Inactive System infected: ZeroAccess Rootkit Activity 4 and TidServ Activity 2

OK... I will... I'm sorry, but I'm on the verge of a heart attack here... and I truly can't lose my computer or the docs in it... So then it doesn't matter that it "booted" as Windows XP and this machine is Vista?
 
I double-clicked on the OTLPE icon and now I have a pop-up that says: (Note: I had to delete the final parenthesis of all indicated drives because this post was not being allowed like that).

Browse for folder

Choose Windows Directory

My computer

RAM Disk (B:
HP (C:
HP_PAVILION (D:
Removable Disk (E:
Removable Disk (F:
Removable Disk (G:
Removable Disk (H:
Removable Disk (I:
ReatogoPE (X:
Shared documents

Folder: My Computer

OK Cancel
 
This is not the best news if the tool can't find the Windows folder.

Navigate to a folder where Windows is normally installed.
That'd be C:\Windows
 
I went to HP (C:) and found that one of the folders there is WINDOWS. I went in there and it has a lot of subfolders. What shall I do?
 
Just stop at "Windows" folder.
Click OK or whatever accepting button you have there.
 
Sorry, that wasn't the first question in your instructions, but the one that I got first is listed second in your instructions. Shall I proceed?
 
The first question that popped up on the infected pc is:

Do you wish to load remote user profile(s) for scanning?

According to your instructions, that question should be second, after "Do you wish to load the remote registry?", which I've never had so far.
 
Yes, yes. I wasn't sure if it was OK that it was not following the supposed order. Now, I clicked Yes there and I got another pop-up that says:

Select User Profile

IUSR_NMPR
LocalService
NetworkService
paulisofi
systemprofile

Automatically load all remaining users? (-----> this one has a checkmark to the left of it)

OK CANCEL
 
The scan has just finished running. I see the OTL.txt in Notepad, but I don't think it's been saved to C:\. I already looked for it there and didn't find it. Shall I manually save it somewhere first and then save a copy to the USB flash drive?
 
Here's the OTL.txt:

OTL logfile created on: 2/12/2012 4:45:06 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 289.28 Gb Total Space | 198.80 Gb Free Space | 68.72% Space Free | Partition Type: NTFS
Drive D: | 298.09 Gb Total Space | 288.94 Gb Free Space | 96.93% Space Free | Partition Type: NTFS
Drive I: | 8.81 Gb Total Space | 0.85 Gb Free Space | 9.67% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2012/02/06 12:56:00 | 000,156,672 | ---- | M] (Intel Corporation ) [Auto] -- C:\WINDOWS\System32\NCUSBw32.dll -- (NecUsb3)
SRV - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Disabled] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/08/19 11:26:50 | 000,450,848 | ---- | M] (Logitech Inc.) [Disabled] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2011/02/28 20:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 12:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/09/27 17:49:10 | 000,116,104 | ---- | M] (LogMeIn, Inc.) [Disabled] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2010/09/27 17:47:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Disabled] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2010/05/31 14:31:10 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Disabled] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2009/06/24 13:57:04 | 000,136,704 | ---- | M] (HP) [Disabled] -- C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe -- (HP LaserJet Service)
SRV - [2008/01/19 02:33:32 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto] -- C:\WINDOWS\System32\NVXBAR.dll -- (se44mgmt)
SRV - [2007/06/27 13:18:08 | 000,223,448 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe -- (AlertService) Intel(R)
SRV - [2007/06/27 13:17:26 | 000,272,600 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe -- (QualityManager) Intel(R)
SRV - [2007/06/27 13:17:12 | 000,446,680 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe -- (Remote UI Service) Intel(R)
SRV - [2007/06/27 13:16:02 | 000,157,912 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe -- (MCLServiceATL) Intel(R)
SRV - [2007/06/27 13:15:28 | 000,039,640 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe -- (DHTRACE) Intel(R)
SRV - [2007/06/27 13:15:14 | 000,059,096 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe -- (ISSM) Intel(R)
SRV - [2007/06/27 13:14:46 | 000,317,656 | ---- | M] (Intel(R) Corporation) [Disabled] -- C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe -- (NMSCore) Intel(R)
SRV - [2007/06/27 13:13:56 | 000,268,504 | ---- | M] () [Disabled] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe -- (M1 Server) Intel(R) Viiv(TM)
SRV - [2007/05/29 10:19:08 | 000,198,240 | ---- | M] () [Disabled] -- C:\hp\HPEZBTN\HPBtnSrv.exe -- (HPBtnSrv)
SRV - [2007/02/12 14:46:34 | 000,208,896 | ---- | M] () [Disabled] -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe -- (DQLWinService)
SRV - [2007/01/18 15:02:06 | 000,094,208 | ---- | M] (EMC Corporation) [Disabled] -- C:\Program Files\Retrospect\Retrospect Express HD 2.0\retrorun.exe -- (RetroExpLauncher)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
DRV - File not found [File_System | System] -- -- (DfsC)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - File not found [Kernel | System] -- -- (AFD)
DRV - [2012/02/06 03:59:00 | 000,072,192 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\drivers\tdx.sys -- (tdx)
DRV - [2011/12/07 23:22:38 | 000,181,432 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\ssudmdm.sys -- (ssudmdm) SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.)
DRV - [2011/12/07 23:22:38 | 000,080,184 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\ssudbus.sys -- (dg_ssudbus) SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.)
DRV - [2011/08/19 11:26:50 | 004,334,624 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\lvuvc.sys -- (LVUVC) Logitech HD Pro Webcam C910(UVC)
DRV - [2011/08/19 11:26:46 | 000,315,808 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\lvrs.sys -- (LVRS)
DRV - [2011/08/19 11:26:34 | 000,022,176 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\lvbusflt.sys -- (CompFilter)
DRV - [2011/05/03 02:43:00 | 010,525,288 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/11/15 02:18:42 | 000,005,632 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\IntelDH.sys -- (IntelDH)
DRV - [2010/09/27 17:50:44 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/05/31 14:31:12 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2010/05/31 14:31:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto] -- C:\WINDOWS\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2010/05/07 21:43:30 | 000,025,824 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2010/03/05 18:40:57 | 000,017,408 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\mvusbews.sys -- (mvusbews)
DRV - [2008/02/26 20:17:30 | 000,493,568 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\netr73.sys -- (netr73)
DRV - [2008/01/19 01:14:59 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2008/01/15 02:56:30 | 000,218,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2007/12/18 16:18:52 | 000,039,408 | ---- | M] (Cyberlink Corp.) [Kernel | Auto] -- C:\Program Files\HP\DVDPlay\000.fcl -- ({22D78859-9CE9-4B77-BF18-AC83E81A9263})
DRV - [2007/09/07 09:36:08 | 000,156,928 | ---- | M] (ViXS Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\xcbda.sys -- (xcbdaNtsc) ViXS Tuner Card (NTSC)
DRV - [2007/06/27 13:17:46 | 000,014,552 | ---- | M] () [File_System | On_Demand] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys -- (TSHWMDTCP)
DRV - [2007/05/09 05:52:26 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/04/26 12:18:18 | 000,206,336 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\HSXHWBS3.sys -- (HSXHWBS3)
DRV - [2007/04/26 12:17:02 | 000,984,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2007/02/18 23:34:50 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\nmsunidr.sys -- (nmsunidr)
DRV - [2005/12/12 12:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




IE - HKU\paulisofi_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\paulisofi_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\System32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\System32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/09/04 20:16:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/06 01:34:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/11 02:33:04 | 000,000,000 | ---D | M]

[2012/02/06 01:34:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/29 10:55:53 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 06:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2009/08/03 18:07:42 | 000,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npOGAPlugin.dll
[2012/01/29 08:36:35 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/29 08:36:35 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/07 12:27:11 | 000,000,027 | ---- | M]) - C:\WINDOWS\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No CLSID value found.
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\paulisofi_ON_C\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKU\IUSR_NMPR_ON_C..\Run: [Power2GoExpress] File not found
O4 - HKU\IUSR_NMPR_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKLM..\RunOnce: [*WerKernelReporting] C:\Windows\System32\WerFault.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Launcher] C:\WINDOWS\SMINST\Launcher.exe (soft thinks)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\IUSR_NMPR_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\paulisofi_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000036 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000038 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000039 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000040 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000041 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000042 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000043 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000044 - File not found
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/10/17 15:38:04 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/12 16:03:05 | 000,000,000 | ---D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2012/02/12 16:03:04 | 000,000,000 | R--D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2012/02/12 16:03:04 | 000,000,000 | R--D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2012/02/12 16:02:54 | 000,000,000 | ---D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Identities
[2012/02/12 16:02:48 | 000,000,000 | ---D | C] -- C:\Windows\system32\config\systemprofile\AppData\Local\Temp
[2012/02/08 15:55:06 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/02/08 13:52:55 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\netbt.svs
[2012/02/07 12:34:27 | 000,000,000 | ---D | C] -- C:\Users\IUSR_NMPR\AppData\Local\temp
[2012/02/07 12:27:15 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012/02/07 12:23:31 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/02/07 12:23:31 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Local\temp
[2012/02/07 11:56:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/02/07 11:56:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/02/07 11:56:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/02/07 11:56:14 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/02/06 23:00:38 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Desktop\shutdown right after NIS needs to be disconnected
[2012/02/06 22:54:42 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/06 14:42:25 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Desktop\LOGS1
[2012/02/06 12:56:00 | 000,156,672 | ---- | C] (Intel Corporation ) -- C:\Windows\System32\NCUSBw32.dll
[2012/02/06 11:51:01 | 000,100,864 | ---- | C] (GMER) -- C:\pxtcypod.sys
[2012/02/06 11:23:13 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Roaming\Malwarebytes
[2012/02/06 11:23:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/02/06 11:23:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/02/06 11:23:04 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/02/06 11:23:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/02/06 03:57:35 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/02/05 23:32:37 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Documents\MISCELLANEOUS (DESKTOP)
[2012/02/05 21:45:49 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Local\NPE
[2012/02/05 21:42:59 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Local\LogMeIn Rescue Applet
[2012/02/05 16:45:51 | 000,000,000 | ---D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Macromedia
[2012/02/05 16:45:47 | 000,000,000 | ---D | C] -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe
[2012/02/05 15:58:49 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Roaming\FixZeroAccess
[2012/01/28 01:09:17 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Roaming\Temp
[2012/01/28 00:33:13 | 000,000,000 | ---D | C] -- C:\Temp
[2012/01/28 00:25:59 | 000,181,432 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\System32\drivers\ssudmdm.sys
[2012/01/28 00:25:59 | 000,080,184 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\System32\drivers\ssudbus.sys
[2012/01/27 23:53:54 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Desktop\SAMSUNG GALAXY S II SKYROCKET backup and other features
[2012/01/27 23:03:17 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Local\Samsung
[2012/01/27 23:02:59 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Documents\samsung
[2012/01/27 22:57:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung
[2012/01/27 22:56:52 | 004,659,712 | ---- | C] (Dmitry Streblechenko) -- C:\Windows\System32\Redemption.dll
[2012/01/27 22:56:29 | 000,020,032 | ---- | C] (Devguru Co., Ltd) -- C:\Windows\System32\drivers\dgderdrv.sys
[2012/01/27 22:56:29 | 000,000,000 | ---D | C] -- C:\Program Files\MarkAny
[2012/01/27 22:56:28 | 000,821,824 | ---- | C] (Devguru Co., Ltd.) -- C:\Windows\System32\dgderapi.dll
[2012/01/27 22:54:47 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Roaming\Samsung
[2012/01/27 22:54:45 | 000,000,000 | ---D | C] -- C:\Program Files\Samsung
[2012/01/27 22:54:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Samsung
[2012/01/27 22:52:49 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\AppData\Local\Downloaded Installations
[2012/01/25 18:10:26 | 001,259,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll
[2012/01/22 04:11:28 | 000,000,000 | ---D | C] -- C:\Users\paulisofi\Desktop\NEW CELL PHONE MANUAL

========== Files - Modified Within 30 Days ==========

[2012/02/12 18:38:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/12 16:14:42 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/12 16:14:42 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/12 16:14:29 | 221,697,415 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/02/12 16:12:54 | 000,007,680 | ---- | M] () -- C:\Windows\System\svchost.exe
[2012/02/08 16:12:58 | 000,320,120 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/02/08 13:41:40 | 000,603,516 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/08 13:41:40 | 000,103,586 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/07 12:27:11 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/02/07 12:13:29 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
[2012/02/06 22:01:29 | 000,000,910 | ---- | M] () -- C:\Users\paulisofi\Desktop\ComboFix - Shortcut.lnk
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At9.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At7.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At5.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At47.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At45.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At43.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At41.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At39.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At37.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At35.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At33.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At31.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At3.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At29.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At27.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At25.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At23.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At21.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At19.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At17.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At15.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At13.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At11.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At1.job
[2012/02/06 17:19:40 | 000,000,112 | ---- | M] () -- C:\ProgramData\eR42x5S0l.dat
[2012/02/06 16:55:59 | 000,029,696 | ---- | M] () -- C:\Windows\System32\ByV7O4X.com
[2012/02/06 14:45:32 | 000,000,574 | ---- | M] () -- C:\Users\paulisofi\Desktop\bootkit_remover - Shortcut.lnk
[2012/02/06 14:15:26 | 000,000,876 | ---- | M] () -- C:\Users\paulisofi\Desktop\aswMBR - Shortcut.lnk
[2012/02/06 13:01:09 | 000,103,733 | ---- | M] () -- C:\Windows\System32\itusbcore.dat
[2012/02/06 13:01:09 | 000,000,196 | ---- | M] () -- C:\Windows\System32\itlsvc.dat
[2012/02/06 12:56:00 | 000,156,672 | ---- | M] (Intel Corporation ) -- C:\Windows\System32\NCUSBw32.dll
[2012/02/06 12:08:56 | 000,000,857 | ---- | M] () -- C:\Users\paulisofi\Desktop\dds - Shortcut.lnk
[2012/02/06 11:55:18 | 000,001,229 | ---- | M] () -- C:\Users\paulisofi\Desktop\oi9st45y - Shortcut.lnk
[2012/02/06 11:51:01 | 000,100,864 | ---- | M] (GMER) -- C:\pxtcypod.sys
[2012/02/06 11:23:05 | 000,000,868 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/06 11:23:05 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/02/06 03:59:00 | 000,072,192 | ---- | M] () -- C:\Windows\System32\drivers\tdx.sys
[2012/02/06 01:34:09 | 000,000,832 | ---- | M] () -- C:\Users\paulisofi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/02/06 01:34:08 | 000,000,820 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/02/06 01:34:08 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/02/06 01:15:36 | 001,272,728 | ---- | M] () -- C:\Users\paulisofi\Documents\bookmarks.html
[2012/02/05 21:44:54 | 000,001,356 | ---- | M] () -- C:\Users\paulisofi\AppData\Local\d3d9caps.dat
[2012/02/05 16:31:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\afd.sys_backup
[2012/02/05 15:53:07 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/01/27 22:57:07 | 000,001,720 | ---- | M] () -- C:\Users\paulisofi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Samsung Kies.lnk
[2012/01/27 22:57:07 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung

========== Files Created - No Company Name ==========

[2012/02/12 16:03:05 | 000,000,879 | ---- | C] () -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2012/02/12 16:03:03 | 000,000,874 | ---- | C] () -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2012/02/12 16:02:50 | 000,000,845 | ---- | C] () -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
[2012/02/07 12:30:01 | 000,007,680 | ---- | C] () -- C:\Windows\System\svchost.exe
[2012/02/07 11:56:18 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/02/07 11:56:18 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/02/07 11:56:18 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/02/07 11:56:18 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/02/07 11:56:18 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/02/06 22:01:29 | 000,000,910 | ---- | C] () -- C:\Users\paulisofi\Desktop\ComboFix - Shortcut.lnk
[2012/02/06 16:56:27 | 000,000,112 | ---- | C] () -- C:\ProgramData\eR42x5S0l.dat
[2012/02/06 16:56:26 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At47.job
[2012/02/06 16:56:25 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At45.job
[2012/02/06 16:56:24 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At43.job
[2012/02/06 16:56:23 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At41.job
[2012/02/06 16:56:22 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At39.job
[2012/02/06 16:56:21 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At37.job
[2012/02/06 16:56:20 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At35.job
[2012/02/06 16:56:19 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At33.job
[2012/02/06 16:56:18 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At31.job
[2012/02/06 16:56:17 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At29.job
[2012/02/06 16:56:16 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At27.job
[2012/02/06 16:56:16 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At25.job
[2012/02/06 16:56:15 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At23.job
[2012/02/06 16:56:14 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At21.job
[2012/02/06 16:56:13 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At19.job
[2012/02/06 16:56:12 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At17.job
[2012/02/06 16:56:11 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At15.job
[2012/02/06 16:56:10 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At13.job
[2012/02/06 16:56:08 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At11.job
[2012/02/06 16:56:07 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At9.job
[2012/02/06 16:56:05 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At7.job
[2012/02/06 16:56:03 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At5.job
[2012/02/06 16:56:02 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At3.job
[2012/02/06 16:56:00 | 000,029,696 | ---- | C] () -- C:\Windows\System32\ByV7O4X.com
[2012/02/06 16:56:00 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At1.job
[2012/02/06 14:45:32 | 000,000,574 | ---- | C] () -- C:\Users\paulisofi\Desktop\bootkit_remover - Shortcut.lnk
[2012/02/06 14:15:26 | 000,000,876 | ---- | C] () -- C:\Users\paulisofi\Desktop\aswMBR - Shortcut.lnk
[2012/02/06 13:01:09 | 000,103,733 | ---- | C] () -- C:\Windows\System32\itusbcore.dat
[2012/02/06 13:01:09 | 000,000,196 | ---- | C] () -- C:\Windows\System32\itlsvc.dat
[2012/02/06 12:08:56 | 000,000,857 | ---- | C] () -- C:\Users\paulisofi\Desktop\dds - Shortcut.lnk
[2012/02/06 11:52:35 | 000,001,229 | ---- | C] () -- C:\Users\paulisofi\Desktop\oi9st45y - Shortcut.lnk
[2012/02/06 11:23:05 | 000,000,868 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/06 01:34:08 | 000,000,832 | ---- | C] () -- C:\Users\paulisofi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/02/06 01:34:08 | 000,000,808 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/02/06 01:34:07 | 000,000,820 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/02/06 01:15:36 | 001,272,728 | ---- | C] () -- C:\Users\paulisofi\Documents\bookmarks.html
[2012/02/05 16:34:12 | 221,697,415 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/02/05 15:54:03 | 000,000,000 | -HS- | C] () -- C:\Windows\System32\dds_trash_log.cmd
[2012/01/27 22:57:06 | 000,001,720 | ---- | C] () -- C:\Users\paulisofi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Samsung Kies.lnk
[2011/09/16 14:54:48 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2011/09/16 14:54:44 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
[2011/09/16 14:54:44 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
[2011/09/16 14:54:44 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
[2011/09/16 14:54:44 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll
[2011/08/19 11:26:20 | 010,898,456 | ---- | C] () -- C:\Windows\System32\LogiDPP.dll
[2011/08/19 11:26:20 | 000,336,408 | ---- | C] () -- C:\Windows\System32\DevManagerCore.dll
[2011/08/19 11:26:20 | 000,104,472 | ---- | C] () -- C:\Windows\System32\LogiDPPApp.exe
[2011/08/15 02:43:55 | 000,001,356 | ---- | C] () -- C:\Users\paulisofi\AppData\Local\d3d9caps.dat
[2011/08/12 14:20:14 | 000,015,896 | ---- | C] () -- C:\Windows\System32\drivers\iKeyLFT2.dll
[2011/07/26 08:48:54 | 000,028,418 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2011/06/25 17:40:58 | 000,005,632 | ---- | C] () -- C:\Users\paulisofi\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/15 21:28:01 | 000,000,000 | ---- | C] () -- C:\Windows\System32\drivers\afd.sys_backup
[2011/05/29 17:54:24 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2011/01/21 03:35:05 | 000,284,160 | ---- | C] () -- C:\Windows\System32\mvhlewsi.DLL
[2010/12/21 16:55:46 | 000,023,103 | ---- | C] () -- C:\Windows\hpqins15.dat.temp
[2010/11/22 22:53:27 | 000,023,128 | ---- | C] () -- C:\Windows\hpqins15.dat
[2010/11/22 22:21:29 | 000,081,920 | ---- | C] () -- C:\Windows\System32\mvusbews.dll
[2010/11/14 20:07:04 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2010/11/14 18:58:20 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010/11/14 18:58:20 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2010/11/14 18:57:55 | 000,072,192 | ---- | C] () -- C:\Windows\System32\drivers\tdx.sys
[2010/05/07 21:43:30 | 000,025,824 | ---- | C] () -- C:\Windows\System32\drivers\LVPr2Mon.sys
[2009/08/03 18:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 18:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/04/01 13:48:16 | 000,053,478 | ---- | C] () -- C:\Windows\mvtcpui.ini
[2007/10/17 15:34:20 | 000,107,026 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/10/17 15:18:24 | 000,061,440 | ---- | C] () -- C:\Windows\System32\OsdRemove.exe
[2007/10/17 15:15:59 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom25.dll
[2007/10/17 15:15:59 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes25.dll
[2006/11/02 08:02:10 | 000,000,680 | ---- | C] () -- C:\Windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,320,120 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,603,516 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,103,586 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/06/23 13:09:34 | 000,019,968 | R--- | C] () -- C:\Windows\System32\cpuinf32.dll

========== LOP Check ==========

[2012/02/05 15:58:49 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\FixZeroAccess
[2011/02/11 12:39:33 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\Leadertech
[2011/06/05 22:08:20 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\mjusbsp
[2012/01/27 22:54:47 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\Samsung
[2011/02/04 13:12:15 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\Snapfish
[2012/01/28 01:09:17 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\Temp
[2010/11/14 23:08:40 | 000,000,000 | ---D | M] -- C:\Users\paulisofi\AppData\Roaming\WinBatch
[2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2010/11/20 20:30:25 | 000,000,000 | ---D | M] -- C:\ProgramData\LogMeIn
[2011/03/29 17:57:17 | 000,000,000 | ---D | M] -- C:\ProgramData\magicJack
[2007/10/17 15:37:34 | 000,000,000 | ---D | M] -- C:\ProgramData\muvee Technologies
[2007/10/17 15:43:11 | 000,000,000 | ---D | M] -- C:\ProgramData\PC-Doctor
[2010/11/17 15:34:45 | 000,000,000 | ---D | M] -- C:\ProgramData\RetroExp
[2012/01/27 22:57:27 | 000,000,000 | ---D | M] -- C:\ProgramData\Samsung
[2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2011/12/09 19:55:53 | 000,000,000 | ---D | M] -- C:\ProgramData\WebEx
[2007/10/17 15:34:12 | 000,000,000 | ---D | M] -- C:\ProgramData\WildTangent
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At11.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At13.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At15.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At17.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At19.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At21.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At23.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At25.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At27.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At29.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At3.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At31.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At33.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At35.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At37.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At39.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At41.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At43.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At45.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At47.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At5.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At7.job
[2012/02/06 17:38:52 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At9.job
[2012/02/12 16:14:44 | 000,032,606 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >
 
Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL
[2012/02/07 12:13:29 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
[2012/02/06 17:19:40 | 000,000,112 | ---- | M] () -- C:\ProgramData\eR42x5S0l.dat
[2012/02/06 16:55:59 | 000,029,696 | ---- | M] () -- C:\Windows\System32\ByV7O4X.com
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No CLSID value found.
O3 - HKU\paulisofi_ON_C\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.


:Services

:Reg

:Files
C:\Windows\tasks\At*.job

:Commands
[purity]

Open Notepad and paste it.
Save the document as Fix.txt onto a USB flash drive


On the infected computer the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Remove the CD and shut down computer manually.
  • Attempt to reboot normally into Windows.
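For readers following along, here is an added example (not part of this thread and not OTL's or OldTimer's code) that shows how the items in the fix above can be picked out of an OTL "Files Created" listing automatically: a parser for OTL's bracketed line format, a check for a burst of At<N>.job scheduled tasks created seconds apart, a heuristic for company-less, randomly named .com/.dat files in system folders, and a generator for the same kind of `:Files` wildcard fix the helper wrote. The sample lines are copied from the report above; the 60-second window, the five-job threshold and the random-name rule are assumptions of the example, and the assumption that `:Files` takes plain paths as well as wildcards rests only on the line shown in the fix.

```python
"""Flag ZeroAccess-style indicators in OTL "Files Created" output.

Added example, not from the thread or from OTL. The heuristics mirror what
the helper's fix removed; thresholds and name rules are assumptions.
"""
import re
from datetime import datetime, timedelta

# One OTL line: [date time | size | attrs | C/M] (company) -- path
# Directory entries omit the "(company)" part, so that group is optional.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Constructed sample: a subset of the report's "Files Created" lines.
SAMPLE_LOG = r"""
[2012/02/06 16:56:27 | 000,000,112 | ---- | C] () -- C:\ProgramData\eR42x5S0l.dat
[2012/02/06 16:56:26 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At47.job
[2012/02/06 16:56:25 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At45.job
[2012/02/06 16:56:24 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At43.job
[2012/02/06 16:56:03 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At5.job
[2012/02/06 16:56:02 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At3.job
[2012/02/06 16:56:00 | 000,029,696 | ---- | C] () -- C:\Windows\System32\ByV7O4X.com
[2012/02/06 16:56:00 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At1.job
[2012/02/05 21:44:54 | 000,001,356 | ---- | M] () -- C:\Users\paulisofi\AppData\Local\d3d9caps.dat
[2006/11/02 05:33:01 | 000,603,516 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2010/11/14 02:35:49 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
"""


def parse_otl(text):
    """Turn OTL file lines into dicts; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "kind": m["kind"],                 # C = created, M = modified
            "company": m["company"] or "",     # "" for "()" or a directory
            "path": m["path"],
        })
    return entries


AT_JOB = re.compile(r"\\tasks\\At\d+\.job$", re.IGNORECASE)


def find_at_job_burst(entries, window=timedelta(seconds=60), min_jobs=5):
    """Paths of At<N>.job tasks created inside one window-long burst.

    Sliding window over creation times; the longest run that fits in the
    window is reported if it holds at least min_jobs tasks (assumed threshold).
    """
    jobs = sorted((e for e in entries
                   if e["kind"] == "C" and AT_JOB.search(e["path"])),
                  key=lambda e: e["ts"])
    best, start = [], 0
    for end in range(len(jobs)):
        while jobs[end]["ts"] - jobs[start]["ts"] > window:
            start += 1
        if end - start + 1 > len(best):
            best = jobs[start:end + 1]
    return [e["path"] for e in best] if len(best) >= min_jobs else []


# Assumed rule: 6-10 alphanumerics mixing upper, lower and digits.
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{6,10}$")
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\programdata"}


def find_random_named_files(entries):
    """Company-less .com/.dat files with random-looking names in system dirs."""
    hits = set()
    for e in entries:
        if e["company"] or "D" in e["attrs"]:
            continue
        folder, _, name = e["path"].rpartition("\\")
        stem, _, ext = name.rpartition(".")
        if ext.lower() in ("com", "dat") and folder.lower() in SYSTEM_DIRS \
                and RANDOM_STEM.match(stem):
            hits.add(e["path"])
    return sorted(hits)


def otl_fix_script(entries):
    """Build a :Files fix fragment in the style of the one posted above."""
    files = find_random_named_files(entries)
    burst = find_at_job_burst(entries)
    if burst:
        files.append(burst[0].rpartition("\\")[0] + r"\At*.job")
    return "\n".join([":Files", *files, "", ":Commands", "[purity]"])


if __name__ == "__main__":
    found = parse_otl(SAMPLE_LOG)
    print("At*.job burst:", find_at_job_burst(found))
    print("random-named files:", find_random_named_files(found))
    print(otl_fix_script(found))
```

Run against a full OTL.txt, the burst check reduces the 24 At*.job lines in the report to a single wildcard entry, and the name heuristic picks out the two files the helper listed under :OTL while leaving files such as perfh009.dat and d3d9caps.dat alone.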
 
I did as instructed. I clicked Run Fix and it only took about a split second to do it. I'm not sure what "run unhindered" means.
 
New log:

========== OTL ==========
C:\WINDOWS\System32\dds_trash_log.cmd moved successfully.
C:\ProgramData\eR42x5S0l.dat moved successfully.
C:\WINDOWS\System32\ByV7O4X.com moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\ not found.
Registry value HKEY_USERS\paulisofi_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows\tasks\At1.job moved successfully.
C:\Windows\tasks\At11.job moved successfully.
C:\Windows\tasks\At13.job moved successfully.
C:\Windows\tasks\At15.job moved successfully.
C:\Windows\tasks\At17.job moved successfully.
C:\Windows\tasks\At19.job moved successfully.
C:\Windows\tasks\At21.job moved successfully.
C:\Windows\tasks\At23.job moved successfully.
C:\Windows\tasks\At25.job moved successfully.
C:\Windows\tasks\At27.job moved successfully.
C:\Windows\tasks\At29.job moved successfully.
C:\Windows\tasks\At3.job moved successfully.
C:\Windows\tasks\At31.job moved successfully.
C:\Windows\tasks\At33.job moved successfully.
C:\Windows\tasks\At35.job moved successfully.
C:\Windows\tasks\At37.job moved successfully.
C:\Windows\tasks\At39.job moved successfully.
C:\Windows\tasks\At41.job moved successfully.
C:\Windows\tasks\At43.job moved successfully.
C:\Windows\tasks\At45.job moved successfully.
C:\Windows\tasks\At47.job moved successfully.
C:\Windows\tasks\At5.job moved successfully.
C:\Windows\tasks\At7.job moved successfully.
C:\Windows\tasks\At9.job moved successfully.
========== COMMANDS ==========

OTLPE by OldTimer - Version 3.1.48.0 log created on 02122012_171832


I haven't rebooted yet (with the created DVD). Shall I do that now and then there will be another log that I need to post? Or after rebooting from the created DVD, I need to remove the DVD and then shut down completely and then attempt to reboot normally into Windows?
 