Solved Trying to remove Redirect virus

Broni · May 21, 2011

Excellent!

Hold on....

Broni · May 21, 2011

Please, re-run OTL with the same custom script as in my reply #19.
Only one log will be produced.

KerryP · May 21, 2011

OTL logfile created on: 5/21/2011 4:34:35 PM - Run 8
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Kerry\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8080.16413)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 108.74 Gb Total Space | 16.02 Gb Free Space | 14.73% Space Free | Partition Type: NTFS

Computer Name: KERRY-PC | User Name: Kerry | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/19 21:23:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Kerry\Downloads\OTL.exe
PRC - [2011/05/10 05:10:58 | 003,459,712 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/05/10 05:10:57 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/04/07 10:39:34 | 002,155,008 | ---- | M] (www.gmailnotifier.com) -- C:\Program Files\Gmail Notifier\Gmail Notifier.exe
PRC - [2010/12/15 13:31:20 | 000,460,144 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2010/11/20 05:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 05:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

========== Modules (SafeList) ==========

MOD - [2011/05/19 21:23:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Kerry\Downloads\OTL.exe
MOD - [2010/11/20 04:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SupportSoft RemoteAssist)
SRV - [2011/05/13 21:36:37 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/05/10 05:10:57 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/12/15 13:31:20 | 000,460,144 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2010/08/24 03:01:11 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/07/13 18:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

========== Driver Services (SafeList) ==========

DRV - [2011/05/10 05:03:54 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/05/10 05:03:44 | 000,307,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/05/10 05:02:37 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/05/10 04:59:56 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/05/10 04:59:44 | 000,053,592 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2011/05/10 04:59:35 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/11/20 03:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2009/07/13 16:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/13 15:02:49 | 000,046,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2008/11/05 23:20:24 | 000,048,128 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/10/11 15:56:00 | 000,045,056 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2008/07/29 15:41:36 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2008/06/03 06:22:56 | 003,695,104 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.google.com/ [binary data]
IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2011/05/21 06:22:31 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\Windows\System32\cmd.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O15 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

========== Files/Folders - Created Within 30 Days ==========

[2011/05/21 06:22:38 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2011/05/21 06:19:41 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Local\temp
[2011/05/21 06:11:13 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/05/21 06:10:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/05/19 16:43:59 | 000,000,000 | ---D | C] -- C:\Users\Kerry\Documents\RegRun2
[2011/05/19 16:43:52 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2011/05/19 15:39:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2011/05/19 15:39:54 | 000,307,928 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/05/19 15:39:54 | 000,019,544 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/05/19 15:39:48 | 000,025,432 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/05/19 15:39:47 | 000,049,240 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/05/19 15:39:46 | 000,441,176 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/05/19 15:39:40 | 000,053,592 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/05/19 15:39:04 | 000,199,304 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/05/19 15:39:04 | 000,040,112 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/05/19 15:38:56 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2011/05/19 15:38:56 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/05/19 15:30:00 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/05/19 15:19:58 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/05/19 15:19:58 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/05/19 15:19:58 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/05/19 15:19:53 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/05/19 15:17:29 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/19 12:58:24 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Roaming\Malwarebytes
[2011/05/19 12:58:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/05/19 11:30:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Common Toolkit Suite
[2011/05/19 11:19:31 | 000,000,000 | ---D | C] -- C:\Users\Kerry\Documents\tdsskiller[1]
[2011/05/18 15:45:06 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Roaming\DivX
[2011/05/18 15:44:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PX Storage Engine
[2011/05/18 15:42:31 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2011/05/18 15:41:16 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX
[2011/05/15 17:58:07 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Roaming\uPlayer
[2011/05/15 17:58:07 | 000,000,000 | ---D | C] -- C:\Users\Kerry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\uPlayer
[2011/05/15 17:58:07 | 000,000,000 | ---D | C] -- C:\Program Files\uPlayer
[2011/05/13 13:21:28 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Kerry\Desktop\TDSSKiller.exe
[2011/05/07 19:40:36 | 000,000,000 | ---D | C] -- C:\Windows\System32\Adobe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/21 15:37:06 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/21 15:37:06 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/21 15:29:35 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/21 15:29:30 | 1508,491,264 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/21 06:22:31 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/05/20 21:35:38 | 000,000,731 | ---- | M] () -- C:\Users\Kerry\Desktop\ComboFix - Shortcut.lnk
[2011/05/20 20:15:20 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Kerry\Desktop\TDSSKiller.exe
[2011/05/20 18:43:07 | 000,000,741 | ---- | M] () -- C:\Users\Kerry\Desktop\SystemLook - Shortcut.lnk
[2011/05/20 17:29:42 | 000,001,148 | ---- | M] () -- C:\Users\Kerry\Desktop\BlitzBlank - Shortcut.lnk
[2011/05/20 03:04:09 | 000,624,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/05/20 03:04:09 | 000,106,522 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/05/19 21:24:31 | 000,001,079 | ---- | M] () -- C:\Users\Kerry\Desktop\OTL - Shortcut.lnk
[2011/05/19 20:21:04 | 000,001,166 | ---- | M] () -- C:\Users\Kerry\Desktop\RKUnhookerLE - Shortcut.lnk
[2011/05/19 18:20:58 | 000,000,512 | ---- | M] () -- C:\Users\Kerry\Desktop\MBR.dat
[2011/05/19 17:00:11 | 000,024,684 | ---- | M] () -- C:\Users\Kerry\Documents\cc_20110519_170001.reg
[2011/05/19 16:48:51 | 000,000,075 | ---- | M] () -- C:\Windows\System32\Partizan.RRI
[2011/05/19 16:44:00 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2011/05/19 16:44:00 | 000,001,688 | ---- | M] () -- C:\Windows\System32\autoexec.nt
[2011/05/19 15:39:55 | 000,001,994 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/05/19 14:20:40 | 000,001,083 | ---- | M] () -- C:\Users\Kerry\Desktop\dds - Shortcut.lnk
[2011/05/19 13:38:34 | 000,001,130 | ---- | M] () -- C:\Users\Kerry\Desktop\xehykbcq - Shortcut.lnk
[2011/05/13 21:45:43 | 000,009,616 | ---- | M] () -- C:\Users\Kerry\Documents\cc_20110513_214515.reg
[2011/05/12 20:01:01 | 000,029,184 | ---- | M] () -- C:\Users\Kerry\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/10 05:10:59 | 000,040,112 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/05/10 05:10:55 | 000,199,304 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/05/10 05:03:54 | 000,441,176 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/05/10 05:03:44 | 000,307,928 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/05/10 05:02:37 | 000,049,240 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/05/10 04:59:56 | 000,025,432 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/05/10 04:59:44 | 000,053,592 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/05/10 04:59:35 | 000,019,544 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/05/08 17:34:01 | 000,001,984 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/04/25 11:51:30 | 000,000,213 | ---- | M] () -- C:\Users\Kerry\Desktop\Half-Life 2.url
[2011/04/25 11:46:50 | 000,000,213 | ---- | M] () -- C:\Users\Kerry\Desktop\Left 4 Dead 2.url
[2011/04/25 07:37:05 | 000,000,213 | ---- | M] () -- C:\Users\Kerry\Desktop\Counter-Strike Source.url
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/20 21:35:38 | 000,000,731 | ---- | C] () -- C:\Users\Kerry\Desktop\ComboFix - Shortcut.lnk
[2011/05/20 18:43:07 | 000,000,741 | ---- | C] () -- C:\Users\Kerry\Desktop\SystemLook - Shortcut.lnk
[2011/05/20 17:29:42 | 000,001,148 | ---- | C] () -- C:\Users\Kerry\Desktop\BlitzBlank - Shortcut.lnk
[2011/05/19 21:24:31 | 000,001,079 | ---- | C] () -- C:\Users\Kerry\Desktop\OTL - Shortcut.lnk
[2011/05/19 20:21:04 | 000,001,166 | ---- | C] () -- C:\Users\Kerry\Desktop\RKUnhookerLE - Shortcut.lnk
[2011/05/19 18:20:58 | 000,000,512 | ---- | C] () -- C:\Users\Kerry\Desktop\MBR.dat
[2011/05/19 17:00:04 | 000,024,684 | ---- | C] () -- C:\Users\Kerry\Documents\cc_20110519_170001.reg
[2011/05/19 16:48:51 | 000,000,075 | ---- | C] () -- C:\Windows\System32\Partizan.RRI
[2011/05/19 15:39:55 | 000,001,994 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/05/19 15:19:58 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/05/19 15:19:58 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/05/19 15:19:58 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/05/19 15:19:58 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/05/19 15:19:58 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/05/19 14:20:40 | 000,001,083 | ---- | C] () -- C:\Users\Kerry\Desktop\dds - Shortcut.lnk
[2011/05/19 13:38:34 | 000,001,130 | ---- | C] () -- C:\Users\Kerry\Desktop\xehykbcq - Shortcut.lnk
[2011/05/13 21:45:19 | 000,009,616 | ---- | C] () -- C:\Users\Kerry\Documents\cc_20110513_214515.reg
[2011/04/25 11:51:30 | 000,000,213 | ---- | C] () -- C:\Users\Kerry\Desktop\Half-Life 2.url
[2011/04/25 11:46:50 | 000,000,213 | ---- | C] () -- C:\Users\Kerry\Desktop\Left 4 Dead 2.url
[2011/04/25 07:37:05 | 000,000,213 | ---- | C] () -- C:\Users\Kerry\Desktop\Counter-Strike Source.url
[2011/02/24 20:14:11 | 000,000,063 | ---- | C] () -- C:\Windows\wininit.ini
[2011/02/09 15:28:15 | 000,029,184 | ---- | C] () -- C:\Users\Kerry\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/26 12:43:47 | 000,000,372 | ---- | C] () -- C:\Windows\ka.ini
[2010/09/22 16:06:44 | 000,022,328 | ---- | C] () -- C:\Users\Kerry\AppData\Roaming\PnkBstrK.sys
[2010/09/19 17:56:30 | 000,000,450 | ---- | C] () -- C:\Windows\SIERRA.INI
[2010/09/15 15:25:06 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2010/09/15 15:25:06 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2010/09/15 15:25:06 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2010/08/22 18:20:35 | 000,021,316 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
[2010/08/22 18:12:59 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/08/03 01:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2009/07/13 21:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 21:33:53 | 000,317,520 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 19:05:48 | 000,624,178 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 19:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 19:05:48 | 000,106,522 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 19:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 19:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 19:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 16:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 16:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 14:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2008/06/03 03:35:18 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/06/03 03:02:02 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2008/04/28 21:09:10 | 000,172,033 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2008/03/06 00:38:44 | 000,090,112 | ---- | C] () -- C:\Windows\System32\atibrtmon.exe

========== LOP Check ==========

[2011/05/06 16:37:09 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Audacity
[2010/09/30 07:37:24 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\AVG10
[2011/03/26 09:17:42 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Bioshock
[2010/11/05 14:52:29 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Digital Photo Organizer
[2010/10/01 09:28:59 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\DriverCure
[2011/05/19 12:51:08 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Fighters
[2011/04/06 14:14:40 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Flip Video
[2011/05/21 15:41:53 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Gmail Notifier
[2010/09/19 12:22:56 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\ImgBurn
[2010/11/06 16:22:18 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\IObit
[2010/10/01 09:28:59 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\ParetoLogic
[2010/11/01 17:57:52 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\PCHC
[2010/10/17 13:08:19 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\SPORE
[2010/11/01 18:20:05 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Systweak
[2010/09/21 10:52:06 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Uniblue
[2011/05/15 17:58:07 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\uPlayer
[2011/01/26 17:56:55 | 000,000,000 | ---D | M] -- C:\Users\Matthew\AppData\Roaming\AVG10
[2011/01/26 17:56:46 | 000,000,000 | ---D | M] -- C:\Users\Matthew\AppData\Roaming\Fighters
[2009/07/13 21:53:46 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2009/06/10 14:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2011/05/21 10:39:56 | 000,001,230 | ---- | M] () -- C:\blitzblank.log
[2010/11/20 05:40:07 | 000,383,786 | RHS- | M] () -- C:\bootmgr
[2010/10/01 09:57:23 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2011/05/21 06:29:09 | 000,014,383 | ---- | M] () -- C:\ComboFix.txt
[2009/06/10 14:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 09:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 09:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2010/12/12 11:18:21 | 000,000,295 | ---- | M] () -- C:\Facilitator.log
[2007/11/07 09:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2011/05/21 15:29:30 | 1508,491,264 | -HS- | M] () -- C:\hiberfil.sys
[2007/11/07 09:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
[2007/11/07 09:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2007/11/07 09:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2007/11/07 09:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2007/11/07 09:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2007/11/07 09:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2007/11/07 09:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2007/11/07 09:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2010/09/19 17:56:21 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/09/19 17:56:21 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2011/05/21 15:29:32 | 2011,324,416 | -HS- | M] () -- C:\pagefile.sys
[2011/05/15 17:57:17 | 000,009,991 | ---- | M] () -- C:\scramble.log
[2011/05/21 16:11:29 | 000,063,762 | ---- | M] () -- C:\TDSSKiller.2.5.1.0_21.05.2011_16.10.16_log.txt
[2007/11/07 09:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007/11/07 09:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2007/11/07 09:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI

< %systemroot%\Fonts\*.com >
[2009/07/13 21:52:25 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2009/07/13 21:52:25 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2009/07/13 21:52:25 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2009/07/13 21:52:25 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/06/10 14:31:19 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2009/07/13 18:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
[2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll
[2010/11/20 05:21:36 | 000,030,208 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2011/05/10 05:10:59 | 000,040,112 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2010/11/10 02:28:46 | 000,301,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >
[2011/03/13 19:45:02 | 000,001,702 | -HS- | M] () -- C:\Users\Kerry\AppData\Roaming\Microsoft\LastFlashConfig.wfc

< %PROGRAMFILES%\*.* >
[2009/07/13 21:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/08/22 16:42:44 | 000,000,221 | -HS- | M] () -- C:\Users\Kerry\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (1).ini
[2011/03/25 18:21:22 | 000,000,221 | -HS- | M] () -- C:\Users\Kerry\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2011/03/04 12:27:21 | 003,033,192 | ---- | M] (Piriform Ltd) -- C:\Users\Kerry\Desktop\CCleaner_Setup_3_0_4.exe
[2011/05/20 20:15:20 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Kerry\Desktop\TDSSKiller.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2009/06/10 14:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\addins\FXSEXT.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >
[2011/02/25 15:23:26 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
[2011/02/25 15:23:26 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
[2011/02/25 15:23:26 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
[2011/02/25 15:23:26 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
[2011/02/25 15:23:26 | 000,786,432 | ---- | M] () -- C:\Windows\security\database\edbtmp.log
[2011/02/25 15:23:26 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2011/02/25 15:39:34 | 000,000,402 | -HS- | M] () -- C:\Users\Kerry\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >

< MD5 for: VOLSNAP.SYS >
[2009/07/13 18:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys
[2010/11/20 05:30:16 | 000,245,632 | ---- | M] (Microsoft Corporation) MD5=F497F67932C6FA693D7DE2780631CFE7 -- C:\Windows\System32\drivers\volsnap.sys
[2010/11/20 05:30:16 | 000,245,632 | ---- | M] (Microsoft Corporation) MD5=F497F67932C6FA693D7DE2780631CFE7 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys
[2010/11/20 05:30:16 | 000,245,632 | ---- | M] (Microsoft Corporation) MD5=F497F67932C6FA693D7DE2780631CFE7 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP

FC5A2B2
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:0B4227B4
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:07BF512B

< End of report >

Broni · May 21, 2011

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\Windows\System32\cmd.exe (Microsoft Corporation)
O15 - HKU\S-1-5-21-3645143618-988177714-1403921235-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2010/09/30 07:37:24 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\AVG10
[2010/09/21 10:52:06 | 000,000,000 | ---D | M] -- C:\Users\Kerry\AppData\Roaming\Uniblue
[2011/01/26 17:56:55 | 000,000,000 | ---D | M] -- C:\Users\Matthew\AppData\Roaming\AVG10
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:0B4227B4
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:07BF512B

:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
You will get a log that shows the results of the fix. Please post it.

===================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.

Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Download Temp File Cleaner (TFC)

Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

3. Please run a free online scan with the ESET Online Scanner

Disable your antivirus program
Tick the box next to YES, I accept the Terms of Use
Click Start
IMPORTANT! UN-check Remove found threats
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push List of found threats
Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
NOTE. If Eset won't find any threats, it won't produce any log.

KerryP · May 21, 2011

All processes killed
Error: Unable to interpret <Code:> in the current context!
Error: Unable to interpret <---------> in the current context!
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
Registry value HKEY_USERS\S-1-5-21-3645143618-988177714-1403921235-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\AvgUninstallURL deleted successfully.
File move failed. C:\Windows\System32\cmd.exe scheduled to be moved on reboot.
Registry key HKEY_USERS\S-1-5-21-3645143618-988177714-1403921235-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ deleted successfully.
Starting removal of ActiveX control {67DABFBF-D0AB-41FA-9C46-CC0F21721616}
C:\Windows\Downloaded Program Files\DivXPlugin.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\Windows\msdownld.tmp folder deleted successfully.
C:\Users\Kerry\AppData\Roaming\AVG10\cfgall folder moved successfully.
C:\Users\Kerry\AppData\Roaming\AVG10 folder moved successfully.
C:\Users\Kerry\AppData\Roaming\Uniblue\RegistryBooster\_temp folder moved successfully.
C:\Users\Kerry\AppData\Roaming\Uniblue\RegistryBooster\history folder moved successfully.
C:\Users\Kerry\AppData\Roaming\Uniblue\RegistryBooster\backup folder moved successfully.
C:\Users\Kerry\AppData\Roaming\Uniblue\RegistryBooster folder moved successfully.
C:\Users\Kerry\AppData\Roaming\Uniblue folder moved successfully.
C:\Users\Matthew\AppData\Roaming\AVG10\cfgall folder moved successfully.
C:\Users\Matthew\AppData\Roaming\AVG10 folder moved successfully.
ADS C:\ProgramData\TEMP

FC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:0B4227B4 deleted successfully.
ADS C:\ProgramData\TEMP:07BF512B deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kerry
->Temp folder emptied: 93958 bytes
->Temporary Internet Files folder emptied: 35755880 bytes
->Java cache emptied: 162744 bytes
->Flash cache emptied: 39493 bytes

User: Matthew
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 11585197 bytes
->Flash cache emptied: 689 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65748 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 45.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Kerry
->Flash cache emptied: 0 bytes

User: Matthew
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 05212011_165521

Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\cmd.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...

KerryP · May 21, 2011

Results of screen317's Security Check version 0.99.7
Windows 7 Service Pack 1 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Free Antivirus
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
CCleaner
Adobe Flash Player
Adobe Reader 9.4.4
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
``````````End of Log````````````

Broni · May 21, 2011

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

KerryP · May 21, 2011

No threats found on ESET, I will update Acrobat reader.

Broni · May 21, 2011

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

Double-click OTL.exe to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please, let me know, how your computer is doing.

KerryP · May 21, 2011

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kerry
->Temp folder emptied: 42413 bytes
->Temporary Internet Files folder emptied: 11025618 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 611 bytes

User: Matthew
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66016 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 11.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Kerry
->Flash cache emptied: 0 bytes

User: Matthew
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 05212011_185759

Files\Folders moved on Reboot...
C:\Users\Kerry\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W3SH7B95\background-banner-middle-v45[1].jpg moved successfully.
C:\Users\Kerry\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W3SH7B95\background-banner-middle-v9a[1].jpg moved successfully.
C:\Users\Kerry\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W3SH7B95\background-banner-right-v45[1].jpg moved successfully.
C:\Users\Kerry\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VNZFHEND\background-banner-right-v9a[1].jpg moved successfully.
C:\Users\Kerry\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5X40XNU\background_banner_green_50_v45[1].jpg moved successfully.
C:\Users\Kerry\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q5X40XNU\background_banner_green_50_v9a[1].jpg moved successfully.
C:\Users\Kerry\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\65215BYB\background_button_green_full[1].png moved successfully.
C:\Users\Kerry\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\65215BYB\list-item-plus[1].png moved successfully.

Registry entries deleted on Reboot...

KerryP · May 21, 2011

Thank You so much for your time.I will reply tomorrow to let you know how things are going.

Broni · May 21, 2011

You're very welcome

KerryP · May 22, 2011

Everything seems to be working fine,
Thanks again,
Kerry

Broni · May 22, 2011

Way to go!!

Good luck and stay safe

Solved Trying to remove Redirect virus

Broni

Posts: 56,041 +517

Broni

Posts: 56,041 +517

KerryP

Posts: 34 +0

Broni

Posts: 56,041 +517

KerryP

Posts: 34 +0

KerryP

Posts: 34 +0

Broni

Posts: 56,041 +517

KerryP

Posts: 34 +0

Broni

Posts: 56,041 +517

KerryP

Posts: 34 +0

KerryP

Posts: 34 +0

Broni

Posts: 56,041 +517

KerryP

Posts: 34 +0

Broni

Posts: 56,041 +517

Similar threads

Latest posts