Trojan.Win32.Alureon!E2


Hello,

I've been struggling to remove this trojan for several days. Previously Emsisoft found the trojan as Sirefef!E2. In this scan, it appears as noted in the subject line.

My Emsisoft scan log is as follows:

SQLite format 3

CREATE TABLE ILogs(
ID INTEGER PRIMARY KEY,
Name TEXT,
Location TEXT,
FileSize INTEGER,
Date INTEGER,
StrDate TEXT,
InfectionType INTEGER,
RiskLevel INTEGER,
Action INTEGER,
Source TEXT,
Unic TEXT)

CREATE TABLE DBIntegrity(
ID INTEGER PRIMARY KEY,
TableName TEXT,
Revision INTEGER NOT NULL DEFAULT 1,
RecordsLimit INTEGER NOT NULL DEFAULT 3000)

CREATE TRIGGER ILogs_AfterInsert AFTER INSERT ON ILogs
BEGIN
UPDATE ILogs SET Date = CASE WHEN New.Date IS NOT NULL THEN New.Date ELSE StrFTime('%s', 'now', 'localtime') END,
StrDate = DateTime(CASE WHEN New.Date IS NOT NULL THEN New.Date ELSE StrFTime('%s', 'now', 'localtime') END, 'unixepoch')
WHERE ROWID = New.ROWID;
DELETE FROM ILogs WHERE ID <= CASE WHEN (SELECT RecordsLimit FROM DBIntegrity WHERE TableName = 'ILogs') = 0 THEN 0
ELSE New.ID - (SELECT RecordsLimit FROM DBIntegrity WHERE TableName='ILogs') END;
END

Trojan.Win32.Alureon!E2 | C:\Windows\Installer\{f24642fd-8f42-55f9-343c-7c025de13551}\U\[email protected] | 2012-07-14 11:46:33 | {7B859D00-7D8B-48CC-81B0-0B9205BFABD6}

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

I am also including the Emsisoft report (sparse content) for possible additional information:

Emsisoft Emergency Kit - Version 2.0

Last update: 7/14/2012 11:02:43 AM

Scan settings:

Scan type: Smart Scan

Objects: Rootkits, Memory, Traces, C:\Windows\, C:\Program Files\

Scan archives: Off

ADS Scan: On

Scan start: 7/14/2012 11:03:18 AM

C:\Windows\Installer\{f24642fd-8f42-55f9-343c-7c025de13551}\U\[email protected] detected: Trojan.Win32.Alureon!E2

Scanned 624767

Found 1

Scan end: 7/14/2012 12:09:13 PM

Scan time: 1:05:55

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The OTL.txt follows:

OTL logfile created on: 7/14/2012 12:14:52 PM - Run 1

OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\Big Kahuna\Desktop\Malware Removal

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.12 Gb Available Physical Memory | 59.82% Memory free

3.99 Gb Paging File | 3.01 Gb Available in Paging File | 75.48% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 289.21 Gb Total Space | 184.75 Gb Free Space | 63.88% Space Free | Partition Type: NTFS

Drive D: | 8.88 Gb Total Space | 0.90 Gb Free Space | 10.13% Space Free | Partition Type: NTFS

Drive E: | 4.20 Gb Total Space | 1.94 Gb Free Space | 46.19% Space Free | Partition Type: UDF

Computer Name: BIGKAHUNA-PC | User Name: Big Kahuna | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Big Kahuna\Desktop\Malware Removal\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\SymcPCCULaunchSvc.exe (Symantec Corporation)

PRC - C:\Program Files\Emsisoft Anti-Malware\a2service.exe (Emsisoft GmbH)

PRC - C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe (Auslogics)

PRC - C:\Program Files\Norton AntiVirus\Engine\18.7.1.3\ccsvchst.exe (Symantec Corporation)

PRC - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe (Symantec Corporation)

PRC - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)

PRC - C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe (Symantec Corporation)

PRC - C:\Windows\explorer.exe (Microsoft Corporation)

PRC - C:\Windows\System32\atashost.exe (WebEx Communications, Inc.)

PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

PRC - C:\Windows\System32\schtasks.exe (Microsoft Corporation)

PRC - C:\Program Files\DS Clock\dsclock.exe (Duality Software)

PRC - C:\Program Files\DS Clock\dsetime.exe ()

PRC - C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)

========== Modules (No Company Name) ==========

========== Win32 Services (SafeList) ==========

SRV - (CSHelper) -- C:\Windows\system32\CSHelper.exe File not found

SRV - (Norton PC Checkup Application Launcher) -- C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\SymcPCCULaunchSvc.exe (Symantec Corporation)

SRV - (a2AntiMalware) -- C:\Program Files\Emsisoft Anti-Malware\a2service.exe (Emsisoft GmbH)

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)

SRV - (NAV) -- C:\Program Files\Norton AntiVirus\Engine\18.7.1.3\ccSvcHst.exe (Symantec Corporation)

SRV - (NSL) -- C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe (Symantec Corporation)

SRV - (IntuitUpdateService) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)

SRV - (PCCUJobMgr) -- C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe (Symantec Corporation)

SRV - (atashost) -- C:\Windows\System32\atashost.exe (WebEx Communications, Inc.)

SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)

SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)

SRV - (DSClockSyncTime) -- C:\Program Files\DS Clock\dsetime.exe ()

========== Driver Services (SafeList) ==========

DRV - (USBAAPL) -- System32\Drivers\usbaapl.sys File not found

DRV - (SBRE) -- C:\Windows\system32\drivers\SBREdrv.sys File not found

DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found

DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found

DRV - (MRESP50a64) -- C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS File not found

DRV - (MREMP50a64) -- C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS File not found

DRV - (MCSTRM) -- File not found

DRV - (Lbd) -- system32\DRIVERS\Lbd.sys File not found

DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys File not found

DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found

DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found

DRV - (mbamchameleon) -- C:\Windows\System32\drivers\mbamchameleon.sys ()

DRV - (IDSVix86) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20120613.007\IDSvix86.sys (Symantec Corporation)

DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)

DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)

DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20120615.022\NAVEX15.SYS (Symantec Corporation)

DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20120615.022\NAVENG.SYS (Symantec Corporation)

DRV - (a2acc) -- C:\Program Files\Emsisoft Anti-Malware\a2accx86.sys (Emsisoft GmbH)

DRV - (BHDrvx86) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20120531.001\BHDrvx86.sys (Symantec Corporation)

DRV - (SymEvent) -- C:\Windows\System32\drivers\SYMEVENT.SYS (Symantec Corporation)

DRV - (A2DDA) -- C:\Program Files\Emsisoft Anti-Malware\a2ddax86.sys (Emsi Software GmbH)

DRV - (SYMTDIv) -- C:\Windows\System32\drivers\NAV\1207010.003\symtdiv.sys (Symantec Corporation)

DRV - (SRTSP) -- C:\Windows\System32\drivers\NAV\1207010.003\srtsp.sys (Symantec Corporation)

DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\Windows\System32\drivers\NAV\1207010.003\srtspx.sys (Symantec Corporation)

DRV - (SymEFA) -- C:\Windows\System32\drivers\NAV\1207010.003\symefa.sys (Symantec Corporation)

DRV - (SymDS) -- C:\Windows\System32\drivers\NAV\1207010.003\symds.sys (Symantec Corporation)

DRV - (SymIRON) -- C:\Windows\System32\drivers\NAV\1207010.003\ironx86.sys (Symantec Corporation)

DRV - (Start1Driver) -- C:\Windows\System32\drivers\Start1Driver.SYS (AdwareAway.com)

DRV - (DiagnosticScan) -- C:\Windows\System32\drivers\DiagnosticScan.SYS (AdwareAway.com)

DRV - (winusb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)

DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)

DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)

DRV - (HSXHWBS2) -- C:\Windows\System32\drivers\HSXHWBS2.sys (Conexant Systems, Inc.)

DRV - (HSF_DP) -- C:\Windows\System32\drivers\HSX_DP.sys (Conexant Systems, Inc.)

DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (WSDPrintDevice) -- C:\Windows\System32\drivers\WSDPrint.sys (Microsoft Corporation)

DRV - (nvstor32) -- C:\Windows\System32\drivers\nvstor32.sys (NVIDIA Corporation)

DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)

DRV - (MREMPR5) -- C:\Program Files\Common Files\Motive\MREMPR5.sys (Motive, Inc.)

DRV - (MRENDIS5) -- C:\Program Files\Common Files\Motive\MRENDIS5.sys (Motive, Inc.)

DRV - (Ps2) -- C:\Windows\System32\drivers\PS2.sys (Hewlett-Packard Company)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://google.inklineglobal.com

IE - HKLM\..\SearchScopes,DefaultScope = {122618CA-EDCC-4901-ADE3-676812245040}

IE - HKLM\..\SearchScopes\{122618CA-EDCC-4901-ADE3-676812245040}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

IE - HKLM\..\SearchScopes\{3A21D82B-ECB6-4ED7-BB40-27836C9E0C29}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

IE - HKLM\..\SearchScopes\{AD54EB9D-22E5-4386-932F-83AE9E596077}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.inklineglobal.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://google.inklineglobal.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://google.inklineglobal.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\..\SearchScopes,DefaultScope = {122618CA-EDCC-4901-ADE3-676812245040}

IE - HKCU\..\SearchScopes\{122618CA-EDCC-4901-ADE3-676812245040}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=PPC&o=102944&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=6L&apn_dtid=YYYYYYYYUS&apn_uid=7345EFC1-5BCA-4D22-AE09-48BA514D3A73&apn_sauid=0DAD4DD6-270E-4A88-9985-D9A1B5041E37

IE - HKCU\..\SearchScopes\{3A21D82B-ECB6-4ED7-BB40-27836C9E0C29}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGIK

IE - HKCU\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=SWL&chn=&geo=US&ver=1

IE - HKCU\..\SearchScopes\{F813F595-1DA6-4476-915D-E3C2FDF0B758}: "URL" = http://www.google.com/cse?cx=partner-pub-6697027465779297:3144322079&ie=ISO-8859-1&sa=Search&q={searchTerms}

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll File not found

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@logitech.com/HarmonyRemote,version=1.0.0: C:\Program Files\Logitech\Harmony Remote Driver\NprtHarmonyPlugin.dll (Logitech Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/01/17 17:15:31 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{203FB6B2-2E1E-4474-863B-4C483ECCE78E}: C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_1.2.0.6\coFFNST\ [2011/08/19 14:01:51 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPlgn\ [2012/06/21 23:09:48 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/01/17 17:15:31 | 000,000,000 | ---D | M]

[2011/03/04 16:36:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Big Kahuna\AppData\Roaming\Mozilla\Extensions

[2009/04/16 18:01:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Big Kahuna\AppData\Roaming\Mozilla\Extensions\[email protected]

========== Chrome ==========

CHR - default_search_provider: Yahoo! ()

CHR - default_search_provider: search_url = http://search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}

CHR - default_search_provider: suggest_url = http://ff.search.yahoo.com/gossip?output=fxjson&command={searchTerms}

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\18.7.1.3\ips\ipsbho.dll (Symantec Corporation)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (Norton Safe Web Lite BHO) - {F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\CoIEPlg.dll (Symantec Corporation)

O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.

O3 - HKLM\..\Toolbar: (Norton Safe Web Lite) - {30CEEEA2-3742-40e4-85DD-812BF1CBB83D} - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\CoIEPlg.dll (Symantec Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (Norton Safe Web Lite) - {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\CoIEPlg.dll (Symantec Corporation)

O4 - HKLM..\Run: [bdinstaller] "E:\products\AntivirusPlus\en\install\32bit\setuplauncher.exe" /run:"E:\products\AntivirusPlus\en\install\32bit\setupdownloader.exe" /args:"/after_restart" File not found

O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)

O4 - HKLM..\Run: [sunJavaUpdateReg] C:\Windows\System32\jureg.exe (Sun Microsystems, Inc.)

O4 - HKCU..\Run: [DS Clock] C:\Program Files\DS Clock\dsclock.exe (Duality Software)

O4 - HKCU..\Run: [rtapts] C:\Users\Big Kahuna\AppData\Roaming\rtapts.dll (Midiman/M-Audio)

O4 - HKCU..\Run: [wunfdx] C:\Users\Big Kahuna\AppData\Roaming\wunfdx.dll (DT Soft Ltd)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O13 - gopher Prefix: missing

O15 - HKCU\..Trusted Domains: bankofamerica.com ([safe] https in Trusted sites)

O15 - HKCU\..Trusted Domains: chase.com ([chaseonline] https in Trusted sites)

O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)

O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)

O16 - DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} http://download.copysafe.net/plugins5/installers/Copysafe.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A8AF857-B8D0-4BC1-9E14-B12EF29BC146}: DhcpNameServer = 192.168.1.254 192.168.0.1

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Users\Big Kahuna\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp

O24 - Desktop BackupWallPaper: C:\Users\Big Kahuna\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/09/27 11:15:52 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O33 - MountPoints2\{f17b6912-871c-11e1-9753-001d6093894f}\Shell - "" = AutoRun

O33 - MountPoints2\{f17b6912-871c-11e1-9753-001d6093894f}\Shell\AutoRun\command - "" = M:\TL-Bootstrap.exe

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/14 11:23:36 | 000,410,112 | ---- | C] (Midiman/M-Audio) -- C:\Users\Big Kahuna\AppData\Roaming\rtapts.dll

[2012/07/14 11:22:45 | 000,140,800 | ---- | C] (DT Soft Ltd) -- C:\Users\Big Kahuna\AppData\Roaming\wunfdx.dll

[2012/07/14 03:40:18 | 002,047,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2012/07/14 03:01:55 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

[2012/07/14 03:01:54 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll

[2012/07/14 03:01:54 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe

[2012/07/14 03:01:53 | 001,800,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll

[2012/07/14 03:01:53 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll

[2012/07/14 03:01:53 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll

[2012/07/14 03:01:52 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl

[2012/07/14 02:48:19 | 000,000,000 | ---D | C] -- C:\Users\Big Kahuna\Desktop\Malware Removal

[2012/07/14 02:09:33 | 000,000,000 | ---D | C] -- C:\ProgramData\GFI Software

[2012/07/13 22:20:06 | 000,000,000 | ---D | C] -- C:\bd_logs

[2012/07/13 22:04:32 | 009,226,440 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerInstaller.exe

[2012/07/13 21:51:27 | 000,000,000 | ---D | C] -- C:\Users\Big Kahuna\AppData\Roaming\DriverCure

[2012/07/13 21:51:24 | 000,000,000 | ---D | C] -- C:\Users\Big Kahuna\AppData\Roaming\SpeedyPC Software

[2012/07/13 21:50:49 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedyPC Software

[2012/07/13 21:42:25 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll

[2012/07/08 14:18:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware

[2012/07/08 14:18:01 | 000,000,000 | ---D | C] -- C:\Program Files\Emsisoft Anti-Malware

[2012/07/08 14:18:01 | 000,000,000 | ---D | C] -- C:\Users\Big Kahuna\Documents\Anti-Malware

[2012/07/08 12:02:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard

[2012/07/05 19:09:17 | 000,000,000 | ---D | C] -- C:\Windows\Sun

[2012/07/05 18:45:44 | 000,000,000 | ---D | C] -- C:\Users\Big Kahuna\AppData\Roaming\Malwarebytes

[2012/07/05 18:45:40 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2012/07/05 18:45:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/07/05 18:45:40 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2012/07/05 18:45:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2012/07/05 12:45:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Modem Booster

[2012/07/05 12:45:55 | 000,000,000 | ---D | C] -- C:\ProgramData\inKline Global

[2012/07/05 12:45:55 | 000,000,000 | ---D | C] -- C:\Program Files\inKline Global

[2012/07/04 14:35:38 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft

[2012/07/02 14:01:10 | 000,000,000 | ---D | C] -- C:\Program Files\Ad-Aware Antivirus

[2012/07/02 13:54:49 | 000,000,000 | ---D | C] -- C:\Users\Big Kahuna\AppData\Roaming\Ad-Aware Antivirus

[2012/06/26 09:25:06 | 002,422,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wucltux.dll

[2012/06/26 09:25:06 | 000,045,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups2.dll

[2012/06/26 09:24:49 | 000,577,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll

[2012/06/26 09:24:49 | 000,088,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll

[2012/06/26 09:24:49 | 000,035,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups.dll

[2012/06/26 09:24:43 | 000,171,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll

[2012/06/26 09:24:43 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe

[2 C:\Users\Big Kahuna\Documents\*.tmp files -> C:\Users\Big Kahuna\Documents\*.tmp -> ]

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

[1 C:\Users\Big Kahuna\*.tmp files -> C:\Users\Big Kahuna\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/14 12:05:23 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job

[2012/07/14 11:57:04 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2012/07/14 11:23:42 | 000,410,112 | ---- | M] (Midiman/M-Audio) -- C:\Users\Big Kahuna\AppData\Roaming\rtapts.dll

[2012/07/14 11:22:45 | 000,140,800 | ---- | M] (DT Soft Ltd) -- C:\Users\Big Kahuna\AppData\Roaming\wunfdx.dll

[2012/07/14 10:56:24 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2012/07/14 10:55:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/07/14 04:51:34 | 183,385,720 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2012/07/14 04:04:08 | 000,982,632 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2012/07/14 04:04:08 | 000,234,288 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2012/07/14 03:59:57 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2012/07/14 03:59:57 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2012/07/14 03:59:45 | 000,404,056 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2012/07/14 03:40:24 | 002,635,244 | ---- | M] () -- C:\Windows\System32\drivers\NAV\1207010.003\Cat.DB

[2012/07/14 02:50:54 | 000,107,008 | ---- | M] () -- C:\Users\Big Kahuna\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/07/14 01:04:24 | 000,000,932 | ---- | M] () -- C:\Users\Big Kahuna\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk

[2012/07/14 01:04:24 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/07/13 22:04:39 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe

[2012/07/13 22:04:39 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl

[2012/07/13 22:04:34 | 009,226,440 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerInstaller.exe

[2012/07/08 16:53:17 | 000,007,680 | ---- | M] () -- C:\Windows\19744687.exe

[2012/07/08 16:53:17 | 000,000,090 | ---- | M] () -- C:\Windows\19744687.dat

[2012/07/08 14:18:19 | 000,000,914 | ---- | M] () -- C:\Users\Big Kahuna\Application Data\Microsoft\Internet Explorer\Quick Launch\Emsisoft Anti-Malware.lnk

[2012/07/08 14:18:19 | 000,000,890 | ---- | M] () -- C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk

[2012/07/08 11:29:08 | 000,000,914 | ---- | M] () -- C:\Users\Big Kahuna\Desktop\magicJack.lnk

[2012/07/05 18:42:41 | 000,028,488 | ---- | M] () -- C:\Windows\System32\drivers\mbamchameleon.sys

[2012/07/05 12:45:56 | 000,001,030 | ---- | M] () -- C:\Users\Public\Desktop\ModemBooster.lnk

[2012/07/05 12:45:56 | 000,000,201 | ---- | M] () -- C:\Users\Public\Desktop\Boost My PC.url

[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2012/07/02 14:07:55 | 000,001,058 | ---- | M] () -- C:\Users\Big Kahuna\Application Data\Microsoft\Internet Explorer\Quick Launch\Auslogics BoostSpeed.lnk

[2012/06/29 16:51:49 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat

[2012/06/29 16:51:49 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat

[2 C:\Users\Big Kahuna\Documents\*.tmp files -> C:\Users\Big Kahuna\Documents\*.tmp -> ]

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

[1 C:\Users\Big Kahuna\*.tmp files -> C:\Users\Big Kahuna\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/14 01:04:24 | 000,000,932 | ---- | C] () -- C:\Users\Big Kahuna\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk

[2012/07/09 01:23:44 | 183,385,720 | ---- | C] () -- C:\Windows\MEMORY.DMP

[2012/07/08 16:53:17 | 000,007,680 | ---- | C] () -- C:\Windows\19744687.exe

[2012/07/08 16:53:17 | 000,000,090 | ---- | C] () -- C:\Windows\19744687.dat

[2012/07/08 16:52:33 | 000,095,744 | ---- | C] () -- C:\Windows\Installer\{f24642fd-8f42-55f9-343c-7c025de13551}\U\[email protected]

[2012/07/08 14:18:19 | 000,000,914 | ---- | C] () -- C:\Users\Big Kahuna\Application Data\Microsoft\Internet Explorer\Quick Launch\Emsisoft Anti-Malware.lnk

[2012/07/08 14:18:19 | 000,000,890 | ---- | C] () -- C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk

[2012/07/05 20:53:18 | 000,000,914 | ---- | C] () -- C:\Users\Big Kahuna\Desktop\magicJack.lnk

[2012/07/05 18:45:41 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/07/05 18:42:41 | 000,028,488 | ---- | C] () -- C:\Windows\System32\drivers\mbamchameleon.sys

[2012/07/05 12:45:56 | 000,001,030 | ---- | C] () -- C:\Users\Public\Desktop\ModemBooster.lnk

[2012/07/05 12:45:56 | 000,000,201 | ---- | C] () -- C:\Users\Public\Desktop\Boost My PC.url

[2012/07/04 13:49:04 | 000,000,804 | ---- | C] () -- C:\Windows\Installer\{f24642fd-8f42-55f9-343c-7c025de13551}\L\[email protected]

[2012/07/02 14:07:55 | 000,001,058 | ---- | C] () -- C:\Users\Big Kahuna\Application Data\Microsoft\Internet Explorer\Quick Launch\Auslogics BoostSpeed.lnk

[2012/04/28 11:00:27 | 000,179,951 | ---- | C] () -- C:\Windows\hpwins14.dat

[2012/04/21 20:34:31 | 000,179,964 | ---- | C] () -- C:\Windows\hpwins14.dat.temp

[2012/04/21 20:34:31 | 000,001,108 | ---- | C] () -- C:\Windows\hpwmdl14.dat.temp

[2012/01/11 12:27:57 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{f24642fd-8f42-55f9-343c-7c025de13551}\@

[2012/01/11 12:27:57 | 000,002,048 | -HS- | C] () -- C:\Users\Big Kahuna\AppData\Local\{f24642fd-8f42-55f9-343c-7c025de13551}\@

[2012/01/02 00:24:16 | 000,007,052 | ---- | C] () -- C:\Users\Big Kahuna\AppData\Local\d3d9caps.dat

[2011/10/19 14:40:18 | 008,892,928 | ---- | C] () -- C:\ProgramData\atscie.msi

[2011/04/26 20:06:09 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat

[2011/04/26 20:06:09 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat

[2010/12/03 13:51:19 | 000,000,004 | ---- | C] () -- C:\Users\Big Kahuna\AppData\Roaming\4C4D17

[2010/12/03 13:51:18 | 000,870,128 | ---- | C] () -- C:\Users\Big Kahuna\AppData\Roaming\mcs.rma

[2010/10/16 15:08:47 | 000,000,212 | ---- | C] () -- C:\Windows\wininit.ini

[2010/10/14 18:31:08 | 000,001,940 | ---- | C] () -- C:\Users\Big Kahuna\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

[2008/09/26 13:19:11 | 000,000,600 | ---- | C] () -- C:\Users\Big Kahuna\PUTTY.RND

[2008/01/24 00:28:28 | 000,107,008 | ---- | C] () -- C:\Users\Big Kahuna\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2012/07/02 14:19:50 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\Ad-Aware Antivirus

[2012/01/02 01:21:49 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\Auslogics

[2009/02/07 11:43:57 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\Autodesk

[2011/12/11 17:59:15 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\CBS Interactive

[2010/12/03 16:54:31 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\Disney Mix It Plug-in

[2012/07/13 21:51:27 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\DriverCure

[2008/01/03 13:16:28 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\Duality Software

[2010/08/07 13:30:23 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\GARMIN

[2009/04/28 17:36:18 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\LimeWire

[2012/07/08 11:29:12 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\mjusbsp

[2010/07/09 16:55:19 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\NwDocx

[2011/12/11 17:59:23 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\OpenCandy

[2009/02/22 21:43:51 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\Snapfish

[2012/07/13 21:51:24 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\SpeedyPC Software

[2011/08/19 12:48:21 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\Tific

[2009/11/21 21:02:25 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\Weather Defender

[2008/01/13 23:05:08 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\WildTangent

[2008/06/13 10:45:32 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\WinBatch

[2012/07/14 03:56:15 | 000,032,618 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 193 bytes -> C:\ProgramData\TEMP:07BF512B

@Alternate Data Stream - 191 bytes -> C:\ProgramData\TEMP:07BF512B

< End of report >

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

And finally the Extras.txt file content:

OTL Extras logfile created on: 7/14/2012 12:14:52 PM - Run 1

OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\Big Kahuna\Desktop\Malware Removal

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.12 Gb Available Physical Memory | 59.82% Memory free

3.99 Gb Paging File | 3.01 Gb Available in Paging File | 75.48% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 289.21 Gb Total Space | 184.75 Gb Free Space | 63.88% Space Free | Partition Type: NTFS

Drive D: | 8.88 Gb Total Space | 0.90 Gb Free Space | 10.13% Space Free | Partition Type: NTFS

Drive E: | 4.20 Gb Total Space | 1.94 Gb Free Space | 46.19% Space Free | Partition Type: UDF

Computer Name: BIGKAHUNA-PC | User Name: Big Kahuna | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htafile [open] -- "%1" %*

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 0

"UacDisableNotify" = 1

"InternetSettingsDisableNotify" = 1

"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

========== Firewall Settings ==========

========== Authorized Applications List ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status

"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools

"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport

"{0A2C5854-557E-48C8-835A-3B9F074BDCAA}" = Python 2.5

"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data

"{0EC7C406-B592-4686-BAC1-AD29A85EAE6A}" = HP Driver Diagnostics

"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox

"{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive

"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter

"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService

"{195F2C6C-A343-4b10-B1A4-3F00AB9E9DD9}" = Fax

"{209CDA54-D390-46A2-A97C-7BF61734418D}" = WeatherBug Gadget

"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library

"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java 6 Update 30

"{279D3818-7287-4ab4-A927-542EBEA9E365}" = ProductContext

"{293B2D75-5735-4DFE-8642-F0EDEE9EB064}" = TurboTax 2010 wgaiper

"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation

"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine

"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java SE Runtime Environment 6 Update 1

"{328019A7-0012-401D-96A2-4CDDD02675A8}" = Garmin POI Loader

"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE

"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Roxio Activation Module

"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup

"{374256A0-EAA2-012B-AD60-000000000000}" = TurboTax 2009 wgaiper

"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset

"{380CC749-8C28-4C74-BE01-45921D062302}" = BPDSoftware_Ini

"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset

"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine

"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper

"{41853D20-40CC-4266-978D-F128BB97CA96}" = 6400_Help

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter

"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper

"{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In

"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth

"{5BB4D7C1-52F2-4BFD-9E40-0D419E2E3021}" = bpd_scan

"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7

"{5D934326-165A-413b-B056-26BE1EC082AF}" = J6400

"{5E06C076-E4E7-4239-A886-B3D8AC84C166}" = HP Print Diagnostic Utility

"{612F4E20-3661-4D44-AD79-823F1B613FB3}" = HP Update

"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy

"{634F79E1-2A41-4C40-9E8D-89EC740AC9D6}" = Logitech Harmony Remote Software

"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2

"{656C0E21-331E-11DF-81CE-005056806466}" = Google Earth

"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3

"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library

"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder

"{6845255F-15CC-4DD1-94D5-D38F370118B3}_is1" = Auslogics Duplicate File Finder

"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm

"{6D3DB611-D5E8-4E4B-8952-0D3F549F9CC6}" = HP Active Support Library 32 bit components

"{6EECB283-E65F-40EF-86D3-D51BF02A8D43}" = Microsoft Office Converter Pack

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1" = Auslogics BoostSpeed

"{73A43E42-3658-4DD9-8551-FACDA3632538}" = HP Advisor

"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7DCF7BBA-39A9-4e27-9154-F57BCED90CBF}" = HP Officejet J6400 Series

"{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}" = WebEx Support Manager for Internet Explorer

"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio

"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver

"{85C8D391-0EAE-4492-8A0A-2EE8B0B6DA03}" = BPDSoftware

"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine

"{885F5AC6-4413-4D30-99A9-F4494BFA4923}" = Logitech Harmony Remote Software 7

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport

"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In

"{938B1CD7-7C60-491E-AA90-1F1888168240}" = Roxio MyDVD Basic v9

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp

"{9DBA770F-BF73-4D39-B1DF-6035D95268FC}" = HP Customer Feedback

"{A11409F1-CD33-4076-85CB-4EE4A8439BFE}" = Scan

"{A285E15B-62B6-4259-997D-DCD6F34CDA80}" = CopySafe Plugin

"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime

"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder

"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1

"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8

"{AF2AA03F-2E8C-46C7-98FC-B91B229D505A}_is1" = ModemBooster 8

"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper

"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B395BC1D-CC06-425E-9049-4CD985EFF004}" = LightScribe 1.8.15.1

"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5

"{BC30E5E7-047D-4232-A7E8-F2CB7CC7B2E0}_is1" = Emsisoft Anti-Malware

"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant

"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9

"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg

"{CD95F661-A5C4-44F5-A6AA-ECDD91C240CA}" = WinZip 16.0

"{CDEFD989-469E-421D-A8B1-EC7AB25C8CB2}" = TurboTax 2008 wgaiper

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library

"{D17111CB-C992-42A9-9D56-C19395102AAA}" = Garmin WebUpdater

"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component

"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag

"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01

"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp

"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin

"{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01

"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"CameraWindowDC" = Canon Utilities CameraWindow DC

"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX

"CameraWindowLauncher" = Canon Utilities CameraWindow

"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder

"Cisco Connect" = Cisco Connect

"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Soft Data Fax Modem with SmartCP

"DS Clock_is1" = DS Clock

"HP Imaging Device Functions" = HP Imaging Device Functions 10.0

"HP Photosmart Essential" = HP Photosmart Essential 2.5

"HP Smart Web Printing" = HP Smart Web Printing 4.60

"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX

"MyCamera" = Canon Utilities MyCamera

"MyCameraDC" = Canon Utilities MyCamera DC

"NortonPCCheckup" = Norton PC Checkup

"NST" = Norton Safe Web Lite

"NVIDIA Drivers" = NVIDIA Drivers

"OsdMaestro" = HP On-Screen Cap/Num/Scroll Lock Indicator

"PC-Doctor 5 for Windows" = Hardware Diagnostic Tools

"PhotoStitch" = Canon Utilities PhotoStitch

"Punch! Professional Home Design - Platinum" = Punch! Professional Home Design - Platinum

"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX

"RemoteCaptureDC" = Canon Utilities RemoteCapture DC

"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX

"TurboTax 2008" = TurboTax 2008

"TurboTax 2009" = TurboTax 2009

"TurboTax 2010" = TurboTax 2010

"TurboTax Deluxe 2007" = TurboTax Deluxe 2007

"WildTangent hp Master Uninstall" = My HP Games

"WinZip Self-Extractor" = WinZip Self-Extractor

"Yahoo! Mail" = Yahoo! Internet Mail

"Yahoo! Mail Advisor" = Yahoo! Mail Advisor

"Yahoo! Search Defender" = Yahoo! Search Protection

"Yahoo! Software Update" = Yahoo! Software Update

"YInstHelper" = Yahoo! Install Manager

"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"CNET TechTracker" = CNET TechTracker

"magicJack" = magicJack

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 4/10/2010 3:01:42 AM | Computer Name = BigKahuna-PC | Source = MsiInstaller | ID = 1024

Description =

Error - 4/10/2010 3:02:15 AM | Computer Name = BigKahuna-PC | Source = MsiInstaller | ID = 11606

Description =

Error - 4/10/2010 3:02:15 AM | Computer Name = BigKahuna-PC | Source = MsiInstaller | ID = 11606

Description =

Error - 4/10/2010 3:02:15 AM | Computer Name = BigKahuna-PC | Source = MsiInstaller | ID = 1024

Description =

Error - 4/11/2010 3:01:37 AM | Computer Name = BigKahuna-PC | Source = MsiInstaller | ID = 11606

Description =

Error - 4/11/2010 3:01:37 AM | Computer Name = BigKahuna-PC | Source = MsiInstaller | ID = 11606

Description =

Error - 4/11/2010 3:01:37 AM | Computer Name = BigKahuna-PC | Source = MsiInstaller | ID = 1024

Description =

Error - 4/11/2010 3:02:10 AM | Computer Name = BigKahuna-PC | Source = MsiInstaller | ID = 11606

Description =

Error - 4/11/2010 3:02:10 AM | Computer Name = BigKahuna-PC | Source = MsiInstaller | ID = 11606

Description =

Error - 4/11/2010 3:02:10 AM | Computer Name = BigKahuna-PC | Source = MsiInstaller | ID = 1024

Description =

[ Media Center Events ]

Error - 6/9/2009 5:43:00 PM | Computer Name = BigKahuna-PC | Source = MCUpdate | ID = 0

Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 6/11/2009 6:09:06 PM | Computer Name = BigKahuna-PC | Source = MCUpdate | ID = 0

Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 6/15/2009 6:23:12 AM | Computer Name = BigKahuna-PC | Source = MCUpdate | ID = 0

Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 5/6/2010 6:07:34 PM | Computer Name = BigKahuna-PC | Source = MCUpdate | ID = 0

Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]

Error - 7/14/2012 3:59:57 AM | Computer Name = BigKahuna-PC | Source = Service Control Manager | ID = 7023

Description =

Error - 7/14/2012 3:59:57 AM | Computer Name = BigKahuna-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 7/14/2012 3:59:57 AM | Computer Name = BigKahuna-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 7/14/2012 3:59:57 AM | Computer Name = BigKahuna-PC | Source = Service Control Manager | ID = 7003

Description =

Error - 7/14/2012 3:59:57 AM | Computer Name = BigKahuna-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 7/14/2012 3:59:57 AM | Computer Name = BigKahuna-PC | Source = Service Control Manager | ID = 7003

Description =

Error - 7/14/2012 4:00:51 AM | Computer Name = BigKahuna-PC | Source = DCOM | ID = 10016

Description =

Error - 7/14/2012 4:01:15 AM | Computer Name = BigKahuna-PC | Source = Service Control Manager | ID = 7022

Description =

Error - 7/14/2012 4:01:15 AM | Computer Name = BigKahuna-PC | Source = Service Control Manager | ID = 7026

Description =

Error - 7/14/2012 10:55:52 AM | Computer Name = BigKahuna-PC | Source = Dhcpv6 | ID = 1000

Description = Your computer has lost the lease to its IP address + on the Network

Card with network address 001D6093894F.

< End of report >

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks in advance for any help you can provide!!!!


No logs are to be copied and pasted into threads, unless specifically asked to do so.

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double click on Combo-Fix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


I actually did try to attach my Emsisoft Emergency Kit logfile, but got a message saying that I wasn't allowed to attach DB3 files (logs.db3).

So I then thought I was supposed to paste the logfiles rather than attach.

Sorry about that.

Anyway, I ran the Combofix procedure as instructed, but after restarting and re-running Emsisoft, it's still showing "Trojan.Win32.Alureon!E2" as a high priority "found" virus.

I am attaching the ComboFix log.

Do we have a next step?


db3 is not the log file from the scan; it is actually a database file created during the scan.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

  • Download the latest version of JRE 7 Update 5.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop.
    Windows x86 Offline (jre-7u5-windows-i586.exe)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/7 users, right click on the JRE download and select "Run as an Administrator.")

The installed version of Adobe Reader on this computer is out-dated. Install the latest version of Adobe Reader available from Adobe.

The installed version of Adobe Shockwave Player on this computer is out-dated. Install the latest version of Adobe Shockwave Player available from Adobe.

Using Add or Remove Programs in the Control Panel, uninstall the following:

Java™ 6 Update 30
Java™ SE Runtime Environment 6 Update 1

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
    O4 - HKLM..\Run: [bdinstaller] "E:\products\AntivirusPlus\en\install\32bit\setuplauncher.exe" /run:"E:\products\AntivirusPlus\en\install\32bit\setupdownloader.exe" /args:"/after_restart" File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
    O13 - gopher Prefix: missing
    O16 - DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} http://download.copy...rs/Copysafe.cab (Reg Error: Key error.)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}  (Reg Error: Value error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
    O33 - MountPoints2\{f17b6912-871c-11e1-9753-001d6093894f}\Shell - "" = AutoRun
    O33 - MountPoints2\{f17b6912-871c-11e1-9753-001d6093894f}\Shell\AutoRun\command - "" = M:\TL-Bootstrap.exe
    [2 C:\Users\Big Kahuna\Documents\*.tmp files -> C:\Users\Big Kahuna\Documents\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [1 C:\Users\Big Kahuna\*.tmp files -> C:\Users\Big Kahuna\*.tmp -> ]
    [2012/07/08 16:53:17 | 000,007,680 | ---- | M] () -- C:\Windows\19744687.exe
    [2012/07/08 16:53:17 | 000,000,090 | ---- | M] () -- C:\Windows\19744687.dat
    [2012/07/08 16:52:33 | 000,095,744 | ---- | C] () -- C:\Windows\Installer\{f24642fd-8f42-55f9-343c-7c025de13551}\U\[email protected]
    [2012/07/04 13:49:04 | 000,000,804 | ---- | C] () -- C:\Windows\Installer\{f24642fd-8f42-55f9-343c-7c025de13551}\L\[email protected]
    [2012/01/11 12:27:57 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{f24642fd-8f42-55f9-343c-7c025de13551}\@
    [2012/01/11 12:27:57 | 000,002,048 | -HS- | C] () -- C:\Users\Big Kahuna\AppData\Local\{f24642fd-8f42-55f9-343c-7c025de13551}\@
    @Alternate Data Stream - 193 bytes -> C:\ProgramData\TEMP:07BF512B
    @Alternate Data Stream - 191 bytes -> C:\ProgramData\TEMP:07BF512B
    
    :Files
    c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

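Reading an OTL listing by hand is error-prone, so here is an added example (not OTL's code and not the helper's tool) in Python that parses the `[date | size | attrs | C/M] () -- path` file lines and the `@Alternate Data Stream` lines from this thread's log and flags the same kinds of entries the fix script above targets. The attribute-flag order (R, H, S, D) and the four heuristics are assumptions; the sample lines are copied from the log earlier in the thread.

```python
import re
from dataclasses import dataclass

# Matches OTL file/folder listing lines such as
#   [2012/01/11 12:27:57 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{...}\@
# The "(company)" field is absent on folder lines, so it is optional here.
FILE_LINE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] "
    r"(?:\([^)]*\) )?-- (?P<path>.+)$"
)
# Matches the "@Alternate Data Stream - N bytes -> path:stream" lines.
ADS_LINE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
# A {GUID} path component used as a folder (trailing backslash).
GUID_DIR = re.compile(
    r"\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\\", re.I
)


@dataclass
class OtlEntry:
    date: str
    size: int
    attrs: str   # assumed flag order R,H,S,D ("-HS-" = hidden + system, "---D" = folder)
    kind: str    # "C" (created), "M" (modified) or "ADS"
    path: str

    @property
    def hidden_system(self):
        return "H" in self.attrs and "S" in self.attrs


def parse_otl_line(line):
    """Parse one OTL listing line; return an OtlEntry, or None for any other line."""
    line = line.strip()
    m = FILE_LINE.match(line)
    if m:
        return OtlEntry(m["date"], int(m["size"].replace(",", "")),
                        m["attrs"], m["kind"], m["path"])
    m = ADS_LINE.match(line)
    if m:
        return OtlEntry("", int(m["size"]), "----", "ADS", m["path"])
    return None


def suspicious_reasons(entry):
    """Assumed heuristics mirroring the entries the fix script in this thread targets."""
    reasons = []
    p = entry.path
    name = p.rsplit("\\", 1)[-1]
    if GUID_DIR.search(p) and name == "@" and entry.hidden_system:
        reasons.append("hidden+system '@' marker file inside a {GUID} folder")
    if re.search(r"\\\{[^}]+\}\\[UL]\\", p, re.I):
        reasons.append("file under a {GUID}\\U or {GUID}\\L subfolder")
    if re.match(r"^[A-Z]:\\Windows\\\d+\.(exe|dat)$", p, re.I):
        reasons.append("numeric-named file dropped directly in %SystemRoot%")
    if entry.kind == "ADS" and re.search(r"\\ProgramData\\TEMP:", p, re.I):
        reasons.append("alternate data stream attached to ProgramData\\TEMP")
    return reasons


def triage_log(text):
    """Return [(path, [reasons])] for every listing line that trips a heuristic."""
    findings = []
    for line in text.splitlines():
        entry = parse_otl_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry.path, reasons))
    return findings


# Constructed sample: lines copied from the OTL log in this thread, plus two benign ones.
SAMPLE_LOG = r"""
[2012/07/05 18:42:41 | 000,028,488 | ---- | C] () -- C:\Windows\System32\drivers\mbamchameleon.sys
[2012/01/11 12:27:57 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{f24642fd-8f42-55f9-343c-7c025de13551}\@
[2012/01/11 12:27:57 | 000,002,048 | -HS- | C] () -- C:\Users\Big Kahuna\AppData\Local\{f24642fd-8f42-55f9-343c-7c025de13551}\@
[2012/07/08 16:52:33 | 000,095,744 | ---- | C] () -- C:\Windows\Installer\{f24642fd-8f42-55f9-343c-7c025de13551}\U\[email protected]
[2012/07/08 16:53:17 | 000,007,680 | ---- | M] () -- C:\Windows\19744687.exe
[2012/07/02 14:19:50 | 000,000,000 | ---D | M] -- C:\Users\Big Kahuna\AppData\Roaming\Ad-Aware Antivirus
@Alternate Data Stream - 193 bytes -> C:\ProgramData\TEMP:07BF512B
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("    -", reason)
```

Run against a full OTL.txt the script only highlights candidates for a human reviewer; it does not decide what to delete.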

OK, so I followed your instructions, which may have resolved the problem.

After running OTL with your specific fix code, I rebooted as required.

The OTL log is attached.

When the system came up, BitDefender found and removed a virus instance (but did not name it).

I then ran an Emsisoft quick scan with no problems found.

I am in the process of running a deep scan (72%), but have to leave for the airport.

I won't be able to continue our "journey" until I return late Friday night.

I am sincerely appreciative of your help and perseverance!!!

Will update you next Friday.


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude, Elise, or GT500 to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
