TechSpot

Trying to remove Redirect virus

Solved
By KerryP
May 19, 2011
  1. I am running windows 7 with AVG 2011. I have been having trouble getting rid of redirect and also have a radio program that has begun running in the backround.
    I went through your preliminary malware removal, but it's still there.
    Here is the scans.
    Malware bytes scan
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6619

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8080.16413

    5/19/2011 1:11:28 PM
    mbam-log-2011-05-19 (13-11-28).txt

    Scan type: Quick scan
    Objects scanned: 161286
    Time elapsed: 10 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 4
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\program files\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Installr\setups (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Files Infected:
    c:\Users\Kerry\AppData\Local\Temp\-213E8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Kerry\AppData\Local\Temp\1363E8.tmp (Trojan.Agent) -> Delete on reboot.
    c:\Users\Kerry\AppData\Local\Temp\tmp9C31.tmp (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
    c:\Users\Kerry\AppData\Local\Temp\Low\tmp8F85.tmp (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Installr\1.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Installr\1.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files\funwebproducts\Installr\1.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    GMER scan
    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit quick scan 2011-05-19 13:56:58
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHW2120BH rev.00850012
    Running: xehykbcq.exe; Driver: C:\Users\Kerry\AppData\Local\Temp\fgloqpob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:252] 85E1FE7A
    Thread System [4:256] 85E22008

    ---- EOF - GMER 1.0.15 ----

    DDS Scan
    .
    DDS (Ver_11-05-19.01) - NTFSx86
    Internet Explorer: 9.0.8080.16413
    Run by Kerry at 14:01:11 on 2011-05-19
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1918.822 [GMT -7:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Common Files\Steam\SteamService.exe
    C:\Windows\system32\DllHost.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Kerry\Downloads\dds.scr
    C:\Windows\system32\WSCRIPT.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.google.com/
    uWindow Title = Windows Internet Explorer provided by Qwest
    uDefault_Page_URL = hxxp://qwest.live.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Google Sidewiki...
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    Trusted Zone: intuit.com\ttlc
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2010-12-15 1085440]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-7 947528]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-25 52224]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-24 1343400]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-27 136176]
    .
    =============== Created Last 30 ================
    .
    2011-05-19 19:58:24 -------- d-----w- c:\users\kerry\appdata\roaming\Malwarebytes
    2011-05-19 19:58:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-19 19:58:15 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-19 19:58:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-19 18:30:58 -------- d-----w- c:\programdata\Common Toolkit Suite
    2011-05-18 22:44:45 -------- d-----w- c:\program files\common files\PX Storage Engine
    2011-05-18 22:42:31 -------- d-----w- c:\program files\DivX
    2011-05-18 22:41:16 -------- d-----w- c:\programdata\DivX
    2011-05-16 00:58:07 -------- d-----w- c:\users\kerry\appdata\roaming\uPlayer
    2011-05-16 00:58:07 -------- d-----w- c:\program files\uPlayer
    2011-05-08 02:40:36 -------- d-----w- c:\windows\system32\Adobe
    2011-04-21 17:28:27 -------- d-----w- c:\users\kerry\appdata\roaming\Gmail Notifier
    2011-04-21 17:28:22 -------- d-----w- c:\program files\Gmail Notifier
    .
    ==================== Find3M ====================
    .
    2011-04-15 04:28:30 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
    2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr
    2011-04-05 07:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-03-26 15:13:29 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
    2011-03-16 23:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2011-02-25 17:14:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-02-22 15:12:50 22992 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    2011-02-19 06:30:54 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-19 06:30:51 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-19 06:30:50 739840 ----a-w- c:\windows\system32\d2d1.dll
    .
    ============= FINISH: 14:01:49.01 ===============

    Any help would be greatly appreciated, as I have very little experience with these types of issues.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start scan:
    [​IMG]

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:
    [​IMG]
     
  3. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    aswMBR log

    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-19 18:14:59
    -----------------------------
    18:14:59.606 OS Version: Windows 6.1.7601 Service Pack 1
    18:14:59.606 Number of processors: 2 586 0x4802
    18:14:59.606 ComputerName: KERRY-PC UserName: Kerry
    18:15:15.021 Initialize success
    18:15:28.047 The log file has been saved successfully to "C:\Users\Kerry\Desktop\aswMBR.txt"


    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-19 18:17:19
    -----------------------------
    18:17:19.137 OS Version: Windows 6.1.7601 Service Pack 1
    18:17:19.137 Number of processors: 2 586 0x4802
    18:17:19.152 ComputerName: KERRY-PC UserName: Kerry
    18:17:19.901 Initialize success
    18:17:21.898 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    18:17:21.898 Disk 0 Vendor: FUJITSU_MHW2120BH 00850012 Size: 114473MB BusType: 3
    18:17:23.942 Disk 0 MBR read successfully
    18:17:23.942 Disk 0 MBR scan
    18:17:23.942 Disk 0 Windows 7 default MBR code
    18:17:25.954 Disk 0 scanning sectors +234436545
    18:17:25.985 Disk 0 scanning C:\Windows\system32\drivers
    18:17:32.274 Service scanning
    18:17:33.757 Disk 0 trace - called modules:
    18:17:33.772 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85e551ed]<<
    18:17:33.788 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85d5c8c0]
    18:17:33.788 3 CLASSPNP.SYS[889a559e] -> nt!IofCallDriver -> [0x8591c918]
    18:17:33.788 5 ACPI.sys[833a23d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84fc3908]
    18:17:33.803 \Driver\atapi[0x858ee718] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x85e551ed
    18:17:33.803 Scan finished successfully
    18:20:58.027 Disk 0 MBR has been saved successfully to "C:\Users\Kerry\Desktop\MBR.dat"
    18:20:58.043 The log file has been saved successfully to "C:\Users\Kerry\Desktop\aswMBR.txt"
     
  4. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    That looks good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    Combofix log

    ComboFix 11-05-18.04 - Kerry 05/19/2011 19:09:13.2.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1918.1340 [GMT -7:00]
    Running from: c:\users\Kerry\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-20 02:17 . 2011-05-20 02:17 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-05-20 02:17 . 2011-05-20 02:17 -------- d-----w- c:\users\Matthew\AppData\Local\temp
    2011-05-20 02:17 . 2011-05-20 02:17 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-05-19 23:44 . 2011-05-19 23:44 2 --shatr- c:\windows\winstart.bat
    2011-05-19 23:43 . 2011-05-19 23:51 -------- d-----w- c:\program files\UnHackMe
    2011-05-19 22:42 . 2011-05-18 19:37 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D98E507A-4CE4-4D25-9BA4-8EEC479BADA4}\mpengine.dll
    2011-05-19 22:39 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-19 22:39 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-05-19 22:39 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-19 22:39 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-19 22:39 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-19 22:39 . 2011-05-10 11:59 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-05-19 22:39 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-19 22:39 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-19 22:38 . 2011-05-19 22:38 -------- d-----w- c:\programdata\AVAST Software
    2011-05-19 22:38 . 2011-05-19 22:38 -------- d-----w- c:\program files\AVAST Software
    2011-05-19 22:30 . 2011-05-20 02:17 -------- d-----w- c:\users\Kerry\AppData\Local\temp
    2011-05-19 19:58 . 2011-05-19 19:58 -------- d-----w- c:\users\Kerry\AppData\Roaming\Malwarebytes
    2011-05-19 19:58 . 2011-05-19 19:58 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-19 18:30 . 2011-05-19 18:30 -------- d-----w- c:\programdata\Common Toolkit Suite
    2011-05-18 22:45 . 2011-05-18 22:45 -------- d-----w- c:\users\Kerry\AppData\Roaming\DivX
    2011-05-18 22:44 . 2011-05-18 22:54 -------- d-----w- c:\program files\Common Files\PX Storage Engine
    2011-05-18 22:42 . 2011-05-18 22:54 -------- d-----w- c:\program files\DivX
    2011-05-18 22:41 . 2011-05-18 22:54 -------- d-----w- c:\programdata\DivX
    2011-05-16 00:58 . 2011-05-16 00:58 -------- d-----w- c:\users\Kerry\AppData\Roaming\uPlayer
    2011-05-16 00:58 . 2011-05-16 00:58 -------- d-----w- c:\program files\uPlayer
    2011-05-08 02:40 . 2011-05-08 02:43 -------- d-----w- c:\windows\system32\Adobe
    2011-04-21 17:28 . 2011-05-19 13:39 -------- d-----w- c:\users\Kerry\AppData\Roaming\Gmail Notifier
    2011-04-21 17:28 . 2011-04-21 17:28 -------- d-----w- c:\program files\Gmail Notifier
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
    2011-03-26 15:13 . 2011-03-26 15:13 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
    2011-03-11 18:02 . 2011-03-11 18:02 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-03-11 18:02 . 2011-03-11 18:02 161280 ----a-w- c:\windows\system32\msls31.dll
    2011-03-11 18:02 . 2011-03-11 18:02 1125376 ----a-w- c:\windows\system32\wininet.dll
    2011-03-11 18:02 . 2011-03-11 18:02 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-03-11 18:02 . 2011-03-11 18:02 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-03-11 18:02 . 2011-03-11 18:02 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-03-11 18:02 . 2011-03-11 18:02 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-03-11 18:02 . 2011-03-11 18:02 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-03-11 18:02 . 2011-03-11 18:02 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-03-11 18:02 . 2011-03-11 18:02 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-11 18:02 . 2011-03-11 18:02 367104 ----a-w- c:\windows\system32\html.iec
    2011-03-11 18:02 . 2011-03-11 18:02 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-03-11 18:02 . 2011-03-11 18:02 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-03-11 18:02 . 2011-03-11 18:02 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-03-11 18:02 . 2011-03-11 18:02 1426432 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-03-11 18:02 . 2011-03-11 18:02 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-03-11 18:02 . 2011-03-11 18:02 2382336 ----a-w- c:\windows\system32\mshtml.tlb
    2011-03-11 18:02 . 2011-03-11 18:02 1791488 ----a-w- c:\windows\system32\jscript9.dll
    2011-03-11 18:02 . 2011-03-11 18:02 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-03-11 18:02 . 2011-03-11 18:02 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-03-11 18:02 . 2011-03-11 18:02 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-03-10 16:51 . 2011-02-25 17:30 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-03-01 06:45 . 2011-02-25 03:35 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2011-02-28 18:39 . 2011-02-24 04:48 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2011-02-25 17:14 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-02-25 03:33 . 2011-02-25 03:33 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2011-02-25 03:33 . 2011-02-25 03:33 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2011-02-24 04:48 . 2011-02-24 04:48 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2011-02-24 04:48 . 2011-02-24 04:48 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-02-19 06:30 . 2011-03-09 14:52 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-19 06:30 . 2011-03-09 14:52 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-19 06:30 . 2011-03-09 14:52 739840 ----a-w- c:\windows\system32\d2d1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux4"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-10-19 02:27 136176 ----atw- c:\users\Kerry\AppData\Local\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2011-04-03 02:08 1242448 ----a-w- c:\program files\Steam\Steam.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 AVFSFilter;AVFSFilter;c:\windows\system32\DRIVERS\avfsfilter.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-24 1343400]
    R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 136176]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 16:21]
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 16:21]
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3645143618-988177714-1403921235-1000Core.job
    - c:\users\Kerry\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-28 02:27]
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3645143618-988177714-1403921235-1000UA.job
    - c:\users\Kerry\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-28 02:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki...
    Trusted Zone: intuit.com\ttlc
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3645143618-988177714-1403921235-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:14,8b,55,2e,df,2a,bc,05,a7,6f,de,61,7c,af,41,54,d6,f9,1d,d5,e5,31,cd,
    07,d3,ed,ae,dc,e6,f3,9c,22,7a,32,05,9c,7b,6b,8e,47,6b,6a,30,70,32,5d,34,de,\
    "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
    .
    [HKEY_USERS\S-1-5-21-3645143618-988177714-1403921235-1000\Software\SecuROM\License information*]
    "datasecu"=hex:f6,07,43,24,c8,f2,b0,1a,38,8f,0b,1d,c6,fe,0c,65,e5,ba,c4,d6,b5,
    fa,66,30,b0,e3,c9,9b,7c,e5,80,46,a9,39,ea,34,e5,88,58,c3,c0,99,1a,65,df,b6,\
    "rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-05-19 19:20:54
    ComboFix-quarantined-files.txt 2011-05-20 02:20
    ComboFix2.txt 2011-05-19 22:29
    .
    Pre-Run: 16,403,591,168 bytes free
    Post-Run: 15,895,220,224 bytes free
    .
    - - End Of File - - 84ACE3F0ADEFF4CFFED84DF8D69ABB24
     
  6. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    I can see, you ran Combofix twice (why?)

    Navigate to C:\Qoobox folder and post the content of ComboFix2.txt log.
     
  7. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    OOPs, I hadn't intended to.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Navigate to C:\Qoobox folder and post the content of ComboFix2.txt log.
     
  9. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    ComboFix 11-05-17.01 - Kerry 05/19/2011 15:21:28.1.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1918.1414 [GMT -7:00]
    Running from: c:\users\Kerry\Downloads\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-19 22:27 . 2011-05-19 22:28 -------- d-----w- c:\users\Kerry\AppData\Local\temp
    2011-05-19 22:27 . 2011-05-19 22:27 -------- d-----w- c:\users\Matthew\AppData\Local\temp
    2011-05-19 22:27 . 2011-05-19 22:27 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-05-19 19:58 . 2011-05-19 19:58 -------- d-----w- c:\users\Kerry\AppData\Roaming\Malwarebytes
    2011-05-19 19:58 . 2011-05-19 19:58 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-19 19:58 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-19 19:58 . 2011-05-19 19:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-19 18:30 . 2011-05-19 18:30 -------- d-----w- c:\programdata\Common Toolkit Suite
    2011-05-18 22:45 . 2011-05-18 22:45 -------- d-----w- c:\users\Kerry\AppData\Roaming\DivX
    2011-05-18 22:44 . 2011-05-18 22:54 -------- d-----w- c:\program files\Common Files\PX Storage Engine
    2011-05-18 22:42 . 2011-05-18 22:54 -------- d-----w- c:\program files\DivX
    2011-05-18 22:41 . 2011-05-18 22:54 -------- d-----w- c:\programdata\DivX
    2011-05-16 00:58 . 2011-05-16 00:58 -------- d-----w- c:\users\Kerry\AppData\Roaming\uPlayer
    2011-05-16 00:58 . 2011-05-16 00:58 -------- d-----w- c:\program files\uPlayer
    2011-05-15 19:51 . 2011-05-15 19:51 -------- d-----w- c:\program files\Microsoft Silverlight
    2011-05-08 02:40 . 2011-05-08 02:43 -------- d-----w- c:\windows\system32\Adobe
    2011-04-21 17:28 . 2011-05-19 13:39 -------- d-----w- c:\users\Kerry\AppData\Roaming\Gmail Notifier
    2011-04-21 17:28 . 2011-04-21 17:28 -------- d-----w- c:\program files\Gmail Notifier
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
    2011-03-26 15:13 . 2011-03-26 15:13 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
    2011-03-11 18:02 . 2011-03-11 18:02 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-03-11 18:02 . 2011-03-11 18:02 161280 ----a-w- c:\windows\system32\msls31.dll
    2011-03-11 18:02 . 2011-03-11 18:02 1125376 ----a-w- c:\windows\system32\wininet.dll
    2011-03-11 18:02 . 2011-03-11 18:02 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-03-11 18:02 . 2011-03-11 18:02 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-03-11 18:02 . 2011-03-11 18:02 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-03-11 18:02 . 2011-03-11 18:02 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-03-11 18:02 . 2011-03-11 18:02 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-03-11 18:02 . 2011-03-11 18:02 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-03-11 18:02 . 2011-03-11 18:02 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-11 18:02 . 2011-03-11 18:02 367104 ----a-w- c:\windows\system32\html.iec
    2011-03-11 18:02 . 2011-03-11 18:02 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-03-11 18:02 . 2011-03-11 18:02 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-03-11 18:02 . 2011-03-11 18:02 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-03-11 18:02 . 2011-03-11 18:02 1426432 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-03-11 18:02 . 2011-03-11 18:02 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-03-11 18:02 . 2011-03-11 18:02 2382336 ----a-w- c:\windows\system32\mshtml.tlb
    2011-03-11 18:02 . 2011-03-11 18:02 1791488 ----a-w- c:\windows\system32\jscript9.dll
    2011-03-11 18:02 . 2011-03-11 18:02 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-03-11 18:02 . 2011-03-11 18:02 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-03-11 18:02 . 2011-03-11 18:02 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-03-10 16:51 . 2011-02-25 17:30 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-03-01 06:45 . 2011-02-25 03:35 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2011-02-28 18:39 . 2011-02-24 04:48 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2011-02-25 17:14 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-02-25 03:33 . 2011-02-25 03:33 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2011-02-25 03:33 . 2011-02-25 03:33 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2011-02-24 04:48 . 2011-02-24 04:48 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2011-02-24 04:48 . 2011-02-24 04:48 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-02-19 06:30 . 2011-03-09 14:52 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-19 06:30 . 2011-03-09 14:52 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-19 06:30 . 2011-03-09 14:52 739840 ----a-w- c:\windows\system32\d2d1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\Steam.exe" [2011-04-03 1242448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux4"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-10-19 02:27 136176 ----atw- c:\users\Kerry\AppData\Local\Google\Update\GoogleUpdate.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 AVFSFilter;AVFSFilter;c:\windows\system32\DRIVERS\avfsfilter.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-24 1343400]
    R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 136176]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [2010-12-15 1085440]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 16:21]
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 16:21]
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3645143618-988177714-1403921235-1000Core.job
    - c:\users\Kerry\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-28 02:27]
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3645143618-988177714-1403921235-1000UA.job
    - c:\users\Kerry\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-28 02:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki...
    Trusted Zone: intuit.com\ttlc
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3645143618-988177714-1403921235-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:14,8b,55,2e,df,2a,bc,05,a7,6f,de,61,7c,af,41,54,d6,f9,1d,d5,e5,31,cd,
    07,d3,ed,ae,dc,e6,f3,9c,22,7a,32,05,9c,7b,6b,8e,47,6b,6a,30,70,32,5d,34,de,\
    "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
    .
    [HKEY_USERS\S-1-5-21-3645143618-988177714-1403921235-1000\Software\SecuROM\License information*]
    "datasecu"=hex:f6,07,43,24,c8,f2,b0,1a,38,8f,0b,1d,c6,fe,0c,65,e5,ba,c4,d6,b5,
    fa,66,30,b0,e3,c9,9b,7c,e5,80,46,a9,39,ea,34,e5,88,58,c3,c0,99,1a,65,df,b6,\
    "rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-05-19 15:29:58
    ComboFix-quarantined-files.txt 2011-05-19 22:29
    .
    Pre-Run: 16,817,369,088 bytes free
    Post-Run: 16,419,893,248 bytes free
    .
    - - End Of File - - 8BCD4E38B25E90F7CB57E043E1CF096D
     
  10. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\winstart.bat
    
    
    DDS::
    uInternet Settings,ProxyOverride = <local>
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  11. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    ComboFix 11-05-18.04 - Kerry 05/19/2011 20:05:46.3.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1918.1099 [GMT -7:00]
    Running from: c:\users\Kerry\Downloads\ComboFix.exe
    Command switches used :: c:\users\Kerry\Desktop\CFScript - Shortcut.lnk
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-20 03:11 . 2011-05-20 03:11 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-05-20 03:11 . 2011-05-20 03:11 -------- d-----w- c:\users\Matthew\AppData\Local\temp
    2011-05-20 03:11 . 2011-05-20 03:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-05-19 23:44 . 2011-05-19 23:44 2 --shatr- c:\windows\winstart.bat
    2011-05-19 23:43 . 2011-05-19 23:51 -------- d-----w- c:\program files\UnHackMe
    2011-05-19 22:42 . 2011-05-18 19:37 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D98E507A-4CE4-4D25-9BA4-8EEC479BADA4}\mpengine.dll
    2011-05-19 22:39 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-19 22:39 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-05-19 22:39 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-19 22:39 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-19 22:39 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-19 22:39 . 2011-05-10 11:59 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-05-19 22:39 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-19 22:39 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-19 22:38 . 2011-05-19 22:38 -------- d-----w- c:\programdata\AVAST Software
    2011-05-19 22:38 . 2011-05-19 22:38 -------- d-----w- c:\program files\AVAST Software
    2011-05-19 22:30 . 2011-05-20 03:11 -------- d-----w- c:\users\Kerry\AppData\Local\temp
    2011-05-19 19:58 . 2011-05-19 19:58 -------- d-----w- c:\users\Kerry\AppData\Roaming\Malwarebytes
    2011-05-19 19:58 . 2011-05-19 19:58 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-19 18:30 . 2011-05-19 18:30 -------- d-----w- c:\programdata\Common Toolkit Suite
    2011-05-18 22:45 . 2011-05-18 22:45 -------- d-----w- c:\users\Kerry\AppData\Roaming\DivX
    2011-05-18 22:44 . 2011-05-18 22:54 -------- d-----w- c:\program files\Common Files\PX Storage Engine
    2011-05-18 22:42 . 2011-05-18 22:54 -------- d-----w- c:\program files\DivX
    2011-05-18 22:41 . 2011-05-18 22:54 -------- d-----w- c:\programdata\DivX
    2011-05-16 00:58 . 2011-05-16 00:58 -------- d-----w- c:\users\Kerry\AppData\Roaming\uPlayer
    2011-05-16 00:58 . 2011-05-16 00:58 -------- d-----w- c:\program files\uPlayer
    2011-05-08 02:40 . 2011-05-08 02:43 -------- d-----w- c:\windows\system32\Adobe
    2011-04-21 17:28 . 2011-05-20 02:26 -------- d-----w- c:\users\Kerry\AppData\Roaming\Gmail Notifier
    2011-04-21 17:28 . 2011-04-21 17:28 -------- d-----w- c:\program files\Gmail Notifier
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
    2011-03-26 15:13 . 2011-03-26 15:13 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
    2011-03-11 18:02 . 2011-03-11 18:02 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-03-11 18:02 . 2011-03-11 18:02 161280 ----a-w- c:\windows\system32\msls31.dll
    2011-03-11 18:02 . 2011-03-11 18:02 1125376 ----a-w- c:\windows\system32\wininet.dll
    2011-03-11 18:02 . 2011-03-11 18:02 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-03-11 18:02 . 2011-03-11 18:02 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-03-11 18:02 . 2011-03-11 18:02 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-03-11 18:02 . 2011-03-11 18:02 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-03-11 18:02 . 2011-03-11 18:02 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-03-11 18:02 . 2011-03-11 18:02 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-03-11 18:02 . 2011-03-11 18:02 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-11 18:02 . 2011-03-11 18:02 367104 ----a-w- c:\windows\system32\html.iec
    2011-03-11 18:02 . 2011-03-11 18:02 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-03-11 18:02 . 2011-03-11 18:02 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-03-11 18:02 . 2011-03-11 18:02 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-03-11 18:02 . 2011-03-11 18:02 1426432 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-03-11 18:02 . 2011-03-11 18:02 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-03-11 18:02 . 2011-03-11 18:02 2382336 ----a-w- c:\windows\system32\mshtml.tlb
    2011-03-11 18:02 . 2011-03-11 18:02 1791488 ----a-w- c:\windows\system32\jscript9.dll
    2011-03-11 18:02 . 2011-03-11 18:02 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-03-11 18:02 . 2011-03-11 18:02 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-03-11 18:02 . 2011-03-11 18:02 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-03-10 16:51 . 2011-02-25 17:30 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-03-01 06:45 . 2011-02-25 03:35 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2011-02-28 18:39 . 2011-02-24 04:48 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2011-02-25 17:14 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-02-25 03:33 . 2011-02-25 03:33 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2011-02-25 03:33 . 2011-02-25 03:33 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2011-02-24 04:48 . 2011-02-24 04:48 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2011-02-24 04:48 . 2011-02-24 04:48 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-02-19 06:30 . 2011-03-09 14:52 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-02-19 06:30 . 2011-03-09 14:52 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-02-19 06:30 . 2011-03-09 14:52 739840 ----a-w- c:\windows\system32\d2d1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux4"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-10-19 02:27 136176 ----atw- c:\users\Kerry\AppData\Local\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2011-04-03 02:08 1242448 ----a-w- c:\program files\Steam\Steam.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 AVFSFilter;AVFSFilter;c:\windows\system32\DRIVERS\avfsfilter.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-24 1343400]
    R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 136176]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 16:21]
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 16:21]
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3645143618-988177714-1403921235-1000Core.job
    - c:\users\Kerry\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-28 02:27]
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3645143618-988177714-1403921235-1000UA.job
    - c:\users\Kerry\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-28 02:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki...
    Trusted Zone: intuit.com\ttlc
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3645143618-988177714-1403921235-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:14,8b,55,2e,df,2a,bc,05,a7,6f,de,61,7c,af,41,54,d6,f9,1d,d5,e5,31,cd,
    07,d3,ed,ae,dc,e6,f3,9c,22,7a,32,05,9c,7b,6b,8e,47,6b,6a,30,70,32,5d,34,de,\
    "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
    .
    [HKEY_USERS\S-1-5-21-3645143618-988177714-1403921235-1000\Software\SecuROM\License information*]
    "datasecu"=hex:f6,07,43,24,c8,f2,b0,1a,38,8f,0b,1d,c6,fe,0c,65,e5,ba,c4,d6,b5,
    fa,66,30,b0,e3,c9,9b,7c,e5,80,46,a9,39,ea,34,e5,88,58,c3,c0,99,1a,65,df,b6,\
    "rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-05-19 20:13:51
    ComboFix-quarantined-files.txt 2011-05-20 03:13
    ComboFix2.txt 2011-05-20 02:20
    ComboFix3.txt 2011-05-19 22:29
    .
    Pre-Run: 15,937,667,072 bytes free
    Post-Run: 15,895,674,880 bytes free
    .
    - - End Of File - - F17A19FB9230BC59F46BFFBA8EEC2A0B
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    How is redirection?

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
     
  13. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    RkU Version: 3.8.388.590, Type LE (SR2)
    ==============================================
    OS Name: Windows 7
    Version 6.1.7601 (Service Pack 1)
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0x8EA14000 C:\Windows\system32\DRIVERS\atikmdag.sys 5320704 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
    0x82C03000 C:\Windows\system32\ntkrnlpa.exe 4268032 bytes (Microsoft Corporation, NT Kernel & System)
    0x82C03000 PnpManager 4268032 bytes
    0x82C03000 RAW 4268032 bytes
    0x82C03000 WMIxWDM 4268032 bytes
    0x93217000 C:\Windows\system32\DRIVERS\bcmwl6.sys 2519040 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
    0x82580000 Win32k 2412544 bytes
    0x82580000 C:\Windows\System32\win32k.sys 2412544 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0x88A13000 C:\Windows\System32\drivers\tcpip.sys 1351680 bytes (Microsoft Corporation, TCP/IP Driver)
    0x83E2D000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
    0x81EEA000 C:\Windows\system32\DRIVERS\VSTDPV3.SYS 1056768 bytes (Conexant Systems, Inc., HSF_DP driver)
    0x8EF27000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
    0x88816000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
    0x82019000 C:\Windows\system32\DRIVERS\VSTCNXT3.SYS 741376 bytes (Conexant Systems, Inc., HSF_CNXT driver)
    0x83284000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
    0x99E36000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
    0x92E75000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0x8332F000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
    0x8DC14000 C:\Windows\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
    0x83F9A000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
    0x8DD5C000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0x8E2C0000 C:\Windows\system32\DRIVERS\rixdptsk.sys 335872 bytes (REDC, RICOH XD SM Driver)
    0x99F4D000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
    0x81E15000 C:\Windows\system32\drivers\HdAudio.sys 327680 bytes (Microsoft Corporation, High Definition Audio Function Driver)
    0x99EFE000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
    0x93492000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0x83CA1000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
    0x8E20A000 C:\Windows\System32\Drivers\aswSP.SYS 303104 bytes (AVAST Software, avast! self protection module)
    0x833AE000 C:\Windows\system32\drivers\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
    0x92E03000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
    0x8E38C000 C:\Windows\system32\drivers\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0x83242000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
    0x83D91000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0x88B8E000 C:\Windows\system32\drivers\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0x888CD000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
    0x81EAD000 C:\Windows\system32\DRIVERS\VSTAZL3.SYS 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
    0x92F48000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
    0x8E287000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
    0x82161000 C:\Windows\system32\drivers\aswMonFlt.sys 229376 bytes (AVAST Software, avast! File System Minifilter for Windows 2003/Vista)
    0x83015000 ACPI_HAL 225280 bytes
    0x83015000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0x83D4C000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0x8E358000 C:\Windows\system32\drivers\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
    0x8895D000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
    0x8DD2A000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
    0x88B5D000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
    0x81E65000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0x9354E000 C:\Windows\system32\drivers\1394ohci.sys 184320 bytes (Microsoft Corporation, 1394 OpenHCI Driver)
    0x88930000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
    0x83F5C000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
    0x99F9E000 C:\Windows\System32\Drivers\fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)
    0x83C38000 C:\Windows\system32\drivers\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0x8898F000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
    0x8890B000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
    0x83D20000 C:\Windows\system32\drivers\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
    0x92F25000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0x8EFDE000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0x99ED0000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
    0x8E254000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x8DC9E000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
    0x889B4000 C:\Windows\system32\drivers\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0x934EC000 C:\Windows\system32\drivers\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
    0x8DDC2000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
    0x82420000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
    0x82146000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
    0x92F83000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
    0x8219C000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0x92EFA000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
    0x81E94000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
    0x9357B000 C:\Windows\system32\drivers\sdbus.sys 102400 bytes (Microsoft Corporation, SecureDigital Bus Driver)
    0x83DD2000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
    0x9350B000 C:\Windows\system32\drivers\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
    0x935E5000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0x8E312000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0x8E32A000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0x8E341000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
    0x8DCFD000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
    0x820F2000 C:\Windows\system32\drivers\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
    0x83D01000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
    0x935A5000 C:\Windows\system32\DRIVERS\rimsptsk.sys 81920 bytes (REDC, RICOH MS Driver)
    0x82116000 C:\Windows\system32\drivers\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
    0x83F87000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0x92E59000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
    0x8DC00000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0x935D3000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
    0x8E275000 C:\Windows\system32\DRIVERS\amdk8.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
    0x92F13000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
    0x9353D000 C:\Windows\system32\DRIVERS\bcm4sbxp.sys 69632 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
    0x88BED000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
    0x83D80000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
    0x8E3D0000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
    0x83C6D000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
    0x83229000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
    0x93594000 C:\Windows\system32\DRIVERS\rimmptsk.sys 69632 bytes (REDC, RICOH SD/MMC Driver)
    0x88A00000 C:\Windows\system32\drivers\termdd.sys 69632 bytes (Microsoft Corporation, Remote Desktop Server Driver)
    0x8DDE1000 C:\Windows\system32\DRIVERS\vwififlt.sys 69632 bytes (Microsoft Corporation, Virtual WiFi Filter Driver)
    0x821B6000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
    0x88BD5000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
    0x92E49000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
    0x83C91000 C:\Windows\system32\drivers\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
    0x934DD000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0x88800000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
    0x8DDF2000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
    0x8DCEF000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
    0x83CF3000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0x83E00000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
    0x8EA00000 C:\Windows\system32\drivers\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
    0x833A0000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
    0x935C6000 C:\Windows\system32\drivers\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
    0x93530000 C:\Windows\system32\drivers\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
    0x820CE000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
    0x93523000 C:\Windows\system32\drivers\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
    0x99EF1000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
    0x8DCBF000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
    0x889E7000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
    0x8DD14000 C:\Windows\system32\DRIVERS\TDI.SYS 49152 bytes (Microsoft Corporation, TDI Wrapper)
    0x8DC92000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0x83C86000 C:\Windows\system32\DRIVERS\BATTC.SYS 45056 bytes (Microsoft Corporation, Battery Class Driver)
    0x8210B000 C:\Windows\system32\drivers\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0x8321E000 C:\Windows\system32\mcupdate_AuthenticAMD.dll 45056 bytes (Microsoft Corporation, AMD Microcode Update Library)
    0x8213B000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
    0x82130000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0x8DCE4000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
    0x93200000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0x83C62000 C:\Windows\system32\drivers\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
    0x8DD20000 C:\Windows\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
    0x820DB000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
    0x889DD000 C:\Windows\system32\drivers\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
    0x889D3000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
    0x93488000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
    0x9347E000 C:\Windows\system32\DRIVERS\vwifibus.sys 40960 bytes (Microsoft Corporation, Virtual WiFi Bus Driver)
    0x83D43000 C:\Windows\system32\drivers\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
    0xA1C96000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
    0x83D17000 C:\Windows\system32\drivers\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
    0x83E0E000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xA1CB7000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
    0x827E0000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
    0x92E6C000 C:\Windows\system32\DRIVERS\vwifimp.sys 36864 bytes (Microsoft Corporation, Virtual WiFi Miniport Driver)
    0x935BD000 C:\Windows\system32\drivers\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
    0x833F6000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0x8323A000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
    0xA1CA1000 C:\Users\Kerry\AppData\Local\Temp\catchme.sys 32768 bytes
    0x83C7E000 C:\Windows\system32\DRIVERS\compbatt.sys 32768 bytes (Microsoft Corporation, Composite Battery Driver)
    0x88BE5000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
    0x80BC1000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
    0x83200000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
    0x8DCCC000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x8DCD4000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
    0x8DCDC000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
    0x88BCD000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
    0x8DC8B000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
    0x82129000 C:\Windows\system32\drivers\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0x8DC84000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
    0x83CEC000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    0x8DDBB000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
    0x8DDB6000 C:\Windows\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
    0x935B9000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
    0x82199000 C:\Windows\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
    0x99ECD000 C:\Windows\system32\drivers\SECDRV.SYS 12288 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
    0xA1C9F000 C:\Windows\system32\Drivers\PROCEXP113.SYS 8192 bytes
    0x9320B000 C:\Windows\system32\drivers\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0x82109000 C:\Windows\system32\drivers\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    ==============================================
    >Stealth
    ==============================================
    0x85D6AA91 Unknown page with executable code, 1391 bytes
    0x88B8E000 WARNING: Virus alike driver modification [volsnap.sys], 258048 bytes
    0x85D69288 Unknown page with executable code, 3448 bytes
    0x85D6B191 Unknown page with executable code, 3695 bytes
    0x85D6DE7A Unknown thread object [ ETHREAD 0x84F5C538 ] TID: 236, 600 bytes
    0x85D70008 Unknown thread object [ ETHREAD 0x85EF7D48 ] TID: 240, 600 bytes
    0x85D6F0DE Unknown thread object [ ETHREAD 0x84FF3A70 ] , 600 bytes
    0x85D6DB45 Unknown thread object [ ETHREAD 0x85EC9D48 ] , 600 bytes
    0xA1C56F2E Unknown thread object [ ETHREAD 0x86D5DD48 ] , 600 bytes
    0x85D6FCDC Unknown page with executable code, 804 bytes
     
  14. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  15. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    I can't get the TDSSkiller to start
     
  16. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    Downloads and extracts fine, but wont open to start scan
     
  17. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Rename TDSSKiller.exe to Kerry.com and try again.
     
  18. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    Still not working....
     
  19. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    volsnap.sys
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  20. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    It froze, should I run again?
     
  21. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Disable your AV program and try again.
     
  22. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    OTL logfile created on: 5/19/2011 10:05:53 PM - Run 2
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Kerry\Downloads
    Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8080.16413)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 74.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 108.74 Gb Total Space | 14.77 Gb Free Space | 13.59% Space Free | Partition Type: NTFS

    Computer Name: KERRY-PC | User Name: Kerry | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/05/19 21:23:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Kerry\Downloads\OTL.exe
    PRC - [2011/05/10 05:10:58 | 003,459,712 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2011/05/10 05:10:57 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    PRC - [2011/04/07 10:39:34 | 002,155,008 | ---- | M] (www.gmailnotifier.com) -- C:\Program Files\Gmail Notifier\Gmail Notifier.exe
    PRC - [2010/12/15 13:31:20 | 000,460,144 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    PRC - [2010/11/20 05:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2010/11/20 05:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/05/19 21:23:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Kerry\Downloads\OTL.exe
    MOD - [2010/11/20 04:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (SupportSoft RemoteAssist)
    SRV - [2011/05/13 21:36:37 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2011/05/10 05:10:57 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/12/15 13:31:20 | 000,460,144 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
    SRV - [2010/08/24 03:01:11 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
    SRV - [2009/07/13 18:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2011/05/10 05:03:54 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011/05/10 05:03:44 | 000,307,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/05/10 05:02:37 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/05/10 04:59:56 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/05/10 04:59:44 | 000,053,592 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2011/05/10 04:59:35 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/11/20 03:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2009/07/13 16:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
    DRV - [2009/07/13 15:02:49 | 000,046,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
    DRV - [2008/11/05 23:20:24 | 000,048,128 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2008/10/11 15:56:00 | 000,045,056 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
    DRV - [2008/07/29 15:41:36 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
    DRV - [2008/06/03 06:22:56 | 003,695,104 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.google.com/ [binary data]
    IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
    IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



    O1 HOSTS File: ([2011/05/19 15:28:06 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O3 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\Windows\System32\cmd.exe (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
    O7 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
    O15 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O24 - Desktop WallPaper:
    O24 - Desktop BackupWallPaper:
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)


    ========== Files/Folders - Created Within 30 Days ==========

    [2011/05/19 20:12:53 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/05/19 20:04:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2011/05/19 16:43:59 | 000,000,000 | ---D | C] -- C:\Users\Kerry\Documents\RegRun2
    [2011/05/19 16:43:52 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
    [2011/05/19 15:39:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
    [2011/05/19 15:39:54 | 000,307,928 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2011/05/19 15:39:54 | 000,019,544 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2011/05/19 15:39:48 | 000,025,432 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
    [2011/05/19 15:39:47 | 000,049,240 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2011/05/19 15:39:46 | 000,441,176 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2011/05/19 15:39:40 | 000,053,592 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2011/05/19 15:39:04 | 000,199,304 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2011/05/19 15:39:04 | 000,040,112 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
    [2011/05/19 15:38:56 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
    [2011/05/19 15:38:56 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2011/05/19 15:30:00 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2011/05/19 15:30:00 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Local\temp
    [2011/05/19 15:19:58 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/05/19 15:19:58 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/05/19 15:19:58 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/05/19 15:19:53 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/05/19 15:17:29 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/05/19 12:58:24 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Roaming\Malwarebytes
    [2011/05/19 12:58:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/05/19 11:30:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Common Toolkit Suite
    [2011/05/19 11:19:31 | 000,000,000 | ---D | C] -- C:\Users\Kerry\Documents\tdsskiller[1]
    [2011/05/18 15:45:06 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Roaming\DivX
    [2011/05/18 15:44:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PX Storage Engine
    [2011/05/18 15:42:31 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
    [2011/05/18 15:41:16 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX
    [2011/05/15 17:58:07 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Roaming\uPlayer
    [2011/05/15 17:58:07 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\uPlayer
    [2011/05/15 17:58:07 | 000,000,000 | ---D | C] -- C:\Program Files\uPlayer
    [2011/05/13 13:21:28 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Kerry\Desktop\kerry.com.exe
    [2011/05/07 19:40:36 | 000,000,000 | ---D | C] -- C:\Windows\System32\Adobe
    [2011/04/21 10:28:27 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Roaming\Gmail Notifier
    [2011/04/21 10:28:23 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Gmail Notifier
    [2011/04/21 10:28:22 | 000,000,000 | ---D | C] -- C:\Program Files\Gmail Notifier
    [2011/04/21 10:11:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picasa 3
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/05/19 21:24:31 | 000,001,079 | ---- | M] () -- C:\Users\Kerry\Desktop\OTL - Shortcut.lnk
    [2011/05/19 21:01:03 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Kerry\Desktop\kerry.com.exe
    [2011/05/19 20:21:04 | 000,001,166 | ---- | M] () -- C:\Users\Kerry\Desktop\RKUnhookerLE - Shortcut.lnk
    [2011/05/19 19:08:51 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/05/19 19:08:50 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/05/19 19:04:04 | 000,000,731 | ---- | M] () -- C:\Users\Kerry\Desktop\ComboFix - Shortcut.lnk
    [2011/05/19 19:00:41 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/05/19 19:00:26 | 1508,491,264 | -HS- | M] () -- C:\hiberfil.sys
    [2011/05/19 18:20:58 | 000,000,512 | ---- | M] () -- C:\Users\Kerry\Desktop\MBR.dat
    [2011/05/19 17:00:11 | 000,024,684 | ---- | M] () -- C:\Users\Kerry\Documents\cc_20110519_170001.reg
    [2011/05/19 16:48:51 | 000,000,075 | ---- | M] () -- C:\Windows\System32\Partizan.RRI
    [2011/05/19 16:44:00 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
    [2011/05/19 16:44:00 | 000,001,688 | ---- | M] () -- C:\Windows\System32\autoexec.nt
    [2011/05/19 16:44:00 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat
    [2011/05/19 15:39:55 | 000,001,994 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2011/05/19 15:28:06 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2011/05/19 14:20:40 | 000,001,083 | ---- | M] () -- C:\Users\Kerry\Desktop\dds - Shortcut.lnk
    [2011/05/19 13:38:34 | 000,001,130 | ---- | M] () -- C:\Users\Kerry\Desktop\xehykbcq - Shortcut.lnk
    [2011/05/13 21:45:43 | 000,009,616 | ---- | M] () -- C:\Users\Kerry\Documents\cc_20110513_214515.reg
    [2011/05/12 20:03:27 | 000,624,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/05/12 20:03:27 | 000,106,522 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/05/12 20:01:01 | 000,029,184 | ---- | M] () -- C:\Users\Kerry\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/05/10 05:10:59 | 000,040,112 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
    [2011/05/10 05:10:55 | 000,199,304 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2011/05/10 05:03:54 | 000,441,176 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2011/05/10 05:03:44 | 000,307,928 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2011/05/10 05:02:37 | 000,049,240 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2011/05/10 04:59:56 | 000,025,432 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
    [2011/05/10 04:59:44 | 000,053,592 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2011/05/10 04:59:35 | 000,019,544 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2011/05/08 17:34:01 | 000,001,984 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
    [2011/04/25 11:51:30 | 000,000,213 | ---- | M] () -- C:\Users\Kerry\Desktop\Half-Life 2.url
    [2011/04/25 11:46:50 | 000,000,213 | ---- | M] () -- C:\Users\Kerry\Desktop\Left 4 Dead 2.url
    [2011/04/25 07:37:05 | 000,000,213 | ---- | M] () -- C:\Users\Kerry\Desktop\Counter-Strike Source.url
    [2011/04/21 10:28:24 | 000,001,081 | ---- | M] () -- C:\Users\Kerry\Desktop\Gmail Notifier.lnk
    [2011/04/21 10:11:28 | 000,001,088 | ---- | M] () -- C:\Users\Kerry\Application Data\Microsoft\Internet Explorer\Quick Launch\Picasa 3.lnk
    [2011/04/21 10:11:28 | 000,001,064 | ---- | M] () -- C:\Users\Public\Desktop\Picasa 3.lnk
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/05/19 21:24:31 | 000,001,079 | ---- | C] () -- C:\Users\Kerry\Desktop\OTL - Shortcut.lnk
    [2011/05/19 20:21:04 | 000,001,166 | ---- | C] () -- C:\Users\Kerry\Desktop\RKUnhookerLE - Shortcut.lnk
    [2011/05/19 19:04:04 | 000,000,731 | ---- | C] () -- C:\Users\Kerry\Desktop\ComboFix - Shortcut.lnk
    [2011/05/19 18:20:58 | 000,000,512 | ---- | C] () -- C:\Users\Kerry\Desktop\MBR.dat
    [2011/05/19 17:00:04 | 000,024,684 | ---- | C] () -- C:\Users\Kerry\Documents\cc_20110519_170001.reg
    [2011/05/19 16:48:51 | 000,000,075 | ---- | C] () -- C:\Windows\System32\Partizan.RRI
    [2011/05/19 16:44:00 | 000,000,002 | RHS- | C] () -- C:\Windows\winstart.bat
    [2011/05/19 15:39:55 | 000,001,994 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2011/05/19 15:19:58 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/05/19 15:19:58 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/05/19 15:19:58 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/05/19 15:19:58 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/05/19 15:19:58 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/05/19 14:20:40 | 000,001,083 | ---- | C] () -- C:\Users\Kerry\Desktop\dds - Shortcut.lnk
    [2011/05/19 13:38:34 | 000,001,130 | ---- | C] () -- C:\Users\Kerry\Desktop\xehykbcq - Shortcut.lnk
    [2011/05/13 21:45:19 | 000,009,616 | ---- | C] () -- C:\Users\Kerry\Documents\cc_20110513_214515.reg
    [2011/04/25 11:51:30 | 000,000,213 | ---- | C] () -- C:\Users\Kerry\Desktop\Half-Life 2.url
    [2011/04/25 11:46:50 | 000,000,213 | ---- | C] () -- C:\Users\Kerry\Desktop\Left 4 Dead 2.url
    [2011/04/25 07:37:05 | 000,000,213 | ---- | C] () -- C:\Users\Kerry\Desktop\Counter-Strike Source.url
    [2011/04/21 10:28:24 | 000,001,081 | ---- | C] () -- C:\Users\Kerry\Desktop\Gmail Notifier.lnk
    [2011/04/21 10:11:28 | 000,001,088 | ---- | C] () -- C:\Users\Kerry\Application Data\Microsoft\Internet Explorer\Quick Launch\Picasa 3.lnk
    [2011/04/21 10:11:28 | 000,001,064 | ---- | C] () -- C:\Users\Public\Desktop\Picasa 3.lnk
    [2011/02/24 20:14:11 | 000,000,063 | ---- | C] () -- C:\Windows\wininit.ini
    [2011/02/09 15:28:15 | 000,029,184 | ---- | C] () -- C:\Users\Kerry\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/10/26 12:43:47 | 000,000,372 | ---- | C] () -- C:\Windows\ka.ini
    [2010/09/22 16:06:44 | 000,022,328 | ---- | C] () -- C:\Users\Kerry\AppData\Roaming\PnkBstrK.sys
    [2010/09/19 17:56:30 | 000,000,450 | ---- | C] () -- C:\Windows\SIERRA.INI
    [2010/09/15 15:25:06 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
    [2010/09/15 15:25:06 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
    [2010/09/15 15:25:06 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
    [2010/08/22 18:20:35 | 000,021,316 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
    [2010/08/22 18:12:59 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
    [2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
    [2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
    [2009/08/03 01:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
    [2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
    [2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
    [2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
    [2009/07/13 21:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2009/07/13 21:33:53 | 000,317,520 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2009/07/13 19:05:48 | 000,624,178 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2009/07/13 19:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2009/07/13 19:05:48 | 000,106,522 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2009/07/13 19:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2009/07/13 19:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2009/07/13 19:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2009/07/13 16:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2009/07/13 16:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
    [2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
    [2009/06/10 14:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
    [2008/06/03 03:35:18 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
    [2008/06/03 03:02:02 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
    [2008/04/28 21:09:10 | 000,172,033 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
    [2008/03/06 00:38:44 | 000,090,112 | ---- | C] () -- C:\Windows\System32\atibrtmon.exe

    ========== LOP Check ==========

    [2011/05/06 16:37:09 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Audacity
    [2010/09/30 07:37:24 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\AVG10
    [2011/03/26 09:17:42 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Bioshock
    [2010/11/05 14:52:29 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Digital Photo Organizer
    [2010/10/01 09:28:59 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\DriverCure
    [2011/05/19 12:51:08 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Fighters
    [2011/04/06 14:14:40 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Flip Video
    [2011/05/19 19:26:53 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Gmail Notifier
    [2010/09/19 12:22:56 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\ImgBurn
    [2010/11/06 16:22:18 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\IObit
    [2010/10/01 09:28:59 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\ParetoLogic
    [2010/11/01 17:57:52 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\PCHC
    [2010/10/17 13:08:19 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\SPORE
    [2010/11/01 18:20:05 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Systweak
    [2010/09/21 10:52:06 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Uniblue
    [2011/05/15 17:58:07 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\uPlayer
    [2011/01/26 17:56:55 | 000,000,000 | ---D | M] -- C:\Users\Matthew\AppData\Roaming\AVG10
    [2011/01/26 17:56:46 | 000,000,000 | ---D | M] -- C:\Users\Matthew\AppData\Roaming\Fighters
    [2009/07/13 21:53:46 | 000,030,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < >

    < * >
    [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () -- \autoexec.bat
    [2010/11/20 05:40:07 | 000,383,786 | RHS- | M] () -- \bootmgr
    [2010/10/01 09:57:23 | 000,008,192 | RHS- | M] () -- \BOOTSECT.BAK
    [2011/05/19 20:13:51 | 000,013,234 | ---- | M] () -- \ComboFix.txt
    [2009/06/10 14:42:20 | 000,000,010 | ---- | M] () -- \config.sys
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.1028.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.1031.txt
    [2007/11/07 09:00:40 | 000,010,134 | ---- | M] () -- \eula.1033.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.1036.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.1040.txt
    [2007/11/07 09:00:40 | 000,000,118 | ---- | M] () -- \eula.1041.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.1042.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.2052.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.3082.txt
    [2010/12/12 11:18:21 | 000,000,295 | ---- | M] () -- \Facilitator.log
    [2007/11/07 09:00:40 | 000,001,110 | ---- | M] () -- \globdata.ini
    [2011/05/19 19:00:26 | 1508,491,264 | -HS- | M] () --
    [2007/11/07 09:00:40 | 000,000,843 | ---- | M] () -- \install.ini
    [2007/11/07 09:03:18 | 000,076,304 | ---- | M] () -- \install.res.1028.dll
    [2007/11/07 09:03:18 | 000,096,272 | ---- | M] () -- \install.res.1031.dll
    [2007/11/07 09:03:18 | 000,091,152 | ---- | M] () -- \install.res.1033.dll
    [2007/11/07 09:03:18 | 000,097,296 | ---- | M] () -- \install.res.1036.dll
    [2007/11/07 09:03:18 | 000,095,248 | ---- | M] () -- \install.res.1040.dll
    [2007/11/07 09:03:18 | 000,081,424 | ---- | M] () -- \install.res.1041.dll
    [2007/11/07 09:03:18 | 000,079,888 | ---- | M] () -- \install.res.1042.dll
    [2007/11/07 09:03:18 | 000,075,792 | ---- | M] () -- \install.res.2052.dll
    [2007/11/07 09:03:18 | 000,096,272 | ---- | M] () -- \install.res.3082.dll
    [2010/09/19 17:56:21 | 000,000,000 | RHS- | M] () -- \IO.SYS
    [2010/09/19 17:56:21 | 000,000,000 | RHS- | M] () -- \MSDOS.SYS
    [2011/05/19 19:00:31 | 2011,324,416 | -HS- | M] () --
    [2011/05/15 17:57:17 | 000,009,991 | ---- | M] () -- \scramble.log
    [2007/11/07 09:00:40 | 000,005,686 | ---- | M] () -- \vcredist.bmp
    [2007/11/07 09:09:22 | 001,442,522 | ---- | M] () -- \VC_RED.cab
    [2007/11/07 09:12:28 | 000,232,960 | ---- | M] () -- \VC_RED.MSI

    < %SYSTEMDRIVE%\*.* >
    [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2010/11/20 05:40:07 | 000,383,786 | RHS- | M] () -- C:\bootmgr
    [2010/10/01 09:57:23 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
    [2011/05/19 20:13:51 | 000,013,234 | ---- | M] () -- C:\ComboFix.txt
    [2009/06/10 14:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
    [2007/11/07 09:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
    [2007/11/07 09:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
    [2010/12/12 11:18:21 | 000,000,295 | ---- | M] () -- C:\Facilitator.log
    [2007/11/07 09:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
    [2011/05/19 19:00:26 | 1508,491,264 | -HS- | M] () -- C:\hiberfil.sys
    [2007/11/07 09:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
    [2007/11/07 09:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
    [2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
    [2007/11/07 09:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
    [2007/11/07 09:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
    [2007/11/07 09:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
    [2007/11/07 09:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
    [2007/11/07 09:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
    [2007/11/07 09:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
    [2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
    [2010/09/19 17:56:21 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/09/19 17:56:21 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2011/05/19 19:00:31 | 2011,324,416 | -HS- | M] () -- C:\pagefile.sys
    [2011/05/15 17:57:17 | 000,009,991 | ---- | M] () -- C:\scramble.log
    [2007/11/07 09:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
    [2007/11/07 09:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
    [2007/11/07 09:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI

    < %systemroot%\Fonts\*.com >
    [2009/07/13 21:52:25 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/13 21:52:25 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/13 21:52:25 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/13 21:52:25 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/10 14:31:19 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2009/07/13 18:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
    [2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll
    [2010/11/20 05:21:36 | 000,030,208 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/05/10 05:10:59 | 000,040,112 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
    [2010/09/23 01:32:56 | 000,301,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >
    [2011/03/13 19:45:02 | 000,001,702 | -HS- | M] () -- C:\Users\Kerry\AppData\Roaming\Microsoft\LastFlashConfig.wfc

    < %PROGRAMFILES%\*.* >
    [2009/07/13 21:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010/08/22 16:42:44 | 000,000,221 | -HS- | M] () -- C:\Users\Kerry\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (1).ini
    [2011/03/25 18:21:22 | 000,000,221 | -HS- | M] () -- C:\Users\Kerry\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2011/03/04 12:27:21 | 003,033,192 | ---- | M] (Piriform Ltd) -- C:\Users\Kerry\Desktop\CCleaner_Setup_3_0_4.exe
    [2011/05/19 21:01:03 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Kerry\Desktop\kerry.com.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009/06/10 14:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\addins\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2011/02/25 15:23:26 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
    [2011/02/25 15:23:26 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
    [2011/02/25 15:23:26 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
    [2011/02/25 15:23:26 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
    [2011/02/25 15:23:26 | 000,786,432 | ---- | M] () -- C:\Windows\security\database\edbtmp.log
    [2011/02/25 15:23:26 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/02/25 15:39:34 | 000,000,402 | -HS- | M] () -- C:\Users\Kerry\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-05-19 22:42:35


    < MD5 for: VOLSNAP.SYS >
    [2009/07/13 18:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys
    [2010/11/20 05:30:16 | 000,245,632 | ---- | M] (Microsoft Corporation) MD5=F497F67932C6FA693D7DE2780631CFE7 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys
    [2010/11/20 05:30:16 | 000,245,632 | ---- | M] (Microsoft Corporation) MD5=F497F67932C6FA693D7DE2780631CFE7 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys
    [2010/11/20 05:30:16 | 000,245,632 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\drivers\volsnap.sys

    < * >
    [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () -- \autoexec.bat
    [2010/11/20 05:40:07 | 000,383,786 | RHS- | M] () -- \bootmgr
    [2010/10/01 09:57:23 | 000,008,192 | RHS- | M] () -- \BOOTSECT.BAK
    [2011/05/19 20:13:51 | 000,013,234 | ---- | M] () -- \ComboFix.txt
    [2009/06/10 14:42:20 | 000,000,010 | ---- | M] () -- \config.sys
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.1028.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.1031.txt
    [2007/11/07 09:00:40 | 000,010,134 | ---- | M] () -- \eula.1033.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.1036.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.1040.txt
    [2007/11/07 09:00:40 | 000,000,118 | ---- | M] () -- \eula.1041.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.1042.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.2052.txt
    [2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- \eula.3082.txt
    [2010/12/12 11:18:21 | 000,000,295 | ---- | M] () -- \Facilitator.log
    [2007/11/07 09:00:40 | 000,001,110 | ---- | M] () -- \globdata.ini
    [2011/05/19 19:00:26 | 1508,491,264 | -HS- | M] () --
    [2007/11/07 09:00:40 | 000,000,843 | ---- | M] () -- \install.ini
    [2007/11/07 09:03:18 | 000,076,304 | ---- | M] () -- \install.res.1028.dll
    [2007/11/07 09:03:18 | 000,096,272 | ---- | M] () -- \install.res.1031.dll
    [2007/11/07 09:03:18 | 000,091,152 | ---- | M] () -- \install.res.1033.dll
    [2007/11/07 09:03:18 | 000,097,296 | ---- | M] () -- \install.res.1036.dll
    [2007/11/07 09:03:18 | 000,095,248 | ---- | M] () -- \install.res.1040.dll
    [2007/11/07 09:03:18 | 000,081,424 | ---- | M] () -- \install.res.1041.dll
    [2007/11/07 09:03:18 | 000,079,888 | ---- | M] () -- \install.res.1042.dll
    [2007/11/07 09:03:18 | 000,075,792 | ---- | M] () -- \install.res.2052.dll
    [2007/11/07 09:03:18 | 000,096,272 | ---- | M] () -- \install.res.3082.dll
    [2010/09/19 17:56:21 | 000,000,000 | RHS- | M] () -- \IO.SYS
    [2010/09/19 17:56:21 | 000,000,000 | RHS- | M] () -- \MSDOS.SYS
    [2011/05/19 19:00:31 | 2011,324,416 | -HS- | M] () --
    [2011/05/15 17:57:17 | 000,009,991 | ---- | M] () -- \scramble.log
    [2007/11/07 09:00:40 | 000,005,686 | ---- | M] () -- \vcredist.bmp
    [2007/11/07 09:09:22 | 001,442,522 | ---- | M] () -- \VC_RED.cab
    [2007/11/07 09:12:28 | 000,232,960 | ---- | M] () -- \VC_RED.MSI

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:0B4227B4
    @Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:07BF512B

    < End of report >
     
  23. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    OTL Extras logfile created on: 5/19/2011 9:25:21 PM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Kerry\Downloads
    Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8080.16413)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 108.74 Gb Total Space | 14.83 Gb Free Space | 13.64% Space Free | Partition Type: NTFS

    Computer Name: KERRY-PC | User Name: Kerry | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    https [open] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{2B818257-E6C7-4841-8C29-C5C9A982BCE5}" = RICOH Media Driver ver.2.07.01.04
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{3516C69A-024D-42A8-B948-FFAA7B9CC49A}" = Windows SideShow Managed Runtime 1.0
    "{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
    "{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
    "{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
    "{420DFB63-8AE7-F7D6-E4B4-AB6D140221F4}" = FlipShare
    "{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
    "{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
    "{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.4
    "{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{B3DAF54F-DB25-4586-9EF1-96D24BB14088}" = Windows Movie Maker 2.6
    "{C07F8D75-7A8D-400E-A8F9-A3F396B49BB1}" = SPORE™ Creepy & Cute Parts Pack
    "{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{CFF8B8E8-E086-4DE0-935F-FE22CAB54F80}" = Microsoft Search Enhancement Pack
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{D88C3E7C-1DA6-4AD7-97FC-75BC8705B266}" = runtime
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E280923D-C5D9-4728-8C79-AC9A0DC75875}" = BioShock
    "{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.12 (Unicode)
    "avast" = avast! Free Antivirus
    "CCleaner" = CCleaner
    "Code Head Calculated Risk" = Code Head Calculated Risk
    "Digital Photo Organizer_is1" = Digital Photo Organizer 1.7
    "Gmail Notifier" = Gmail Notifier
    "HOMESTUDENTR" = Microsoft Office Home and Student 2007
    "ImgBurn" = ImgBurn
    "Insaniquarium Deluxe 1.1" = Insaniquarium Deluxe 1.1
    "JumpStart 4th Grade" = JumpStart 4th Grade
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Picasa 3" = Picasa 3
    "Steam App 10" = Counter-Strike
    "Steam App 17580" = Dystopia
    "Steam App 220" = Half-Life 2
    "Steam App 240" = Counter-Strike: Source
    "Steam App 4000" = Garry's Mod
    "Steam App 50" = Half-Life: Opposing Force
    "Steam App 550" = Left 4 Dead 2
    "TurboTax 2009" = TurboTax 2009
    "WinLiveSuite" = Windows Live Essentials

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{373B1718-8CC5-4567-8EE2-9033AD08A680}" = Roblox for Kerry

    ========== Last 10 Event Log Errors ==========

    Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

    < End of report >
     
  24. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
    • Click the Script tab and copy/paste the following text there:
    Code:
    CopyFile:
    C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys C:\Windows\System32\drivers\volsnap.sys
    

    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
     
  25. KerryP

    KerryP TS Rookie Topic Starter Posts: 34

    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys", destinationFile = "\??\c:\windows\system32\drivers\volsnap.sys"
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.