GT500

Emsisoft Employee

Posts posted by GT500


  1. OK, I have written a script that will tell ComboFix how to delete some stuff I saw in your log. Here are instructions on what to do with the script:

    1. Download an updated version of ComboFix from one of the following links:
       • BleepingComputer
       • InfoSpyware

    2. Turn off your Anti-Virus software.

    3. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.

    4. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):

    http://support.emsisoft.com/topic/7588-is-this-malware-safesurf-surfguard/
    
    KillAll::
    
    FCopy::
    c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
    
    File::
    c:\windows\$NtUninstallKB951748_0$\tcpip.sys
    c:\windows\ERDNT\cache\tcpip.sys
    c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

    5. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).

    6. Close Notepad and verify that the CFScript file is saved on your desktop.

    7. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then, holding the mouse button down, drag the CFScript icon onto the ComboFix icon and drop it (let go of the mouse button) on top of the ComboFix icon:

    CFScriptB-4.gif

    When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.


  2. I'm sorry, that's my fault. I exported the NetSvcs from Windows XP, and you're using Windows 7. Here's the proper script and instructions for Windows 7:

    1. Download an updated version of ComboFix from one of the following links:
       • BleepingComputer
       • InfoSpyware

    2. Turn off your Anti-Virus software.

    3. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.

    4. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):

    http://support.emsisoft.com/topic/7520-please-help-with-trojancrypte2/
    
    KillAll::
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
    "netsvcs"=hex(7):41,65,4c,6f,6f,6b,75,70,53,76,63,00,43,65,72,74,50,72,6f,70,\
     53,76,63,00,53,43,50,6f,6c,69,63,79,53,76,63,00,6c,61,6e,6d,61,6e,73,65,72,\
     76,65,72,00,67,70,73,76,63,00,49,4b,45,45,58,54,00,41,75,64,69,6f,53,72,76,\
     00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
     62,69,6c,69,74,79,00,49,61,73,00,49,72,6d,6f,6e,00,4e,6c,61,00,4e,74,6d,73,\
     73,76,63,00,4e,57,43,57,6f,72,6b,73,74,61,74,69,6f,6e,00,4e,77,73,61,70,61,\
     67,65,6e,74,00,52,61,73,61,75,74,6f,00,52,61,73,6d,61,6e,00,52,65,6d,6f,74,\
     65,61,63,63,65,73,73,00,53,45,4e,53,00,53,68,61,72,65,64,61,63,63,65,73,73,\
     00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,57,6d,69,00,57,6d,\
     64,6d,50,6d,53,70,00,54,65,72,6d,53,65,72,76,69,63,65,00,77,75,61,75,73,65,\
     72,76,00,42,49,54,53,00,53,68,65,6c,6c,48,57,44,65,74,65,63,74,69,6f,6e,00,\
     4c,6f,67,6f,6e,48,6f,75,72,73,00,50,43,41,75,64,69,74,00,68,65,6c,70,73,76,\
     63,00,75,70,6c,6f,61,64,6d,67,72,00,69,70,68,6c,70,73,76,63,00,73,65,63,6c,\
     6f,67,6f,6e,00,41,70,70,49,6e,66,6f,00,6d,73,69,73,63,73,69,00,4d,4d,43,53,\
     53,00,77,65,72,63,70,6c,73,75,70,70,6f,72,74,00,45,61,70,48,6f,73,74,00,50,\
     72,6f,66,53,76,63,00,73,63,68,65,64,75,6c,65,00,68,6b,6d,73,76,63,00,53,65,\
     73,73,69,6f,6e,45,6e,76,00,77,69,6e,6d,67,6d,74,00,62,72,6f,77,73,65,72,00,\
     54,68,65,6d,65,73,00,42,44,45,53,56,43,00,41,70,70,4d,67,6d,74,00,00

    5. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).

    6. Close Notepad and verify that the CFScript file is saved on your desktop.

    7. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then, holding the mouse button down, drag the CFScript icon onto the ComboFix icon and drop it (let go of the mouse button) on top of the ComboFix icon:

    CFScriptB-4.gif

    When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.


  3. Are you sure there isn't already an OTL log saved on your desktop? The only way to save an OTL log with the same name as one that already exists would be to overwrite the old one.

    I am seeing some services in that log that are missing files. It may not be related to an infection, however it is best to repair them anyway.

    Please download ComboFix from one of the following links, and follow the instructions below to run it. Save it as Combo-Fix.exe during the download: ComboFix must be renamed before you download it to your Desktop.

    Link 1

    Link 2

    * IMPORTANT !!! Save Combo-Fix to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
      See HERE for help
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RcAuto1.gif

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    When finished, ComboFix will produce a log.

    Note:

    1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

    Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

    • ComboFix (C:\combofix.txt)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


  4. OK, it looks like we still need to fix some services. Here is another script, with instructions on what to do again:

    1. Download an updated version of ComboFix from one of the following links:
       • BleepingComputer
       • InfoSpyware

    2. Turn off your Anti-Virus software.

    3. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.

    4. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):

    http://support.emsisoft.com/topic/7520-please-help-with-trojancrypte2/
    
    KillAll::
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    "netsvcs"=hex(7):36,74,6f,34,00,41,70,70,4d,67,6d,74,00,41,75,64,69,6f,53,72,\
     76,00,42,72,6f,77,73,65,72,00,43,72,79,70,74,53,76,63,00,44,4d,53,65,72,76,\
     65,72,00,44,48,43,50,00,45,52,53,76,63,00,45,76,65,6e,74,53,79,73,74,65,6d,\
     00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
     62,69,6c,69,74,79,00,48,69,64,53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,\
     49,72,6d,6f,6e,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,4c,61,6e,6d,61,6e,\
     57,6f,72,6b,73,74,61,74,69,6f,6e,00,4d,65,73,73,65,6e,67,65,72,00,4e,65,74,\
     6d,61,6e,00,4e,6c,61,00,4e,74,6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,\
     61,74,69,6f,6e,00,4e,77,73,61,70,61,67,65,6e,74,00,52,61,73,61,75,74,6f,00,\
     52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,65,73,73,00,53,63,68,65,64,\
     75,6c,65,00,53,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,00,53,68,61,72,65,64,61,\
     63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,\
     68,65,6d,65,73,00,54,72,6b,57,6b,73,00,57,33,32,54,69,6d,65,00,57,5a,43,53,\
     56,43,00,57,6d,69,00,57,6d,64,6d,50,6d,53,70,00,77,69,6e,6d,67,6d,74,00,77,\
     73,63,73,76,63,00,78,6d,6c,70,72,6f,76,00,6e,61,70,61,67,65,6e,74,00,68,6b,\
     6d,73,76,63,00,42,49,54,53,00,77,75,61,75,73,65,72,76,00,53,68,65,6c,6c,48,\
     57,44,65,74,65,63,74,69,6f,6e,00,68,65,6c,70,73,76,63,00,57,6d,64,6d,50,6d,\
     53,4e,00,00

    5. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).

    6. Close Notepad and verify that the CFScript file is saved on your desktop.

    7. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then, holding the mouse button down, drag the CFScript icon onto the ComboFix icon and drop it (let go of the mouse button) on top of the ComboFix icon:

    CFScriptB-4.gif

    When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
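
    The "netsvcs" values in this post and in the Windows XP one above are REG_MULTI_SZ data written out byte by byte, which makes it hard to see by eye whether a rogue entry has been added to the group that svchost.exe loads. The Python below is an added example for readers of this thread; it is not part of GT500's posts and not something ComboFix provides. It decodes a hex(7) value back into service names, flags any name missing from a baseline, and re-encodes a cleaned list in the same wrapped layout the scripts use. The sample value, the "evilsvc" entry and the BASELINE set are constructed for the example, not taken from the logs in this thread.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample in the same layout as the Registry:: section of the
# ComboFix scripts. It is NOT one of the values from the posts: two legitimate
# names plus a made-up rogue entry "evilsvc", ending with the double NUL.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):41,65,4c,6f,6f,6b,75,70,53,76,63,00,42,49,54,53,00,65,76,\
 69,6c,73,76,63,00,00
'''

# Hypothetical baseline: names already confirmed to belong in this group. In
# practice export the same value from a clean machine running the SAME Windows
# version (mixing XP and Windows 7 lists is the mistake corrected above).
BASELINE = {"AeLookupSvc", "BITS"}


def decode_hex7(reg_text: str, value_name: str = "netsvcs",
                encoding: Optional[str] = None) -> List[str]:
    """Return the strings stored in a REG_MULTI_SZ ("hex(7):") value.

    Continuation lines end with a backslash and are joined first. regedit
    exports REG_MULTI_SZ as UTF-16LE ("41,00,65,00,..."), while the ComboFix
    scripts above use one byte per character ("41,65,..."). When no encoding
    is given, the zero high bytes of UTF-16LE are used to tell them apart
    (ambiguous only for a list made entirely of single-character names).
    """
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)
    pattern = r'"%s"=hex\(7\):([0-9a-fA-F, \t]+)' % re.escape(value_name)
    match = re.search(pattern, joined)
    if not match:
        raise ValueError("no hex(7) value named %r" % value_name)
    tokens = [t for t in re.sub(r"[ \t]", "", match.group(1)).split(",") if t]
    raw = bytes(int(t, 16) for t in tokens)
    if encoding is None:
        looks_utf16 = len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
        encoding = "utf-16-le" if looks_utf16 else "latin-1"
    # Entries are NUL-separated; the list ends with an empty entry (double NUL).
    return [s for s in raw.decode(encoding).split("\x00") if s]


def unexpected_services(names: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Names loaded by the svchost group that are not in the known-good list."""
    return sorted(set(names) - set(baseline))


def encode_hex7(names: Iterable[str], value_name: str = "netsvcs",
                encoding: str = "latin-1", first: int = 20, per_line: int = 25) -> str:
    """Re-encode names as a ComboFix-style hex(7) value, wrapped like the posts above."""
    data = b"".join(n.encode(encoding) + b"\x00" for n in names) + b"\x00"
    tokens = ["%02x" % b for b in data]
    chunks = [tokens[:first]] + [tokens[i:i + per_line]
                                 for i in range(first, len(tokens), per_line)]
    lines = []
    for i, chunk in enumerate(chunks):
        prefix = '"%s"=hex(7):' % value_name if i == 0 else " "
        tail = ",\\" if i < len(chunks) - 1 else ""
        lines.append(prefix + ",".join(chunk) + tail)
    return "\n".join(lines)


if __name__ == "__main__":
    names = decode_hex7(SAMPLE_REG)
    print("netsvcs group:", names)
    print("not in baseline:", unexpected_services(names, BASELINE))
    print("cleaned value:\n" + encode_hex7(sorted(BASELINE)))
```

    Running it on the constructed sample lists AeLookupSvc, BITS and evilsvc, reports evilsvc as the entry not in the baseline, and prints a replacement value containing only the two baseline names. Pasting one of the posted values into SAMPLE_REG decodes it the same way, which is a quick check that a script was exported from the right Windows version before it is dropped onto ComboFix.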


  5. OK, we should be able to use ComboFix to get rid of some of those broken services. I have written a script that will tell ComboFix how to delete some broken services from your logs. Here are instructions on what to do with the script:

    1. Download an updated version of ComboFix from one of the following links:
       • BleepingComputer
       • InfoSpyware

    2. Turn off your Anti-Virus software.

    3. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.

    4. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):

    http://support.emsisoft.com/topic/7520-please-help-with-trojancrypte2/
    
    KillAll::
    
    Driver::
    zppinger
    zpjava
    zpaction
    zdeviceservice
    ZDCNDIS5
    zBackupAssistService
    z800obex
    yediex
    yats32
    XilinxPC4Driver
    XFX_program
    XDva004
    xaudioservice
    wzcsvc
    Wuser32
    WUSB54GPV4SRV
    WUSB54GCSVC
    WPFFontCache_v0400
    wpdusb
    wmp54gv4svc
    WmFilter
    WmBEnum
    WLAN_USB
    wkscfgsrv
    WISTechVIDCAP
    winvnc4
    winpowerrmi
    winpower
    windowblinds
    winachcf
    WimFltr
    WGX
    websenselogserver
    websensecommunicationagent
    webrootenterpriseclientservice
    w810obex
    w800obex
    w550bus
    w39n51
    w300bus
    vzupsvc
    vzfw
    vtserver
    vserial
    vsapint
    vrfwsvc
    VRcore
    VrAcFil
    vpn5000service
    vncdrv
    vmparport
    vmodem
    vmnetuserif
    vmkbd2
    vmauthdservice
    videX32
    Video3D
    viaudio
    vet-rec
    vetmsgnt
    vetmonnt
    vetfddnt
    VCIDRV
    VCAM
    VAIOMediaPlatform-PhotoServer-HTTP
    VAIOMediaPlatform-MusicServer-HTTP
    vaiomediaplatform-integratedserver-upnp
    USBModem
    usbio
    USBCamera
    usb_rndisx
    USB_NDIS_51
    UCTblHid
    U81xmdfl
    U81xbus
    U2SP
    tvtpktfilter
    TUWinStylerThemeSvc
    tunnelguardservice
    trufos
    truecrypt
    trioservice
    trayman
    traprcvr
    transarcafsdaemon
    tosrfcom
    tosporte
    tomcatcws3
    tng-dtmg
    tnbrlds
    tmesrv3
    tifm
    TIEHDUSB
    thpsrv
    teefer
    tdsmapi
    tdimsys
    TClass2k
    tbhsd
    syslogd
    sysenforce
    symsecureport
    symlcbrd
    SymIMMP
    symids
    symevent
    symc8xx
    symappcore
    symantecantibotagent
    sym_u3
    swwd
    SWUMX51
    SWUMX20
    SWNC8U20
    SWNC5E00
    SWMX00
    svv
    svcwrsssdk
    suservice
    surveyor
    stylexphelper
    stunnel
    StkAMini
    stirusb
    sthda
    steamdvr
    statusagent
    StarOpen
    ssscsisv
    sr
    SQLBrowser
    spsslm
    sprtsvc_smartagent
    spmd
    sparrow
    sonypvu1
    softfax
    SNP2STD
    snmptrapdservice
    SndTDriverV32
    snac
    SMTPSVC
    SMNDIS5
    SMCB000
    SlWdmSup
    slservice
    slapd-data52
    sisnic
    siskp
    siside
    SiSGbeXP
    SiS7018
    SIODRV
    si3114r
    Shockprf
    sglfb
    SGHIDI
    sfusvc) Zd1211u(zydas
    sfsync04
    sfng32
    sfman
    sfhlp01
    SerTVOutCtlr
    ser2plms
    SECYPUSB
    SeaPort
    se59mdfl
    se58obex
    se58mgmt
    se58bus
    se44mdm
    SE2Emgmt
    SE2Emdfl
    se2Cunic
    SE2Cbus
    SE2Bmdm
    SE26mdfl
    sdhelper
    sddmi2
    sdcoreservice
    screadspool
    scdemu
    sbservice
    SaiU040B
    SaiMini
    sagefserver
    S7oppilx
    s616obex
    s616mdfl
    s125mgmt
    s117nd5
    s116nd5
    rxmssync
    RTLE8023xp
    RTL8023xp
    rtl8023
    rt2500usb
    rt2500
    rsvp
    RSAFAL
    RR2Ctrl
    rpcapd
    rollbackclientservice
    ROB_V
    RMSvc
    rmedia
    rksample
    rkhdrv31
    risdptsk
    rimsptsk
    remotelyanywhere
    regsrvc
    Rawwan
    RAPIProtocol
    rapapp
    QV2KUX
    qserver
    ql1240
    qconsvc
    pxfhbus
    pwisvc
    PTDCMdm
    psdistributionagent
    psadd
    prtg4service
    prodrv06
    procexp90
    prevxdriver
    prevxagent
    PQNTDrv
    pmsveh
    pmj151la
    pinetmgr
    PhilCam8116
    pgsql-8.0
    pepifilter
    pensup
    penrendezvous
    pdlnepkt
    pdlnebas
    pdlndldl
    pdiddcci
    pcx1unic
    pctoolsfirewallplus
    PCTINDIS5
    pclepci
    pca
    pav_service
    passthru
    papyjoy
    papycpu2
    Packet
    p2pgasvc
    P16X
    ossrv
    OsaFsLoc
    oraclesnmppeermasteragent
    oracleservicelocalora
    oracleorahomepagingserver
    oracleorahomedatagatherer
    oraclemtsrecoveryservice
    oracleformsserver-forms60server-oraform
    oracledbconsoleorcl
    openvpnservice
    ooclevercacheagent
    olapserver
    odysseyIM4
    odysseyIM3
    NWSNS
    NWFILTER
    NWDNS
    NVXBAR
    NVTCP
    nvstor64
    nvport
    nvnetbus
    nvgts
    nvatabus
    nvata
    nv4
    nuvaud2
    ntuneservice
    ntlmssp
    nscservice
    NPPTNT
    npkcusb
    npkcsvc
    npfmntor
    npapimon
    nod32krn
    nmwcdcj
    nmap
    nidomainservice
    NICSer_WPC300N
    ni_nic
    nhcDriverDevice
    ngserver
    ngdbserv
    netw4x32
    NETw3x32
    netsvc
    neokdss
    NCPro
    navapel
    navap
    mysqlinventime
    MxlW2k
    MTsensor
    mssql$microsoftsmlbiz
    MSSQL$AUTODESKVAULT
    mskservice
    msi_wlan_service
    msgsrvservice
    MSFWDrv
    MSCamSvc
    mrobeservice
    MRESP50a64
    MRESP50
    mraid35x
    mqdmmdm
    MQAC
    mps9
    MpFilter
    mmc_2K
    mhn
    mgabg
    mdmxsdk
    mdm
    mcvsrte
    mcusrmgr
    mcproxy
    mcontrol
    mcmscsvc
    mclogmanagerservice
    maxbackserviceint
    MaVctrl
    MaRdPnp
    mail2ec
    MagicTune
    mafwboot
    macformatservice
    MA8032U
    MA8032M
    lxdm_device
    lxcz_device
    lxcg_device
    lxcf_device
    lxcc_device
    lxby_device
    lxbx_device
    lvsrvlauncher
    lvpr2mon
    lvmvdrv
    lvckap
    LVBulk
    lpx
    lp6nds35
    logmein
    lockmgr
    LMS
    LMouKE
    LMouFilt
    LMIRfsDriver
    lmimaint
    lktimesync
    LHidFilt
    lcs
    lbrtfdc
    L1e
    Ktp
    KS0108
    KMW_KBD
    kmixer
    KLOGNT
    kbfiltr
    k750obex
    jsdaemon
    JiaoIO
    JiaoCap
    jaguar
    iwebcal
    IWCA
    ithsgt
    iteatapi
    itchfltr
    issvc
    issm
    iSMBIOS
    isapisearch
    ipssvc
    ipsraidn
    IPSECSHM
    IPFilter
    ipcsvc
    iPassPeriodicUpdateService
    iPassPeriodicUpdateApp
    ip6fw
    Invoker
    IntelC52
    inport
    ino_flpy
    infrastructure
    incdsrv
    incdrm
    incdpass
    imap4d32
    iksyssec
    IJPLMSVC
    igateway
    iftpsvc
    IFP700
    idisw2km
    icollectservice
    ibmcicstransactiongateway
    IASJet
    iap
    iam
    iAimTV6
    iAimTV5
    iaimtv1
    iAimFP7
    i81x
    i2omp
    hwpsgt
    hwdatacard
    hsxhwazl
    HPFECP20
    hpci
    houdinilicenseserver
    hidgame
    hf30service
    hcwPVRP2
    hap17v2k
    GVCplDrv
    gotomypc
    GoToAssist
    GoogleDesktopManager-010708-104812
    GoBack2K
    giveio
    ghaio
    gdrv
    GBDevice
    FVXSCSI
    ftpds
    FreeTdi
    freepops
    freebsd
    forcewarewebinterface
    fix
    FirePM
    firelm01
    fips
    filterservice
    filemon701
    filechecker
    FETNDIS
    fa_scheduler
    Exportit
    EU3_USB
    epoxusdm
    eloggersvc6
    elockservice
    elnkupdateservice
    eamon
    eabfiltr
    DynDNS_Updater_Service
    dvpapi
    dsproct
    dsbrokerservice
    drvnddm
    drvmcdb
    dntus26
    dnsexit
    dmio
    d-link_st3402
    DLH5X
    dlbu_device
    dlaudfam
    digictrl
    DeviceScanner
    Defrag32b
    deckzpsx
    dcstor32
    dcpflics
    DCamUSBMke2
    DCamUSBGrandTek
    DCamUSBDXGTech
    dbmang
    db2jds
    CXAVXBAR
    cwafreportscheduler
    cusrvc
    ctxcpuusync
    ctprxy2k
    CTEXFIFX.DLL
    CTEDSPSY.DLL
    ctdvda2k
    ctaud2k
    cpqnicmgmt
    cpqfcalm
    cportclm
    COMMONFX.DLL
    com0com
    cmdagent
    clr_optimization_v2.0.50215_32
    citrixxteserver
    cicsclient
    centennialclientagent
    CDRPDACC
    cdr4_xp
    cdr4_2k
    cdmservice
    c-dillasrv
    CdaD10BA
    CdaC15BA
    ccsetmgr
    ccalib8
    cavasm
    ca-messagequeuing
    CAMCHALA
    CAMCAUD
    Cam5603C
    caisafe
    cachemgr
    caccprovsp
    CA561
    bwsvc
    bwmservice
    btwrchid
    btwmodem
    btnhnd
    btnetfilter
    bt3cser
    BsHelpCS
    BRCMDECO
    botcbs
    blueservice
    blueletaudio
    bh611
    bgsvcgen
    beatjamupnpmusicserver
    bdselfpr
    bdfdll
    bcftdi
    bantext
    backupexecrpcservice
    backupexecagentaccelerator
    axsnmsvc
    avp
    avgtdi
    avgfwsrv
    avgclean
    avg7updsvc
    AVerBDA
    ATSWPDRV
    atmeltpm
    atkkeyboardservice
    atkdisplf
    ativraxx
    atinrvxx
    atikmdag
    ATIBTCAP
    ati
    atfsd
    atdisk
    AtcL002
    atchksrv
    asuskeyboardservice
    aslm75
    artourservice
    arp1394
    Appn
    APLMp50
    antivirservice
    amon
    AmdLLD
    ALYac_PZSrv
    Alpham1
    AlKernel
    aliadwdm
    alcxsens
    alcan5wn
    akshhl
    aic78u2
    agpcpq
    agnwifi
    agentsrv
    AFGSp50
    aexnsclienttransport
    aec
    aeaudio
    ADSMService
    adobeversioncue
    adobeactivefilemonitor5.0
    acsvc
    ac97intc
    abp480n5
    a8djavs
    A88xEnc
    a016obex
    a016mdfl
    {a7447300-8075-4b0d-83f1-3d75c8ebc623}
    {85ccb53b-23d8-4e73-b1b7-9ddb71827d9b}
    
    NetSvc::
    zppinger
    zpjava
    zpaction
    zdeviceservice
    ZDCNDIS5
    zBackupAssistService
    z800obex
    yediex
    yats32
    XilinxPC4Driver
    XFX_program
    XDva004
    xaudioservice
    wzcsvc
    Wuser32
    WUSB54GPV4SRV
    WUSB54GCSVC
    WPFFontCache_v0400
    wpdusb
    wmp54gv4svc
    WmFilter
    WmBEnum
    WLAN_USB
    wkscfgsrv
    WISTechVIDCAP
    winvnc4
    winpowerrmi
    winpower
    windowblinds
    winachcf
    WimFltr
    WGX
    websenselogserver
    websensecommunicationagent
    webrootenterpriseclientservice
    w810obex
    w800obex
    w550bus
    w39n51
    w300bus
    vzupsvc
    vzfw
    vtserver
    vserial
    vsapint
    vrfwsvc
    VRcore
    VrAcFil
    vpn5000service
    vncdrv
    vmparport
    vmodem
    vmnetuserif
    vmkbd2
    vmauthdservice
    videX32
    Video3D
    viaudio
    vet-rec
    vetmsgnt
    vetmonnt
    vetfddnt
    VCIDRV
    VCAM
    VAIOMediaPlatform-PhotoServer-HTTP
    VAIOMediaPlatform-MusicServer-HTTP
    vaiomediaplatform-integratedserver-upnp
    USBModem
    usbio
    USBCamera
    usb_rndisx
    USB_NDIS_51
    UCTblHid
    U81xmdfl
    U81xbus
    U2SP
    tvtpktfilter
    TUWinStylerThemeSvc
    tunnelguardservice
    trufos
    truecrypt
    trioservice
    trayman
    traprcvr
    transarcafsdaemon
    tosrfcom
    tosporte
    tomcatcws3
    tng-dtmg
    tnbrlds
    tmesrv3
    tifm
    TIEHDUSB
    thpsrv
    teefer
    tdsmapi
    tdimsys
    TClass2k
    tbhsd
    syslogd
    sysenforce
    symsecureport
    symlcbrd
    SymIMMP
    symids
    symevent
    symc8xx
    symappcore
    symantecantibotagent
    sym_u3
    swwd
    SWUMX51
    SWUMX20
    SWNC8U20
    SWNC5E00
    SWMX00
    svv
    svcwrsssdk
    suservice
    surveyor
    stylexphelper
    stunnel
    StkAMini
    stirusb
    sthda
    steamdvr
    statusagent
    StarOpen
    ssscsisv
    sr
    SQLBrowser
    spsslm
    sprtsvc_smartagent
    spmd
    sparrow
    sonypvu1
    softfax
    SNP2STD
    snmptrapdservice
    SndTDriverV32
    snac
    SMTPSVC
    SMNDIS5
    SMCB000
    SlWdmSup
    slservice
    slapd-data52
    sisnic
    siskp
    siside
    SiSGbeXP
    SiS7018
    SIODRV
    si3114r
    Shockprf
    sglfb
    SGHIDI
    sfusvc) Zd1211u(zydas
    sfsync04
    sfng32
    sfman
    sfhlp01
    SerTVOutCtlr
    ser2plms
    SECYPUSB
    SeaPort
    se59mdfl
    se58obex
    se58mgmt
    se58bus
    se44mdm
    SE2Emgmt
    SE2Emdfl
    se2Cunic
    SE2Cbus
    SE2Bmdm
    SE26mdfl
    sdhelper
    sddmi2
    sdcoreservice
    screadspool
    scdemu
    sbservice
    SaiU040B
    SaiMini
    sagefserver
    S7oppilx
    s616obex
    s616mdfl
    s125mgmt
    s117nd5
    s116nd5
    rxmssync
    RTLE8023xp
    RTL8023xp
    rtl8023
    rt2500usb
    rt2500
    rsvp
    RSAFAL
    RR2Ctrl
    rpcapd
    rollbackclientservice
    ROB_V
    RMSvc
    rmedia
    rksample
    rkhdrv31
    risdptsk
    rimsptsk
    remotelyanywhere
    regsrvc
    Rawwan
    RAPIProtocol
    rapapp
    QV2KUX
    qserver
    ql1240
    qconsvc
    pxfhbus
    pwisvc
    PTDCMdm
    psdistributionagent
    psadd
    prtg4service
    prodrv06
    procexp90
    prevxdriver
    prevxagent
    PQNTDrv
    pmsveh
    pmj151la
    pinetmgr
    PhilCam8116
    pgsql-8.0
    pepifilter
    pensup
    penrendezvous
    pdlnepkt
    pdlnebas
    pdlndldl
    pdiddcci
    pcx1unic
    pctoolsfirewallplus
    PCTINDIS5
    pclepci
    pca
    pav_service
    passthru
    papyjoy
    papycpu2
    Packet
    p2pgasvc
    P16X
    ossrv
    OsaFsLoc
    oraclesnmppeermasteragent
    oracleservicelocalora
    oracleorahomepagingserver
    oracleorahomedatagatherer
    oraclemtsrecoveryservice
    oracleformsserver-forms60server-oraform
    oracledbconsoleorcl
    openvpnservice
    ooclevercacheagent
    olapserver
    odysseyIM4
    odysseyIM3
    NWSNS
    NWFILTER
    NWDNS
    NVXBAR
    NVTCP
    nvstor64
    nvport
    nvnetbus
    nvgts
    nvatabus
    nvata
    nv4
    nuvaud2
    ntuneservice
    ntlmssp
    nscservice
    NPPTNT
    npkcusb
    npkcsvc
    npfmntor
    npapimon
    nod32krn
    nmwcdcj
    nmap
    nidomainservice
    NICSer_WPC300N
    ni_nic
    nhcDriverDevice
    ngserver
    ngdbserv
    netw4x32
    NETw3x32
    netsvc
    neokdss
    NCPro
    navapel
    navap
    mysqlinventime
    MxlW2k
    MTsensor
    mssql$microsoftsmlbiz
    MSSQL$AUTODESKVAULT
    mskservice
    msi_wlan_service
    msgsrvservice
    MSFWDrv
    MSCamSvc
    mrobeservice
    MRESP50a64
    MRESP50
    mraid35x
    mqdmmdm
    MQAC
    mps9
    MpFilter
    mmc_2K
    mhn
    mgabg
    mdmxsdk
    mdm
    mcvsrte
    mcusrmgr
    mcproxy
    mcontrol
    mcmscsvc
    mclogmanagerservice
    maxbackserviceint
    MaVctrl
    MaRdPnp
    mail2ec
    MagicTune
    mafwboot
    macformatservice
    MA8032U
    MA8032M
    lxdm_device
    lxcz_device
    lxcg_device
    lxcf_device
    lxcc_device
    lxby_device
    lxbx_device
    lvsrvlauncher
    lvpr2mon
    lvmvdrv
    lvckap
    LVBulk
    lpx
    lp6nds35
    logmein
    lockmgr
    LMS
    LMouKE
    LMouFilt
    LMIRfsDriver
    lmimaint
    lktimesync
    LHidFilt
    lcs
    lbrtfdc
    L1e
    Ktp
    KS0108
    KMW_KBD
    kmixer
    KLOGNT
    kbfiltr
    k750obex
    jsdaemon
    JiaoIO
    JiaoCap
    jaguar
    iwebcal
    IWCA
    ithsgt
    iteatapi
    itchfltr
    issvc
    issm
    iSMBIOS
    isapisearch
    ipssvc
    ipsraidn
    IPSECSHM
    IPFilter
    ipcsvc
    iPassPeriodicUpdateService
    iPassPeriodicUpdateApp
    ip6fw
    Invoker
    IntelC52
    inport
    ino_flpy
    infrastructure
    incdsrv
    incdrm
    incdpass
    imap4d32
    iksyssec
    IJPLMSVC
    igateway
    iftpsvc
    IFP700
    idisw2km
    icollectservice
    ibmcicstransactiongateway
    IASJet
    iap
    iam
    iAimTV6
    iAimTV5
    iaimtv1
    iAimFP7
    i81x
    i2omp
    hwpsgt
    hwdatacard
    hsxhwazl
    HPFECP20
    hpci
    houdinilicenseserver
    hidgame
    hf30service
    hcwPVRP2
    hap17v2k
    GVCplDrv
    gotomypc
    GoToAssist
    GoogleDesktopManager-010708-104812
    GoBack2K
    giveio
    ghaio
    gdrv
    GBDevice
    FVXSCSI
    ftpds
    FreeTdi
    freepops
    freebsd
    forcewarewebinterface
    fix
    FirePM
    firelm01
    fips
    filterservice
    filemon701
    filechecker
    FETNDIS
    fa_scheduler
    Exportit
    EU3_USB
    epoxusdm
    eloggersvc6
    elockservice
    elnkupdateservice
    eamon
    eabfiltr
    DynDNS_Updater_Service
    dvpapi
    dsproct
    dsbrokerservice
    drvnddm
    drvmcdb
    dntus26
    dnsexit
    dmio
    d-link_st3402
    DLH5X
    dlbu_device
    dlaudfam
    digictrl
    DeviceScanner
    Defrag32b
    deckzpsx
    dcstor32
    dcpflics
    DCamUSBMke2
    DCamUSBGrandTek
    DCamUSBDXGTech
    dbmang
    db2jds
    CXAVXBAR
    cwafreportscheduler
    cusrvc
    ctxcpuusync
    ctprxy2k
    CTEXFIFX.DLL
    CTEDSPSY.DLL
    ctdvda2k
    ctaud2k
    cpqnicmgmt
    cpqfcalm
    cportclm
    COMMONFX.DLL
    com0com
    cmdagent
    clr_optimization_v2.0.50215_32
    citrixxteserver
    cicsclient
    centennialclientagent
    CDRPDACC
    cdr4_xp
    cdr4_2k
    cdmservice
    c-dillasrv
    CdaD10BA
    CdaC15BA
    ccsetmgr
    ccalib8
    cavasm
    ca-messagequeuing
    CAMCHALA
    CAMCAUD
    Cam5603C
    caisafe
    cachemgr
    caccprovsp
    CA561
    bwsvc
    bwmservice
    btwrchid
    btwmodem
    btnhnd
    btnetfilter
    bt3cser
    BsHelpCS
    BRCMDECO
    botcbs
    blueservice
    blueletaudio
    bh611
    bgsvcgen
    beatjamupnpmusicserver
    bdselfpr
    bdfdll
    bcftdi
    bantext
    backupexecrpcservice
    backupexecagentaccelerator
    axsnmsvc
    avp
    avgtdi
    avgfwsrv
    avgclean
    avg7updsvc
    AVerBDA
    ATSWPDRV
    atmeltpm
    atkkeyboardservice
    atkdisplf
    ativraxx
    atinrvxx
    atikmdag
    ATIBTCAP
    ati
    atfsd
    atdisk
    AtcL002
    atchksrv
    asuskeyboardservice
    aslm75
    artourservice
    arp1394
    Appn
    APLMp50
    antivirservice
    amon
    AmdLLD
    ALYac_PZSrv
    Alpham1
    AlKernel
    aliadwdm
    alcxsens
    alcan5wn
    akshhl
    aic78u2
    agpcpq
    agnwifi
    agentsrv
    AFGSp50
    aexnsclienttransport
    aec
    aeaudio
    ADSMService
    adobeversioncue
    adobeactivefilemonitor5.0
    acsvc
    ac97intc
    abp480n5
    a8djavs
    A88xEnc
    a016obex
    a016mdfl
    {a7447300-8075-4b0d-83f1-3d75c8ebc623}
    {85ccb53b-23d8-4e73-b1b7-9ddb71827d9b}

    5. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).

    6. Close Notepad and verify that the CFScript file is saved on your desktop.

    7. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then, holding the mouse button down, drag the CFScript icon onto the ComboFix icon and drop it (let go of the mouse button) on top of the ComboFix icon:

    CFScriptB-4.gif

    When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.


  6. There are still some strange services in that log. Please download Farbar Service Scanner, save it on your desktop, and follow the instructions below to get me a log.

    1. Make sure the following options are checked:
       • Internet Services
       • Windows Firewall
       • System Restore
       • Security Center
       • Windows Update

    2. Press "Scan".

    3. It will create a log (FSS.txt) in the same directory the tool is run from.

    4. Please attach the log to a reply by clicking on the More Reply Options button to the lower-right of where you type your reply.


  7. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save it as Combo-Fix.exe during the download: ComboFix must be renamed before you download it to your Desktop.

    Link 1

    Link 2

    * IMPORTANT !!! Save Combo-Fix to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
      See HERE for help
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RcAuto1.gif

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    When finished, ComboFix will produce a log.

    Note:

    1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

    Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

    • ComboFix (C:\combofix.txt)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


  8. It could have come bundled with something else. Since it does appear to be questionable, let's go ahead and remove it with OTL. I have written a cleanup script for OTL (if you need to, you may download OTL from this link).

    1. Please copy the contents of the following CODE box and paste it into the Custom Scans/Fixes box at the bottom of OTL:
      :OTL
      O4 - HKLM..\Run: [jsafesurf] C:\js\safesurf.exe (JetSwap Inc.)
      [2012/03/11 01:02:54 | 000,000,000 | -H-D | C] -- C:\js
      
      :Commands
      [EMPTYTEMP]


    2. Then click the Run Fix button at the top.
    3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
    4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.


  9. According to this Web Of Trust report the website go.jetswap.com has about a 75% trustworthiness rating (100% is the best possible score, and 0% is the worst possible score).

    On my first glance, I am only seeing one entry in your OTL log that appears to be related to this "SafeSurf" application. This ThreatExpert report shows that parts of SafeSurf are detected by Ikarus and Kaspersky as a "Risk Tool", which means it is most likely unwanted software. This list of analysis reports at VirScan.org does not show consistent detections from anti-virus software, with a detection rate ranging anywhere between 0% and 43%.

    Just for reference, there does appear to be a legitimate program named SafeSurf, so my first recommendation would be to upload the file to VirusTotal at this link and then post a link to the analysis in a reply for me to review. The file that you will want to upload is as follows:

    C:\js\safesurf.exe


  10. Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.

    1. Disconnect from the Internet and close all running programs.
    2. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
    3. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
    4. Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
    5. Allow the driver to load if asked.
    6. You may be prompted to scan immediately if it detects rootkit activity.
    7. If you are prompted to scan your system click "No", save the log and post back the results.
    8. If not prompted, click the "Rootkit/Malware" tab.
    9. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
    10. Select all drives that are connected to your system to be scanned.
    11. Click the Scan button to begin. (Please be patient as it can take some time to complete)
    12. When the scan is finished, click Save to save the scan results to your Desktop.
    13. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
    14. Exit the program and re-enable all active protection when done.


  11. Please download Crysis Aversion Tool from this link (you can run it from your USB flash drive), run it on the computer that is unable to access the Internet, and select the following fixes:

    • Flush DNS Resolver Cache
    • Repair Internet Explorer
    • Reset All Networking Interfaces

    After selecting those three fixes, click the Apply Checked Fixes button, and it will tell you the progress in the lower-left corner. When it says that it is complete, you can close Crysis Aversion Tool, and restart your computer. Let me know if that repairs your Internet connection.