TechSpot

System infected: ZeroAccess Rootkit Activity 4 and TidServ Activity 2

By paulisofi
Feb 6, 2012
  1. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    OK... I will... I'm sorry, but I'm on the verge of a heart attack here... and I truly can't lose my computer or the docs in it... So then it doesn't matter that it "booted" as Windows XP and this machine is Vista?
     
  2. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    No. You're fine.
     
  3. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    I double clicked on OTLPE icon and now I have a pop up that says: (Note: I had to delete the final parenthesis of all indicated drives because this post was not being allowed like that).

    Browse for folder

    Choose Windows Directory

    My computer

    RAM Disk (B:
    HP (C:
    HP_PAVILION (D:
    Removable Disk (E:
    Removable Disk (F:
    Removable Disk (G:
    Removable Disk (H:
    Removable Disk (I:
    ReatogoPE (X:
    Shared documents

    Folder: My Computer

    OK Cancel
     
  4. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    I don't know what to do because this is not mentioned in the instructions.
     
  5. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    This is not the best news if the tool can't find Windows folder.

    Navigate to a folder where Windows is normally installed.
    That'd be C:\Windows
     
  6. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    I went to HP (C:) and I found one of the folders there is WINDOWS. I went in there and it has a lot of subfolders. What shall I do?
     
  7. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Just stop at the "Windows" folder.
    Click OK or whatever accepting button you have there.
     
  8. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    Would you like me to list all these subfolders within WINDOWS folder?
     
  9. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    Sorry, posted at the same time...
     
  10. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    OK, now it's asking me the first question posted in your instructions. I'll proceed as indicated.
     
  11. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    Sorry, that wasn't the first question in your instructions, but the one that I got first is listed second in your instructions. Shall I proceed?
     
  12. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    What question is it?
     
  13. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    The first question that popped up on the infected pc is:

    Do you wish to load remote user profile(s) for scanning?

    According to your instructions, that question should be second, after "Do you wish to load the remote registry?", which I've never had so far.
     
  14. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Yes to that question.
     
  15. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    Yes, yes. I wasn't sure if it was OK that it was not following the supposed order. Now, I clicked Yes there and I got another pop-up that says:

    Select User Profile

    IUSR_NMPR
    LocalService
    NetworkService
    paulisofi
    systemprofile

    Automatically load all remaining users? (-----> this one has a checkmark to the left of it)

    OK CANCEL
     
  16. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    One more thing: the very first profile listed is the one that came highlighted.
     
  17. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Just click OK.
     
  18. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    Running the scan now...
     
  19. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    The scan has just finished running. I see the OTL.txt in Notepad, but I don't think it's been saved to C:\. I already looked for it there and didn't find it. Shall I manually save it somewhere first and then save a copy to the USB flash drive?
     
  20. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Save it straight to the USB flash drive.
     
  21. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    Here's the OTL.txt:

    OTL logfile created on: 2/12/2012 4:45:06 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 289.28 Gb Total Space | 198.80 Gb Free Space | 68.72% Space Free | Partition Type: NTFS
    Drive D: | 298.09 Gb Total Space | 288.94 Gb Free Space | 96.93% Space Free | Partition Type: NTFS
    Drive I: | 8.81 Gb Total Space | 0.85 Gb Free Space | 9.67% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2012/02/06 12:56:00 | 000,156,672 | ---- | M] (Intel Corporation ) [Auto] -- C:\WINDOWS\System32\NCUSBw32.dll -- (NecUsb3)
    SRV - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Disabled] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2011/08/19 11:26:50 | 000,450,848 | ---- | M] (Logitech Inc.) [Disabled] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
    SRV - [2011/02/28 20:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
    SRV - [2011/02/25 12:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
    SRV - [2010/09/27 17:49:10 | 000,116,104 | ---- | M] (LogMeIn, Inc.) [Disabled] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
    SRV - [2010/09/27 17:47:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Disabled] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
    SRV - [2010/05/31 14:31:10 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Disabled] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
    SRV - [2009/06/24 13:57:04 | 000,136,704 | ---- | M] (HP) [Disabled] -- C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe -- (HP LaserJet Service)
    SRV - [2008/01/19 02:33:32 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto] -- C:\WINDOWS\System32\NVXBAR.dll -- (se44mgmt)
    SRV - [2007/06/27 13:18:08 | 000,223,448 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe -- (AlertService) Intel(R)
    SRV - [2007/06/27 13:17:26 | 000,272,600 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe -- (QualityManager) Intel(R)
    SRV - [2007/06/27 13:17:12 | 000,446,680 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe -- (Remote UI Service) Intel(R)
    SRV - [2007/06/27 13:16:02 | 000,157,912 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe -- (MCLServiceATL) Intel(R)
    SRV - [2007/06/27 13:15:28 | 000,039,640 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe -- (DHTRACE) Intel(R)
    SRV - [2007/06/27 13:15:14 | 000,059,096 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe -- (ISSM) Intel(R)
    SRV - [2007/06/27 13:14:46 | 000,317,656 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe -- (NMSCore) Intel(R)
    SRV - [2007/06/27 13:13:56 | 000,268,504 | ---- | M] () [Disabled] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe -- (M1 Server) Intel(R) Viiv(TM)
    SRV - [2007/05/29 10:19:08 | 000,198,240 | ---- | M] () [Disabled] -- C:\hp\HPEZBTN\HPBtnSrv.exe -- (HPBtnSrv)
    SRV - [2007/02/12 14:46:34 | 000,208,896 | ---- | M] () [Disabled] -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe -- (DQLWinService)
    SRV - [2007/01/18 15:02:06 | 000,094,208 | ---- | M] (EMC Corporation) [Disabled] -- C:\Program Files\Retrospect\Retrospect Express HD 2.0\retrorun.exe -- (RetroExpLauncher)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
    DRV - File not found [File_System | System] -- -- (DfsC)
    DRV - File not found [Kernel | On_Demand] -- -- (catchme)
    DRV - File not found [Kernel | System] -- -- (AFD)
    DRV - [2012/02/06 03:59:00 | 000,072,192 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\drivers\tdx.sys -- (tdx)
    DRV - [2011/12/07 23:22:38 | 000,181,432 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\ssudmdm.sys -- (ssudmdm) SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.)
    DRV - [2011/12/07 23:22:38 | 000,080,184 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\ssudbus.sys -- (dg_ssudbus) SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.)
    DRV - [2011/08/19 11:26:50 | 004,334,624 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\lvuvc.sys -- (LVUVC) Logitech HD Pro Webcam C910(UVC)
    DRV - [2011/08/19 11:26:46 | 000,315,808 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\lvrs.sys -- (LVRS)
    DRV - [2011/08/19 11:26:34 | 000,022,176 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\lvbusflt.sys -- (CompFilter)
    DRV - [2011/05/03 02:43:00 | 010,525,288 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2010/11/15 02:18:42 | 000,005,632 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\IntelDH.sys -- (IntelDH)
    DRV - [2010/09/27 17:50:44 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV - [2010/05/31 14:31:12 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
    DRV - [2010/05/31 14:31:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto] -- C:\WINDOWS\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV - [2010/05/07 21:43:30 | 000,025,824 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
    DRV - [2010/03/05 18:40:57 | 000,017,408 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\mvusbews.sys -- (mvusbews)
    DRV - [2008/02/26 20:17:30 | 000,493,568 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\netr73.sys -- (netr73)
    DRV - [2008/01/19 01:14:59 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
    DRV - [2008/01/15 02:56:30 | 000,218,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
    DRV - [2007/12/18 16:18:52 | 000,039,408 | ---- | M] (Cyberlink Corp.) [Kernel | Auto] -- C:\Program Files\HP\DVDPlay\000.fcl -- ({22D78859-9CE9-4B77-BF18-AC83E81A9263})
    DRV - [2007/09/07 09:36:08 | 000,156,928 | ---- | M] (ViXS Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\xcbda.sys -- (xcbdaNtsc) ViXS Tuner Card (NTSC)
    DRV - [2007/06/27 13:17:46 | 000,014,552 | ---- | M] () [File_System | On_Demand] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys -- (TSHWMDTCP)
    DRV - [2007/05/09 05:52:26 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\XAudio.sys -- (XAudio)
    DRV - [2007/04/26 12:18:18 | 000,206,336 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\HSXHWBS3.sys -- (HSXHWBS3)
    DRV - [2007/04/26 12:17:02 | 000,984,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\HSX_DP.sys -- (HSF_DP)
    DRV - [2007/02/18 23:34:50 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\nmsunidr.sys -- (nmsunidr)
    DRV - [2005/12/12 12:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\PS2.sys -- (Ps2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




    IE - HKU\paulisofi_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    IE - HKU\paulisofi_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\System32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\System32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/09/04 20:16:19 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/06 01:34:06 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/11 02:33:04 | 000,000,000 | ---D | M]

    [2012/02/06 01:34:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/01/29 10:55:53 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/05/04 06:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2009/08/03 18:07:42 | 000,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npOGAPlugin.dll
    [2012/01/29 08:36:35 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/01/29 08:36:35 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/02/07 12:27:11 | 000,000,027 | ---- | M]) - C:\WINDOWS\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No CLSID value found.
    O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
    O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKU\paulisofi_ON_C\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O4 - HKU\IUSR_NMPR_ON_C..\Run: [Power2GoExpress] File not found
    O4 - HKU\IUSR_NMPR_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O4 - HKLM..\RunOnce: [*WerKernelReporting] C:\Windows\System32\WerFault.exe (Microsoft Corporation)
    O4 - HKLM..\RunOnce: [Launcher] C:\WINDOWS\SMINST\Launcher.exe (soft thinks)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\IUSR_NMPR_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\paulisofi_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000036 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000038 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000039 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000040 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000041 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000042 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000043 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000044 - File not found
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\img24.jpg
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\img24.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/10/17 15:38:04 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/02/12 16:03:05 | 000,000,000 | ---D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
    [2012/02/12 16:03:04 | 000,000,000 | R--D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    [2012/02/12 16:03:04 | 000,000,000 | R--D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    [2012/02/12 16:02:54 | 000,000,000 | ---D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Identities
    [2012/02/12 16:02:48 | 000,000,000 | ---D | C] -- C:\Windows\system32\config\systemprofile\AppData\Local\Temp
    [2012/02/08 15:55:06 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2012/02/08 13:52:55 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\netbt.svs
    [2012/02/07 12:34:27 | 000,000,000 | ---D | C] -- C:\Users\IUSR_NMPR\AppData\Local\temp
    [2012/02/07 12:27:15 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2012/02/07 12:23:31 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/02/07 12:23:31 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Local\temp
    [2012/02/07 11:56:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/02/07 11:56:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/02/07 11:56:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/02/07 11:56:14 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2012/02/06 23:00:38 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Desktop\shutdown right after NIS needs to be disconnected
    [2012/02/06 22:54:42 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/02/06 14:42:25 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Desktop\LOGS1
    [2012/02/06 12:56:00 | 000,156,672 | ---- | C] (Intel Corporation ) -- C:\Windows\System32\NCUSBw32.dll
    [2012/02/06 11:51:01 | 000,100,864 | ---- | C] (GMER) -- C:\pxtcypod.sys
    [2012/02/06 11:23:13 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Roaming\Malwarebytes
    [2012/02/06 11:23:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/02/06 11:23:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/02/06 11:23:04 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/02/06 11:23:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/02/06 03:57:35 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2012/02/05 23:32:37 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Documents\MISCELLANEOUS (DESKTOP)
    [2012/02/05 21:45:49 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Local\NPE
    [2012/02/05 21:42:59 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Local\LogMeIn Rescue Applet
    [2012/02/05 16:45:51 | 000,000,000 | ---D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Macromedia
    [2012/02/05 16:45:47 | 000,000,000 | ---D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe
    [2012/02/05 15:58:49 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Roaming\FixZeroAccess
    [2012/01/28 01:09:17 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Roaming\Temp
    [2012/01/28 00:33:13 | 000,000,000 | ---D | C] -- C:\Temp
    [2012/01/28 00:25:59 | 000,181,432 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\System32\drivers\ssudmdm.sys
    [2012/01/28 00:25:59 | 000,080,184 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\System32\drivers\ssudbus.sys
    [2012/01/27 23:53:54 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Desktop\SAMSUNG GALAXY S II SKYROCKET backup and other features
    [2012/01/27 23:03:17 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Local\Samsung
    [2012/01/27 23:02:59 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Documents\samsung
    [2012/01/27 22:57:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung
    [2012/01/27 22:56:52 | 004,659,712 | ---- | C] (Dmitry Streblechenko) -- C:\Windows\System32\Redemption.dll
    [2012/01/27 22:56:29 | 000,020,032 | ---- | C] (Devguru Co., Ltd) -- C:\Windows\System32\drivers\dgderdrv.sys
    [2012/01/27 22:56:29 | 000,000,000 | ---D | C] -- C:\Program Files\MarkAny
    [2012/01/27 22:56:28 | 000,821,824 | ---- | C] (Devguru Co., Ltd.) -- C:\Windows\System32\dgderapi.dll
    [2012/01/27 22:54:47 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Roaming\Samsung
    [2012/01/27 22:54:45 | 000,000,000 | ---D | C] -- C:\Program Files\Samsung
    [2012/01/27 22:54:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Samsung
    [2012/01/27 22:52:49 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Local\Downloaded Installations
    [2012/01/25 18:10:26 | 001,259,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll
    [2012/01/22 04:11:28 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Desktop\NEW CELL PHONE MANUAL

    ========== Files - Modified Within 30 Days ==========

    [2012/02/12 18:38:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/02/12 16:14:42 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/02/12 16:14:42 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/02/12 16:14:29 | 221,697,415 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2012/02/12 16:12:54 | 000,007,680 | ---- | M] () -- C:\Windows\System\svchost.exe
    [2012/02/08 16:12:58 | 000,320,120 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/02/08 13:41:40 | 000,603,516 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/02/08 13:41:40 | 000,103,586 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/02/07 12:27:11 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/02/07 12:13:29 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
    [2012/02/06 22:01:29 | 000,000,910 | ---- | M] () -- C:\Users\paulisofi\Desktop\ComboFix - Shortcut.lnk
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At9.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At7.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At5.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At47.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At45.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At43.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At41.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At39.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At37.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At35.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At33.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At31.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At3.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At29.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At27.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At25.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At23.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At21.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At19.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At17.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At15.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At13.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At11.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At1.job
    [2012/02/06 17:19:40 | 000,000,112 | ---- | M] () -- C:\ProgramData\eR42x5S0l.dat
    [2012/02/06 16:55:59 | 000,029,696 | ---- | M] () -- C:\Windows\System32\ByV7O4X.com
    [2012/02/06 14:45:32 | 000,000,574 | ---- | M] () -- C:\Users\paulisofi\Desktop\bootkit_remover - Shortcut.lnk
    [2012/02/06 14:15:26 | 000,000,876 | ---- | M] () -- C:\Users\paulisofi\Desktop\aswMBR - Shortcut.lnk
    [2012/02/06 13:01:09 | 000,103,733 | ---- | M] () -- C:\Windows\System32\itusbcore.dat
    [2012/02/06 13:01:09 | 000,000,196 | ---- | M] () -- C:\Windows\System32\itlsvc.dat
    [2012/02/06 12:56:00 | 000,156,672 | ---- | M] (Intel Corporation ) -- C:\Windows\System32\NCUSBw32.dll
    [2012/02/06 12:08:56 | 000,000,857 | ---- | M] () -- C:\Users\paulisofi\Desktop\dds - Shortcut.lnk
    [2012/02/06 11:55:18 | 000,001,229 | ---- | M] () -- C:\Users\paulisofi\Desktop\oi9st45y - Shortcut.lnk
    [2012/02/06 11:51:01 | 000,100,864 | ---- | M] (GMER) -- C:\pxtcypod.sys
    [2012/02/06 11:23:05 | 000,000,868 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/06 11:23:05 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/02/06 03:59:00 | 000,072,192 | ---- | M] () -- C:\Windows\System32\drivers\tdx.sys
    [2012/02/06 01:34:09 | 000,000,832 | ---- | M] () -- C:\Users\paulisofi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2012/02/06 01:34:08 | 000,000,820 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    [2012/02/06 01:34:08 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2012/02/06 01:15:36 | 001,272,728 | ---- | M] () -- C:\Users\paulisofi\Documents\bookmarks.html
    [2012/02/05 21:44:54 | 000,001,356 | ---- | M] () -- C:\Users\paulisofi\AppData\Local\d3d9caps.dat
    [2012/02/05 16:31:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\afd.sys_backup
    [2012/02/05 15:53:07 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
    [2012/01/27 22:57:07 | 000,001,720 | ---- | M] () -- C:\Users\paulisofi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Samsung Kies.lnk
    [2012/01/27 22:57:07 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung

    ========== Files Created - No Company Name ==========

    [2012/02/12 16:03:05 | 000,000,879 | ---- | C] () -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    [2012/02/12 16:03:03 | 000,000,874 | ---- | C] () -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
    [2012/02/12 16:02:50 | 000,000,845 | ---- | C] () -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
    [2012/02/07 12:30:01 | 000,007,680 | ---- | C] () -- C:\Windows\System\svchost.exe
    [2012/02/07 11:56:18 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/02/07 11:56:18 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/02/07 11:56:18 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/02/07 11:56:18 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/02/07 11:56:18 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/02/06 22:01:29 | 000,000,910 | ---- | C] () -- C:\Users\paulisofi\Desktop\ComboFix - Shortcut.lnk
    [2012/02/06 16:56:27 | 000,000,112 | ---- | C] () -- C:\ProgramData\eR42x5S0l.dat
    [2012/02/06 16:56:26 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At47.job
    [2012/02/06 16:56:25 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At45.job
    [2012/02/06 16:56:24 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At43.job
    [2012/02/06 16:56:23 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At41.job
    [2012/02/06 16:56:22 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At39.job
    [2012/02/06 16:56:21 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At37.job
    [2012/02/06 16:56:20 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At35.job
    [2012/02/06 16:56:19 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At33.job
    [2012/02/06 16:56:18 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At31.job
    [2012/02/06 16:56:17 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At29.job
    [2012/02/06 16:56:16 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At27.job
    [2012/02/06 16:56:16 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At25.job
    [2012/02/06 16:56:15 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At23.job
    [2012/02/06 16:56:14 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At21.job
    [2012/02/06 16:56:13 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At19.job
    [2012/02/06 16:56:12 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At17.job
    [2012/02/06 16:56:11 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At15.job
    [2012/02/06 16:56:10 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At13.job
    [2012/02/06 16:56:08 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At11.job
    [2012/02/06 16:56:07 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At9.job
    [2012/02/06 16:56:05 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At7.job
    [2012/02/06 16:56:03 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At5.job
    [2012/02/06 16:56:02 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At3.job
    [2012/02/06 16:56:00 | 000,029,696 | ---- | C] () -- C:\Windows\System32\ByV7O4X.com
    [2012/02/06 16:56:00 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At1.job
    [2012/02/06 14:45:32 | 000,000,574 | ---- | C] () -- C:\Users\paulisofi\Desktop\bootkit_remover - Shortcut.lnk
    [2012/02/06 14:15:26 | 000,000,876 | ---- | C] () -- C:\Users\paulisofi\Desktop\aswMBR - Shortcut.lnk
    [2012/02/06 13:01:09 | 000,103,733 | ---- | C] () -- C:\Windows\System32\itusbcore.dat
    [2012/02/06 13:01:09 | 000,000,196 | ---- | C] () -- C:\Windows\System32\itlsvc.dat
    [2012/02/06 12:08:56 | 000,000,857 | ---- | C] () -- C:\Users\paulisofi\Desktop\dds - Shortcut.lnk
    [2012/02/06 11:52:35 | 000,001,229 | ---- | C] () -- C:\Users\paulisofi\Desktop\oi9st45y - Shortcut.lnk
    [2012/02/06 11:23:05 | 000,000,868 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/06 01:34:08 | 000,000,832 | ---- | C] () -- C:\Users\paulisofi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2012/02/06 01:34:08 | 000,000,808 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2012/02/06 01:34:07 | 000,000,820 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    [2012/02/06 01:15:36 | 001,272,728 | ---- | C] () -- C:\Users\paulisofi\Documents\bookmarks.html
    [2012/02/05 16:34:12 | 221,697,415 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2012/02/05 15:54:03 | 000,000,000 | -HS- | C] () -- C:\Windows\System32\dds_trash_log.cmd
    [2012/01/27 22:57:06 | 000,001,720 | ---- | C] () -- C:\Users\paulisofi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Samsung Kies.lnk
    [2011/09/16 14:54:48 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
    [2011/09/16 14:54:44 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
    [2011/09/16 14:54:44 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
    [2011/09/16 14:54:44 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
    [2011/09/16 14:54:44 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll
    [2011/08/19 11:26:20 | 010,898,456 | ---- | C] () -- C:\Windows\System32\LogiDPP.dll
    [2011/08/19 11:26:20 | 000,336,408 | ---- | C] () -- C:\Windows\System32\DevManagerCore.dll
    [2011/08/19 11:26:20 | 000,104,472 | ---- | C] () -- C:\Windows\System32\LogiDPPApp.exe
    [2011/08/15 02:43:55 | 000,001,356 | ---- | C] () -- C:\Users\paulisofi\AppData\Local\d3d9caps.dat
    [2011/08/12 14:20:14 | 000,015,896 | ---- | C] () -- C:\Windows\System32\drivers\iKeyLFT2.dll
    [2011/07/26 08:48:54 | 000,028,418 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
    [2011/06/25 17:40:58 | 000,005,632 | ---- | C] () -- C:\Users\paulisofi\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/06/15 21:28:01 | 000,000,000 | ---- | C] () -- C:\Windows\System32\drivers\afd.sys_backup
    [2011/05/29 17:54:24 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2011/01/21 03:35:05 | 000,284,160 | ---- | C] () -- C:\Windows\System32\mvhlewsi.DLL
    [2010/12/21 16:55:46 | 000,023,103 | ---- | C] () -- C:\Windows\hpqins15.dat.temp
    [2010/11/22 22:53:27 | 000,023,128 | ---- | C] () -- C:\Windows\hpqins15.dat
    [2010/11/22 22:21:29 | 000,081,920 | ---- | C] () -- C:\Windows\System32\mvusbews.dll
    [2010/11/14 20:07:04 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2010/11/14 18:58:20 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2010/11/14 18:58:20 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2010/11/14 18:57:55 | 000,072,192 | ---- | C] () -- C:\Windows\System32\drivers\tdx.sys
    [2010/05/07 21:43:30 | 000,025,824 | ---- | C] () -- C:\Windows\System32\drivers\LVPr2Mon.sys
    [2009/08/03 18:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
    [2009/08/03 18:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
    [2009/04/01 13:48:16 | 000,053,478 | ---- | C] () -- C:\Windows\mvtcpui.ini
    [2007/10/17 15:34:20 | 000,107,026 | ---- | C] () -- C:\Windows\hpqins13.dat
    [2007/10/17 15:18:24 | 000,061,440 | ---- | C] () -- C:\Windows\System32\OsdRemove.exe
    [2007/10/17 15:15:59 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom25.dll
    [2007/10/17 15:15:59 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes25.dll
    [2006/11/02 08:02:10 | 000,000,680 | ---- | C] () -- C:\Windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
    [2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 07:47:37 | 000,320,120 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 05:33:01 | 000,603,516 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 05:33:01 | 000,103,586 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
    [2006/06/23 13:09:34 | 000,019,968 | R--- | C] () -- C:\Windows\System32\cpuinf32.dll

    ========== LOP Check ==========

    [2012/02/05 15:58:49 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\FixZeroAccess
    [2011/02/11 12:39:33 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\Leadertech
    [2011/06/05 22:08:20 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\mjusbsp
    [2012/01/27 22:54:47 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\Samsung
    [2011/02/04 13:12:15 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\Snapfish
    [2012/01/28 01:09:17 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\Temp
    [2010/11/14 23:08:40 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\WinBatch
    [2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
    [2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
    [2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
    [2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
    [2010/11/20 20:30:25 | 000,000,000 | ---D | M] -- C:\ProgramData\LogMeIn
    [2011/03/29 17:57:17 | 000,000,000 | ---D | M] -- C:\ProgramData\magicJack
    [2007/10/17 15:37:34 | 000,000,000 | ---D | M] -- C:\ProgramData\muvee Technologies
    [2007/10/17 15:43:11 | 000,000,000 | ---D | M] -- C:\ProgramData\PC-Doctor
    [2010/11/17 15:34:45 | 000,000,000 | ---D | M] -- C:\ProgramData\RetroExp
    [2012/01/27 22:57:27 | 000,000,000 | ---D | M] -- C:\ProgramData\Samsung
    [2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
    [2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
    [2011/12/09 19:55:53 | 000,000,000 | ---D | M] -- C:\ProgramData\WebEx
    [2007/10/17 15:34:12 | 000,000,000 | ---D | M] -- C:\ProgramData\WildTangent
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At1.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At11.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At13.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At15.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At17.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At19.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At21.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At23.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At25.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At27.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At29.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At3.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At31.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At33.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At35.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At37.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At39.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At41.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At43.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At45.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At47.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At5.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At7.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At9.job
    [2012/02/12 16:14:44 | 000,032,606 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========


    < End of report >
     
  22. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    [2012/02/07 12:13:29 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
    [2012/02/06 17:19:40 | 000,000,112 | ---- | M] () -- C:\ProgramData\eR42x5S0l.dat
    [2012/02/06 16:55:59 | 000,029,696 | ---- | M] () -- C:\Windows\System32\ByV7O4X.com
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No CLSID value found.
    O3 - HKU\paulisofi_ON_C\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\tasks\At*.job
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Attempt to reboot normally into Windows.
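    As an added triage example (editor-supplied code, not part of this thread, of OTL or of OTLPE), the Python below parses report lines in the OTL format shown above and flags the three patterns the fix script targets: an svchost.exe outside System32, random-named files with no company name in System32 or ProgramData, and a burst of identically sized At*.job tasks created within seconds. The sample lines are copied from the posted report; the name heuristic and the thresholds are this example's own assumptions.

```python
import re
from datetime import datetime

# One OTL report line: [YYYY/MM/DD HH:MM:SS | size | attrs | C-or-M] (Company) -- path
# Directory entries ("---D") carry no "(Company)" field, so that group is optional.
ENTRY = re.compile(
    r"^\s*\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)
# Assumed heuristic: a random-looking name is 7-10 alphanumerics mixing digits, lower and upper case.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{7,10}\.(com|exe|dat|dll)$")
AT_JOB = re.compile(r"\\Windows\\Tasks\\At\d+\.job$", re.IGNORECASE)

# Constructed sample input: eleven lines copied from the OTL report posted in this thread.
SAMPLE = r"""
    [2012/02/12 16:12:54 | 000,007,680 | ---- | M] () -- C:\Windows\System\svchost.exe
    [2012/02/06 17:19:40 | 000,000,112 | ---- | M] () -- C:\ProgramData\eR42x5S0l.dat
    [2012/02/06 16:55:59 | 000,029,696 | ---- | M] () -- C:\Windows\System32\ByV7O4X.com
    [2012/02/06 12:56:00 | 000,156,672 | ---- | M] (Intel Corporation ) -- C:\Windows\System32\NCUSBw32.dll
    [2012/02/06 11:23:05 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/02/06 16:56:26 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At47.job
    [2012/02/06 16:56:16 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At27.job
    [2012/02/06 16:56:08 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At11.job
    [2012/02/06 16:56:03 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At5.job
    [2012/02/06 16:56:00 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At1.job
    [2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At1.job
"""

def parse(lines):
    """Return one dict per line in OTL entry format; other lines are skipped."""
    entries = []
    for line in lines:
        m = ENTRY.match(line)
        if m:
            entries.append({
                "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "size": int(m["size"].replace(",", "")),
                "attrs": m["attrs"],
                "company": (m["company"] or "").strip(),
                "path": m["path"],
            })
    return entries

def triage(entries, min_jobs=5, window_s=120):
    """Flag the patterns the fix script targets; returns a list of (reason, path)."""
    findings, at_jobs = [], {}
    for e in entries:
        parent, _, name = e["path"].rpartition("\\")
        parent = parent.lower()
        if name.lower() == "svchost.exe" and not parent.endswith(("\\system32", "\\syswow64")):
            findings.append(("svchost.exe outside System32", e["path"]))
        elif AT_JOB.search(e["path"]):
            key = e["path"].lower()  # keep the earliest (creation) timestamp per task file
            if key not in at_jobs or e["ts"] < at_jobs[key]["ts"]:
                at_jobs[key] = e
        elif not e["company"] and RANDOM_NAME.match(name) and parent in ("c:\\windows\\system32", "c:\\programdata"):
            findings.append(("random-named file with no company name", e["path"]))
    jobs = sorted(at_jobs.values(), key=lambda e: e["ts"])
    if len(jobs) >= min_jobs:
        span = int((jobs[-1]["ts"] - jobs[0]["ts"]).total_seconds())
        if span <= window_s and len({e["size"] for e in jobs}) == 1:
            findings.append((f"burst of {len(jobs)} identical At*.job tasks created within {span}s", r"C:\Windows\Tasks\At*.job"))
    return findings

def triage_sample():
    return triage(parse(SAMPLE.splitlines()))

if __name__ == "__main__":
    for reason, path in triage_sample():
        print(f"{reason}: {path}")
```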
     
  23. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    All right.
     
  24. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    I did as instructed. I clicked Run Fix and it only took about a split second to do it. I'm not sure what "run unhindered" means.
     
  25. paulisofi

    paulisofi TS Rookie Topic Starter Posts: 145

    New log:

    ========== OTL ==========
    C:\WINDOWS\System32\dds_trash_log.cmd moved successfully.
    C:\ProgramData\eR42x5S0l.dat moved successfully.
    C:\WINDOWS\System32\ByV7O4X.com moved successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\ not found.
    Registry value HKEY_USERS\paulisofi_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Windows\tasks\At1.job moved successfully.
    C:\Windows\tasks\At11.job moved successfully.
    C:\Windows\tasks\At13.job moved successfully.
    C:\Windows\tasks\At15.job moved successfully.
    C:\Windows\tasks\At17.job moved successfully.
    C:\Windows\tasks\At19.job moved successfully.
    C:\Windows\tasks\At21.job moved successfully.
    C:\Windows\tasks\At23.job moved successfully.
    C:\Windows\tasks\At25.job moved successfully.
    C:\Windows\tasks\At27.job moved successfully.
    C:\Windows\tasks\At29.job moved successfully.
    C:\Windows\tasks\At3.job moved successfully.
    C:\Windows\tasks\At31.job moved successfully.
    C:\Windows\tasks\At33.job moved successfully.
    C:\Windows\tasks\At35.job moved successfully.
    C:\Windows\tasks\At37.job moved successfully.
    C:\Windows\tasks\At39.job moved successfully.
    C:\Windows\tasks\At41.job moved successfully.
    C:\Windows\tasks\At43.job moved successfully.
    C:\Windows\tasks\At45.job moved successfully.
    C:\Windows\tasks\At47.job moved successfully.
    C:\Windows\tasks\At5.job moved successfully.
    C:\Windows\tasks\At7.job moved successfully.
    C:\Windows\tasks\At9.job moved successfully.
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 02122012_171832


    I haven't rebooted yet (with the created DVD). Shall I do that now and then there will be another log that I need to post? Or after rebooting from the created DVD, I need to remove the DVD and then shut down completely and then attempt to reboot normally into Windows?
     

