
Google/Yahoo Redirect, Internet Security virus [Solved]


This topic is locked

#1 kyn (Member, 37 posts)
I don't know what site I or anyone else used to cause this virus. For about a month now, using Google and, most recently, Yahoo has been a pain. I must have clicked something, because a blue screen with a bunch of words pops up. I didn't get a chance to read it, because it closed and restarted the PC on its own. I've used Malwarebytes and the Google redirect removal tip on this site, and nothing. Out of nowhere, this Internet Security icon pops up on the desktop. I used Super Anti Spyware to remove it, but it came back 2 days later... which is today, so I removed it again with Super Anti Spyware... but I'm sure it will be back. I tried to restore it to factory settings, but it asks me for an 'Other User' name and password that I do not have or ever created. I am stuck!

Thank you in advance! OTL and Extras below.


OTL:
OTL logfile created on: 3/22/2012 6:58:28 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = F:\
Windows Vista Home Basic Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16982)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 181.00 Mb Available Physical Memory | 18.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 32.51 Gb Total Space | 7.37 Gb Free Space | 22.68% Space Free | Partition Type: NTFS
Drive D: | 32.26 Gb Total Space | 12.42 Gb Free Space | 38.52% Space Free | Partition Type: NTFS
Drive F: | 1.89 Gb Total Space | 1.31 Gb Free Space | 69.25% Space Free | Partition Type: FAT

Computer Name: STOREY-PC | User Name: Storey | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/18 15:41:06 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/09/10 04:34:25 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/08/11 16:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2011/04/23 17:37:32 | 000,580,608 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2007/04/25 11:35:56 | 000,323,584 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
PRC - [2007/02/09 06:35:54 | 000,397,312 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRAgent.exe


========== Modules (SafeList) ==========

MOD - [2011/04/23 17:37:32 | 000,580,608 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
MOD - [2006/11/02 02:38:57 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/08/11 16:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2007/09/03 14:07:55 | 001,174,152 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2007/09/03 13:09:42 | 000,265,912 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/06/21 18:25:46 | 000,118,464 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe -- (CLSched) CyberLink Task Scheduler (CTS)
SRV - [2007/06/21 18:25:44 | 000,257,736 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe -- (CLCapSvc) CyberLink Background Capture Service (CBCS)
SRV - [2007/06/21 18:24:12 | 001,076,832 | ---- | M] (Cyberlink) [Auto | Stopped] -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service)
SRV - [2007/05/22 15:00:02 | 000,135,168 | ---- | M] (Acer Inc.) [Auto | Stopped] -- C:\Acer\Empowering Technology\eNet\eNet Service.exe -- (eNet Service)
SRV - [2007/05/16 22:15:22 | 000,163,840 | ---- | M] (acer) [Auto | Stopped] -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- (WMIService)
SRV - [2007/05/10 14:05:36 | 000,024,576 | ---- | M] () [Auto | Stopped] -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe -- (eSettingsService)
SRV - [2007/04/25 16:34:30 | 000,457,512 | ---- | M] (HiTRSUT) [Auto | Stopped] -- C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe -- (eDataSecurity Service)
SRV - [2007/03/14 10:52:30 | 000,024,576 | ---- | M] (Acer Inc.) [Auto | Stopped] -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe -- (eLockService)
SRV - [2007/02/13 06:26:50 | 000,053,248 | ---- | M] (Acer Inc.) [Auto | Stopped] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService)
SRV - [2006/11/24 12:57:54 | 000,107,008 | ---- | M] () [Auto | Stopped] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService)
SRV - [2006/11/20 21:44:32 | 000,107,624 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)
SRV - [2006/11/20 21:44:32 | 000,107,624 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2006/11/20 21:44:32 | 000,107,624 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2006/11/20 21:43:42 | 000,046,736 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe -- (SymAppCore)
SRV - [2006/11/20 21:42:52 | 000,049,296 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe -- (comHost)
SRV - [2006/11/20 21:42:12 | 000,080,552 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Norton Internet Security\isPwdSvc.exe -- (ISPwdSvc)


========== Driver Services (SafeList) ==========

DRV - [2012/03/16 18:27:42 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/02/13 01:38:53 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2011/07/22 09:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 14:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2007/09/03 14:09:17 | 000,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/06/18 03:03:32 | 000,737,280 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007/06/13 19:33:26 | 000,154,624 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/01/29 22:23:30 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/12/07 18:12:02 | 000,076,584 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15)
DRV - [2006/11/20 21:45:42 | 000,275,576 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2006/11/20 21:45:42 | 000,245,880 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
DRV - [2006/11/20 21:45:42 | 000,024,184 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2006/11/20 21:45:36 | 000,406,672 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/11/20 21:44:14 | 000,831,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20061106.064\NAVEX15.SYS -- (NAVEX15)
DRV - [2006/11/20 21:44:12 | 000,079,240 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20061106.064\NAVENG.SYS -- (NAVENG)
DRV - [2006/11/20 21:44:10 | 000,387,432 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2006/11/20 21:42:22 | 000,202,872 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\SymcData\idsdefs\20061025.029\IDSvix86.sys -- (IDSvix86)
DRV - [2006/11/02 06:27:36 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Stopped] -- C:\Program Files\Launch Manager\DPortIO.sys -- (DritekPortIO)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SEARCH PAGE = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/18 15:41:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/09/09 14:09:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Storey\AppData\Roaming\Mozilla\Extensions
[2012/03/16 20:05:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Storey\AppData\Roaming\Mozilla\Firefox\Profiles\xlmh055o.default\extensions
[2011/09/09 14:09:20 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
() (No name found) -- C:\USERS\STOREY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XLMH055O.DEFAULT\EXTENSIONS\[email protected]
[2012/03/18 15:41:06 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2012/02/17 14:23:39 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
[2012/02/17 14:23:39 | 000,002,040 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/03/21 21:52:24 | 000,000,884 | RH-- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 87.229.126.54 www.google.com
O1 - Hosts: 87.229.126.55 www.bing.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll (Symantec Corporation)
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\System32\ActiveToolBand.dll (HiTRUST)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST)
O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST)
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe ()
O4 - HKLM..\Run: [Acer Product Registration] C:\Program Files\Acer Registration\ACE1.exe (Leader Technologies)
O4 - HKLM..\Run: [Acer Tour] File not found
O4 - HKLM..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (Acer Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [dplaysvr] File not found
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe (HiTRUST)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe (Symantec Corporation)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [osCheck] C:\Program Files\Norton Internet Security\osCheck.exe (Symantec Corporation)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Acer\Acer Arcade\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SetPanel] File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [4Y3Y0C3A5V0FVFUBOIQWEKBIMO] File not found
O4 - HKCU..\Run: [Acer Tour Reminder] File not found
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [Update] C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\hmlxkn.dll (eMajix.com, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - AppInit_DLLs: (eNetHook.dll) - C:\Windows\System32\eNetHook.dll (acer)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/21 21:16:36 | 000,000,000 | ---D | C] -- C:\Users\Storey\AppData\Roaming\SUPERAntiSpyware.com
[2012/03/21 21:15:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012/03/21 21:13:20 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/03/21 21:13:20 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/03/21 21:09:46 | 015,495,768 | ---- | C] (SUPERAntiSpyware.com) -- C:\Users\Storey\Desktop\SUPERAntiSpyware.exe
[2012/03/19 21:24:29 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/03/19 21:11:32 | 000,000,000 | ---D | C] -- C:\Users\Storey\Desktop\tdsskiller
[2012/03/19 21:10:49 | 000,000,000 | ---D | C] -- C:\Users\Storey\Desktop\GooredFix Backups
[2012/03/19 14:25:32 | 000,000,000 | ---D | C] -- C:\_OTM
[2012/03/19 13:02:39 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012/03/16 21:42:56 | 000,523,264 | ---- | C] (OldTimer Tools) -- C:\Users\Storey\Desktop\OTM.exe
[2012/03/16 21:42:26 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/03/16 21:40:51 | 000,000,000 | ---D | C] -- C:\Users\Storey\Desktop\erunt
[2012/03/16 21:13:45 | 000,000,000 | ---D | C] -- C:\837da32dd9c9cd86454c236e
[2012/03/16 18:27:42 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2012/03/06 16:43:14 | 000,000,000 | ---D | C] -- C:\Users\Storey\Desktop\New Folder
[2011/09/08 10:03:58 | 000,016,384 | ---- | C] ( ) -- C:\Windows\System32\ClearEvent.exe
[2007/09/03 13:38:09 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\Interop.Shell32.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/22 06:57:50 | 000,617,662 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/22 06:57:50 | 000,103,440 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/22 06:42:50 | 000,001,356 | ---- | M] () -- C:\Users\Storey\AppData\Local\d3d9caps.dat
[2012/03/22 06:41:41 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/22 06:32:11 | 129,751,823 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/03/21 22:36:53 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/21 22:36:52 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/21 21:52:24 | 000,000,884 | RH-- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/03/21 21:15:24 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/03/21 21:11:15 | 015,495,768 | ---- | M] (SUPERAntiSpyware.com) -- C:\Users\Storey\Desktop\SUPERAntiSpyware.exe
[2012/03/20 06:47:45 | 000,000,000 | ---- | M] () -- C:\ProgramData\SoPVUcLB1.dat
[2012/03/19 21:07:13 | 002,044,822 | ---- | M] () -- C:\Users\Storey\Desktop\tdsskiller.zip
[2012/03/16 21:43:19 | 000,523,264 | ---- | M] (OldTimer Tools) -- C:\Users\Storey\Desktop\OTM.exe
[2012/03/16 21:40:46 | 000,513,320 | ---- | M] () -- C:\Users\Storey\Desktop\erunt.zip
[2012/03/16 18:27:42 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/21 21:15:23 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/03/20 06:47:45 | 000,000,000 | ---- | C] () -- C:\ProgramData\SoPVUcLB1.dat
[2012/03/19 21:06:53 | 002,044,822 | ---- | C] () -- C:\Users\Storey\Desktop\tdsskiller.zip
[2012/03/19 13:02:03 | 129,751,823 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/03/16 21:39:15 | 000,513,320 | ---- | C] () -- C:\Users\Storey\Desktop\erunt.zip
[2011/12/12 09:52:20 | 000,001,356 | ---- | C] () -- C:\Users\Storey\AppData\Local\d3d9caps.dat
[2011/10/15 17:14:36 | 000,003,584 | ---- | C] () -- C:\Users\Storey\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/08 10:27:46 | 000,000,030 | ---- | C] () -- C:\Windows\SETPANEL.INI
[2011/09/08 10:27:38 | 000,000,092 | ---- | C] () -- C:\Windows\CLEANUP.INI
[2011/09/08 10:03:58 | 000,016,384 | ---- | C] () -- C:\Windows\System32\LauncheRyAgentUser.exe
[2011/09/08 09:59:49 | 000,000,000 | ---- | C] () -- C:\Windows\SETUP.INI
[2007/09/03 14:53:39 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2007/09/03 13:44:52 | 000,065,536 | ---- | C] () -- C:\Windows\System32\NATTraversal.dll
[2007/09/03 13:39:01 | 000,076,584 | ---- | C] () -- C:\Windows\System32\drivers\int15.sys
[2007/09/03 13:39:01 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2007/09/03 13:38:06 | 000,331,776 | ---- | C] () -- C:\Windows\System32\ScrollBarLib.dll
[2007/09/03 12:05:59 | 000,000,115 | ---- | C] () -- C:\Windows\Alaunch.ini
[2007/09/03 12:05:10 | 000,910,720 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/09/03 12:05:10 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2007/09/03 12:05:10 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1280.dll
[2007/04/25 16:33:22 | 000,266,240 | ---- | C] () -- C:\Windows\System32\NotesExtmngr.dll
[2007/04/25 16:32:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\NotesActnMenu.dll
[2007/04/25 16:32:46 | 000,086,016 | ---- | C] () -- C:\Windows\System32\MSNSpook.dll
[2007/04/25 16:31:00 | 000,028,672 | ---- | C] () -- C:\Windows\System32\BatchCrypto.dll
[2007/04/25 16:30:52 | 000,073,728 | ---- | C] () -- C:\Windows\System32\APISlice.dll
[2007/04/25 16:30:44 | 000,063,488 | ---- | C] () -- C:\Windows\System32\ShowErrMsg.dll
[2006/12/25 15:44:48 | 000,022,016 | ---- | C] () -- C:\Windows\System32\MailFormat_U.dll
[2006/11/13 05:50:06 | 000,071,680 | ---- | C] () -- C:\Windows\System32\HTCA_SelfExtract.bin
[2006/11/02 05:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 05:44:53 | 000,231,952 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 03:33:01 | 000,617,662 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 03:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 03:33:01 | 000,103,440 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 03:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 03:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 01:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 01:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 00:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 00:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 00:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2001/12/26 16:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/03 23:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/30 16:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/23 22:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== LOP Check ==========

[2011/09/08 10:08:45 | 000,000,000 | ---D | M] -- C:\Users\Storey\AppData\Roaming\Acer
[2011/09/09 15:50:54 | 000,000,000 | ---D | M] -- C:\Users\Storey\AppData\Roaming\FrostWire
[2011/09/08 10:08:40 | 000,000,000 | ---D | M] -- C:\Users\Storey\AppData\Roaming\Leadertech
[2012/02/12 18:38:33 | 000,000,000 | ---D | M] -- C:\Users\Storey\AppData\Roaming\redsn0w
[2011/09/09 15:27:08 | 000,000,000 | ---D | M] -- C:\Users\Storey\AppData\Roaming\uTorrent
[2012/03/21 22:14:07 | 000,028,138 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

Extras.txt

OTL Extras logfile created on: 3/22/2012 6:58:28 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = F:\
Windows Vista Home Basic Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16982)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 181.00 Mb Available Physical Memory | 18.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 32.51 Gb Total Space | 7.37 Gb Free Space | 22.68% Space Free | Partition Type: NTFS
Drive D: | 32.26 Gb Total Space | 12.42 Gb Free Space | 38.52% Space Free | Partition Type: NTFS
Drive F: | 1.89 Gb Total Space | 1.31 Gb Free Space | 69.25% Space Free | Partition Type: FAT

Computer Name: STOREY-PC | User Name: Storey | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0F828659-4DAB-4822-9943-252CC29ADB5B}" = dir=in | app=c:\program files\acer\acer arcade\pcmservice.exe |
"{53AD4B13-818B-4B87-8363-0057E88EC423}" = protocol=6 | dir=in | app=f:\frostwire\frostwire.exe |
"{55C14A23-9AAD-4F73-A3A8-2A79FBCB81E0}" = protocol=17 | dir=in | app=f:\frostwire\frostwire.exe |
"{6878582E-3701-4E21-90D4-4593E7F10913}" = dir=in | app=c:\program files\acer\acer arcade\kernel\dmp\clbrowserengine.exe |
"{8BA27141-9D2F-4010-8382-A353B5B43E8C}" = dir=in | app=c:\program files\acer\acer arcade\kernel\dms\clmsservice.exe |
"{8FE30D6F-6995-4FEE-A424-3575CCAF2CD3}" = dir=in | app=c:\program files\acer\homemedia\homemedia.exe |
"{B02BC39E-A77B-48C0-BF0E-4325D84CD4E0}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{BD8E64B6-AB60-4D0B-9C84-8028A557EFD9}" = dir=in | app=c:\program files\acer\acer arcade\powercinema.exe |
"{BFE2C213-006B-422E-B884-467C5964241E}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{E4B5F236-1B69-41D5-8CD7-D3C13AD6B268}" = protocol=17 | dir=in | app=f:\frostwire 5\frostwire.exe |
"{F07B1F17-BAEF-4F04-9E11-3E5305DD5F34}" = protocol=6 | dir=in | app=f:\frostwire 5\frostwire.exe |
"{FCE52F62-E454-468F-B846-DDD17F1E5681}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"TCP Query User{B31FA4A5-49F6-4568-8465-795F1A609977}F:\frostwire 5\frostwire.exe" = protocol=6 | dir=in | app=f:\frostwire 5\frostwire.exe |
"UDP Query User{A4E9C675-789C-4462-A634-D96ACEF4F707}F:\frostwire 5\frostwire.exe" = protocol=17 | dir=in | app=f:\frostwire 5\frostwire.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{11316260-6666-467B-AC34-183FCB5D4335}" = Acer Mobility Center Plug-In
"{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}" = Acer eLock Management
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 24
"{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}" = SymNet
"{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}" = ccCommon
"{48185814-A224-447A-81DA-71BD20580E1B}" = Norton Internet Security
"{4843B611-8FCB-4428-8C23-31D0A5EAE164}" = Norton Confidential Browser Component
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management
"{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}" = Norton Internet Security
"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC 32bit
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11170417}" = Luxor 2
"{830D8CBD-C668-49e2-A969-C2C2106332E0}" = Norton AntiVirus
"{94389919-B0AA-4882-9BE8-9F0B004ECA35}" = Acer Tour
"{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}" = Norton Protection Center
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{AEEAE013-92F1-4515-B278-139F1A692A36}" = Acer eDataSecurity Management
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer 3.72
"{B7C61755-DB48-4003-948F-3D34DB8EAF69}" = MSRedist
"{BF839132-BD43-4056-ACBF-4377F4A88E2A}" = Acer ePresentation Management
"{C06554A1-2C1E-4D20-B613-EE62C79927CC}" = Acer eNet Management
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{CE65A9A0-9686-45C6-9098-3C9543A412F0}" = Acer eSettings Management
"{D353CC51-430D-4C6F-9B7E-52003DA1E05A}" = Norton Confidential Web Protection Component
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 Try And Buy
"{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}" = Symantec Real Time Storage Protection Component
"{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}" = Norton Internet Security
"{E5EE9939-259F-4DE2-8023-5C49E16A4F43}" = Norton Internet Security
"{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}" = AppCore
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4DB525F-A986-4249-B98B-42A8066251CA}" = AV
"{F6D6B258-E3CA-4AAC-965A-68D3E3140A8C}" = iTunes
"Acer Assist" = Acer Assist
"Acer Registration" = Acer Registration
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118" = HDAUDIO Soft Data Fax Modem with SmartCP
"GridVista" = Acer GridVista
"HDMI" = Intel® Graphics Media Accelerator Driver
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 11.0 (x86 en-US)" = Mozilla Firefox 11.0 (x86 en-US)
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SymSetup.{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}" = Norton Internet Security (Symantec Corporation)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/20/2012 11:18:50 PM | Computer Name = Storey-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 3/20/2012 11:18:50 PM | Computer Name = Storey-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 7313311

Error - 3/20/2012 11:18:50 PM | Computer Name = Storey-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 7313311

Error - 3/22/2012 12:25:01 AM | Computer Name = Storey-PC | Source = EventSystem | ID = 4609
Description =

Error - 3/22/2012 12:37:00 AM | Computer Name = Storey-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Common
Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe". Dependent Assembly
Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 3/22/2012 12:39:48 AM | Computer Name = Storey-PC | Source = WerSvc | ID = 5007
Description =

Error - 3/22/2012 1:01:31 AM | Computer Name = Storey-PC | Source = System Restore | ID = 8193
Description =

Error - 3/22/2012 1:03:24 AM | Computer Name = Storey-PC | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4549adc4, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549bdc9,
exception code 0xc000071b, fault offset 0x0008ac88, process id 0x440, application
start time 0x01cd07e559aadb31.

Error - 3/22/2012 9:33:43 AM | Computer Name = Storey-PC | Source = EventSystem | ID = 4609
Description =

Error - 3/22/2012 9:42:11 AM | Computer Name = Storey-PC | Source = EventSystem | ID = 4609
Description =

[ System Events ]
Error - 2/22/2012 9:49:02 PM | Computer Name = Storey-PC | Source = DCOM | ID = 10005
Description =

Error - 2/22/2012 9:49:11 PM | Computer Name = Storey-PC | Source = DCOM | ID = 10005
Description =

Error - 2/22/2012 9:49:16 PM | Computer Name = Storey-PC | Source = DCOM | ID = 10005
Description =

Error - 2/22/2012 9:49:16 PM | Computer Name = Storey-PC | Source = DCOM | ID = 10005
Description =

Error - 2/22/2012 10:04:13 PM | Computer Name = Storey-PC | Source = DCOM | ID = 10005
Description =

Error - 2/22/2012 10:04:22 PM | Computer Name = Storey-PC | Source = DCOM | ID = 10005
Description =

Error - 2/22/2012 10:04:27 PM | Computer Name = Storey-PC | Source = DCOM | ID = 10005
Description =

Error - 2/22/2012 10:05:16 PM | Computer Name = Storey-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 2/22/2012 10:05:16 PM | Computer Name = Storey-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 2/22/2012 10:23:52 PM | Computer Name = Storey-PC | Source = DCOM | ID = 10005
Description =


< End of report >

Edited by kyn, 22 March 2012 - 08:31 AM.

#2
maliprog

    Trusted Helper (Malware Removal)

Hello kyn and welcome to my office here at G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you to. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.

Step 1

NOTE: This fix is custom made for this system only and for its current state! Don't try to run it on another system!

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKCU..\Run: [4Y3Y0C3A5V0FVFUBOIQWEKBIMO] File not found
    O4 - HKCU..\Run: [Update] C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\hmlxkn.dll (eMajix.com, Inc.)
    [2012/03/16 21:13:45 | 000,000,000 | ---D | C] -- C:\837da32dd9c9cd86454c236e
    [2012/03/20 06:47:45 | 000,000,000 | ---- | M] () -- C:\ProgramData\SoPVUcLB1.dat

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 2

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 3

Please don't forget to include these items in your reply:

  • OTL fix log
  • GMER log
It would be helpful if you could post each log in a separate post.

#3
kyn
    Member (Topic Starter)

Hello maliprog, thank you so much for your time!

Here is what's happening since my last post: all of my icons have disappeared from the desktop. I click on the 'Start' button, and everything is empty. I was able to download GMER to the desktop, but I cannot locate the C folder.

I ran OTL and in the middle of the scan, an error came up that says:
Cannot create file C:\Windows\System32\drivers\etc\Hosts

At the bottom of the OTL window it says: Resetting HOST file, do not interrupt...

It's been there for a while. (I am posting from another computer)

#4
maliprog
    Trusted Helper (Malware Removal)

Restart your PC and do this set of instructions.

Step 1

We need to disable malware processes on your system first.
  • Download TheKiller to your Desktop.
  • Note that TheKiller is renamed as explorer.exe.
  • Run it by double-clicking it (if running Vista or Windows 7, right-click on it and select "Run as an Administrator").
  • Press the OK button after the program finishes.
  • Do not restart your system after this step.
NOTE: If malware blocks TheKiller from running please try to run it several more times

Step 2

NOTE: This fix is custom made for this system only and for its current state! Don't try to run it on another system!

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKCU..\Run: [4Y3Y0C3A5V0FVFUBOIQWEKBIMO] File not found
    O4 - HKCU..\Run: [Update] C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\hmlxkn.dll (eMajix.com, Inc.)
    [2012/03/16 21:13:45 | 000,000,000 | ---D | C] -- C:\837da32dd9c9cd86454c236e
    [2012/03/20 06:47:45 | 000,000,000 | ---- | M] () -- C:\ProgramData\SoPVUcLB1.dat

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 3

Please download Malwarebytes' Anti-Malware

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 4

Please don't forget to include these items in your reply:

  • OTL fix log
  • Malwarebytes log
It would be helpful if you could post each log in a separate post.

#5
kyn
    Member (Topic Starter)

I ran TheKiller, and it brought my icons back. However, when I run OTL I get the same error message as above. Also, when I try to run Malwarebytes it says:
Run time error 5: Invalid procedure call or argument.

Edited by kyn, 31 March 2012 - 07:54 PM.


#6
maliprog
    Trusted Helper (Malware Removal)

OK. Try this fix instead and let me know the results.

Step 2

NOTE: This fix is custom made for this system only and for its current state! Don't try to run it on another system!

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKCU..\Run: [4Y3Y0C3A5V0FVFUBOIQWEKBIMO] File not found
    O4 - HKCU..\Run: [Update] C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\hmlxkn.dll (eMajix.com, Inc.)
    [2012/03/16 21:13:45 | 000,000,000 | ---D | C] -- C:\837da32dd9c9cd86454c236e
    [2012/03/20 06:47:45 | 000,000,000 | ---- | M] () -- C:\ProgramData\SoPVUcLB1.dat

    :Files
    ipconfig /flushdns /c

    :Commands
    [resethosts]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles


#7
kyn
    Member (Topic Starter)

I get the same error message as before...
When I opened OTL again, this is the text document that popped up:


Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#8
maliprog
    Trusted Helper (Malware Removal)

Hi kyn,

Download Combofix from the link below but rename it to explorer.exe before saving it to your desktop. To do this you must right-click on the link and choose Save as.... Then enter explorer.exe for the name and save it to your desktop.


Combofix

==================================

Double-click on the renamed ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#9
kyn
    Member (Topic Starter)

Hello,

I did not get a Combofix.txt report; instead a little window popped up after it finished that said I had a dangerous virus with a rootkit, and it asked me to reboot. I did, and that is all. The Combofix folder is empty.

#10
maliprog
    Trusted Helper (Malware Removal)

The report should be in C:\ComboFix.txt. Please restart one more time and see if Combofix creates it.

If you can't find the report, please run Combofix again as you did the first time and post the log after the scan. Hopefully this time it will create it.

#11
kyn
    Member (Topic Starter)

After restarting the computer, I noticed the Internet Security icon was back on the desktop; then the computer would just restart itself after 5 minutes. I am only able to use Safe Mode, so I ran ComboFix again and got the same message: 'Rootkit.Zero Access' and something about 'tcp/ic stack'. I was prompted to reboot. I did not locate a log. Actually, when I went to the C drive, ComboFix was not even a folder. It was like a little icon, and when I clicked on it, it just brought me to the other drives.

#12
kyn
    Member (Topic Starter)

Okay, when I go to C:, ComboFix shows up as a folder now. There is a long list of things inside, but no ComboFix.txt.

#13
maliprog
    Trusted Helper (Malware Removal)

Let's try this step instead.

For 32-bit (x86) systems, download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
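Added example, not code from this thread, from FRST or from the helper: a Python triage script for the file lines an FRST.txt lists (the format is visible in kyn's log in the next post). It parses each line, folds the Vista 'All Users' junction onto ProgramData so FRST's duplicate pairs count once, and flags executables dropped with no publisher name into user-writable folders, which is how the rogue Internet Security files appear in that log; the flagging thresholds and the sample lines are constructed assumptions.

```python
"""Triage helper for the file lines of an FRST.txt log (added example, not
FRST's or the helper's code). Flagging rules are this example's own heuristics;
SAMPLE_LOG is constructed to mirror the format of the log posted in this thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One file line: "<created> - <modified> - <size> <attrs> [(Company)] <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]+) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Folders every user can write to: installers rarely drop executables straight
# into them, the rogue "Internet Security" in this thread does.
DROP_ZONE_RE = re.compile(
    r"^c:\\(programdata|users\\public|users\\[^\\]+\\appdata\\(roaming|local))$"
)
# Constructed sample in the posted log's format (junction pairs included).
SAMPLE_LOG = r"""
2012-04-04 22:52 - 2012-04-04 22:52 - 0000000 ___DC C:\FRST
2012-04-04 09:18 - 2012-04-04 09:18 - 0866304 ___AC C:\Users\All Users\isecurity.exe
2012-04-04 09:18 - 2012-04-04 09:18 - 0866304 ___AC C:\ProgramData\isecurity.exe
2012-04-04 05:03 - 2009-04-19 21:56 - 0060416 ___AC (NirSoft) C:\Windows\NIRCMD.exe
2012-03-30 22:04 - 2012-03-30 22:02 - 0316928 ___AC ( ) C:\Users\All Users\JiKJGqSIsOjjAl.exe
2012-03-30 22:04 - 2012-03-30 22:02 - 0316928 ___AC ( ) C:\ProgramData\JiKJGqSIsOjjAl.exe
2012-03-31 07:36 - 2012-03-31 09:53 - 0001579 __AHC C:\Users\Storey\Desktop\firefox - Shortcut (2).lnk
2012-03-30 12:21 - 2011-04-23 17:37 - 0580608 __AHC (OldTimer Tools) C:\Users\Storey\Desktop\OTL.exe
"""

@dataclass
class FrstEntry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]  # None when no publisher name was printed
    path: str

def parse_line(line: str) -> Optional[FrstEntry]:
    """Parse one file line; headers, blanks and other text give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    company = m.group("company")
    # The posted log shows "( )" for the random-named droppers, so an empty
    # publisher is treated the same as a missing one.
    if company is not None:
        company = company.strip() or None
    return FrstEntry(m.group("created"), m.group("modified"), int(m.group("size")),
                     m.group("attrs"), company, m.group("path"))

def normalize_path(path: str) -> str:
    """Lower-case and fold the Vista 'All Users' junction onto ProgramData so
    the duplicate pairs FRST lists for it are counted once."""
    p = path.lower()
    prefix = "c:\\users\\all users\\"
    return "c:\\programdata\\" + p[len(prefix):] if p.startswith(prefix) else p

def case_flips(name: str) -> int:
    """Count upper/lower changes between consecutive letters ("JiKJGq" -> 3)."""
    letters = [c for c in name if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))

def reasons(entry: FrstEntry) -> List[str]:
    """Heuristic tags for one entry; non-executables never get any."""
    norm = normalize_path(entry.path)
    if not norm.endswith(EXEC_EXT):
        return []
    parent = norm.rpartition("\\")[0]
    stem = entry.path.rpartition("\\")[2].rsplit(".", 1)[0]
    tags = []
    if DROP_ZONE_RE.match(parent):
        tags.append("drop-zone")
    if entry.company is None:
        tags.append("no-publisher")
    if case_flips(stem) >= 7:
        tags.append("random-name")
    return tags

def triage(section_text: str) -> Dict[str, List[str]]:
    """Map each suspicious executable (normalized path) to its tags: an entry
    is suspicious in a drop zone, or when two of the weaker signals coincide."""
    flagged: Dict[str, List[str]] = {}
    for line in section_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = reasons(entry)
        if "drop-zone" in tags or len(tags) >= 2:
            flagged.setdefault(normalize_path(entry.path), tags)
    return flagged

if __name__ == "__main__":
    for path, tags in triage(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(tags)}")
```

Feed it the "Created Files and Folders" section of a real FRST.txt and the entries it flags are the ones worth checking first; everything else in the log still needs a human reader.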

#14
kyn
    Member (Topic Starter)

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 14-03-2012
Ran by Storey at 04-04-2012 22:52:32
Running from F:\
(X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

========================== Registry (Whitelisted) =============

HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKLM\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell]

================================ Services (Whitelisted) ==================


========================== Drivers (Whitelisted) =============


========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-04 22:52 - 2012-04-04 22:52 - 0000000 ___DC C:\FRST
2012-04-04 17:02 - 2012-04-04 17:13 - 0000000 __SDC C:\ComboFix
2012-04-04 16:22 - 2008-01-18 22:55 - 0071680 ___AC (Microsoft Corporation) C:\Windows\System32\Drivers\tdx.svs
2012-04-04 09:18 - 2012-04-04 09:18 - 0866304 ___AC C:\Users\All Users\isecurity.exe
2012-04-04 09:18 - 2012-04-04 09:18 - 0866304 ___AC C:\ProgramData\isecurity.exe
2012-04-04 09:18 - 2012-04-04 09:18 - 0000594 ___AC C:\Users\Public\Desktop\Internet Security.lnk
2012-04-04 06:14 - 2011-09-10 04:16 - 0054784 ___AC (Microsoft Corporation) C:\Windows\System32\Drivers\i8042prt.svs
2012-04-04 05:12 - 2008-01-18 22:28 - 0075264 ___AC (Microsoft Corporation) C:\Windows\System32\Drivers\dfsc.svs
2012-04-04 05:03 - 2011-06-25 23:45 - 0256000 ___AC C:\Windows\PEV.exe
2012-04-04 05:03 - 2010-11-07 10:20 - 0208896 ___AC C:\Windows\MBR.exe
2012-04-04 05:03 - 2009-04-19 21:56 - 0060416 ___AC (NirSoft) C:\Windows\NIRCMD.exe
2012-04-04 05:03 - 2000-08-30 17:00 - 0518144 ___AC (SteelWerX) C:\Windows\SWREG.exe
2012-04-04 05:03 - 2000-08-30 17:00 - 0406528 ___AC (SteelWerX) C:\Windows\SWSC.exe
2012-04-04 05:03 - 2000-08-30 17:00 - 0212480 ___AC (SteelWerX) C:\Windows\SWXCACLS.exe
2012-04-04 05:03 - 2000-08-30 17:00 - 0098816 ___AC C:\Windows\sed.exe
2012-04-04 05:03 - 2000-08-30 17:00 - 0080412 ___AC C:\Windows\grep.exe
2012-04-04 05:03 - 2000-08-30 17:00 - 0068096 ___AC C:\Windows\zip.exe
2012-04-04 05:02 - 2012-04-04 05:02 - 0000000 ___DC C:\Qoobox
2012-04-03 11:20 - 2012-04-03 12:27 - 0087552 ___AC (Kaspersky Lab) C:\Windows\clipmmc.dll
2012-03-31 10:04 - 2012-03-30 12:21 - 0000822 __AHC C:\Users\Storey\Desktop\Malwarebytes' Anti-Malware.lnk
2012-03-31 09:53 - 2012-03-31 09:53 - 0000822 ___AC C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
2012-03-31 07:36 - 2012-03-31 09:53 - 0001579 __AHC C:\Users\Storey\Desktop\firefox - Shortcut (2).lnk
2012-03-31 07:20 - 2012-03-31 07:20 - 0000000 RASHC C:\MSDOS.SYS
2012-03-31 07:20 - 2012-03-31 07:20 - 0000000 RASHC C:\IO.SYS
2012-03-30 22:04 - 2012-03-30 22:02 - 0316928 ___AC ( ) C:\Users\All Users\JiKJGqSIsOjjAl.exe
2012-03-30 22:04 - 2012-03-30 22:02 - 0316928 ___AC ( ) C:\ProgramData\JiKJGqSIsOjjAl.exe
2012-03-30 13:08 - 2012-03-30 13:08 - 0000336 __AHC C:\Users\Storey\Desktop\03302012_130532.log
2012-03-30 12:26 - 2012-03-31 10:22 - 0000813 __AHC C:\Users\Storey\Desktop\TheKiller.txt
2012-03-30 12:21 - 2011-04-23 17:37 - 0580608 __AHC (OldTimer Tools) C:\Users\Storey\Desktop\OTL.exe
2012-03-30 12:20 - 2012-04-04 04:55 - 4455902 ___RC (Swearware) C:\Users\Storey\Desktop\ComboFix.exe
2012-03-30 12:20 - 2009-11-20 08:06 - 4045528 __AHC (Malwarebytes Corporation ) C:\Users\Storey\Desktop\mbam-setup.exe
2012-03-30 04:52 - 2012-03-30 04:52 - 0001579 __AHC C:\Users\Storey\Desktop\firefox - Shortcut.lnk
2012-03-29 10:27 - 2012-03-29 10:27 - 0000000 ___DC C:\_OTL
2012-03-28 05:04 - 2012-03-28 05:04 - 0451584 ___AC ( ) C:\Users\All Users\IjtjvlPnQVXOTsL.exe
2012-03-28 05:04 - 2012-03-28 05:04 - 0451584 ___AC ( ) C:\ProgramData\IjtjvlPnQVXOTsL.exe
2012-03-27 04:25 - 2012-04-04 15:47 - 0000000 _ASHC C:\Windows\System32\dds_trash_log.cmd
2012-03-26 22:25 - 2012-03-26 22:21 - 0451072 ___AC C:\Users\All Users\MuhNyVLeVoL.exe
2012-03-26 22:25 - 2012-03-26 22:21 - 0451072 ___AC C:\ProgramData\MuhNyVLeVoL.exe
2012-03-26 22:00 - 2012-03-26 22:00 - 0182788 ___AC C:\Windows\System32\c_7265170.nls
2012-03-26 21:58 - 2012-03-26 21:58 - 0000000 __SHD C:\found.000
2012-03-25 16:46 - 2012-03-25 23:37 - 0000000 __HDC C:\Users\Storey\AppData\Roaming\Remote
2012-03-22 08:14 - 2012-03-22 08:14 - 0090624 ___AC (Kaspersky Lab) C:\Windows\System32\clipmmc.dll
2012-03-22 06:32 - 2012-03-22 06:33 - 0138744 ___AC C:\Windows\Minidump\Mini032212-01.dmp
2012-03-21 21:16 - 2012-03-21 21:16 - 0000000 __HDC C:\Users\Storey\AppData\Roaming\SUPERAntiSpyware.com
2012-03-21 21:13 - 2012-03-21 21:16 - 0000000 ___DC C:\Program Files\SUPERAntiSpyware
2012-03-21 21:13 - 2012-03-21 21:13 - 0000000 __HDC C:\Users\All Users\SUPERAntiSpyware.com
2012-03-21 21:13 - 2012-03-21 21:13 - 0000000 __HDC C:\ProgramData\SUPERAntiSpyware.com
2012-03-21 21:09 - 2012-03-21 21:11 - 15495768 __AHC (SUPERAntiSpyware.com) C:\Users\Storey\Desktop\SUPERAntiSpyware.exe
2012-03-19 21:24 - 2012-03-19 21:24 - 0000000 ___DC C:\TDSSKiller_Quarantine
2012-03-19 21:21 - 2012-03-19 21:24 - 0076348 ___AC C:\TDSSKiller.2.7.20.0_19.03.2012_21.21.24_log.txt
2012-03-19 21:11 - 2012-03-19 21:19 - 0000000 __HDC C:\Users\Storey\Desktop\tdsskiller
2012-03-19 21:10 - 2012-03-19 21:11 - 0001266 __AHC C:\Users\Storey\Desktop\GooredFix.txt
2012-03-19 21:10 - 2012-03-19 21:10 - 0000000 __HDC C:\Users\Storey\Desktop\GooredFix Backups
2012-03-19 21:06 - 2012-03-19 21:07 - 2044822 __AHC C:\Users\Storey\Desktop\tdsskiller.zip
2012-03-19 14:38 - 2012-03-19 14:39 - 0000274 __AHC C:\Users\Storey\Desktop\03192012_142532.log
2012-03-19 14:25 - 2012-03-19 14:25 - 0000000 ___DC C:\_OTM
2012-03-19 13:02 - 2012-03-22 06:32 - 129751823 ____A C:\Windows\MEMORY.DMP
2012-03-19 13:02 - 2012-03-22 06:32 - 0000000 ___DC C:\Windows\Minidump
2012-03-19 13:02 - 2012-03-19 13:02 - 0138744 ___AC C:\Windows\Minidump\Mini031912-01.dmp
2012-03-16 21:42 - 2012-04-04 05:02 - 0000000 ___DC C:\Windows\ERDNT
2012-03-16 21:42 - 2012-03-16 21:43 - 0523264 __AHC (OldTimer Tools) C:\Users\Storey\Desktop\OTM.exe
2012-03-16 21:40 - 2012-03-16 21:41 - 0000000 __HDC C:\Users\Storey\Desktop\erunt
2012-03-16 21:39 - 2012-03-16 21:40 - 0513320 __AHC C:\Users\Storey\Desktop\erunt.zip
2012-03-16 18:27 - 2009-09-10 14:54 - 0038224 ___AC (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-03-06 16:43 - 2012-03-06 16:47 - 0000000 __HDC C:\Users\Storey\Desktop\New Folder

============ 3 Months Modified Files and Folders ===============

2012-04-04 22:52 - 2011-09-08 10:37 - 2986728 ___AC C:\Windows\ntbtlog.txt
2012-04-04 22:45 - 2006-11-02 05:58 - 0000006 __AHC C:\Windows\Tasks\SA.DAT
2012-04-04 22:45 - 2006-11-02 05:45 - 0003072 ___AC C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-04 22:45 - 2006-11-02 05:45 - 0003072 ___AC C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-04 17:55 - 2011-12-12 09:52 - 0001356 ___AC C:\Users\Storey\AppData\Local\d3d9caps.dat
2012-04-04 17:33 - 2012-02-17 14:19 - 0001472 ___AC C:\Windows\setupact.log
2012-04-04 17:33 - 2006-11-02 05:58 - 0032552 ___AC C:\Windows\Tasks\SCHEDLGU.TXT
2012-04-04 17:13 - 2012-04-04 17:02 - 0000000 __SDC C:\ComboFix
2012-04-04 17:13 - 2011-09-08 09:29 - 0031686 ___AC C:\Windows\PFRO.log
2012-04-04 15:50 - 2006-11-02 03:33 - 0750084 ___AC C:\Windows\System32\PerfStringBackup.INI
2012-04-04 15:47 - 2012-03-27 04:25 - 0000000 _ASHC C:\Windows\System32\dds_trash_log.cmd
2012-04-04 09:18 - 2012-04-04 09:18 - 0866304 ___AC C:\Users\All Users\isecurity.exe
2012-04-04 09:18 - 2012-04-04 09:18 - 0866304 ___AC C:\ProgramData\isecurity.exe
2012-04-04 09:18 - 2012-04-04 09:18 - 0000594 ___AC C:\Users\Public\Desktop\Internet Security.lnk
2012-04-04 06:52 - 2011-09-08 09:33 - 1987270 ___AC C:\Windows\WindowsUpdate.log
2012-04-04 05:02 - 2012-04-04 05:02 - 0000000 ___DC C:\Qoobox
2012-04-04 05:02 - 2012-03-16 21:42 - 0000000 ___DC C:\Windows\ERDNT
2012-04-04 04:55 - 2012-03-30 12:20 - 4455902 ___RC (Swearware) C:\Users\Storey\Desktop\ComboFix.exe
2012-04-03 12:27 - 2012-04-03 11:20 - 0087552 ___AC (Kaspersky Lab) C:\Windows\clipmmc.dll
2012-03-31 10:28 - 2012-02-18 19:19 - 0000000 ___DC C:\Program Files\Malwarebytes' Anti-Malware
2012-03-31 10:22 - 2012-03-30 12:26 - 0000813 __AHC C:\Users\Storey\Desktop\TheKiller.txt
2012-03-31 09:53 - 2012-03-31 09:53 - 0000822 ___AC C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
2012-03-31 09:53 - 2012-03-31 07:36 - 0001579 __AHC C:\Users\Storey\Desktop\firefox - Shortcut (2).lnk
2012-03-31 07:32 - 2011-09-08 09:54 - 0000000 __HDC C:\users\Storey
2012-03-31 07:20 - 2012-03-31 07:20 - 0000000 RASHC C:\MSDOS.SYS
2012-03-31 07:20 - 2012-03-31 07:20 - 0000000 RASHC C:\IO.SYS
2012-03-30 22:02 - 2012-03-30 22:04 - 0316928 ___AC ( ) C:\Users\All Users\JiKJGqSIsOjjAl.exe
2012-03-30 22:02 - 2012-03-30 22:04 - 0316928 ___AC ( ) C:\ProgramData\JiKJGqSIsOjjAl.exe
2012-03-30 22:02 - 2006-11-02 03:23 - 0000761 RASHC C:\Windows\System32\Drivers\etc\hosts
2012-03-30 13:08 - 2012-03-30 13:08 - 0000336 __AHC C:\Users\Storey\Desktop\03302012_130532.log
2012-03-30 12:21 - 2012-03-31 10:04 - 0000822 __AHC C:\Users\Storey\Desktop\Malwarebytes' Anti-Malware.lnk
2012-03-30 04:52 - 2012-03-30 04:52 - 0001579 __AHC C:\Users\Storey\Desktop\firefox - Shortcut.lnk
2012-03-29 10:27 - 2012-03-29 10:27 - 0000000 ___DC C:\_OTL
2012-03-28 05:04 - 2012-03-28 05:04 - 0451584 ___AC ( ) C:\Users\All Users\IjtjvlPnQVXOTsL.exe
2012-03-28 05:04 - 2012-03-28 05:04 - 0451584 ___AC ( ) C:\ProgramData\IjtjvlPnQVXOTsL.exe
2012-03-26 22:29 - 2007-09-03 14:05 - 0000000 __HDC C:\Users\All Users\Symantec
2012-03-26 22:29 - 2007-09-03 14:05 - 0000000 __HDC C:\ProgramData\Symantec
2012-03-26 22:21 - 2012-03-26 22:25 - 0451072 ___AC C:\Users\All Users\MuhNyVLeVoL.exe
2012-03-26 22:21 - 2012-03-26 22:25 - 0451072 ___AC C:\ProgramData\MuhNyVLeVoL.exe
2012-03-26 22:00 - 2012-03-26 22:00 - 0182788 ___AC C:\Windows\System32\c_7265170.nls
2012-03-26 21:58 - 2012-03-26 21:58 - 0000000 __SHD C:\found.000
2012-03-25 23:37 - 2012-03-25 16:46 - 0000000 __HDC C:\Users\Storey\AppData\Roaming\Remote
2012-03-22 08:14 - 2012-03-22 08:14 - 0090624 ___AC (Kaspersky Lab) C:\Windows\System32\clipmmc.dll
2012-03-22 06:33 - 2012-03-22 06:32 - 0138744 ___AC C:\Windows\Minidump\Mini032212-01.dmp
2012-03-22 06:32 - 2012-03-19 13:02 - 129751823 ____A C:\Windows\MEMORY.DMP
2012-03-22 06:32 - 2012-03-19 13:02 - 0000000 ___DC C:\Windows\Minidump
2012-03-21 21:16 - 2012-03-21 21:16 - 0000000 __HDC C:\Users\Storey\AppData\Roaming\SUPERAntiSpyware.com
2012-03-21 21:16 - 2012-03-21 21:13 - 0000000 ___DC C:\Program Files\SUPERAntiSpyware
2012-03-21 21:13 - 2012-03-21 21:13 - 0000000 __HDC C:\Users\All Users\SUPERAntiSpyware.com
2012-03-21 21:13 - 2012-03-21 21:13 - 0000000 __HDC C:\ProgramData\SUPERAntiSpyware.com
2012-03-21 21:11 - 2012-03-21 21:09 - 15495768 __AHC (SUPERAntiSpyware.com) C:\Users\Storey\Desktop\SUPERAntiSpyware.exe
2012-03-20 07:15 - 2006-11-02 04:18 - 0000000 ___DC C:\Windows\System32\config\TxR
2012-03-20 07:11 - 2006-11-02 03:22 - 28311552 ____A C:\Windows\System32\config\components_previous
2012-03-20 07:11 - 2006-11-02 03:22 - 25427968 ____A C:\Windows\System32\config\software_previous
2012-03-20 07:11 - 2006-11-02 03:22 - 14680064 ____A C:\Windows\System32\config\system_previous
2012-03-20 07:11 - 2006-11-02 03:22 - 0262144 ____A C:\Windows\System32\config\security_previous
2012-03-20 07:11 - 2006-11-02 03:22 - 0262144 ____A C:\Windows\System32\config\sam_previous
2012-03-20 07:11 - 2006-11-02 03:22 - 0262144 ____A C:\Windows\System32\config\default_previous
2012-03-20 07:08 - 2006-11-02 04:18 - 0000000 ___DC C:\Windows\System32\spool
2012-03-20 07:07 - 2006-11-02 04:18 - 0000000 ___DC C:\Windows\registration
2012-03-19 21:24 - 2012-03-19 21:24 - 0000000 ___DC C:\TDSSKiller_Quarantine
2012-03-19 21:24 - 2012-03-19 21:21 - 0076348 ___AC C:\TDSSKiller.2.7.20.0_19.03.2012_21.21.24_log.txt
2012-03-19 21:19 - 2012-03-19 21:11 - 0000000 __HDC C:\Users\Storey\Desktop\tdsskiller
2012-03-19 21:11 - 2012-03-19 21:10 - 0001266 __AHC C:\Users\Storey\Desktop\GooredFix.txt
2012-03-19 21:10 - 2012-03-19 21:10 - 0000000 __HDC C:\Users\Storey\Desktop\GooredFix Backups
2012-03-19 21:07 - 2012-03-19 21:06 - 2044822 __AHC C:\Users\Storey\Desktop\tdsskiller.zip
2012-03-19 14:39 - 2012-03-19 14:38 - 0000274 __AHC C:\Users\Storey\Desktop\03192012_142532.log
2012-03-19 14:25 - 2012-03-19 14:25 - 0000000 ___DC C:\_OTM
2012-03-19 13:40 - 2011-09-08 10:07 - 0000248 ___AC C:\Windows\MBRWR.LOG
2012-03-19 13:02 - 2012-03-19 13:02 - 0138744 ___AC C:\Windows\Minidump\Mini031912-01.dmp
2012-03-18 15:41 - 2011-09-09 14:09 - 0000000 ___DC C:\Program Files\Mozilla Firefox
2012-03-16 21:43 - 2012-03-16 21:42 - 0523264 __AHC (OldTimer Tools) C:\Users\Storey\Desktop\OTM.exe
2012-03-16 21:41 - 2012-03-16 21:40 - 0000000 __HDC C:\Users\Storey\Desktop\erunt
2012-03-16 21:40 - 2012-03-16 21:39 - 0513320 __AHC C:\Users\Storey\Desktop\erunt.zip
2012-03-15 16:57 - 2007-09-03 13:59 - 0000000 __HDC C:\Users\Public\Documents\.GamesData
2012-03-15 16:57 - 2007-09-03 13:59 - 0000000 ___DC C:\Program Files\Acer GameZone
2012-03-15 16:53 - 2007-09-03 12:46 - 0000000 ___DC C:\Program Files\InstallShield Installation Information
2012-03-06 16:47 - 2012-03-06 16:43 - 0000000 __HDC C:\Users\Storey\Desktop\New Folder
2012-03-06 07:33 - 2006-11-02 05:35 - 0000000 ___DC C:\Windows\DigitalLocker
2012-03-05 22:40 - 2011-09-08 11:42 - 0000000 ___DC C:\Program Files\Common Files\Apple
2012-03-05 22:35 - 2007-09-03 14:05 - 0000000 ___DC C:\Program Files\Symantec
2012-02-23 10:18 - 2011-09-09 14:27 - 0237072 ____C (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-22 19:41 - 2006-11-02 04:18 - 0000000 ___DC C:\Windows\tapi
2012-02-22 18:25 - 2011-09-08 09:29 - 138545903 ____A C:\Windows\DUMP3cf0.tmp
2012-02-18 19:19 - 2012-02-18 19:19 - 9502424 __AHC (Malwarebytes Corporation ) C:\Users\Storey\Desktop\mbam--setup-1.60.1.1000.exe
2012-02-18 19:19 - 2012-02-18 19:19 - 0000000 __HDC C:\Users\Storey\AppData\Roaming\Malwarebytes
2012-02-18 19:19 - 2012-02-18 19:19 - 0000000 __HDC C:\Users\All Users\Malwarebytes
2012-02-18 19:19 - 2012-02-18 19:19 - 0000000 __HDC C:\ProgramData\Malwarebytes
2012-02-17 14:19 - 2012-02-17 14:19 - 0000000 ___AC C:\Windows\setuperr.log
2012-02-17 14:18 - 2006-11-02 05:44 - 0231952 ___AC C:\Windows\System32\FNTCACHE.DAT
2012-02-13 01:38 - 2012-02-13 01:38 - 0010344 ___AC (Symantec Corporation) C:\Windows\System32\Drivers\symlcbrd.sys
2012-02-12 18:38 - 2012-02-12 18:37 - 0000000 __HDC C:\Users\Storey\AppData\Roaming\redsn0w
2012-02-12 18:03 - 2011-09-08 11:48 - 0000000 __HDC C:\Users\Storey\AppData\Roaming\Apple Computer
2012-02-12 17:58 - 2012-02-12 17:55 - 0000000 ___DC C:\Program Files\iTunes
2012-02-12 17:56 - 2012-02-12 17:56 - 0000000 ___DC C:\Program Files\iPod
2012-02-12 17:55 - 2011-09-08 11:45 - 0000000 __HDC C:\Users\All Users\Apple Computer
2012-02-12 17:55 - 2011-09-08 11:45 - 0000000 __HDC C:\ProgramData\Apple Computer
2012-02-12 15:26 - 2012-02-12 15:26 - 0000000 ___DC C:\Program Files\Bonjour
2012-02-12 14:21 - 2011-09-08 11:42 - 0000000 __HDC C:\Users\All Users\Apple
2012-02-12 14:21 - 2011-09-08 11:42 - 0000000 __HDC C:\ProgramData\Apple


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 23%
Total physical RAM: 1013.4 MB
Available physical RAM: 780.28 MB
Total Pagefile: 2279.06 MB
Available Pagefile: 2138.19 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.82 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:32.51 GB) (Free:14.5 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (DATA) (Fixed) (Total:32.26 GB) (Free:12.42 GB) NTFS
4 Drive f: (KINGSTON) (Removable) (Total:1.89 GB) (Free:1.3 GB) FAT

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 1 Online 1937 MB 0 B

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1933 MB 4032 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 F KINGSTON FAT Removable 1933 MB Healthy

======================================================================================================
==========================================================
TDL4: custom:26000022


==========================================================

Last Boot: 2012-04-04 17:53

======================= End Of Log ==========================

#15
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
This scan also had problems, but at least I see some problems that we can fix now.

Step 1

NOTE: You have a very nasty infection! I would strongly advise you to back up all your important data from your system before you begin with the fix.

This malware tends to disable your whole system and leave you with nothing. Please back up your data.

Step 2

Download

Attached file: fixlist.txt (927 bytes)

and copy/paste fixlist.txt into the same folder where FRST.exe is located. In your case it will be F:\

Run FRST.exe as you did before, except that this time around, click on the Fix button and wait.

The tool will make a log on F:\ (Fixlog.txt); please post it in your reply.

Step 3

Please do another FRST.exe scan as you did the first time and post the scan log here for me.

Step 4

Please don't forget to include these items in your reply:

  • FRST fix log
  • FRST new scan log

It would be helpful if you could post each log in a separate post.