"Trojan.Zeroaccess! khem" is getting on my nerves... :(


  • This topic is locked
136 replies to this topic

#16 jeffce
Malware Guy | Authentic Member | 8,693 posts

Posted 27 February 2012 - 10:28 AM

Hi,

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Right-click GMER.exe and select Run as Administrator. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


#17 thatguy89
Authentic Member | 80 posts

Posted 27 February 2012 - 07:22 PM

Ergh, it was actually going OK; it was slow at points during the scan, but it was scanning nonetheless. I had it going for 2 and a half hours and then I had to go, but I left the machine running. Unfortunately, when I got back Windows told me it had recovered from a blue screen shutdown :( I think this might have just been down to the fact that when I leave my laptop on for too long it makes several high-pitched noises before shutting down (might be overheating?), but that's not my primary worry right now! I'll try again in the morning and let you know how it goes. Should I leave the internet on when scanning? The lack of protection seems to be letting the trojan do whatever it wants (pop-ups and trying to download Flash etc.). Before I left I turned off the wifi and the scan seemed to start speeding up a bit anyway... Good night!

#18 jeffce
Malware Guy | Authentic Member | 8,693 posts

Posted 27 February 2012 - 07:27 PM

Hi, you can try running that in Safe Mode as well. Yes, GMER can take some time to run. :) Also, if you have your laptop set to go to sleep after a certain amount of time, disable that too so it won't go to sleep accidentally. :)

#19 thatguy89
Authentic Member | 80 posts

Posted 28 February 2012 - 08:43 AM

### it :smack: I've tried several times to run Gmer.exe in Safe Mode and normally, each time leading to a blue screen crash... why does this ### trojan have to make it so difficult.... I tried downloading it again and rerunning it, but same problem. It just scans away as it should and then bam, blue screen! This sucks.

#20 jeffce
Malware Guy | Authentic Member | 8,693 posts

Posted 28 February 2012 - 09:22 AM

Hi,

:D Yep they can be a pain LOL!!
----------

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use and, since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Services
    
    :OTL
    MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()
    SRV - (symsnap) -- File not found
    SRV - (n558) -- File not found
    SRV - (Anydlc) -- File not found
    SRV - (crauto) -- C:\Windows\System32\ipsecmon.dll (Oak Technology Inc.)
    IE - HKLM\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/406
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    IE - HKCU\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
    FF - prefs.js..browser.search.defaultenginename: "iLivid Web Search"
    FF - prefs.js..browser.search.order.1: "iLivid Web Search"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.startup.homepage: "www.ask.co.uk"
    FF - prefs.js..extensions.enabledItems: {99079a25-328f-4bd4-be04-00955acaa0a7}:4.4.1.00
    FF - prefs.js..extensions.enabledItems: {ba14329e-9550-4989-b3f2-9732e92d17cc}:3.7.0.6
    FF - prefs.js..keyword.URL: "http://www.searchqu.com/web?src=ffb&appid=101&systemid=406&sr=0&q="
    FF - prefs.js..network.proxy.no_proxies_on: "*.local"
    [2011/10/12 15:53:46 | 000,002,520 | ---- | M] () -- C:\Users\Compaq\AppData\Roaming\Mozilla\Firefox\Profiles\zyg90ndo.default\searchplugins\SearchResults.xml
    [2011/10/12 15:53:46 | 000,002,520 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\SearchResults.xml
    O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
    O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
    O2 - BHO: (aTube Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
    O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (aTube Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (aTube Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O33 - MountPoints2\{25d47d5d-dc37-11de-adef-00238be688d6}\Shell - "" = AutoRun
    O33 - MountPoints2\{25d47d5d-dc37-11de-adef-00238be688d6}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
    O33 - MountPoints2\{7e845458-a480-11de-a064-00238be688d6}\Shell - "" = AutoRun
    O33 - MountPoints2\{7e845458-a480-11de-a064-00238be688d6}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
    O33 - MountPoints2\F\Shell - "" = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
    O33 - MountPoints2\G\Shell - "" = AutoRun
    O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2012/02/26 00:18:21 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
    [2012/02/25 13:36:27 | 000,040,960 | ---- | M] () -- C:\Users\Compaq\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/02/22 09:52:03 | 000,000,000 | ---- | M] () -- C:\ProgramData\m6j3wHM1.dat
    [2012/02/22 09:51:36 | 000,000,000 | ---- | M] () -- C:\Windows\System32\67AC568.com
    [2012/02/22 09:50:24 | 000,028,160 | ---- | M] () -- C:\ProgramData\67AC568.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
---------

In your next reply please post BOTH of the logs made by OTL. :)
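To make the judgement behind a fix like the one above reproducible, here is an added example that is not part of this thread and is not OTL's own code: a small Python triage script that runs over OTL-format log lines. The rules are heuristics I chose for illustration, mirroring the kinds of entries the fix script removes (services and drivers whose binary is missing, browser registrations with no CLSID behind them, MountPoints2 AutoRun commands, executables with no company name dropped straight into System32 or ProgramData, and services hosted in a non-Microsoft DLL directly in System32). The sample log is constructed from lines quoted in this post plus a few benign lines from the user's log.

```python
"""Triage rules for OTL-format log lines (added example; not OTL's code).

The rules are heuristics chosen for illustration and flag entries for a
human to look at, in the same spirit as the helper's caution about not
acting on scanner output blindly.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the fix script and OTL log in this
# thread, plus benign lines so the rules have something to ignore.
SAMPLE_LOG = r"""
SRV - (symsnap) -- File not found
SRV - (crauto) -- C:\Windows\System32\ipsecmon.dll (Oak Technology Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.7.0.13\coieplg.dll (Symantec Corporation)
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
[2012/02/22 09:51:36 | 000,000,000 | ---- | M] () -- C:\Windows\System32\67AC568.com
[2012/02/22 09:50:24 | 000,028,160 | ---- | M] () -- C:\ProgramData\67AC568.exe
[2011/12/21 05:02:40 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
"""

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\programdata")
EXEC_EXTS = (".exe", ".com", ".dll", ".sys", ".dat", ".cmd")

# SRV/DRV - (name) [display name] -- <path (Company)> | File not found
SVC_RE = re.compile(r"^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\).*? -- (?P<target>.+)$")
TARGET_RE = re.compile(r"^(?P<path>.+?) \((?P<company>[^()]*)\)$")
AUTORUN_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<key>.+?)\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$'
)
# [date time | size | attrs | M] (Company) -- path
FILE_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[-A-Z]{4})\s*\|\s*M\]"
    r"\s*\((?P<company>[^)]*)\)\s*--\s*(?P<path>.+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str  # orphaned_service | review_service | dangling_bho | autorun_command | suspicious_file
    detail: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one OTL line, or None if no rule fires."""
    line = line.strip()

    m = SVC_RE.match(line)
    if m:
        if m["target"] == "File not found":
            return Finding("orphaned_service",
                           f"{m['kind']} {m['name']} points at a missing binary", line)
        t = TARGET_RE.match(m["target"])
        if t:
            path, company = t["path"], t["company"].strip()
            # A service hosted in a System32 DLL that is not Microsoft's is a
            # classic hiding place for a dropped component; flag for review only.
            if (ntpath.dirname(path).lower() == SYSTEM_DIRS[0]
                    and ntpath.splitext(path)[1].lower() == ".dll"
                    and not company.startswith("Microsoft")):
                return Finding("review_service",
                               f"{m['name']} runs from a System32 DLL by '{company or 'no company name'}'",
                               line)
        return None

    if line.startswith(("O2 - BHO:", "O3 - ")) and "No CLSID value found" in line:
        return Finding("dangling_bho", "browser registration with no CLSID behind it", line)

    m = AUTORUN_RE.match(line)
    if m:
        return Finding("autorun_command", f"MountPoints2\\{m['key']} runs: {m['cmd']}", line)

    m = FILE_RE.match(line)
    if m:
        path, company = m["path"], m["company"].strip()
        # OTL prints the version-info company in parentheses; an empty "()" on an
        # executable sitting directly in System32/ProgramData deserves a look.
        if (not company
                and ntpath.dirname(path).lower() in SYSTEM_DIRS
                and ntpath.splitext(path)[1].lower() in EXEC_EXTS):
            return Finding("suspicious_file",
                           f"no company name, system location: {ntpath.basename(path)}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every rule over a whole OTL log and keep the hits."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by rule kind."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:17} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

A review_service hit is a prompt to look, not a verdict: legitimate third-party services also live in System32 DLLs, so the same caution the helper gives about scanner output applies to this script's output.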

#21 thatguy89
Authentic Member | 80 posts

Posted 28 February 2012 - 09:54 AM

OK, OTL opened a .txt after reboot saying all processes killed. I'll put up the scan results ASAP (OTL is currently "not responding" since reaching "scanning modules". I'll keep you updated on that!)

#22 jeffce
Malware Guy | Authentic Member | 8,693 posts

Posted 28 February 2012 - 10:11 AM

It may take some time. :)

#23 thatguy89
Authentic Member | 80 posts

Posted 28 February 2012 - 10:13 AM

Here's OTL.Txt

------------------------------------------

OTL logfile created on: 28/02/2012 16:06:33 - Run 2
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Users\Compaq\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.93 Gb Total Physical Memory | 2.41 Gb Available Physical Memory | 82.26% Memory free
6.06 Gb Paging File | 5.74 Gb Available in Paging File | 94.68% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.33 Gb Total Space | 111.79 Gb Free Space | 50.28% Space Free | Partition Type: NTFS
Drive D: | 10.55 Gb Total Space | 1.80 Gb Free Space | 17.04% Space Free | Partition Type: NTFS

Computer Name: COMPAQ-PC | User Name: Compaq | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Compaq\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLS.exe (COMODO)
PRC - C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe (Adobe Systems Incorporated)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\WinRAR\RarExt.dll ()
MOD - C:\Program Files\Adobe\Reader 9.0\Reader\ViewerPS.dll ()
MOD - C:\Program Files\Adobe\Reader 9.0\Reader\sqlite.dll ()


========== Win32 Services (SafeList) ==========

SRV - (cmdAgent) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO)
SRV - (CLPSLS) -- C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLS.exe (COMODO)
SRV - (RapportMgmtService) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
SRV - (NIS) -- C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe (Symantec Corporation)
SRV - (SupportSoft RemoteAssist) -- C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe (SupportSoft, Inc.)
SRV - (sprtsvc_O2DA) SupportSoft Sprocket Service (O2DA) -- C:\Program Files\O2 Assistant\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (tgsrvc_O2DA) SupportSoft Repair Service (O2DA) -- C:\Program Files\O2 Assistant\bin\tgsrvc.exe (SupportSoft, Inc.)
SRV - (SwitchBoard) -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (STacSV) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\stacsv.exe (IDT, Inc.)
SRV - (AESTFilters) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_fa807195\AEstSrv.exe (Andrea Electronics Corporation)
SRV - (Recovery Service for Windows) -- C:\Program Files\SMINST\BLService.exe ()
SRV - (ezSharedSvc) -- C:\Windows\System32\ezsvc7.dll (EasyBits Sofware AS)
SRV - (SED133x) -- C:\Windows\System32\HssDrv.dll (Oak Technology Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (MA_CMIDI_InstallerService) -- C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe (Avid Technology, Inc.)


========== Driver Services (SafeList) ==========

DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (cmdGuard) -- C:\Windows\System32\drivers\cmdGuard.sys (COMODO)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys (Duplex Secure Ltd.)
DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20120227.002\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20120227.002\NAVENG.SYS (Symantec Corporation)
DRV - (inspect) -- C:\Windows\System32\drivers\inspect.sys (COMODO)
DRV - (cmdHlp) -- C:\Windows\System32\drivers\cmdhlp.sys (COMODO)
DRV - (IDSVix86) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20120224.002\IDSvix86.sys (Symantec Corporation)
DRV - (RapportCerberus_34302) -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys ()
DRV - (BHDrvx86) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20120215.001\BHDrvx86.sys (Symantec Corporation)
DRV - (RapportEI) -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys (Trusteer Ltd.)
DRV - (RapportPG) -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (Trusteer Ltd.)
DRV - (RapportKELL) -- C:\Windows\System32\Drivers\RapportKELL.sys (Trusteer Ltd.)
DRV - (SymEvent) -- C:\Windows\System32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (RapportIaso) -- c:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys (Trusteer Ltd.)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SYMTDIv) -- C:\Windows\System32\Drivers\NIS\1207000.00D\SYMTDIV.SYS (Symantec Corporation)
DRV - (SRTSP) -- C:\Windows\System32\Drivers\NIS\1207000.00D\SRTSP.SYS (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\Windows\system32\drivers\NIS\1207000.00D\SRTSPX.SYS (Symantec Corporation)
DRV - (SymEFA) -- C:\Windows\system32\drivers\NIS\1207000.00D\SYMEFA.SYS (Symantec Corporation)
DRV - (SymDS) -- C:\Windows\system32\drivers\NIS\1207000.00D\SYMDS.SYS (Symantec Corporation)
DRV - (SymIRON) -- C:\Windows\system32\drivers\NIS\1207000.00D\Ironx86.SYS (Symantec Corporation)
DRV - (pbfilter) -- C:\Program Files\PeerBlock\pbfilter.sys ()
DRV - (RapportBuka) -- C:\Windows\System32\drivers\RapportBuka.sys (Trusteer Ltd.)
DRV - (SE1008mdm) -- C:\Windows\System32\drivers\SE1008mdm.sys (Sony Ericsson)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (IntcHdmiAddService) Intel® -- C:\Windows\System32\drivers\IntcHdmi.sys (Intel® Corporation)
DRV - (NETw3v32) Intel® -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (MA_CMIDI) -- C:\Windows\System32\drivers\MA_CMIDI.SYS (M-Audio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...rio&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...rio&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...rio&pf=cnnb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:3.2
FF - prefs.js..extensions.enabledItems:
FF - prefs.js..extensions.enabledItems:
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:15.0.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:2011.7.4.3
FF - prefs.js..network.proxy.no_proxies_on: ""

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.0.198: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.0.198: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.0.198: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.0.198: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.0.198: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Compaq\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Compaq\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\IPSFFPlgn\ [2012/02/19 18:02:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\coFFPlgn_2011_7_5_2 [2012/02/28 15:49:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/02/19 18:01:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/20 12:49:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/20 12:49:34 | 000,000,000 | ---D | M]

[2011/10/12 21:24:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Compaq\AppData\Roaming\mozilla\Extensions
[2012/01/22 15:37:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Compaq\AppData\Roaming\mozilla\Firefox\Profiles\zyg90ndo.default\extensions
[2010/03/13 21:03:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Compaq\AppData\Roaming\mozilla\Firefox\Profiles\zyg90ndo.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/10/12 15:53:59 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Users\Compaq\AppData\Roaming\mozilla\Firefox\Profiles\zyg90ndo.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2012/01/22 15:37:25 | 000,000,000 | ---D | M] (Vuze Remote Community Toolbar) -- C:\Users\Compaq\AppData\Roaming\mozilla\Firefox\Profiles\zyg90ndo.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
[2012/01/22 14:56:00 | 000,000,000 | ---D | M] (Bflix extension) -- C:\Users\Compaq\AppData\Roaming\mozilla\Firefox\Profiles\zyg90ndo.default\extensions\info@thebflix.com
[2012/01/22 15:02:31 | 000,002,472 | ---- | M] () -- C:\Users\Compaq\AppData\Roaming\Mozilla\Firefox\Profiles\zyg90ndo.default\searchplugins\safesearch.xml
[2012/01/22 14:55:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/02/28 15:49:01 | 000,000,000 | ---D | M] (Norton Toolbar) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\COFFPLGN_2011_7_5_2
[2012/02/19 18:02:03 | 000,000,000 | ---D | M] (Symantec Intrusion Prevention) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\IPSFFPLGN
[2011/12/21 07:42:18 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/04/12 16:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/12/21 05:14:26 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/12/21 05:02:40 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/21 05:14:26 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/12/21 05:14:26 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/12/21 05:14:26 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Compaq\AppData\Local\Google\Chrome\Application\17.0.963.56\gcswf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Compaq\AppData\Local\Google\Chrome\Application\17.0.963.56\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Compaq\AppData\Local\Google\Chrome\Application\17.0.963.56\pdf.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java™ Platform SE 6 U20 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Java Deployment Toolkit 6.0.200.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
CHR - plugin: RealPlayer™ HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: RealNetworks™ Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Compaq\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.17_0\
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\
CHR - Extension: Gmail = C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

Hosts file not found
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.7.0.13\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ips\ipsbho.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.7.0.13\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.7.0.13\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [COMODO] C:\Program Files\Comodo\COMODO GeekBuddy\CLPSLA.exe (COMODO)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [CPA] C:\Program Files\Comodo\COMODO GeekBuddy\VALA.exe (COMODO)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [O2DA] C:\Program Files\O2 Assistant\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePDIRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKCU..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O13 - gopher Prefix: missing
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{73F92850-0943-4CBD-8836-3F9DF80843DA}: DhcpNameServer = 192.168.1.254
O20 - AppInit_DLLs: (C:\Windows\System32\guard32.dll) - C:\Windows\System32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Users\Compaq\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Compaq\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/28 15:44:08 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/02/28 15:40:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2012/02/28 15:40:11 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/02/27 10:00:39 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/02/26 11:38:43 | 000,000,000 | ---D | C] -- C:\Users\Compaq\AppData\Roaming\Tific
[2012/02/26 11:35:33 | 000,000,000 | ---D | C] -- C:\Users\Compaq\AppData\Local\Symantec
[2012/02/26 10:22:57 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/02/26 10:22:57 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/02/26 10:22:57 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/02/26 10:22:29 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/02/26 10:15:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/26 00:32:58 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Users\Compaq\Desktop\OTL.exe
[2012/02/26 00:26:08 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/02/25 10:55:34 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Compaq\Desktop\dds.com
[2012/02/25 10:53:28 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Users\Compaq\Desktop\aswMBR.exe
[2012/02/25 10:44:09 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Compaq\Desktop\dds.scr
[2012/02/24 14:57:14 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Compaq\Desktop\HiJackThis.exe
[2012/02/20 13:14:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/02/20 13:14:51 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/02/20 11:27:24 | 000,000,000 | ---D | C] -- C:\Users\Compaq\AppData\Roaming\SUPERAntiSpyware.com
[2012/02/20 11:27:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012/02/20 11:26:59 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/02/20 11:26:59 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/02/20 10:52:32 | 000,000,000 | ---D | C] -- C:\ProgramData\CPA_VA
[2012/02/20 10:25:05 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\COMODO
[2012/02/20 10:24:29 | 000,000,000 | ---D | C] -- C:\Users\Compaq\AppData\Local\Comodo
[2012/02/20 10:14:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Comodo
[2012/02/20 10:14:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo
[2012/02/20 10:14:05 | 000,000,000 | ---D | C] -- C:\Program Files\Comodo
[2012/02/20 10:03:58 | 000,000,000 | ---D | C] -- C:\Users\Compaq\AppData\Roaming\Malwarebytes
[2012/02/20 10:03:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/02/20 10:03:48 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/02/20 10:03:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/02/20 10:03:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/02/13 12:03:03 | 000,000,000 | ---D | C] -- C:\ProgramData\LightScribe
[2012/02/05 15:11:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\K-Lite Codec Pack
[2012/02/05 15:11:53 | 000,000,000 | ---D | C] -- C:\Program Files\K-Lite Codec Pack
[2012/02/05 14:59:43 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2012/02/05 14:46:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media
[2012/02/05 14:46:09 | 000,000,000 | ---D | C] -- C:\WMSDK
[2012/02/04 16:00:16 | 000,000,000 | ---D | C] -- C:\Users\Compaq\Desktop\photos Aurore phone
[2012/02/03 18:17:13 | 000,000,000 | ---D | C] -- C:\Users\Compaq\AppData\Roaming\Media Player Classic
[2012/02/03 15:58:11 | 000,000,000 | ---D | C] -- C:\Users\Compaq\AppData\Local\{63666F5D-CB50-4006-BAD8-A7A359057769}
[2012/02/03 15:41:32 | 000,262,144 | ---- | C] (Creative Labs) -- C:\Windows\System32\wrap_oal.dll
[2012/02/03 15:41:32 | 000,086,016 | ---- | C] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\System32\OpenAL32.dll
[2012/02/03 15:39:45 | 000,000,000 | ---D | C] -- C:\Program Files\OpenLibraries
[2012/02/03 10:00:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PeerBlock
[2012/02/03 10:00:07 | 000,000,000 | ---D | C] -- C:\Program Files\PeerBlock

========== Files - Modified Within 30 Days ==========

[2012/02/28 16:03:51 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
[2012/02/28 16:03:46 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/28 16:02:11 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/28 16:02:11 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/28 15:55:01 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4056065152-634905853-1308159465-1000UA.job
[2012/02/28 15:49:24 | 000,000,286 | ---- | M] () -- C:\ProgramData\hpqp.ini
[2012/02/28 15:40:29 | 000,000,873 | ---- | M] () -- C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/28 15:40:17 | 000,000,693 | ---- | M] () -- C:\Users\Compaq\Desktop\NTREGOPT.lnk
[2012/02/28 15:40:16 | 000,000,674 | ---- | M] () -- C:\Users\Compaq\Desktop\ERUNT.lnk
[2012/02/28 15:36:33 | 216,923,374 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/02/26 21:18:32 | 000,000,326 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForCompaq.job
[2012/02/26 19:56:19 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4056065152-634905853-1308159465-1000Core.job
[2012/02/26 00:33:00 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Users\Compaq\Desktop\OTL.exe
[2012/02/26 00:26:08 | 000,609,196 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/26 00:26:08 | 000,108,672 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/26 00:23:00 | 002,044,183 | ---- | M] () -- C:\Users\Compaq\Desktop\tdsskiller.zip
[2012/02/25 11:02:53 | 000,000,512 | ---- | M] () -- C:\Users\Compaq\Desktop\MBR.dat
[2012/02/25 10:55:35 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Compaq\Desktop\dds.com
[2012/02/25 10:54:19 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Users\Compaq\Desktop\aswMBR.exe
[2012/02/25 10:44:29 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Compaq\Desktop\dds.scr
[2012/02/24 14:57:17 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Compaq\Desktop\HiJackThis.exe
[2012/02/20 13:31:23 | 003,745,384 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/02/20 13:22:29 | 000,292,100 | ---- | M] () -- C:\Users\Compaq\Documents\cc_20120220_132138.reg
[2012/02/20 13:14:54 | 000,000,764 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/02/20 11:27:03 | 000,001,760 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/02/20 11:03:11 | 002,185,990 | ---- | M] () -- C:\Windows\System32\drivers\NIS\1207000.00D\Cat.DB
[2012/02/20 10:58:44 | 000,001,753 | ---- | M] () -- C:\Users\Public\Desktop\COMODO Firewall.lnk
[2012/02/20 10:57:56 | 000,000,863 | ---- | M] () -- C:\Users\Public\Desktop\Comodo Dragon.lnk
[2012/02/20 10:14:19 | 000,001,017 | ---- | M] () -- C:\Users\Compaq\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
[2012/02/20 10:14:19 | 000,000,993 | ---- | M] () -- C:\Users\Public\Desktop\COMODO GeekBuddy.lnk
[2012/02/20 10:03:49 | 000,000,866 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/19 18:20:08 | 000,006,756 | ---- | M] () -- C:\Users\Compaq\AppData\Local\d3d9caps.dat
[2012/02/17 15:57:53 | 000,002,047 | ---- | M] () -- C:\Users\Compaq\Desktop\Google Chrome.lnk
[2012/02/17 15:57:53 | 000,002,009 | ---- | M] () -- C:\Users\Compaq\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/02/15 10:11:08 | 000,002,587 | ---- | M] () -- C:\Users\Compaq\Desktop\Microsoft Office Word 2007.lnk
[2012/02/08 10:53:04 | 000,000,326 | ---- | M] () -- C:\MemeoSendAddin
[2012/02/03 15:41:32 | 000,262,144 | ---- | M] (Creative Labs) -- C:\Windows\System32\wrap_oal.dll
[2012/02/03 15:41:32 | 000,086,016 | ---- | M] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\System32\OpenAL32.dll
[2012/02/03 10:00:11 | 000,001,688 | ---- | M] () -- C:\Users\Compaq\Desktop\PeerBlock.lnk
[2012/02/01 17:57:19 | 000,002,173 | ---- | M] () -- C:\Users\Public\Desktop\Norton Internet Security.lnk

========== Files Created - No Company Name ==========

[2012/02/28 15:48:06 | 000,000,000 | -HS- | C] () -- C:\Windows\System32\dds_trash_log.cmd
[2012/02/28 15:40:29 | 000,000,873 | ---- | C] () -- C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/28 15:40:16 | 000,000,693 | ---- | C] () -- C:\Users\Compaq\Desktop\NTREGOPT.lnk
[2012/02/28 15:40:15 | 000,000,674 | ---- | C] () -- C:\Users\Compaq\Desktop\ERUNT.lnk
[2012/02/28 14:22:56 | 216,923,374 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/02/27 20:12:07 | 000,302,592 | ---- | C] () -- C:\Users\Compaq\Desktop\gmer.exe
[2012/02/26 10:22:57 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/02/26 10:22:57 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/02/26 10:22:57 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/02/26 10:22:57 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/02/26 10:22:57 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/02/26 00:22:57 | 002,044,183 | ---- | C] () -- C:\Users\Compaq\Desktop\tdsskiller.zip
[2012/02/25 11:02:53 | 000,000,512 | ---- | C] () -- C:\Users\Compaq\Desktop\MBR.dat
[2012/02/20 13:21:45 | 000,292,100 | ---- | C] () -- C:\Users\Compaq\Documents\cc_20120220_132138.reg
[2012/02/20 13:14:53 | 000,000,764 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/02/20 11:27:03 | 000,001,760 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/02/20 10:58:43 | 000,001,753 | ---- | C] () -- C:\Users\Public\Desktop\COMODO Firewall.lnk
[2012/02/20 10:14:19 | 000,001,017 | ---- | C] () -- C:\Users\Compaq\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
[2012/02/20 10:14:19 | 000,000,993 | ---- | C] () -- C:\Users\Public\Desktop\COMODO GeekBuddy.lnk
[2012/02/20 10:14:08 | 000,000,863 | ---- | C] () -- C:\Users\Public\Desktop\Comodo Dragon.lnk
[2012/02/20 10:03:49 | 000,000,866 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/03 16:08:58 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2012/02/03 10:00:10 | 000,001,688 | ---- | C] () -- C:\Users\Compaq\Desktop\PeerBlock.lnk
[2012/01/10 17:52:32 | 000,000,132 | ---- | C] () -- C:\Users\Compaq\AppData\Roaming\Adobe BMP Format CS5 Prefs
[2011/01/08 11:04:09 | 000,001,940 | ---- | C] () -- C:\Users\Compaq\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/07/09 14:07:42 | 000,006,524 | ---- | C] () -- C:\Users\Compaq\AppData\Roaming\wklnhst.dat
[2010/07/07 12:41:13 | 000,000,114 | ---- | C] () -- C:\Windows\wininit.ini
[2010/03/02 11:11:02 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat

< End of report >

#24 thatguy89 (Authentic Member, 80 posts)

Posted 28 February 2012 - 10:20 AM

Hmm, I'm having some difficulty finding the extras.txt though... I went on C:\_OTL, which opens up with the option to go on "moved files", but there's a fair bit of stuff in there and I don't really know where to look...?

#25 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 28 February 2012 - 10:22 AM

There will be no Extras.txt log created this time. Was there a log that was created showing everything that was removed? If you have that please post that as well. :)

#26 thatguy89 (Authentic Member, 80 posts)

Posted 28 February 2012 - 10:26 AM

Oh dear, there was one that came up after the reboot, but I closed it. Any idea where it might be / what it's called??? D'oh!

#27 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 28 February 2012 - 10:29 AM

No, that is OK... Let's see if we can get ComboFix to run now. Delete all copies of ComboFix on your system using right-click >> Delete and then download a fresh copy. Once you have a fresh copy on your Desktop, please run a scan and post the log that is created into your next reply. :)

#28 thatguy89 (Authentic Member, 80 posts)

Posted 28 February 2012 - 11:05 AM

It seems to be doing the same as before (not going any further than "scan times... may take longer"). Maybe I could redo the OTL fix you posted and save the results this time? I suppose for now I could try GMER again...

#29 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 28 February 2012 - 11:45 AM

Yes, go ahead and run GMER again. See what it comes up with. :)

#30 thatguy89 (Authentic Member, 80 posts)

Posted 29 February 2012 - 03:50 AM

Well Jeff, I hate to make life difficult for you, but gmer.exe is doing the same thing again: it just won't finish the scan before the computer goes into a blue-screen shutdown... It seems like whatever progress is being made, the trojan just recovers to say F you each time!
