Geeks to Go forums
Trojan.Dropper.BCMiner and Rootkit.0Access removal from Windows 7



#1 Benkle (Member, 16 posts)

Hi,
Tonight I noticed that my browser (Firefox; I don't use Chrome much, and IE only to download one of the other two) was redirecting to other sites. I downloaded Malwarebytes Anti-Malware and ran it. The first time it removed about 7 or so files and I thought that would be all. I restarted and ran it again just to confirm, but I always have 3 items appearing (attached as malwarebytes issues.jpg).
After this I basically went on a spree of googling how to remove these and have tried several programs; however, none have been effective, and so now I am posting here.
Looking through my downloads folder I have tried:
mbam
roguekiller
attk_far_gui_x64
aswMBR (the only one which seemed to find files I couldn't then fix; screenshot attached as aswmbr.jpg. Apparently desktop.ini is infected?)
Superantispyware
ComboFix (which I didn't realise I wasn't supposed to run unless on request, but I don't think it installed properly, as I never got a txt file)

Now I have run OTL too (OTL.txt attached).

They don't seem to be causing any noticeable issues (beyond the web page redirects), but as it is a rootkit I would like them removed.

OTL logfile created on: 30/08/2012 1:18:35 AM - Run 1
OTL by OldTimer - Version 3.2.59.1 Folder = O:\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

7.90 Gb Total Physical Memory | 4.10 Gb Available Physical Memory | 51.87% Memory free
15.79 Gb Paging File | 11.34 Gb Available in Paging File | 71.84% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 119.14 Gb Total Space | 85.41 Gb Free Space | 71.68% Space Free | Partition Type: NTFS
Drive M: | 488.28 Gb Total Space | 305.92 Gb Free Space | 62.65% Space Free | Partition Type: NTFS
Drive O: | 398.05 Gb Total Space | 211.36 Gb Free Space | 53.10% Space Free | Partition Type: NTFS
Drive T: | 976.56 Gb Total Space | 390.72 Gb Free Space | 40.01% Space Free | Partition Type: NTFS

Computer Name: BENKLE | User Name: Ben | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/30 01:17:24 | 000,598,528 | ---- | M] (OldTimer Tools) -- O:\Downloads\OTL.exe
PRC - [2012/08/25 00:30:43 | 000,529,744 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
PRC - [2012/08/22 19:37:41 | 001,807,560 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
PRC - [2012/08/07 20:11:40 | 001,353,080 | ---- | M] (Valve Corporation) -- O:\Steam\Steam.exe
PRC - [2012/07/28 06:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/07/14 10:17:11 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2012/07/03 13:46:42 | 000,973,488 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2012/05/15 20:48:00 | 001,262,400 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
PRC - [2012/05/15 02:21:40 | 000,382,272 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe


========== Modules (No Company Name) ==========

MOD - [2012/08/25 00:30:43 | 020,317,008 | ---- | M] () -- O:\Steam\bin\libcef.dll
MOD - [2012/08/25 00:30:43 | 001,099,616 | ---- | M] () -- O:\Steam\bin\avcodec-53.dll
MOD - [2012/08/25 00:30:43 | 000,902,480 | ---- | M] () -- O:\Steam\bin\chromehtml.dll
MOD - [2012/08/25 00:30:43 | 000,190,816 | ---- | M] () -- O:\Steam\bin\avformat-53.dll
MOD - [2012/08/25 00:30:43 | 000,123,232 | ---- | M] () -- O:\Steam\bin\avutil-51.dll
MOD - [2012/08/22 19:37:41 | 009,813,704 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
MOD - [2012/07/14 10:17:14 | 002,003,424 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2012/05/15 02:21:26 | 000,368,448 | ---- | M] () -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\Nv3DVStreaming.dll
MOD - [2010/11/21 13:24:09 | 000,232,448 | ---- | M] () -- \\.\globalroot\systemroot\syswow64\mswsock.dll


========== Services (SafeList) ==========

SRV:64bit: - [2011/08/12 09:38:04 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe -- (!SASCORE)
SRV:64bit: - [2009/07/14 11:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/08/25 00:30:43 | 000,529,744 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/07/28 06:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/14 10:17:12 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/05/15 20:48:00 | 001,262,400 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012/05/15 02:21:40 | 000,382,272 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/06/11 07:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/04/19 03:08:03 | 000,188,736 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2012/03/01 16:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/07/23 02:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/13 07:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2010/12/03 11:08:42 | 001,918,976 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athurx.sys -- (athur)
DRV:64bit: - [2010/11/21 13:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/21 13:23:47 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2010/11/21 13:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/21 13:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/11/21 13:23:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/11/18 07:12:00 | 000,032,344 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\MBfilt64.sys -- (MBfilt)
DRV:64bit: - [2009/07/14 11:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 11:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 11:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/11 06:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/11 06:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/11 06:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/11 06:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/14 11:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-au
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1D 30 75 7F 7C 74 CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = about:blank

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/"
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_265.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: O:\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Ben\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Ben\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/08/07 19:11:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{4B87D757-F1C9-11E1-8270-B8AC6F996F26}: C:\Users\Ben\AppData\Local\{4B87D757-F1C9-11E1-8270-B8AC6F996F26}\ [2012/08/29 21:04:34 | 000,000,000 | ---D | M]

[2012/08/07 19:11:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ben\AppData\Roaming\Mozilla\Extensions
[2012/08/27 22:53:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\wml186ac.default\extensions
[2012/08/07 19:11:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/08/29 21:04:34 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\USERS\BEN\APPDATA\LOCAL\{4B87D757-F1C9-11E1-8270-B8AC6F996F26}
[2012/07/14 10:17:47 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/07/14 10:16:36 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/07/14 10:16:36 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Ben\AppData\Local\Google\Chrome\Application\21.0.1180.79\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Ben\AppData\Local\Google\Chrome\Application\21.0.1180.83\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_268.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Ben\AppData\Local\Google\Chrome\Application\21.0.1180.83\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Ben\AppData\Local\Google\Chrome\Application\21.0.1180.83\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: NVIDIA 3D Vision (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
CHR - plugin: NVIDIA 3D VISION (Enabled) = C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
CHR - plugin: Java™ Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.50.255 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Ben\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: VLC Web Plugin (Enabled) = O:\VLC\npvlc.dll
CHR - Extension: YouTube = C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2009/06/11 07:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKCU..\Run: [sdmdl] C:\Users\Ben\AppData\Roaming\sdmdl.dll (EFD Software)
O4 - HKCU..\Run: [Steam] O:\Steam\Steam.exe (Valve Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Samsung SSD Magician.lnk = C:\Program Files (x86)\Samsung SSD Magician\Samsung SSD Magician.exe (Samsung Electronics.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2AB0B600-D97F-4EDC-829C-198183247F52}: DhcpNameServer = 10.1.1.1
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/30 00:53:56 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\SUPERAntiSpyware.com
[2012/08/30 00:53:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012/08/30 00:53:45 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/08/30 00:53:45 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/08/30 00:45:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/08/30 00:35:48 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/08/30 00:29:15 | 000,167,696 | ---- | C] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmcomm.sys
[2012/08/29 23:50:03 | 000,027,256 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\FixZeroAccess.sys
[2012/08/29 23:30:20 | 000,000,000 | ---D | C] -- C:\Users\Ben\Desktop\RK_Quarantine
[2012/08/29 23:00:06 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\Malwarebytes
[2012/08/29 22:59:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/08/29 22:59:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/08/29 22:59:58 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/08/29 22:59:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/08/29 21:09:56 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[2012/08/29 21:04:34 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\{4B87D757-F1C9-11E1-8270-B8AC6F996F26}
[2012/08/29 21:04:29 | 000,531,456 | ---- | C] (EFD Software) -- C:\Users\Ben\AppData\Roaming\sdmdl.dll
[2012/08/29 21:03:37 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\xsecva
[2012/08/20 21:46:20 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012/08/20 21:42:45 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\Adobe
[2012/08/20 21:41:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe
[2012/08/20 21:41:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Adobe
[2012/08/20 21:41:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2012/08/19 18:43:10 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\Google
[2012/08/15 21:28:02 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\GNE
[2012/08/14 21:52:50 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\Chromium
[2012/08/14 21:52:17 | 000,000,000 | ---D | C] -- C:\Users\Ben\Documents\My Games
[2012/08/14 21:51:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Chart Controls
[2012/08/14 21:49:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hi-Rez Studios
[2012/08/14 21:49:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Hi-Rez Studios
[2012/08/14 20:53:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2012/08/14 20:53:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Oracle
[2012/08/09 23:55:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PeerBlock
[2012/08/09 23:53:16 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\uTorrent
[2012/08/09 22:03:54 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\Diagnostics
[2012/08/09 20:23:44 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\Ventrilo
[2012/08/09 20:23:36 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\Microsoft Games
[2012/08/09 20:22:55 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ventrilo
[2012/08/09 20:22:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Wise Installation Wizard
[2012/08/08 10:57:40 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2012/08/07 22:17:15 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
[2012/08/07 22:02:09 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\RTCOM
[2012/08/07 22:02:09 | 000,000,000 | ---D | C] -- C:\Program Files\Realtek
[2012/08/07 22:02:06 | 002,603,864 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\WavesGUILib.dll
[2012/08/07 22:02:06 | 000,518,896 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSTSX64.dll
[2012/08/07 22:02:06 | 000,211,184 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSTSH64.dll
[2012/08/07 22:02:06 | 000,198,896 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSHP64.dll
[2012/08/07 22:02:06 | 000,155,888 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSWOW64.dll
[2012/08/07 22:02:05 | 002,131,288 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioEQ.dll
[2012/08/07 22:02:05 | 000,958,296 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioAPOShell64.dll
[2012/08/07 22:02:05 | 000,375,128 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEP64A.dll
[2012/08/07 22:02:05 | 000,318,808 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioAPO20.dll
[2012/08/07 22:02:05 | 000,310,104 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RP3DHT64.dll
[2012/08/07 22:02:05 | 000,310,104 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RP3DAA64.dll
[2012/08/07 22:02:05 | 000,204,120 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEED64A.dll
[2012/08/07 22:02:05 | 000,101,208 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEL64A.dll
[2012/08/07 22:02:05 | 000,078,680 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEG64A.dll
[2012/08/07 22:02:04 | 002,528,832 | ---- | C] (Fortemedia Corporation) -- C:\Windows\SysNative\FMAPO64.dll
[2012/08/07 22:02:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Realtek
[2012/08/07 22:02:01 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\Temp
[2012/08/07 22:02:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\InstallShield
[2012/08/07 22:01:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
[2012/08/07 22:00:32 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2012/08/07 22:00:22 | 000,068,928 | ---- | C] (Khronos Group) -- C:\Windows\SysNative\OpenCL.dll
[2012/08/07 22:00:22 | 000,061,248 | ---- | C] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.dll
[2012/08/07 22:00:20 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2012/08/07 22:00:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
[2012/08/07 21:59:53 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2012/08/07 21:58:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung SSD Magician
[2012/08/07 21:58:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Samsung SSD Magician
[2012/08/07 21:58:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Samsung
[2012/08/07 20:49:40 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\Macromedia
[2012/08/07 20:49:40 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\Macromedia
[2012/08/07 20:49:40 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\Adobe
[2012/08/07 20:11:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
[2012/08/07 20:11:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Steam
[2012/08/07 20:10:47 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2012/08/07 20:10:00 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Macromed
[2012/08/07 20:09:59 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2012/08/07 20:08:10 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\vlc
[2012/08/07 20:07:54 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\WinRAR
[2012/08/07 20:07:54 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
[2012/08/07 20:07:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
[2012/08/07 20:07:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2012/08/07 19:11:45 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\Mozilla
[2012/08/07 19:11:45 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\Mozilla
[2012/08/07 19:11:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2012/08/07 19:11:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2012/08/07 19:11:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/08/07 19:07:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TP-LINK
[2012/08/07 19:07:13 | 001,918,976 | ---- | C] (Atheros Communications, Inc.) -- C:\Windows\SysNative\drivers\athurx.sys
[2012/08/07 19:07:13 | 001,918,976 | ---- | C] (Atheros Communications, Inc.) -- C:\Windows\SysNative\athurx.sys
[2012/08/07 19:07:13 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\InstallShield Installation Information
[2012/08/07 19:06:10 | 000,000,000 | ---D | C] -- C:\ProgramData\TP-LINK
[2012/08/07 19:03:48 | 000,000,000 | R--D | C] -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2012/08/07 19:03:48 | 000,000,000 | R--D | C] -- C:\Users\Ben\Searches
[2012/08/07 19:03:48 | 000,000,000 | R--D | C] -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2012/08/07 19:03:48 | 000,000,000 | -H-D | C] -- C:\Users\Ben\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2012/08/07 19:03:42 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\Identities
[2012/08/07 19:03:41 | 000,000,000 | R--D | C] -- C:\Users\Ben\Contacts
[2012/08/07 19:03:41 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\VirtualStore
[2012/08/07 19:03:39 | 000,000,000 | --SD | C] -- C:\Users\Ben\AppData\Roaming\Microsoft
[2012/08/07 19:03:39 | 000,000,000 | R--D | C] -- C:\Users\Ben\Videos
[2012/08/07 19:03:39 | 000,000,000 | R--D | C] -- C:\Users\Ben\Saved Games
[2012/08/07 19:03:39 | 000,000,000 | R--D | C] -- C:\Users\Ben\Pictures
[2012/08/07 19:03:39 | 000,000,000 | R--D | C] -- C:\Users\Ben\Music
[2012/08/07 19:03:39 | 000,000,000 | R--D | C] -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2012/08/07 19:03:39 | 000,000,000 | R--D | C] -- C:\Users\Ben\Links
[2012/08/07 19:03:39 | 000,000,000 | R--D | C] -- C:\Users\Ben\Favorites
[2012/08/07 19:03:39 | 000,000,000 | R--D | C] -- C:\Users\Ben\Downloads
[2012/08/07 19:03:39 | 000,000,000 | R--D | C] -- C:\Users\Ben\Documents
[2012/08/07 19:03:39 | 000,000,000 | R--D | C] -- C:\Users\Ben\Desktop
[2012/08/07 19:03:39 | 000,000,000 | R--D | C] -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\AppData\Local\Temporary Internet Files
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\Templates
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\Start Menu
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\SendTo
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\Recent
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\PrintHood
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\NetHood
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\Documents\My Videos
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\Documents\My Pictures
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\Documents\My Music
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\My Documents
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\Local Settings
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\AppData\Local\History
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\Cookies
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\Application Data
[2012/08/07 19:03:39 | 000,000,000 | -HSD | C] -- C:\Users\Ben\AppData\Local\Application Data
[2012/08/07 19:03:39 | 000,000,000 | -H-D | C] -- C:\Users\Ben\AppData
[2012/08/07 19:03:39 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\Temp
[2012/08/07 19:03:39 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\Microsoft
[2012/08/07 19:03:39 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\Media Center Programs
[2012/08/07 19:03:37 | 000,000,000 | -HSD | C] -- C:\Recovery
[2012/08/07 17:02:57 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2012/08/07 16:58:00 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2012/08/07 16:57:52 | 000,000,000 | -HSD | C] -- C:\System Volume Information

========== Files - Modified Within 30 Days ==========

[2012/08/30 01:16:47 | 000,000,000 | ---- | M] () -- C:\Users\Ben\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/08/30 01:13:25 | 000,021,856 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/30 01:13:25 | 000,021,856 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/30 01:12:35 | 000,713,714 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/08/30 01:12:35 | 000,619,206 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/08/30 01:12:35 | 000,107,388 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/08/30 01:06:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/30 01:06:10 | 2064,134,143 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/30 00:55:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1862684139-277524484-329249885-1000UA.job
[2012/08/30 00:53:46 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/08/30 00:31:17 | 000,000,512 | ---- | M] () -- C:\Users\Ben\Desktop\MBR.dat
[2012/08/30 00:29:15 | 000,167,696 | ---- | M] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmcomm.sys
[2012/08/30 00:01:39 | 000,129,024 | ---- | M] () -- C:\Windows\RegBootClean64.exe
[2012/08/29 23:59:06 | 000,000,036 | ---- | M] () -- C:\Users\Ben\AppData\Local\housecall.guid.cache
[2012/08/29 23:50:03 | 000,027,256 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\FixZeroAccess.sys
[2012/08/29 21:55:00 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1862684139-277524484-329249885-1000Core.job
[2012/08/29 21:04:34 | 000,531,456 | ---- | M] (EFD Software) -- C:\Users\Ben\AppData\Roaming\sdmdl.dll
[2012/08/20 21:41:59 | 000,002,019 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2012/08/09 23:54:28 | 000,000,525 | ---- | M] () -- C:\Users\Ben\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2012/08/09 20:22:55 | 000,000,248 | ---- | M] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2012/08/07 21:58:42 | 000,001,209 | ---- | M] () -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Samsung SSD Magician.lnk
[2012/08/07 21:57:20 | 000,001,437 | ---- | M] () -- C:\Users\Ben\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/07 21:57:06 | 000,274,320 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/08/07 21:06:42 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2012/08/07 19:48:57 | 000,072,822 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/08/07 19:48:57 | 000,072,822 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
[2012/08/07 16:59:09 | 000,108,227 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
[2012/08/07 16:59:09 | 000,108,227 | ---- | M] () -- C:\Windows\SysNative\license.rtf

========== Files Created - No Company Name ==========

[2012/08/30 00:53:46 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/08/30 00:25:31 | 000,000,512 | ---- | C] () -- C:\Users\Ben\Desktop\MBR.dat
[2012/08/30 00:01:37 | 000,129,024 | ---- | C] () -- C:\Windows\RegBootClean64.exe
[2012/08/29 23:59:06 | 000,000,036 | ---- | C] () -- C:\Users\Ben\AppData\Local\housecall.guid.cache
[2012/08/29 21:04:34 | 000,000,000 | ---- | C] () -- C:\Users\Ben\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/08/20 21:45:48 | 000,000,900 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1862684139-277524484-329249885-1000UA.job
[2012/08/20 21:45:48 | 000,000,848 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1862684139-277524484-329249885-1000Core.job
[2012/08/20 21:41:59 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2012/08/20 21:41:59 | 000,002,019 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2012/08/09 23:54:28 | 000,000,525 | ---- | C] () -- C:\Users\Ben\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2012/08/09 20:22:55 | 000,000,248 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2012/08/07 22:02:06 | 002,261,764 | ---- | C] () -- C:\Windows\SysNative\drivers\rtvienna.dat
[2012/08/07 22:02:05 | 000,223,608 | ---- | C] () -- C:\Windows\SysNative\drivers\RTAIODAT.DAT
[2012/08/07 22:00:24 | 002,621,723 | ---- | C] () -- C:\Windows\SysNative\nvcoproc.bin
[2012/08/07 22:00:13 | 000,014,324 | ---- | C] () -- C:\Windows\SysNative\nvinfo.pb
[2012/08/07 21:58:42 | 000,001,209 | ---- | C] () -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Samsung SSD Magician.lnk
[2012/08/07 21:06:42 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2012/08/07 19:48:57 | 000,072,822 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/08/07 19:48:57 | 000,072,822 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
[2012/08/07 19:11:42 | 000,001,142 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/08/07 19:10:29 | 000,001,437 | ---- | C] () -- C:\Users\Ben\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/08/07 19:07:13 | 000,021,215 | ---- | C] () -- C:\Windows\SysNative\netathurx.inf
[2012/08/07 19:07:13 | 000,007,492 | ---- | C] () -- C:\Windows\SysNative\athurextx.cat
[2012/08/07 19:03:49 | 000,001,409 | ---- | C] () -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2012/08/07 19:03:48 | 000,001,443 | ---- | C] () -- C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2012/08/07 19:03:39 | 000,000,290 | ---- | C] () -- C:\Users\Ben\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2012/08/07 19:03:39 | 000,000,272 | ---- | C] () -- C:\Users\Ben\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2012/08/07 16:59:04 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2012/08/07 16:59:04 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2012/08/07 16:57:52 | 2064,134,143 | -HS- | C] () -- C:\hiberfil.sys
[2012/05/15 02:21:50 | 000,423,744 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe

========== LOP Check ==========

[2012/08/26 19:54:41 | 000,000,000 | ---D | M] -- C:\Users\Ben\AppData\Roaming\uTorrent
[2012/08/29 23:09:12 | 000,000,000 | ---D | M] -- C:\Users\Ben\AppData\Roaming\xsecva
[2009/07/14 15:08:49 | 000,008,944 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

Attached Thumbnails

  • aswmbr.jpg
  • malwarebytes issues.jpg

Attached Files

  • Attached File  OTL.Txt   79.55KB   26 downloads

  • 0


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
This is the latest ZeroAccess infection.

Copy the text in the code box by highlighting and Ctrl + c

:OTL
O4 - HKCU..\Run: [sdmdl] C:\Users\Ben\AppData\Roaming\sdmdl.dll (EFD Software)
[2012/08/29 21:09:56 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[2012/08/29 21:04:34 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\{4B87D757-F1C9-11E1-8270-B8AC6F996F26}
[2012/08/29 21:04:29 | 000,531,456 | ---- | C] (EFD Software) -- C:\Users\Ben\AppData\Roaming\sdmdl.dll
[2012/08/29 21:03:37 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Roaming\xsecva
[2012/08/30 01:16:47 | 000,000,000 | ---- | M] () -- C:\Users\Ben\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ

:files
C:\Windows\Installer\{c03b9899adfe7dcef56af34e4c87c5ce}
C:\Users\Ben\AppData\Local\{c03b9899adfe7dcef56af34e4c87c5ce}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\Ben\AppData\Roaming\xsecva
C:\Users\Ben\AppData\Roaming\sdmdl.dll

:reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{c03b9899adfe7dcef56af34e4c87c5ce}]

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save, Copy and Paste the log into a reply.
It appears that Old Timer is now hiding the log in c:\_OTL\RemovedFiles\082292012-some number.log so if you don't see it then look there.


This bug usually infects the services.exe file. Let's see if windows can fix it now that the rest of the infection is gone:

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:
sfc /scannow

Does it complain that it can't fix something?


Download, save and run (Win 7 or Vista => right-click and Run as Admin) Farbar Service Scanner:


Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Right click on TDSSKiller.exe and select Run As Administrator to start the program.

If TDSSKiller alerts you that the system needs to reboot, please consent.

Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.





Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron
  • 0

#3
Benkle

Benkle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Thanks a lot for your help, here are the requested files.

sfc did complain that it couldn't open something; screenshot attached.
Neither TDSSKiller run said it found any issues nor did it ask me to reboot.
The two OTL files are appended OTL1 and OTL2 respectively.

Ben.

Attached Thumbnails

  • sfc.jpg

Attached Files


  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
There are a lot of services broken but no point in fixing them until we figure out how this thing is working. It appears to be a bit different from the usual Zero Access.

The error you got is because we managed to delete a bad file but not the registry entry that calls it. Normally both would have been removed.


The two bad desktop.ini files both came back so the infection is still active. Can you attach one of them? They are supposed to be text files.

Can you try ComboFix again? Disable the anti-virus before downloading and rename it to george.exe before running it.

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Rightclick on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt or C:\combofix\combofix.txt. I'll need to see that in your reply.
  • 0

#5
Benkle

Benkle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi, when I started the PC the same error occurred as when I ran the sfc command.

I downloaded combofix and renamed it to george.exe.
I closed down every program I had running and then ran it (I don't have any anti-virus as I am usually careful and don't remember the last time I had an issue. I am still trying to work out where I got this from). I left the PC for 30 mins and when I came back the screens had gone to sleep. I couldn't see any lights flashing on the case and the only noise was the fan on the rear of it. I hit Ctrl+Shift+Esc and there were no george or combofix processes running. I cannot find a combofix.txt file anywhere on my computer. I feel silly not being able to get this to work.
When I ran it there was a disclaimer, then the decompressing dialog box, then I didn't see anything else appear on the screen at all. Should I be waiting longer?

As for the desktop.ini files, there was one I could open which was small with 3 lines in it, and one I couldn't open or attach until I made a copy of it, which is significantly bigger (it has (2) in brackets after the name). I changed the extension of both to .txt as I was getting the error "You do not have permission to upload files of that type".

Sorry for not getting ComboFix to work, I really can't work out what I'm doing wrong. If I don't hear back before I go to bed I'll save a fresh copy as bob.exe and let it run overnight (surely 8 hours is long enough!).

Ben.

Attached Files


  • 0

#6
Benkle

Benkle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I found some screenshots of what ComboFix should look like when it is run and it is definitely just extracting and then doing nothing. There is no blue command window appearing. I tried once more by going to safe mode and downloading it in Chrome; it still didn't work but left a shortcut named 32788R22FWJFW in C: that when clicked on goes back to My Computer drives. It also left a folder called chromecombo (what I renamed the exe to) in C: with a bunch of files in it.

I have done some searching but no one else seems to have had this issue.

Ben.

EDIT: Now I have tried so many things I want to get this fixed without having to resort to this, but if I were to reformat C:, which is basically just my OS, would this be hidden somewhere on my other drives or can I be sure that would fix it?

Edited by Benkle, 30 August 2012 - 08:13 AM.

  • 0

#7
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
http://www.avast.com...ivirus-download

Download, Save, and right click and Run As Administrator.

Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?
Look in C:\ProgramData\Avast Software\Avast\report\aswboot.txt for a text copy of the report that you can copy and paste.
  • 0

#8
Benkle

Benkle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Attached as requested.

Ben.

Attached Files


  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Now we are getting somewhere.
I'm going to let OTL delete the files it found on drives M and O. When it says they are corrupt it means that they do not follow the standard rar or zip formats so no telling what is going to happen if you try to unpack them. We will also delete the folders in C:\$Recycle.Bin and the two .ini files in case they are still there.

Please uninstall Malwarebytes' Anti-Malware as it will interfere and cause OTL to hang.


Copy the text in the code box by highlighting and Ctrl + c

:files
C:\$Recycle.Bin\S-1-5-18\$c03b9899adfe7dcef56af34e4c87c5ce
C:\$Recycle.Bin\S-1-5-21-1862684139-277524484-329249885-1000\$c03b9899adfe7dcef56af34e4c87c5ce
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
File M:\Basketball\Baker\GB_30_Finishing_Moves_RSFG.part1.rar
File O:\Steam\Backups\Dota 2\Disk_1\573_depotcache_1.csd
File O:\Stuff\Porn Star Secrets of Sex  Over 100 Mind\Porn Star Secrets of Sex _ Over 100 Mind - Jeni West.epub

:reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"

:Commands
[EMPTYTEMP]
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply. This will also create a file winsock2.reg on your desktop. It is an insurance file. If you can't get on the Internet after the fix, try right clicking on the winsock2.reg and Merge then reboot. If that doesn't help then do a System Restore.
It appears that Old Timer is now hiding the log in c:\_OTL\RemovedFiles\08312012-some number.log.


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.


Are you still getting redirected?
  • 0

#10
Benkle

Benkle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I haven't noticed any more redirects, but still get the error from sfc when I boot up.

I had gone and manually deleted the files on O: and M:; hope that didn't screw anything up.

Thanks for all the help so far, I really appreciate it.

Ben.

Attached Files


  • 0


#11
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Get RegSeeker.
http://www.hoverdesk.net/freeware.htm
The download is where it says:
DOWNLOAD RegSeeker 1.55 (>20 languages included !)
It's a zip file so you have to save it then right click on it and Extract All then run regseeker.exe by right clicking and Run As Admin.

Select Find in Registry then have it look for sdmdl.dll. Wait until the STOP button goes away. You can then select all and then right click and Export selected items. It puts a file of the stuff it exports in the backups folder which it creates below the folder it is in. Attach the file that it creates.

RegSeeker also has a registry cleaner but I don't really trust registry cleaners so I'd rather you didn't use it.

I have a new OTL scan I want to try to see if there are any remnants of the malware

Copy the text in the code box:

%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
%systemdrive%\$Recycle.Bin|@;true;true;true
C:\$Recycle.Bin\S-1-5-18 /s
C:\$Recycle.Bin\S-1-5-21-1862684139-277524484-329249885-1000 /s

Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN SCAN button (NOT THE QUICK SCAN or RUN FIX button!) at the top.
Let the program run unhindered, it should not need to reboot and there should just be one log. Please copy and paste it.
  • 0

#12
Benkle

Benkle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Attached are the two files. I forgot to turn off Steam etc. before running OTL (as you can see in the log); do you want me to shut it all down and run it again?

Ben.

Attached Files


  • 0

#13
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
No need it worked fine.

Don't know why I couldn't see it but sdmdl.dll was in the OTL log the whole time:


Copy the text in the code box by highlighting and Ctrl + c

:OTL
O4 - HKU\S-1-5-21-1862684139-277524484-329249885-1000..\Run: [sdmdl] "C:\Windows\System32\rundll32.exe" "C:\Users\Ben\AppData\Roaming\sdmdl.dll",ImportModuleLevel File not found


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will not need to reboot but please reboot to make sure that the error is gone.
  • 0
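The artifacts named in the OTL fix scripts in posts #2 and #9, and the orphaned rundll32 Run entry found in post #13, fall into a handful of recognisable patterns: a directory literally named %APPDATA% under SysWow64, Desktop.ini files dropped into assembly\GAC_32 and GAC_64, path components made of 32 bare hex digits (braced under Windows\Installer and AppData\Local, $-prefixed under $Recycle.Bin\S-1-5-18), a folder whose name is nothing but high-ASCII characters, and a Run value that makes rundll32 load a DLL out of AppData\Roaming. The script below is an added example written for this page, not something from the thread, from OTL or from its author: it parses OTL-style log lines and flags those patterns so a log can be triaged before a fix is written. The sample log mixes lines quoted from the logs in this thread with three constructed lines (timestamps and sizes invented) for paths the fix scripts name but the pasted excerpts do not list as entries; the indicator names and the regular expressions are this example's own.

```python
import re

# OTL file/folder line, e.g.
# [2012/08/29 21:04:29 | 000,531,456 | ---- | C] (EFD Software) -- C:\Users\Ben\AppData\Roaming\sdmdl.dll
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[-A-Z]{4})\s*\|\s*(?P<kind>[CM])\]"
    r"\s*(?:\((?P<company>[^)]*)\))?\s*--\s*(?P<path>.+?)\s*$"
)
# OTL O4 autorun line, e.g.
# O4 - HKCU..\Run: [sdmdl] C:\Users\Ben\AppData\Roaming\sdmdl.dll (EFD Software)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.+?)\s*$")

# Indicator patterns; the indicator names are this example's own (assumption).
# A path component of 32 bare hex digits, braced or $-prefixed. A genuine CLSID
# folder name has dashes ({8-4-4-4-12}), so it does not match.
HEX32_NAME = re.compile(r"\\(?:\{[0-9a-f]{32}\}|\$[0-9a-f]{32})(?:\\|$)", re.I)
# Desktop.ini under the GAC_32 / GAC_64 assembly folders.
GAC_INI = re.compile(r"\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I)
# A DLL under AppData\Roaming named in an autorun command line.
APPDATA_DLL = re.compile(r"\\AppData\\Roaming\\[^\\\"]+\.dll", re.I)


def entry_indicators(path):
    """Indicators for one file/folder path taken from an OTL entry line."""
    hits = []
    name = path.rsplit("\\", 1)[-1]
    if HEX32_NAME.search(path):
        hits.append("hex32-name")
    if GAC_INI.search(path):
        hits.append("gac-desktop-ini")
    if "%APPDATA%" in path.upper().split("\\"):
        hits.append("literal-appdata-dir")      # a directory really named %APPDATA%
    if name and all(ord(c) > 127 for c in name):
        hits.append("non-ascii-name")           # name made only of high-ASCII characters
    return hits


def autorun_indicators(cmd):
    """Indicators for the command part of one O4 autorun line."""
    hits = []
    if APPDATA_DLL.search(cmd):
        hits.append("autorun-dll-in-appdata")
    if cmd.endswith("File not found"):          # OTL's marker for a Run value whose target is gone
        hits.append("orphaned-autorun")
    return hits


def triage(log_text):
    """Return [(indicator, line)] for every flagged line of OTL-style log text."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            hits += [(ind, line) for ind in entry_indicators(m.group("path"))]
            continue
        m = O4_RE.match(line)
        if m:
            hits += [(ind, line) for ind in autorun_indicators(m.group("cmd"))]
    return hits


def summarize(hits):
    """Count hits per indicator."""
    counts = {}
    for indicator, _ in hits:
        counts[indicator] = counts.get(indicator, 0) + 1
    return counts


# Sample log: the first eight lines are quoted from this thread's OTL logs; the last
# three are constructed (timestamps and sizes invented) for paths the fix scripts
# name but the pasted excerpts do not list as entries.
SAMPLE_LOG = r"""
[2012/08/29 21:09:56 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[2012/08/29 21:04:29 | 000,531,456 | ---- | C] (EFD Software) -- C:\Users\Ben\AppData\Roaming\sdmdl.dll
[2012/08/30 01:16:47 | 000,000,000 | ---- | M] () -- C:\Users\Ben\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/08/29 21:04:34 | 000,000,000 | ---D | C] -- C:\Users\Ben\AppData\Local\{4B87D757-F1C9-11E1-8270-B8AC6F996F26}
[2012/08/07 19:11:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2012/08/30 00:29:15 | 000,167,696 | ---- | M] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmcomm.sys
O4 - HKCU..\Run: [sdmdl] C:\Users\Ben\AppData\Roaming\sdmdl.dll (EFD Software)
O4 - HKU\S-1-5-21-1862684139-277524484-329249885-1000..\Run: [sdmdl] "C:\Windows\System32\rundll32.exe" "C:\Users\Ben\AppData\Roaming\sdmdl.dll",ImportModuleLevel File not found
[2012/08/29 21:03:37 | 000,000,000 | ---D | C] -- C:\Windows\Installer\{c03b9899adfe7dcef56af34e4c87c5ce}
[2012/08/29 21:03:37 | 000,000,000 | -HSD | C] -- C:\$Recycle.Bin\S-1-5-18\$c03b9899adfe7dcef56af34e4c87c5ce
[2012/08/29 21:03:40 | 000,058,880 | -HS- | C] () -- C:\Windows\assembly\GAC_64\Desktop.ini
"""

if __name__ == "__main__":
    for indicator, line in triage(SAMPLE_LOG):
        print(f"{indicator:24} {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it flags eight lines and leaves the Firefox folder, the Trend Micro driver and the dashed GUID folder alone. The dashed-GUID rule is deliberate: a 32-digit name with no dashes is not how Windows names CLSID or MSI folders, which is why it stands out, whereas {4B87D757-...} only looks suspicious because of where it was created. An orphaned-autorun hit is the registry side of the sfc/boot error discussed in posts #4 and #13: the DLL was deleted but the Run value that loads it through rundll32 was left behind.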

#14
Benkle

Benkle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
No error on boot.
log file attached.

Ben.

Attached Files


  • 0

#15
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
We need to cleanup System Restore:

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

That should get the last of the malware off the system.

I wonder if you download combofix again and try to run it if it would run now? Before you run it we need to tell Avast not to stick it in the sandbox.


Click on the Avast ball. Then click on Additional Protections then on AutoSandbox then on Settings then uncheck Enable AutoSandbox. OK

To pause Avast:

Right click on the Avast Ball and select Avast! Shields Control and Disable Until Computer is Restarted


While I am thinking about Avast:
Some people object to the voice notification of updates. To turn it off, click on the Avast ball then on Settings. Then on Sounds and uncheck Automatic Updates, OK. (It will still update, it just won't tell you about it in a loud voice in the middle of the night.)

They have also started using their info popup to try and get you to upgrade so I go into Settings, Popups and change the first two to 1 second.

The registration is good for 12-14 months, then you will need to register again. They will, of course, try to talk you into buying the product, but you can always register again for another year free, though it won't be the default.

If you feel you need a firewall then the free Online Armor http://www.online-ar...-armor-free.php can be used with Avast.
  • 0





