudy-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: jvm.dll, version: 20.1.0.2, time stamp:
0x4dc14bf1 Exception code: 0xc0000005 Fault offset: 0x0005e5c2 Faulting process id:
0xe30 Faulting application start time: 0x01cd0714454781f8 Faulting application path:
C:\Windows\system32\svchost.exe Faulting module path: C:\PROGRA~1\Java\jre6\bin\client\jvm.dll
Report
Id: 241f5c88-730e-11e1-991e-001e6854395c

Error - 3/21/2012 3:47:15 AM | Computer Name = Trudy-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x25706800 Faulting process id: 0x1820 Faulting application
start time: 0x01cd071b7e9e7248 Faulting application path: C:\Windows\system32\svchost.exe
Faulting
module path: unknown Report Id: 135d6108-732a-11e1-991e-001e6854395c

Error - 3/21/2012 4:39:02 AM | Computer Name = Trudy-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x75436b2d Faulting process id: 0x1520 Faulting application
start time: 0x01cd07372d7f7968 Faulting application path: C:\Windows\system32\svchost.exe
Faulting
module path: unknown Report Id: 4ef63aa8-7331-11e1-991e-001e6854395c

Error - 3/21/2012 7:07:32 AM | Computer Name = Trudy-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: MSHTML.dll, version: 9.0.8112.16430, time
stamp: 0x4db210c4 Exception code: 0xc0000005 Fault offset: 0x002bfb96 Faulting process
id: 0x3c4 Faulting application start time: 0x01cd074a0f22c660 Faulting application
path: C:\Windows\system32\svchost.exe Faulting module path: C:\Windows\system32\MSHTML.dll
Report
Id: 0e0fe254-7346-11e1-8ec7-001e6854395c

Error - 3/21/2012 7:15:32 AM | Computer Name = Trudy-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x46513843 Faulting process id: 0x1024 Faulting application
start time: 0x01cd075330470294 Faulting application path: C:\Windows\system32\svchost.exe
Faulting
module path: unknown Report Id: 2bbfded4-7347-11e1-8ec7-001e6854395c

[ System Events ]
Error - 11/27/2011 3:11:32 PM | Computer Name = Trudy-PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.

Error - 11/27/2011 3:25:24 PM | Computer Name = Trudy-PC | Source = Microsoft-Windows-WHEA-Logger | ID = 18
Description = A fatal hardware error has occurred. Reported by component: Processor
Core Error Source: 3 Error Type: 256 Processor ID: 1 The details view of this entry
contains further information.

Error - 11/27/2011 3:25:24 PM | Computer Name = Trudy-PC | Source = Microsoft-Windows-WHEA-Logger | ID = 18
Description = A fatal hardware error has occurred. Reported by component: Processor
Core Error Source: 3 Error Type: 9 Processor ID: 1 The details view of this entry contains
further information.

Error - 11/27/2011 4:09:47 PM | Computer Name = Trudy-PC | Source = Microsoft-Windows-WHEA-Logger | ID = 18
Description = A fatal hardware error has occurred. Reported by component: Processor
Core Error Source: 3 Error Type: 256 Processor ID: 1 The details view of this entry
contains further information.

Error - 11/27/2011 11:32:42 PM | Computer Name = Trudy-PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.

Error - 11/28/2011 8:54:29 PM | Computer Name = Trudy-PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.

Error - 11/29/2011 6:50:30 PM | Computer Name = Trudy-PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.

Error - 11/29/2011 10:55:09 PM | Computer Name = Trudy-PC | Source = Microsoft-Windows-WHEA-Logger | ID = 18
Description = A fatal hardware error has occurred. Reported by component: Processor
Core Error Source: 3 Error Type: 256 Processor ID: 1 The details view of this entry
contains further information.

Error - 11/30/2011 1:42:54 PM | Computer Name = Trudy-PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.

Error - 11/30/2011 8:20:58 PM | Computer Name = Trudy-PC | Source = Microsoft-Windows-WHEA-Logger | ID = 18
Description = A fatal hardware error has occurred. Reported by component: Processor
Core Error Source: 3 Error Type: 256 Processor ID: 1 The details view of this entry
contains further information.


< End of report >

OTL logfile created on: 3/21/2012 4:09:48 PM - Run 1
OTL by OldTimer - Version 3.2.39.1 Folder = E:\
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.94 Gb Total Physical Memory | 1.35 Gb Available Physical Memory | 46.10% Memory free
5.87 Gb Paging File | 4.26 Gb Available in Paging File | 72.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.79 Gb Total Space | 199.40 Gb Free Space | 85.66% Space Free | Partition Type: NTFS
Drive E: | 3.73 Gb Total Space | 3.72 Gb Free Space | 99.93% Space Free | Partition Type: FAT32

Computer Name: TRUDY-PC | User Name: Trudy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Trudy\Librarys\wgesdwx\svchost.exe ()
PRC - E:\OTL.exe (OldTimer Tools)
PRC - C:\ProgramData\grafmore.exe ()
PRC - C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - \\?\C:\Windows\System32\wbem\WMIADAP.EXE ()
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Users\Trudy\Librarys\wgesdwx\svchost.exe ()
MOD - C:\ProgramData\grafmore.exe ()


========== Win32 Services (SafeList) ==========

SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HsfXAudioService) -- C:\Windows\System32\XAudio32.dll (Conexant Systems, Inc.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)


========== Driver Services (SafeList) ==========

DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found
DRV - (tsusbhub) -- system32\drivers\tsusbhub.sys File not found
DRV - (Synth3dVsc) -- System32\drivers\synth3dvsc.sys File not found
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (Serial) -- C:\Windows\System32\drivers\serial.sys (Brother Industries Ltd.)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio32.sys (Conexant Systems, Inc.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (CnxtHdAudService) -- C:\Windows\System32\drivers\CHDRT32.sys (Conexant Systems Inc.)
DRV - (HpqRemHid) -- C:\Windows\System32\drivers\HpqRemHid.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebs...r={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Trudy\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Trudy\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/06/10 10:46:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2012/03/20 18:51:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2012/03/20 18:51:53 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/06/10 10:46:47 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Trudy\AppData\Local\Google\Chrome\Application\16.0.912.77\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Trudy\AppData\Local\Google\Chrome\Application\16.0.912.77\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Trudy\AppData\Local\Google\Chrome\Application\16.0.912.77\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Trudy\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Trudy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.3_0\
CHR - Extension: YouTube = C:\Users\Trudy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Users\Trudy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: Google Search = C:\Users\Trudy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
CHR - Extension: Gmail = C:\Users\Trudy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\
CHR - Extension: Gmail = C:\Users\Trudy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/03/11 12:55:10 | 000,000,882 | RH-- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 94.63.147.16 www.google.com
O1 - Hosts: 94.63.147.17 www.bing.com
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Bing Bar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (@C:\Program Files\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll,-100) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [autocert] C:\ProgramData\autocert.exe ()
O4 - HKLM..\Run: [binenroll] C:\ProgramData\binenroll.exe ()
O4 - HKLM..\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe File not found
O4 - HKLM..\Run: [fmtsrv] C:\Windows\system32\config\systemprofile\AppData\Roaming\fmtsrv.exe File not found
O4 - HKLM..\Run: [grafmore] C:\ProgramData\grafmore.exe ()
O4 - HKLM..\Run: [imigbin] C:\Windows\system32\config\systemprofile\AppData\Roaming\imigbin.exe File not found
O4 - HKLM..\Run: [imigdevice] C:\ProgramData\imigdevice.exe ()
O4 - HKLM..\Run: [mapbin] C:\Windows\system32\config\systemprofile\AppData\Roaming\mapbin.exe File not found
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corporation)
O4 - HKLM..\Run: [mslivemsn] C:\Users\Trudy\Librarys\wgesdwx\svchost.exe ()
O4 - HKLM..\Run: [notifydxp] C:\Users\Trudy\AppData\Roaming\notifydxp.exe ()
O4 - HKCU..\Run: [binenroll] C:\ProgramData\binenroll.exe ()
O4 - HKCU..\Run: [fmtsrv] C:\Users\Trudy\AppData\Roaming\fmtsrv.exe ()
O4 - HKCU..\Run: [Google Update] C:\Users\Trudy\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [grafmore] C:\ProgramData\grafmore.exe ()
O4 - HKCU..\Run: [HP Officejet Pro 8600 (NET)] C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe (Hewlett-Packard Co.)
O4 - HKCU..\Run: [notifydxp] C:\Users\Trudy\AppData\Roaming\notifydxp.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8DCACB2C-4E01-4B1A-B01A-2845E84099DB}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\System32\credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\System32\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\Windows\System32\livessp.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/02/06 08:22:40 | 000,000,016 | -H-- | M] () - E:\AUTORUN.INF -- [ FAT32 ]
O33 - MountPoints2\{0fcf82ff-4c5e-11e1-a415-001e6854395c}\Shell - "" = AutoRun
O33 - MountPoints2\{0fcf82ff-4c5e-11e1-a415-001e6854395c}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{88226f63-739c-11e1-997a-001e6854395c}\Shell - "" = AutoRun
O33 - MountPoints2\{88226f63-739c-11e1-997a-001e6854395c}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/21 15:49:31 | 000,000,000 | ---D | C] -- C:\Users\Trudy\AppData\Roaming\U3
[2012/03/21 03:05:04 | 000,000,000 | ---D | C] -- C:\Users\Trudy\Librarys
[2012/03/20 18:49:38 | 000,527,208 | ---- | C] (Hewlett-Packard Co.) -- C:\Windows\System32\HPDiscoPM5312.dll
[2012/03/20 16:15:15 | 000,000,000 | ---D | C] -- C:\Users\Trudy\AppData\Local\ElevatedDiagnostics
[2012/03/20 14:04:17 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2012/03/20 13:13:58 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar
[2012/03/20 13:13:47 | 000,000,000 | ---D | C] -- C:\Program Files\Bing Bar Installer
[2012/03/08 13:41:00 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[6 C:\Users\Trudy\Documents\*.tmp files -> C:\Users\Trudy\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/21 16:12:03 | 000,627,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/21 16:12:03 | 000,107,366 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/21 15:52:01 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3077647079-1696286186-2504579196-1000UA.job
[2012/03/21 15:10:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/21 14:32:33 | 000,010,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/21 14:32:33 | 000,010,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/21 14:26:42 | 2364,727,296 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/21 03:05:05 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2012/03/21 03:05:05 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2012/03/20 18:49:36 | 000,002,116 | ---- | M] () -- C:\Users\Public\Desktop\HP ePrintCenter - HP Officejet Pro 8500 A910.lnk
[2012/03/20 18:40:11 | 000,001,999 | ---- | M] () -- C:\Users\Trudy\Desktop\HP Officejet Pro 8600 (Network) - Shortcut.lnk
[2012/03/20 18:20:45 | 000,000,136 | ---- | M] () -- C:\Users\Trudy\Desktop\Hearts - Shortcut.lnk
[2012/03/15 23:52:00 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3077647079-1696286186-2504579196-1000Core.job
[2012/03/12 15:40:54 | 000,002,401 | ---- | M] () -- C:\Users\Trudy\Desktop\Google Chrome.lnk
[2012/03/11 13:44:03 | 000,072,728 | ---- | M] () -- C:\ProgramData\autocert.exe
[2012/03/10 17:24:36 | 000,072,216 | ---- | M] () -- C:\ProgramData\imigdevice.exe
[2012/03/10 04:50:36 | 000,050,688 | ---- | M] () -- C:\Windows\System32\sname
[2012/03/09 19:04:18 | 000,072,696 | ---- | M] () -- C:\Users\Trudy\AppData\Roaming\fmtsrv.exe
[2012/03/09 19:04:18 | 000,072,696 | ---- | M] () -- C:\ProgramData\binenroll.exe
[2012/03/08 14:53:11 | 000,066,040 | ---- | M] () -- C:\Users\Trudy\AppData\Roaming\notifydxp.exe
[2012/03/08 14:53:11 | 000,066,040 | ---- | M] () -- C:\ProgramData\grafmore.exe
[2012/03/08 13:41:27 | 000,050,688 | ---- | M] () -- C:\Windows\System32\mdhcp32.dll
[2012/02/23 12:10:30 | 000,857,594 | ---- | M] () -- C:\Users\Trudy\Documents\realdose30dayfatlossfaststart.pdf
[6 C:\Users\Trudy\Documents\*.tmp files -> C:\Users\Trudy\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/21 03:05:05 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2012/03/21 03:05:05 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2012/03/20 18:51:54 | 000,001,338 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Default Manager.lnk
[2012/03/20 18:49:36 | 000,002,116 | ---- | C] () -- C:\Users\Public\Desktop\HP ePrintCenter - HP Officejet Pro 8500 A910.lnk
[2012/03/20 18:40:11 | 000,001,999 | ---- | C] () -- C:\Users\Trudy\Desktop\HP Officejet Pro 8600 (Network) - Shortcut.lnk
[2012/03/20 18:20:45 | 000,000,136 | ---- | C] () -- C:\Users\Trudy\Desktop\Hearts - Shortcut.lnk
[2012/03/11 13:44:03 | 000,072,728 | ---- | C] () -- C:\ProgramData\autocert.exe
[2012/03/10 17:24:36 | 000,072,216 | ---- | C] () -- C:\ProgramData\imigdevice.exe
[2012/03/10 04:50:36 | 000,050,688 | ---- | C] () -- C:\Windows\System32\sname
[2012/03/10 03:38:42 | 000,072,696 | ---- | C] () -- C:\Users\Trudy\AppData\Roaming\fmtsrv.exe
[2012/03/09 19:04:19 | 000,072,696 | ---- | C] () -- C:\ProgramData\binenroll.exe
[2012/03/08 15:03:15 | 000,066,040 | ---- | C] () -- C:\Users\Trudy\AppData\Roaming\notifydxp.exe
[2012/03/08 14:53:11 | 000,066,040 | ---- | C] () -- C:\ProgramData\grafmore.exe
[2012/03/08 13:41:27 | 000,050,688 | ---- | C] () -- C:\Windows\System32\mdhcp32.dll
[2012/02/23 12:10:30 | 000,857,594 | ---- | C] () -- C:\Users\Trudy\Documents\realdose30dayfatlossfaststart.pdf
[2012/02/04 00:43:13 | 000,412,464 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/02/03 14:39:12 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2012/02/03 13:47:44 | 000,709,968 | ---- | C] () -- C:\Windows\is-5GATR.exe
[2012/02/03 13:42:39 | 000,169,928 | ---- | C] () -- C:\Program Files\64res.dll
[2012/02/03 13:39:32 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2012/02/03 13:39:32 | 000,153,088 | ---- | C] () -- C:\Windows\System32\UNRAR3.dll
[2012/02/03 13:39:32 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2012/02/03 13:39:32 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2011/06/10 11:27:54 | 000,002,075 | ---- | C] () -- C:\Windows\hpwmdl23.dat.temp
[2011/06/10 10:41:22 | 000,228,988 | ---- | C] () -- C:\Windows\hpwins23.dat
[2011/06/10 10:41:22 | 000,002,075 | ---- | C] () -- C:\Windows\hpwmdl23.dat
[2011/06/08 16:08:07 | 000,001,732 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2011/06/08 13:56:32 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/06/08 13:55:36 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe

========== LOP Check ==========

[2012/02/03 13:39:15 | 000,000,000 | ---D | M] -- C:\Users\Trudy\AppData\Roaming\Simply Super Software
[2012/03/21 04:16:38 | 000,032,652 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >

Malwarebytes Results)

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.21.07

Windows 7 Service Pack 1 x86 FAT32
Internet Explorer 9.0.8112.16421
Trudy :: TRUDY-PC [administrator]

3/21/2012 4:24:12 PM
mbam-log-2012-03-21 (16-58-05).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 281003
Time elapsed: 33 minute(s), 30 second(s)

Memory Processes Detected: 2
C:\ProgramData\grafmore.exe (Trojan.Agent.UAGen) -> 2044 -> No action taken.
C:\Users\Trudy\Librarys\wgesdwx\svchost.exe (Trojan.Agent) -> 1368 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 9
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|grafmore (Trojan.Agent.UAGen) -> Data: C:\ProgramData\grafmore.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|grafmore (Trojan.Agent.UAGen) -> Data: C:\ProgramData\grafmore.exe -> No action taken.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|grafmore (Trojan.Agent.UAGen) -> Data: C:\ProgramData\grafmore.exe -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|imigdevice (Trojan.Agent.UAGen) -> Data: C:\ProgramData\imigdevice.exe -> No action taken.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|imigdevice (Trojan.Agent.UAGen) -> Data: C:\ProgramData\imigdevice.exe -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|notifydxp (Backdoor.Agent) -> Data: C:\Users\Trudy\AppData\Roaming\notifydxp.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|notifydxp (Backdoor.Agent) -> Data: C:\Users\Trudy\AppData\Roaming\notifydxp.exe -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|mslivemsn (Trojan.Agent) -> Data: C:\Users\Trudy\Librarys\wgesdwx\svchost.exe -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 12
C:\ProgramData\grafmore.exe (Trojan.Agent.UAGen) -> No action taken.
C:\ProgramData\imigdevice.exe (Trojan.Agent.UAGen) -> No action taken.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20120203-123638-870.dll (PUP.MyWebSearch) -> No action taken.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20120203-123638-918.dll (PUP.MyWebSearch) -> No action taken.
C:\TDSSKiller_Quarantine\21.03.2012_16.15.43\mbr0000\tdlfs0000\tsk0005.dta (Rootkit.Agent.Gen) -> No action taken.
C:\Windows\System32\mdhcp32.dll (Spyware.Agent) -> No action taken.
C:\Windows\Temp\64BB.tmp (Rootkit.TDSS) -> No action taken.
C:\Windows\Temp\80E2.tmp (Rootkit.TDSS) -> No action taken.
C:\Windows\Temp\0.4623905156970931 (Exploit.Drop.9) -> No action taken.
C:\Windows\Temp\0.04052764490951222 (Exploit.Drop.9) -> No action taken.
C:\Users\Trudy\AppData\Roaming\notifydxp.exe (Backdoor.Agent) -> No action taken.
C:\Users\Trudy\Librarys\wgesdwx\svchost.exe (Trojan.Agent) -> No action taken.

(end)

Superantispyware Results

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/21/2012 at 05:04 PM

Application Version : 5.0.1146

Core Rules Database Version : 8199
Trace Rules Database Version: 6011

Scan type : Quick Scan
Total Scan Time : 00:03:45

Operating System Information
Windows 7 Ultimate 32-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 605
Memory threats detected : 0
Registry items scanned : 15780
Registry threats detected : 0
File items scanned : 8301
File threats detected : 5

Adware.Tracking Cookie
C:\Users\Trudy\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt [ /apmebf ]
C:\Users\Trudy\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt [ /doubleclick ]
C:\Users\Trudy\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt [ /fastclick ]
C:\USERS\TRUDY\Cookies\[email protected][1].txt [ Cookie:[email protected]/ ]
C:\USERS\TRUDY\Cookies\[email protected][2].txt [ Cookie:[email protected]/ ]
  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there lets give this a quick whirl

Download aswMBR.exe ( 4.1mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image

THEN

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    C:\Users\Trudy\Librarys\wgesdwx\svchost.exe
    C:\ProgramData\grafmore.exe ()
    IE - HKLM\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebs...r={searchTerms}
    O4 - HKLM..\Run: [autocert] C:\ProgramData\autocert.exe ()
    O4 - HKLM..\Run: [binenroll] C:\ProgramData\binenroll.exe ()
    O4 - HKLM..\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe File not found
    O4 - HKLM..\Run: [fmtsrv] C:\Windows\system32\config\systemprofile\AppData\Roaming\fmtsrv.exe File not found
    O4 - HKLM..\Run: [grafmore] C:\ProgramData\grafmore.exe ()
    O4 - HKLM..\Run: [imigbin] C:\Windows\system32\config\systemprofile\AppData\Roaming\imigbin.exe File not found
    O4 - HKLM..\Run: [imigdevice] C:\ProgramData\imigdevice.exe ()
    O4 - HKLM..\Run: [mapbin] C:\Windows\system32\config\systemprofile\AppData\Roaming\mapbin.exe File not found
    O4 - HKLM..\Run: [mslivemsn] C:\Users\Trudy\Librarys\wgesdwx\svchost.exe ()
    O4 - HKLM..\Run: [notifydxp] C:\Users\Trudy\AppData\Roaming\notifydxp.exe ()
    O4 - HKCU..\Run: [binenroll] C:\ProgramData\binenroll.exe ()
    O4 - HKCU..\Run: [fmtsrv] C:\Users\Trudy\AppData\Roaming\fmtsrv.exe ()
    O4 - HKCU..\Run: [Google Update] C:\Users\Trudy\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
    O4 - HKCU..\Run: [grafmore] C:\ProgramData\grafmore.exe ()
    O4 - HKCU..\Run: [notifydxp] C:\Users\Trudy\AppData\Roaming\notifydxp.exe ()
    [2012/03/11 13:44:03 | 000,072,728 | ---- | M] () -- C:\ProgramData\autocert.exe
    [2012/03/10 17:24:36 | 000,072,216 | ---- | M] () -- C:\ProgramData\imigdevice.exe
    [2012/03/10 04:50:36 | 000,050,688 | ---- | M] () -- C:\Windows\System32\sname
    [2012/03/09 19:04:18 | 000,072,696 | ---- | M] () -- C:\Users\Trudy\AppData\Roaming\fmtsrv.exe
    [2012/03/09 19:04:18 | 000,072,696 | ---- | M] () -- C:\ProgramData\binenroll.exe
    [2012/03/08 14:53:11 | 000,066,040 | ---- | M] () -- C:\Users\Trudy\AppData\Roaming\notifydxp.exe
    [2012/03/08 14:53:11 | 000,066,040 | ---- | M] () -- C:\ProgramData\grafmore.exe
    [2012/03/08 13:41:27 | 000,050,688 | ---- | M] () -- C:\Windows\System32\mdhcp32.dll

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0

#3
Ben T

Ben T

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
aswMBR.exe won't run on infected machine. I used a flash drive because it doesn't allow programs to be downloaded from the internet. Do you want me to still run OTL?
  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Yes run OTL and on the infected system

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

Or make a note of the partition names and sizes for me please
  • 0

#5
Ben T

Ben T

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
OTL logfile created on: 3/22/2012 2:15:45 PM - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = E:\
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.94 Gb Total Physical Memory | 2.35 Gb Available Physical Memory | 80.17% Memory free
5.87 Gb Paging File | 5.27 Gb Available in Paging File | 89.70% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.79 Gb Total Space | 200.18 Gb Free Space | 85.99% Space Free | Partition Type: NTFS
Drive E: | 3.73 Gb Total Space | 3.72 Gb Free Space | 99.84% Space Free | Partition Type: FAT32

Computer Name: TRUDY-PC | User Name: Trudy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - E:\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HsfXAudioService) -- C:\Windows\System32\XAudio32.dll (Conexant Systems, Inc.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)


========== Driver Services (SafeList) ==========

DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found
DRV - (tsusbhub) -- system32\drivers\tsusbhub.sys File not found
DRV - (Synth3dVsc) -- System32\drivers\synth3dvsc.sys File not found
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (Serial) -- C:\Windows\System32\drivers\serial.sys (Brother Industries Ltd.)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio32.sys (Conexant Systems, Inc.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (CnxtHdAudService) -- C:\Windows\System32\drivers\CHDRT32.sys (Conexant Systems Inc.)
DRV - (HpqRemHid) -- C:\Windows\System32\drivers\HpqRemHid.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Trudy\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Trudy\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/06/10 10:46:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2012/03/20 18:51:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2012/03/20 18:51:53 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/06/10 10:46:47 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Trudy\AppData\Local\Google\Chrome\Application\17.0.963.79\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Trudy\AppData\Local\Google\Chrome\Application\17.0.963.79\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Trudy\AppData\Local\Google\Chrome\Application\17.0.963.79\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Trudy\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Trudy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.3_0\
CHR - Extension: Google Search = C:\Users\Trudy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
CHR - Extension: Gmail = C:\Users\Trudy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/03/22 14:10:03 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.27.35.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8DCACB2C-4E01-4B1A-B01A-2845E84099DB}: DhcpNameServer = 172.27.35.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/02/06 08:22:40 | 000,000,016 | -H-- | M] () - E:\AUTORUN.INF -- [ FAT32 ]
O33 - MountPoints2\{0fcf82ff-4c5e-11e1-a415-001e6854395c}\Shell - "" = AutoRun
O33 - MountPoints2\{0fcf82ff-4c5e-11e1-a415-001e6854395c}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{88226f63-739c-11e1-997a-001e6854395c}\Shell - "" = AutoRun
O33 - MountPoints2\{88226f63-739c-11e1-997a-001e6854395c}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/21 16:45:04 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2012/03/21 16:20:00 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/03/21 16:15:33 | 000,000,000 | ---D | C] -- C:\Users\Trudy\Documents\tdsskiller
[2012/03/21 15:49:31 | 000,000,000 | ---D | C] -- C:\Users\Trudy\AppData\Roaming\U3
[2012/03/21 03:05:04 | 000,000,000 | ---D | C] -- C:\Users\Trudy\Librarys
[2012/03/20 16:15:15 | 000,000,000 | ---D | C] -- C:\Users\Trudy\AppData\Local\ElevatedDiagnostics
[2012/03/20 14:04:17 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2012/03/20 13:13:58 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar
[2012/03/20 13:13:47 | 000,000,000 | ---D | C] -- C:\Program Files\Bing Bar Installer
[2012/03/08 13:41:00 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[6 C:\Users\Trudy\Documents\*.tmp files -> C:\Users\Trudy\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/22 14:13:28 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/22 14:13:19 | 2364,739,584 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/22 14:12:30 | 000,010,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/22 14:12:30 | 000,010,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/22 14:10:03 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/03/22 13:52:01 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3077647079-1696286186-2504579196-1000UA.job
[2012/03/22 13:47:44 | 000,627,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/22 13:47:44 | 000,107,366 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/21 16:50:05 | 000,007,605 | ---- | M] () -- C:\Users\Trudy\AppData\Local\Resmon.ResmonCfg
[2012/03/21 03:05:05 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2012/03/21 03:05:05 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2012/03/20 18:49:36 | 000,002,116 | ---- | M] () -- C:\Users\Public\Desktop\HP ePrintCenter - HP Officejet Pro 8500 A910.lnk
[2012/03/20 18:40:11 | 000,001,999 | ---- | M] () -- C:\Users\Trudy\Desktop\HP Officejet Pro 8600 (Network) - Shortcut.lnk
[2012/03/20 18:20:45 | 000,000,136 | ---- | M] () -- C:\Users\Trudy\Desktop\Hearts - Shortcut.lnk
[2012/03/15 23:52:00 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3077647079-1696286186-2504579196-1000Core.job
[2012/03/12 15:40:54 | 000,002,401 | ---- | M] () -- C:\Users\Trudy\Desktop\Google Chrome.lnk
[2012/02/23 12:10:30 | 000,857,594 | ---- | M] () -- C:\Users\Trudy\Documents\realdose30dayfatlossfaststart.pdf
[6 C:\Users\Trudy\Documents\*.tmp files -> C:\Users\Trudy\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/21 16:50:05 | 000,007,605 | ---- | C] () -- C:\Users\Trudy\AppData\Local\Resmon.ResmonCfg
[2012/03/21 03:05:05 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2012/03/21 03:05:05 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2012/03/20 18:51:54 | 000,001,338 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Default Manager.lnk
[2012/03/20 18:49:36 | 000,002,116 | ---- | C] () -- C:\Users\Public\Desktop\HP ePrintCenter - HP Officejet Pro 8500 A910.lnk
[2012/03/20 18:40:11 | 000,001,999 | ---- | C] () -- C:\Users\Trudy\Desktop\HP Officejet Pro 8600 (Network) - Shortcut.lnk
[2012/03/20 18:20:45 | 000,000,136 | ---- | C] () -- C:\Users\Trudy\Desktop\Hearts - Shortcut.lnk
[2012/02/23 12:10:30 | 000,857,594 | ---- | C] () -- C:\Users\Trudy\Documents\realdose30dayfatlossfaststart.pdf
[2012/02/04 00:43:13 | 000,412,464 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/02/03 14:39:12 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2012/02/03 13:47:44 | 000,709,968 | ---- | C] () -- C:\Windows\is-5GATR.exe
[2012/02/03 13:42:39 | 000,169,928 | ---- | C] () -- C:\Program Files\64res.dll
[2012/02/03 13:39:32 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2012/02/03 13:39:32 | 000,153,088 | ---- | C] () -- C:\Windows\System32\UNRAR3.dll
[2012/02/03 13:39:32 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2012/02/03 13:39:32 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2011/06/10 11:27:54 | 000,002,075 | ---- | C] () -- C:\Windows\hpwmdl23.dat.temp
[2011/06/10 10:41:22 | 000,228,988 | ---- | C] () -- C:\Windows\hpwins23.dat
[2011/06/10 10:41:22 | 000,002,075 | ---- | C] () -- C:\Windows\hpwmdl23.dat
[2011/06/08 16:08:07 | 000,001,732 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2011/06/08 13:56:32 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/06/08 13:55:36 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe

========== LOP Check ==========

[2012/02/03 13:39:15 | 000,000,000 | ---D | M] -- C:\Users\Trudy\AppData\Roaming\Simply Super Software
[2012/03/21 04:16:38 | 000,032,652 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

Partitions- C: 232.79 GB 200.18 GB free System Reserved: 100 MB 72 MB free
  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you now retry aswMBR please
  • 0

#7
Ben T

Ben T

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-22 14:31:11
-----------------------------
14:31:11.093 OS Version: Windows 6.1.7601 Service Pack 1
14:31:11.093 Number of processors: 2 586 0x6802
14:31:11.093 ComputerName: TRUDY-PC UserName: Trudy
14:31:11.857 Initialize success
14:31:23.707 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
14:31:23.707 Disk 0 Vendor: WDC_WD2500BEVS-60UST0 01.01A01 Size: 238475MB BusType: 3
14:31:23.723 Disk 0 MBR read successfully
14:31:23.739 Disk 0 MBR scan
14:31:23.754 Disk 0 Windows 7 default MBR code
14:31:23.754 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
14:31:23.770 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 238373 MB offset 206848
14:31:23.785 Disk 0 scanning sectors +488394752
14:31:23.863 Disk 0 scanning C:\Windows\system32\drivers
14:31:30.805 Service scanning
14:31:45.579 Modules scanning
14:31:55.110 Disk 0 trace - called modules:
14:31:55.141 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys dxgkrnl.sys nvlddmkm.sys dxgmms1.sys watchdog.sys
14:31:55.141 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85d060f8]
14:31:55.656 3 CLASSPNP.SYS[8af9e59e] -> nt!IofCallDriver -> [0x85830918]
14:31:55.672 5 ACPI.sys[8a9b43d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x858ab908]
14:31:55.687 Scan finished successfully
14:32:15.094 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
14:32:15.109 The log file has been saved successfully to "E:\aswMBR scan.txt"
  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you now update and run Malwarebytes please posting the resultant log

Also how is the computer behaving now ?
  • 0

#9
Ben T

Ben T

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.22.04

Windows 7 Service Pack 1 x86 FAT32
Internet Explorer 9.0.8112.16421
Trudy :: TRUDY-PC [administrator]

3/22/2012 2:53:01 PM
mbam-log-2012-03-22 (15-31-31).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 256656
Time elapsed: 31 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\$Recycle.Bin\S-1-5-21-3077647079-1696286186-2504579196-1000\$RO8GXFQ\backups\backup-20120203-123638-870.dll (PUP.MyWebSearch) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-3077647079-1696286186-2504579196-1000\$RO8GXFQ\backups\backup-20120203-123638-918.dll (PUP.MyWebSearch) -> No action taken.
C:\TDSSKiller_Quarantine\21.03.2012_16.15.43\mbr0000\tdlfs0000\tsk0005.dta (Rootkit.Agent.Gen) -> No action taken.

(end)

Removed 3 malicious items. Computer seems to be running well now.
  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

I can see no evidence of an antivirus - would you like some links to some free ones ?

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • GoStart > All programs > Accessories > system tools
  • Right click Disc cleanup and select run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Posted Image
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:
  • 0

#11
Ben T

Ben T

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
Looks like the computer is running as it should. I installed MSE as an antivirus. Also ran all the software to cleanup machine that you suggested. Thanks for your time and expertise.
  • 0

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP