WiredWX Christian Hobby Weather Tools

Root Kit....Zero Access

Re: Root Kit....Zero Access

OTL logfile created on: 6/13/2012 5:07:47 PM - Run 3
OTL by OldTimer - Version 3.2.45.0 Folder = C:\Users\JonEJet\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.77 Gb Available Physical Memory | 38.61% Memory free
4.21 Gb Paging File | 2.43 Gb Available in Paging File | 57.81% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 59.84 Gb Free Space | 54.24% Space Free | Partition Type: NTFS
Drive D: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: JONEJET-PC | User Name: JonEJet | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/06 11:50:57 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/06/04 15:50:17 | 000,023,328 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jp2launcher.exe
PRC - [2012/06/04 15:50:15 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\java.exe
PRC - [2012/06/01 10:16:41 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\JonEJet\Desktop\OTL.exe
PRC - [2012/03/06 19:15:17 | 004,241,512 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/03/06 19:15:14 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/10/01 09:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 09:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2010/10/14 18:45:05 | 000,589,824 | ---- | M] ( ) -- C:\Windows\System32\lxducoms.exe
PRC - [2010/02/01 23:02:21 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/09/19 15:01:12 | 000,077,824 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2007/08/15 19:31:50 | 000,102,400 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPStart.exe
PRC - [2007/08/15 18:58:02 | 000,200,704 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PRC - [2007/04/25 15:14:16 | 004,444,160 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/03/29 14:39:20 | 000,427,576 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2007/02/26 01:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/01/25 22:47:50 | 000,136,816 | ---- | M] () -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2006/11/15 00:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 20:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/05/25 22:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/06 11:50:56 | 002,042,848 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/06/04 15:50:17 | 000,014,112 | ---- | M] () -- C:\Program Files\Java\jre6\bin\jp2native.dll
MOD - [2011/08/28 10:57:23 | 006,277,280 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2009/05/06 09:04:36 | 000,466,944 | ---- | M] () -- C:\Program Files\Lexmark Toolbar\resource.dll
MOD - [2009/05/06 09:03:44 | 000,372,736 | ---- | M] () -- C:\Program Files\Lexmark Toolbar\toolband.dll
MOD - [2007/09/13 19:11:18 | 000,249,856 | ---- | M] () -- C:\Windows\System32\igfxTMM.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (MpsSvc)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe -- (MozillaMaintenance)
SRV - File not found [On_Demand | Stopped] -- -- (BFE)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/03/06 19:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/10/01 09:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 09:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2010/10/14 18:45:05 | 000,589,824 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxducoms.exe -- (lxdu_device)
SRV - [2008/07/27 14:00:25 | 000,069,632 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/06/19 21:17:50 | 000,132,096 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/01/19 00:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/19 00:34:54 | 000,068,608 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\mprdim.dll -- (RemoteAccess)
SRV - [2008/01/19 00:34:46 | 000,053,760 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\Mcx2Svc.dll -- (Mcx2Svc)
SRV - [2007/09/24 21:38:00 | 000,181,784 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2007/09/19 15:01:12 | 000,077,824 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2007/03/29 14:39:20 | 000,427,576 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/02/26 01:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/01/25 22:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/11/15 00:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 20:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/05/25 22:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Tosrfcom)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\UP_date\PEDrv.sys -- (SVRPEDRV)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys -- (IO_Memory)
DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.5\CO_Mon.sys -- (CWMonitor)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\SeviceFix13496S\catchme.sys -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/03/06 19:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/03/06 19:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/03/06 19:02:00 | 000,035,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2012/03/06 19:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/03/06 19:01:48 | 000,057,688 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2012/03/06 19:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/10/01 09:30:42 | 000,019,304 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftvollh.sys -- (Sftvol)
DRV - [2011/10/01 09:30:40 | 000,021,864 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
DRV - [2011/10/01 09:30:38 | 000,194,408 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftplaylh.sys -- (Sftplay)
DRV - [2011/10/01 09:30:36 | 000,579,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftfslh.sys -- (Sftfs)
DRV - [2011/06/30 13:20:45 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/30 13:20:45 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/01/18 22:49:18 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sermouse.sys -- (sermouse)
DRV - [2008/01/18 22:28:10 | 000,226,816 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\System32\drivers\udfs.sys -- (udfs)
DRV - [2007/09/19 14:59:12 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tos_sps32.sys -- (tos_sps32)
DRV - [2007/06/01 17:07:48 | 000,252,416 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl8187B.sys -- (RTL8187B)
DRV - [2007/01/24 18:44:06 | 000,290,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/11/28 19:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 02:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/09 02:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10I.sys -- (KR10I)
DRV - [2006/11/09 02:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10N.sys -- (KR10N)
DRV - [2006/11/02 05:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 05:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 05:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 05:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 05:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\iaStorV.sys -- (iaStorV)
DRV - [2006/11/02 05:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 05:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 05:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 05:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 05:50:24 | 000,047,208 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\isapnp.sys -- (isapnp)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,080,488 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\msdsm.sys -- (msdsm)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:16 | 000,078,952 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\mpio.sys -- (mpio)
DRV - [2006/11/02 05:50:16 | 000,076,392 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sbp2port.sys -- (sbp2port)
DRV - [2006/11/02 05:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 05:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 05:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 05:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\HpCISSs.sys -- (HpCISSs)
DRV - [2006/11/02 05:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\Mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 05:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 05:49:49 | 000,027,752 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\i2omp.sys -- (i2omp)
DRV - [2006/11/02 05:49:38 | 000,019,560 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\wd.sys -- (Wd)
DRV - [2006/11/02 05:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 05:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 05:49:26 | 000,015,464 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\amdide.sys -- (amdide)
DRV - [2006/11/02 05:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 05:49:20 | 000,013,416 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\pciide.sys -- (pciide)
DRV - [2006/11/02 05:03:00 | 000,242,688 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\rdpdr.sys -- (rdpdr)
DRV - [2006/11/02 04:55:23 | 000,039,936 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\bthmodem.sys -- (BTHMODEM)
DRV - [2006/11/02 04:55:22 | 000,029,184 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\hidbth.sys -- (HidBth)
DRV - [2006/11/02 04:55:09 | 000,068,608 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\usbcir.sys -- (usbcir) eHome Infrared Receiver (USBCIR)
DRV - [2006/11/02 04:55:08 | 000,035,328 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\circlass.sys -- (circlass)
DRV - [2006/11/02 04:55:05 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\usbohci.sys -- (usbohci)
DRV - [2006/11/02 04:55:01 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\hidir.sys -- (HidIr)
DRV - [2006/11/02 04:52:52 | 000,020,608 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\wacompen.sys -- (WacomPen)
DRV - [2006/11/02 04:51:40 | 000,013,312 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sfloppy.sys -- (sfloppy)
DRV - [2006/11/02 04:51:38 | 000,013,312 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sffdisk.sys -- (sffdisk)
DRV - [2006/11/02 04:51:33 | 000,025,088 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\fdc.sys -- (fdc)
DRV - [2006/11/02 04:51:32 | 000,020,480 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\flpydisk.sys -- (flpydisk)
DRV - [2006/11/02 04:42:03 | 000,065,536 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\IPMIDrv.sys -- (IPMIDRV)
DRV - [2006/11/02 04:35:03 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\wmiacpi.sys -- (WmiAcpi)
DRV - [2006/11/02 04:30:19 | 000,039,424 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\viac7.sys -- (ViaC7)
DRV - [2006/11/02 04:30:18 | 000,040,960 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\amdk8.sys -- (AmdK8)
DRV - [2006/11/02 04:30:18 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\crusoe.sys -- (Crusoe)
DRV - [2006/11/02 04:30:18 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\amdk7.sys -- (AmdK7)
DRV - [2006/11/02 04:30:18 | 000,038,400 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\processr.sys -- (Processor)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\BrSerId.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 03:30:56 | 000,044,544 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2006/10/18 15:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/10/06 02:22:14 | 000,016,768 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
DRV - [2006/09/27 08:06:00 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\kr3npxp.sys -- (KR3NPXP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {8A96AF9E-4074-43b7-BEA3-87217BDA7406}
IE - HKLM\..\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}: "URL" = http://www.searchqu.com/web?src=ieb&systemid=406&q={searchTerms}
IE - HKLM\..\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage};

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com/websearch/ref=bit_bds-amzn_serp_home?ie=UTF8&tagbase=bds-amzn&tbrId=v1_abb-channel-17_058b36b5bfba43a19ad94c27393900e6_17_17_20120601_US_ie_sp_
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {21475A23-BD73-3152-6CAC-741072CD9B98}
IE - HKCU\..\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}: "URL" = http://www.bing.com/search?FORM=BABTDF&PC=BBLN&q={searchTerms}&src=IE-SearchBox
IE - HKCU\..\SearchScopes\{21475A23-BD73-3152-6CAC-741072CD9B98}: "URL" = http://www.amazon.com/websearch/ref=bit_bds-amzn_serp_ie_us_display?ie=UTF8&tag=bds-amzn-serp-us-ie-20&tagbase=bds-amzn&tbrId=v1_abb-channel-17_058b36b5bfba43a19ad94c27393900e6_17_17_20120601_US_ie_ds_&query={searchTerms}
IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=078E4B36CE8D139AA3721C4FC3CC31B5&q={searchTerms}
IE - HKCU\..\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}: "URL" = http://www.searchqu.com/web?src=ieb&systemid=406&q={searchTerms}
IE - HKCU\..\SearchScopes\{BC37B0C6-1699-454D-815B-74DB6873EE31}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7TSHB
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Blekko"
FF - prefs.js..browser.search.order.1: "Blekko"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.amazon.com/websearch/ref=bit_bds-amzn_serp_home?ie=UTF8&tagbase=bds-amzn&tbrId=v1_abb-channel-17_058b36b5bfba43a19ad94c27393900e6_17_17_20120601_US_ff_sp_"
FF - prefs.js..keyword.URL: "http://www.amazon.com/websearch/ref=bit_bds-amzn_serp_ff_us_display?ie=UTF8&tag=bds-amzn-serp-us-ff-20&tagbase=bds-amzn&tbrId=v1_abb-channel-17_058b36b5bfba43a19ad94c27393900e6_17_17_20120601_US_ff_ab_&query="
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.448: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/05/07 13:16:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/06 11:51:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/04 19:44:19 | 000,000,000 | ---D | M]

[2012/01/16 23:58:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JonEJet\AppData\Roaming\Mozilla\Extensions
[2012/03/12 20:07:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\6llx2x2q.default\extensions
[2012/06/01 10:11:28 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions
[2012/06/06 11:51:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/06/01 10:11:28 | 000,502,682 | ---- | M] () (No name found) -- C:\USERS\JONEJET\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\OKCRVXTN.DEFAULT\EXTENSIONS\ABB@AMAZON.COM.XPI
[2012/03/12 20:07:50 | 000,004,728 | ---- | M] () (No name found) -- C:\USERS\JONEJET\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\OKCRVXTN.DEFAULT\EXTENSIONS\COOIJLURCQ@COOIJLURCQ.ORG.XPI
[2012/06/06 11:50:58 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/20 21:18:25 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/05/28 15:04:42 | 000,002,134 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\search.xml
[2012/04/20 21:18:25 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Amazon (Enabled)
CHR - default_search_provider: search_url = http://www.amazon.com/websearch/ref=bit_bds-amzn_serp_cr_us_display?ie=UTF8&tag=bds-amzn-serp-us-cr-20&tagbase=bds-amzn&tbrId=v1_abb-channel-17_058b36b5bfba43a19ad94c27393900e6_17_17_20120601_US_cr_ds_&query={searchTerms}
CHR - default_search_provider: suggest_url = http://suggestqueries.google.com/complete/search?q={searchTerms}&output=chrome,
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\19.0.1084.52\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\19.0.1084.52\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\19.0.1084.52\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\JonEJet\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U22 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Veetle TV Player (Enabled) = C:\Program Files\Veetle\Player\npvlc.dll
CHR - plugin: Veetle Broadcaster Plugin (Enabled) = C:\Program Files\Veetle\VLCBroadcast\npvbp.dll
CHR - plugin: Veetle TV Core (Enabled) = C:\Program Files\Veetle\plugins\npVeetle.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: avast! WebRep = C:\Users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\

O1 HOSTS File: ([2012/06/08 01:18:08 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - Startup: C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.59.247.45 208.59.247.46
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3BCB3EAE-FB8F-4141-8934-8A0E11E5B570}: DhcpNameServer = 10.61.32.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DBCEC8C8-8DDA-4014-B428-FED0EEFC40F8}: DhcpNameServer = 208.59.247.45 208.59.247.46
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/11 15:14:20 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/06/08 14:08:09 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2012/06/08 01:49:17 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Local\temp
[2012/06/08 01:18:36 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/06/08 01:14:09 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/06/07 23:23:50 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/06/07 07:41:09 | 000,000,000 | ---D | C] -- C:\SeviceFix
[2012/06/05 09:49:42 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2012/06/05 09:35:14 | 007,287,176 | ---- | C] (SurfRight B.V.) -- C:\Users\JonEJet\Desktop\HitmanPro36.exe
[2012/06/03 12:29:20 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\JonEJet\Documents\OTL.exe
[2012/06/02 14:55:01 | 098,077,435 | ---- | C] (Igor Pavlov) -- C:\Users\JonEJet\Desktop\OTLPEStd.exe
[2012/06/01 12:59:23 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Local\Seven Zip
[2012/06/01 12:27:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/06/01 10:16:29 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\JonEJet\Desktop\OTL.exe
[2012/05/31 21:01:48 | 000,000,000 | ---D | C] -- C:\Program Files\Amazon
[2012/05/31 21:00:53 | 000,000,000 | ---D | C] -- C:\Program Files\Amazon Browser Bar
[2012/05/31 10:23:14 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\Documents\OneNote Notebooks
[2012/05/31 10:01:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/05/31 09:27:33 | 000,201,728 | ---- | C] (OldTimer Tools) -- C:\Users\JonEJet\Desktop\OTC.exe
[2012/05/30 11:04:58 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\JonEJet\Desktop\aswMBR.exe
[2012/05/30 10:20:51 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Roaming\FixZeroAccess
[2012/05/30 09:45:58 | 001,805,736 | ---- | C] (Symantec Corporation) -- C:\Users\JonEJet\Desktop\FixZeroAccess.exe
[2012/05/29 11:23:37 | 000,000,000 | ---D | C] -- C:\Program Files\Free Download Manager
[2012/05/29 11:22:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
[2012/05/29 11:22:35 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Roaming\Babylon
[2012/05/28 15:04:14 | 000,000,000 | ---D | C] -- C:\Users\JonEJet\AppData\Local\blekkotb_031
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/13 16:56:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/13 16:24:48 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/13 16:24:48 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/13 12:06:28 | 000,047,616 | ---- | M] () -- C:\Users\JonEJet\Desktop\Win32kDiag.exe
[2012/06/13 10:24:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/13 10:24:02 | 2137,415,680 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/12 01:00:48 | 000,001,982 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/06/09 13:40:35 | 000,059,246 | ---- | M] () -- C:\Users\JonEJet\Documents\marci.jpg
[2012/06/08 14:13:22 | 000,001,356 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\d3d9caps.dat
[2012/06/08 01:18:08 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/06/08 00:48:21 | 179,672,641 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/06/07 23:30:59 | 001,415,784 | ---- | M] () -- C:\Users\JonEJet\Desktop\yorkyt.exe
[2012/06/07 14:14:40 | 000,604,946 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/06/07 14:14:40 | 000,104,356 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/06/07 11:03:06 | 000,080,384 | ---- | M] () -- C:\Users\JonEJet\Documents\MBRCheck.exe
[2012/06/06 23:37:06 | 000,015,494 | ---- | M] () -- C:\Users\JonEJet\log.xml
[2012/06/06 12:26:20 | 007,287,176 | ---- | M] (SurfRight B.V.) -- C:\Users\JonEJet\Desktop\HitmanPro36.exe
[2012/06/05 09:49:42 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2012/06/02 14:55:07 | 098,077,435 | ---- | M] (Igor Pavlov) -- C:\Users\JonEJet\Desktop\OTLPEStd.exe
[2012/06/01 12:27:43 | 000,000,881 | ---- | M] () -- C:\Users\JonEJet\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/06/01 12:27:43 | 000,000,857 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/06/01 10:16:41 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\JonEJet\Documents\OTL.exe
[2012/06/01 10:16:41 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\JonEJet\Desktop\OTL.exe
[2012/05/31 10:23:11 | 000,001,122 | ---- | M] () -- C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2012/05/31 09:27:39 | 000,201,728 | ---- | M] (OldTimer Tools) -- C:\Users\JonEJet\Desktop\OTC.exe
[2012/05/31 09:19:25 | 000,349,920 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/05/30 11:05:05 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\JonEJet\Desktop\aswMBR.exe
[2012/05/30 09:46:03 | 001,805,736 | ---- | M] (Symantec Corporation) -- C:\Users\JonEJet\Desktop\FixZeroAccess.exe
[2012/05/28 12:15:03 | 000,005,120 | ---- | M] () -- C:\Users\JonEJet\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/05/27 10:01:18 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/13 12:06:22 | 000,047,616 | ---- | C] () -- C:\Users\JonEJet\Desktop\Win32kDiag.exe
[2012/06/09 13:40:30 | 000,059,246 | ---- | C] () -- C:\Users\JonEJet\Documents\marci.jpg
[2012/06/08 14:17:37 | 2137,415,680 | -HS- | C] () -- C:\hiberfil.sys
[2012/06/07 23:30:54 | 001,415,784 | ---- | C] () -- C:\Users\JonEJet\Desktop\yorkyt.exe
[2012/06/07 11:02:55 | 000,080,384 | ---- | C] () -- C:\Users\JonEJet\Documents\MBRCheck.exe
[2012/06/06 23:37:06 | 000,015,494 | ---- | C] () -- C:\Users\JonEJet\log.xml
[2012/06/01 12:24:16 | 000,000,881 | ---- | C] () -- C:\Users\JonEJet\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/06/01 12:24:16 | 000,000,869 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/06/01 12:24:16 | 000,000,857 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/05/31 10:23:11 | 000,001,122 | ---- | C] () -- C:\Users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2011/05/18 16:44:04 | 000,001,356 | ---- | C] () -- C:\Users\JonEJet\AppData\Local\d3d9caps.dat
[2011/01/30 04:50:10 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/01/30 04:50:10 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2010/12/28 12:48:12 | 000,651,264 | ---- | C] ( ) -- C:\Windows\System32\lxdupmui.dll
[2010/12/28 12:48:09 | 000,376,832 | ---- | C] ( ) -- C:\Windows\System32\lxducomm.dll
[2010/12/28 12:48:06 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxduhbn3.dll
[2010/12/28 12:48:04 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxducfg.exe
[2010/12/28 12:48:04 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdugrd.dll
[2010/12/28 12:48:02 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxduvs.dll
[2010/12/28 12:48:01 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\lxduih.exe
[2010/12/28 12:45:37 | 000,045,056 | ---- | C] () -- C:\Windows\System32\LXDUPMON.DLL
[2010/12/28 12:45:37 | 000,032,768 | ---- | C] () -- C:\Windows\System32\LXDUFXPU.DLL
[2010/12/28 12:45:15 | 000,086,016 | ---- | C] () -- C:\Windows\System32\lxduoem.dll
[2010/12/28 12:32:53 | 000,389,120 | ---- | C] () -- C:\Windows\System32\LXDUinst.dll
[2010/12/28 12:32:52 | 000,446,464 | ---- | C] ( ) -- C:\Windows\System32\LXDUhcp.dll
[2010/12/28 12:32:51 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxduinpa.dll
[2010/12/28 12:32:50 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxduiesc.dll
[2010/12/28 12:32:46 | 000,860,160 | ---- | C] ( ) -- C:\Windows\System32\lxduusb1.dll
[2010/12/28 12:32:44 | 001,069,056 | ---- | C] ( ) -- C:\Windows\System32\lxduserv.dll
[2010/12/28 12:32:39 | 000,577,536 | ---- | C] ( ) -- C:\Windows\System32\lxdulmpm.dll
[2010/12/28 12:32:24 | 000,589,824 | ---- | C] ( ) -- C:\Windows\System32\lxducoms.exe
[2010/12/28 12:32:13 | 000,761,856 | ---- | C] ( ) -- C:\Windows\System32\lxducomc.dll
[2010/12/28 12:23:12 | 000,409,600 | ---- | C] ( ) -- C:\Windows\System32\lxducoin.dll
[2010/12/28 12:22:08 | 000,081,920 | ---- | C] () -- C:\Windows\System32\lxducaps.dll
[2010/12/28 12:22:08 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxducnv4.dll
[2010/12/28 12:22:06 | 001,036,288 | ---- | C] () -- C:\Windows\System32\lxdudrs.dll
[2010/10/12 21:44:13 | 000,000,282 | ---- | C] () -- C:\Users\JonEJet\AppData\Roaming\wklnhst.dat

========== LOP Check ==========

[2012/01/30 22:44:31 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\30EF7
[2011/01/03 14:09:41 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\5600-6600 Series
[2012/05/29 11:22:35 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\Babylon
[2012/05/30 10:20:51 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\FixZeroAccess
[2011/01/03 13:57:23 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\Lexmark Productivity Studio
[2011/04/03 11:17:53 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\OpenOffice.org
[2008/05/05 17:55:23 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\Sirius
[2012/06/01 11:35:56 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\SoftGrid Client
[2011/10/08 17:34:20 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\StreamTorrent
[2010/10/12 21:44:18 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\Template
[2009/06/17 11:39:53 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\TOSHIBA
[2011/01/28 17:36:21 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\TP
[2008/03/31 20:10:41 | 000,000,000 | ---D | M] -- C:\Users\JonEJet\AppData\Roaming\WinBatch
[2012/06/13 10:22:35 | 000,032,574 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

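A reviewer's first pass over an OTL log like the one above usually goes to the same places: the O17 DhcpNameServer addresses, the O2/O28 entries whose CLSID resolves to nothing, and any loaded module OTL prints with an empty company name "()". As an added example that is not part of the original thread and not an OldTimer tool, the Python script below pulls exactly those lines out of an OTL log and classifies each resolver address as private (RFC 1918, loopback, link-local) or public. The 10.61.32.1 entry from the log falls inside 10.0.0.0/8, so it is a LAN-side address handed out by DHCP on that interface rather than an Internet resolver; whether it is legitimate depends on which network the laptop was on at the time, which the log cannot tell you. The sample input is copied from the log above; the regular expressions assume OTL's line layout as shown there.

```python
import ipaddress
import re

# Lines copied from the OTL log posted above and used here as the sample input;
# the regular expressions assume OTL's line layout as shown in that log.
OTL_SAMPLE = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.59.247.45 208.59.247.46
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3BCB3EAE-FB8F-4141-8934-8A0E11E5B570}: DhcpNameServer = 10.61.32.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DBCEC8C8-8DDA-4014-B428-FED0EEFC40F8}: DhcpNameServer = 208.59.247.45 208.59.247.46
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
""".strip("\n")

O17_RE = re.compile(r"^O17 - (?P<key>.+?): DhcpNameServer = (?P<servers>[\d. ]+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# OTL prints "()" after a module path when the file carries no company name.
NO_COMPANY_RE = re.compile(r"^(?P<section>O\d+) - .* - (?P<path>[A-Za-z]:\\[^()]+?) \(\)$")


def dns_scope(ip_text):
    """'private' for RFC 1918, loopback and link-local addresses, otherwise 'public'."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"


def parse_dns_servers(log_text):
    """Return [(registry key, [(ip, scope), ...])] for every O17 DhcpNameServer line."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            servers = [(ip, dns_scope(ip)) for ip in m.group("servers").split()]
            found.append((m.group("key"), servers))
    return found


def find_orphan_clsids(log_text):
    """Entries whose CLSID has no registered value: leftovers of something removed or half-installed."""
    orphans = []
    for line in log_text.splitlines():
        if line.endswith("No CLSID value found."):
            m = CLSID_RE.search(line)
            orphans.append((line.split(" - ", 1)[0], m.group(0) if m else None))
    return orphans


def find_no_company_modules(log_text):
    """Loaded modules with an empty company name; worth a hash lookup before trusting them."""
    return [(m.group("section"), m.group("path"))
            for m in map(NO_COMPANY_RE.match, log_text.splitlines()) if m]


def triage(log_text):
    """Summarise the items a reviewer usually asks about first."""
    dns = parse_dns_servers(log_text)
    return {
        "private_dns": sorted({ip for _, servers in dns for ip, scope in servers if scope == "private"}),
        "public_dns": sorted({ip for _, servers in dns for ip, scope in servers if scope == "public"}),
        "orphan_clsids": find_orphan_clsids(log_text),
        "no_company_modules": find_no_company_modules(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(OTL_SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a full OTL.txt by replacing OTL_SAMPLE with the file's contents; the private/public split is only a pointer for the follow-up question ("which network was that?"), not a verdict on its own.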
Re: Root Kit....Zero Access
Also, not sure where that Amazon Google search came from???

Re: Root Kit....Zero Access
Something in your OTL log: do you know this IP address? 10.61.32.1

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Root Kit....Zero Access
No, have no idea what that IP address is

Re: Root Kit....Zero Access
Thanks Belahzur!

Please run OTL

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the License agreement and click on next.
  • It will, by default, install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.
  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)
Leave the rest of the settings as they appear as default.
  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be neutralized then choose the delete option when prompted.
  • After that is done, click on the Reports button at the bottom, save it to file, and name it Kas.
  • Save it somewhere convenient like your desktop. Post only the detected virus/malware entries from the report (they are at the very top, under Detected) in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.

Re: Root Kit....Zero Access
All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3BCB3EAE-FB8F-4141-8934-8A0E11E5B570}\\DhcpNameServer| /E : value set successfully!
Unable to fix default_search_provider items.
Unable to fix default_search_provider items.
Prefs.js: "http://www.amazon.com/websearch/ref=bit_bds-amzn_serp_home?ie=UTF8&tagbase=bds-amzn&tbrId=v1_abb-channel-17_058b36b5bfba43a19ad94c27393900e6_17_17_20120601_US_ff_sp_" removed from browser.startup.homepage
Prefs.js: "http://www.amazon.com/websearch/ref=bit_bds-amzn_serp_ff_us_display?ie=UTF8&tag=bds-amzn-serp-us-ff-20&tagbase=bds-amzn&tbrId=v1_abb-channel-17_058b36b5bfba43a19ad94c27393900e6_17_17_20120601_US_ff_ab_&query=" removed from keyword.URL
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{21475A23-BD73-3152-6CAC-741072CD9B98}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21475A23-BD73-3152-6CAC-741072CD9B98}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: JonEJet
->Temp folder emptied: 225442345 bytes
->Temporary Internet Files folder emptied: 101693646 bytes
->Java cache emptied: 12308864 bytes
->FireFox cache emptied: 111239166 bytes
->Google Chrome cache emptied: 6962424 bytes
->Flash cache emptied: 355310 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 15766 bytes
RecycleBin emptied: 62849844 bytes

Total Files Cleaned = 497.00 mb


OTL by OldTimer - Version 3.2.45.0 log created on 06142012_091807


< End of report >


Last edited by JonEJet on 14th June 2012, 2:07 pm; edited 1 time in total

Re: Root Kit....Zero Access
Hey JonEJet, the big guns are helping you now.

Seems you posted an OTL log you already posted before.

Assuming you ran the OTL "Run Fix" script that DragonMaster Jay requested in his previous post, the log should be located in C:\_OTL\Moved Files

Re: Root Kit....Zero Access
I thought so....looking again

Thanks Gabe, fixed previous post using today's scan

Re: Root Kit....Zero Access
Fixed...see above

Thank you

Re: Root Kit....Zero Access
OK

How about the AVP scan in safe mode, as indicated by DMJ?

Re: Root Kit....Zero Access
Scanning right now under safe mode Thank You!

Re: Root Kit....Zero Access
This scan is 3.5 hours in, and still has a ways to go...is that normal?

Re: Root Kit....Zero Access
It can take a while. Don't know why it is taking that long. Give it a bit longer.

Does it say if it has detected anything? If so...what's the detection?

Re: Root Kit....Zero Access
nothing detected as of yet

44% done, says I have 5 hours left???

Re: Root Kit....Zero Access
That seems a bit ridiculous, to be honest. I have successfully run that tool in 2 hours or less.

Let's switch to Dr Web CureIt, please:

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Re: Root Kit....Zero Access
OTL infected with Trojan.Siggen4.2299

Did the quick scan, now on custom scan which is 3 hrs in....not sure why these are going so slow, but not stopping now

Has found 7 infections, 13 curious thus far

Re: Root Kit....Zero Access
Okay, I have the log saved....but it is so long I can't paste it here

What can I do so you can see it?

Also have a quarantine file saved in my documents.........should I delete them all?

Re: Root Kit....Zero Access
Submit that to http://www.mediafire.com and then post the download link here, please.

Re: Root Kit....Zero Access
http://www.mediafire.com/?z6dg6xycdm5zgx5


Here is quarantine

http://www.mediafire.com/i/?kdub20h2ief5g0m

Re: Root Kit....Zero Access
Taking a look at your quarantine pic there...

OTL was detected incorrectly by Dr. Web. It happens all the time.

Anyway, it's interesting that GetAd.JS was quarantined. GetAd.js contains scripting code to redirect web searches. All those GetAd*.aspx files were the malware's special ad pages. It's a scripting/macro virus aimed at displaying individual ads to you while browsing the internet (AKA redirecting your searches). I have all the locations outlined below.

Coders work with this advertising model, but some have done it scammy: http://www.aspfree.com/c/a/ASP.NET/Programming-an-InText-Advertising-System-under-ASPNET-35/

It's a legit type of idea, but definitely used maliciously in this case of yours!!


From the Scan Log:

C:\Users\JonEJet\Documents\My Pictures\LL_files\GetAd.js - archive contains infected objects - moved
C:\Users\JonEJet\Documents\My Pictures\LL_files\getjs.js - archive JS-HTML
C:\Users\JonEJet\Documents\My Pictures\LL_files\GetAd.js - probably infected with SCRIPT.Virus
C:\Users\JonEJet\Documents\My Pictures\LL_files\GetAd.js - archive JS-HTML
>C:\Users\JonEJet\Documents\My Pictures\LL_files\GetAd.js/JSFile_1[0][919] - probably infected with SCRIPT.Virus
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[1].aspx - probably infected with SCRIPT.Virus
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[1].aspx - archive JS-HTML
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[1].aspx/JSFile_1[0][615] - probably infected with SCRIPT.Virus
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[1].aspx/JSWrite_2[185] - OK
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[1].aspx/IFrame_3[98] - OK
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[1].aspx - archive contains infected objects - moved
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[2].aspx - probably infected with SCRIPT.Virus
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[2].aspx - archive JS-HTML
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[2].aspx/JSFile_1[0][612] - probably infected with SCRIPT.Virus
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[2].aspx/JSWrite_2[185] - OK
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[2].aspx/IFrame_3[98] - OK
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[2].aspx - archive contains infected objects - moved
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[3].aspx - probably infected with SCRIPT.Virus
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[3].aspx - archive JS-HTML
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[3].aspx/JSFile_1[0][741] - probably infected with SCRIPT.Virus
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[3].aspx/JSWrite_2[1e2] - OK
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[3].aspx/IFrame_3[f5] - OK
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZBN99C74\GetAd[3].aspx - archive contains infected objects - moved
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPVKWOSX\GetAd[1].aspx - probably infected with SCRIPT.Virus
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPVKWOSX\GetAd[1].aspx - archive JS-HTML
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPVKWOSX\GetAd[1].aspx/JSFile_1[0][741] - probably infected with SCRIPT.Virus
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPVKWOSX\GetAd[1].aspx/JSWrite_2[1e2] - OK
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPVKWOSX\GetAd[1].aspx/IFrame_3[f5] - OK
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPVKWOSX\GetAd[1].aspx - archive contains infected objects - moved
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0WF783Q\ros[2] - probably infected with SCRIPT.Virus
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0WF783Q\GetAd[1].aspx - probably infected with SCRIPT.Virus
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0WF783Q\GetAd[1].aspx - archive JS-HTML
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0WF783Q\GetAd[1].aspx/JSFile_1[0][61c] - probably infected with SCRIPT.Virus
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0WF783Q\GetAd[1].aspx/JSWrite_2[185] - OK
>C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0WF783Q\GetAd[1].aspx/IFrame_3[98] - OK
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0WF783Q\GetAd[1].aspx - archive contains infected objects - moved

C:\Documents and Settings\JonEJet\DoctorWeb\Quarantine\yorkyt.exe infected with Trojan.MulDrop3.44950 - incurable - moved

What was yorkyt.exe - did you rename a tool?

Do you know what the LL_files directory was? It's really strange to see detections within My Pictures. Usually the user puts infected files there.

Redirects should be gone now, yes?

Re: Root Kit....Zero Access

Redirects are not gone, unbelievably.... I just did a search.

Only happens when I do a google search

The yorkyt.exe was a download during this process


I just deleted everything I could and I just got this

hxxp://8.26.70.252/see/display.php?q=new+york+jets&affsub=46355-4977_1233&subid=e10

Last edited by DragonMaster Jay on 15th June 2012, 6:18 pm; edited 1 time in total (Reason for editing : Please replace the tt letters in the HTTP:// with xx letters)

Re: Root Kit....Zero Access

I will be back in the next few hours with a new fix, after complete investigation is made in to this issue.

I have to step out for a short time. Be back soon!

Re: Root Kit....Zero Access

Thanks for the help guys....I know this is a pain in the A$$ for all of you.

Re: Root Kit....Zero Access

It can be. I've dealt with even worse issues here and here.

Anyway, this malware is looking more and more like DNSChanger. It appears from the events that have occurred that your DNS is poisoned.

Let's kill it...yes?!

I have seen a combination infection from both Win32 DNSChanger-VJ and Rootkit.ZeroAccess.




NEXT STEPS IN ORDER

1. RE-RUN COMBOFIX
Delete your copy of ComboFix, and download a new version. Run ComboFix as instructed before, and post a new log please.

2. Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    [EMPTYJAVA]


  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alarmed; this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
    Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)


3. Please open OTL -- Click the None button and paste this in the Custom Scans box:

hklm\software\clients\startmenuinternet|command /rs
%systemroot%\*. /rp /s
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
%USERPROFILE%\AppData\Local\*.* /s
%USERPROFILE%\AppData\Local\*. /s
%TEMP%\smtmp\*.* /s
win32k.sys /md5
"%WinDir%\$NtUninstallKB*$." /30
C:\Program Files\Common Files\ComObjects\*.* /s
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s


Then click Run Scan. It will open a log. Please post it in your next reply.


4. Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt


  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.



In your next reply, please make sure to include these logs:

-ComboFix log
-OTL Fix Log
-OTL Scan Log
-FRST Log

Also, let me know if it is redirecting after running the fix for OTL and ComboFix.
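
The helper above attributes the redirects to poisoned DNS, and the OTL fix resets the hosts file and flushes the resolver cache. The script below is an added example (not part of this thread, and not ComboFix, OTL or FRST code) of the checks a responder would run over the ComboFix and FRST output the user posts in reply: the DHCP-assigned resolvers, a service whose ImagePath has been reduced to "." (the Windows Firewall service MpsSvc in these logs), the AppInit_DLLs injection point, startup shortcuts that point into a Temp folder, and the Firefox proxy setting. The sample lines are copied from the logs in this thread; the rule names, severities and the EXPECTED_DNS address (a hypothetical home router) are this example's assumptions.

```python
"""Triage of ComboFix/FRST-style log lines for the DNS-redirect symptoms in this thread.

Added example; it is not ComboFix, OTL or FRST code and not part of the original
posts. Rule names, severities and EXPECTED_DNS are this example's assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    rule: str       # short rule id
    subject: str    # IP, service name, shortcut or DLL the finding is about
    detail: str


# Constructed sample: lines copied from the ComboFix and FRST logs posted in
# this thread (plus the Firefox proxy line), so the script runs offline.
SAMPLE_LOG = r"""
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
Tcpip\Parameters: [DhcpNameServer] 208.59.247.45 208.59.247.46
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
3 MpsSvc; . [x]
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [x]
FF - prefs.js: network.proxy.type - 0
"""

# Assumption: the resolver the user expects DHCP to hand out (a home router);
# any other address is worth checking against the ISP and the router's own config.
EXPECTED_DNS = frozenset({"192.168.1.1"})

DNS_RE = re.compile(r"DhcpNameServer\]?\s*=?\s*([\d. ]+)$")
SVC_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
IMAGE_RE = re.compile(r'^"ImagePath"="(.*)"$')
FRST_SVC_RE = re.compile(r"^[0-4] ([^;]+); (.*?) \[x\]$")   # FRST: [x] = file not found
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.+)$')
LNK_RE = re.compile(r"^(\S.*?\.lnk) - (.+?) \[N/A\]$")
PROXY_RE = re.compile(r"network\.proxy\.type - (\d+)")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return a de-duplicated list of Findings for the given log text."""
    findings, seen = [], set()

    def add(severity, rule, subject, detail):
        if (rule, subject) not in seen:          # the same service may appear in both logs
            seen.add((rule, subject))
            findings.append(Finding(severity, rule, subject, detail))

    current_service = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DNS_RE.search(line):
            for ip in m.group(1).split():
                if ip not in expected_dns:
                    add("high", "dns-server", ip,
                        "DHCP-assigned resolver is not the expected one; verify with the ISP and check the router")
        elif m := SVC_KEY_RE.match(line):
            current_service = m.group(1)         # ComboFix prints the key, then its ImagePath value
        elif (m := IMAGE_RE.match(line)) and current_service:
            if m.group(1).strip() in ("", "."):
                add("high", "service-path-damaged", current_service,
                    "ImagePath is empty or '.', so the service cannot start (here: Windows Firewall)")
            current_service = None
        elif m := FRST_SVC_RE.match(line):
            name, path = m.group(1), m.group(2).strip('"')
            if path == ".":
                add("high", "service-path-damaged", name, "FRST reports image path '.'")
            elif ABS_PATH_RE.match(path):        # relative driver paths show [x] in bulk from the recovery environment; skip them
                add("medium", "service-file-missing", name, "registered binary is missing: " + path)
        elif m := APPINIT_RE.match(line):
            add("medium", "appinit-dll", m.group(1),
                "AppInit_DLLs is loaded into every process that uses user32.dll; confirm the publisher")
        elif m := LNK_RE.match(line):
            name, target = m.group(1), m.group(2)
            if "\\temp\\" in target.lower():
                add("medium", "startup-from-temp", name, "startup shortcut points into a temp folder: " + target)
        elif (m := PROXY_RE.search(line)) and m.group(1) != "0":
            add("high", "browser-proxy", "firefox",
                "network.proxy.type=" + m.group(1) + ": browser traffic is routed through a proxy")
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 4}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:22} {f.subject}: {f.detail}")
    print(summarize(results))
```

On the thread's own lines this reports the two 208.59.247.x resolvers (to be compared with what the ISP and the router actually hand out), the MpsSvc service with an ImagePath of "." (reported once even though ComboFix and FRST both show it), the Google Desktop AppInit DLL, two startup shortcuts whose targets sit under AppData\Local\temp, and the orphaned Avira service. One caveat on the OTL fix above: `cacls ... /G everyone:f` replaces the ACL on the hosts file with Everyone:Full Control, which is fine for forcing the reset through but should be restored to the default (Administrators and SYSTEM write, Users read) once the file has been rebuilt, otherwise any process on the box can rewrite it again.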

Re: Root Kit....Zero Access

One at a time Cheers Mate

ComboFix 12-06-15.03 - JonEJet 06/15/2012 14:35:57.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.802 [GMT -4:00]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-15 to 2012-06-15 )))))))))))))))))))))))))))))))
.
.
2012-06-15 18:45 . 2012-06-15 18:50 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-15 18:45 . 2012-06-15 18:45 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-15 18:45 . 2012-06-15 18:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-15 12:51 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-14 13:26 . 2012-06-14 13:26 0 ----a-w- c:\windows\system32\shoA32C.tmp
2012-06-08 18:08 . 2012-06-08 18:12 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-15 18:29 -------- d-----w- C:\SeviceFix
2012-06-01 16:24 . 2012-04-21 01:18 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-06-01 16:24 . 2012-04-21 01:18 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-06 16:05 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-06 15:50 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-06 15:50 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-06 15:50 157600 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-06 15:50 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
2012-05-28 19:04 . 2012-05-28 19:46 -------- d-----w- c:\users\JonEJet\AppData\Local\blekkotb_031
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-06 15:50 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
.
------- Supplementary Scan -------
.
uStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Microsoft Application Virtualization Client\sftlist.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
.
**************************************************************************
.
Completion time: 2012-06-15 15:20:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-15 19:20
.
Pre-Run: 65,449,205,760 bytes free
Post-Run: 65,498,370,048 bytes free
.
- - End Of File - - B5B0758A59F530B339AEBE857D0BB436


Re: Root Kit....Zero Access

Step II

All processes killed
========== FILES ==========
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: C:\Windows\system32\drivers\etc\hosts
C:\Users\JonEJet\Desktop\cmd.bat deleted successfully.
C:\Users\JonEJet\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\JonEJet\Desktop\cmd.bat deleted successfully.
C:\Users\JonEJet\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: JonEJet
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 52972771 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 7527 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 51.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: JonEJet
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: JonEJet
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.48.0 log created on 06152012_153124

Re: Root Kit....Zero Access

Step III


http://www.mediafire.com/?45k48dhwoxkiygc

Re: Root Kit....Zero Access

Step IV

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 03-06-2012
Ran by SYSTEM at 15-06-2012 17:53:53
Running from C:\Users\JonEJet\Downloads
Windows Vista (TM) Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2007-09-20] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [129560 2007-09-20] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-08-15] (Synaptics, Inc.)
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [1862144 2007-11-06] (Google)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [413696 2009-05-26] (Apple Inc.)
HKLM\...\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [198160 2010-02-01] (RealNetworks, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2011-08-30] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4241512 2012-03-06] (AVAST Software)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-05-18] (TOSHIBA)
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-05-18] (TOSHIBA)
HKU\JonEJet\...\Run: [MediaFire Tray] "C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" --boot-start [2172488 2012-06-13] (MediaFire LLC)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 208.59.247.45 208.59.247.46
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
Startup: C:\Users\JonEJet\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\JonEJet\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> (No File)
Startup: C:\Users\JonEJet\Start Menu\Programs\Startup\_uninst_.lnk
ShortcutTarget: _uninst_.lnk -> (No File)

================================ Services (Whitelisted) ==================

2 AgereModemAudio; C:\Windows\system32\agrsmsvc.exe [9216 2006-10-05] (Agere Systems)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44768 2012-03-06] (AVAST Software)
2 CFSvcs; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2006-11-15] (TOSHIBA CORPORATION)
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-19] (Microsoft Corporation)
3 GameConsoleService; "C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe" [181784 2007-09-24] (WildTangent, Inc.)
3 GoogleDesktopManager; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [1862144 2007-11-06] (Google)
2 gupdate1caa3b3b7341e00; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2010-02-01] (Google Inc.)
2 lxdu_device; C:\Windows\system32\lxducoms.exe -service [589824 2010-10-14] ( )
2 pinger; C:\TOSHIBA\IVP\ISM\pinger.exe [136816 2007-01-25] ()
2 TNaviSrv; C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [77824 2007-09-19] (TOSHIBA Corporation)
2 TODDSrv; C:\Windows\system32\TODDSrv.exe [114688 2006-05-25] (TOSHIBA Corporation)
2 TosCoSrv; "C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe" [427576 2007-03-29] (TOSHIBA Corporation)
2 TOSHIBA Bluetooth Service; C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [125048 2007-02-26] (TOSHIBA CORPORATION)
2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
2 AntiVirSchedulerService; "C:\Program Files\Avira\AntiVir Desktop\sched.exe" [x]
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [x]
3 MozillaMaintenance; C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe [x]

========================== Drivers (Whitelisted) =============

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [20696 2012-03-06] (AVAST Software)
2 aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [57688 2012-03-06] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [35672 2012-03-06] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [612184 2012-03-06] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [337880 2012-03-06] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [53848 2012-03-06] (AVAST Software)
4 KR10I; C:\Windows\System32\drivers\kr10i.sys [219264 2006-11-09] (TOSHIBA CORPORATION)
4 KR10N; C:\Windows\System32\drivers\kr10n.sys [211072 2006-11-09] (TOSHIBA CORPORATION)
4 KR3NPXP; C:\Windows\System32\drivers\kr3npxp.sys [479488 2006-09-27] (TOSHIBA CORPORATION)
4 Processor; C:\Windows\System32\drivers\processr.sys [38400 2006-11-02] (Microsoft Corporation)
0 ACPI; system32\drivers\acpi.sys [x]
3 AgereSoftModem; system32\DRIVERS\AGRSM.sys [x]
3 AsyncMac; system32\DRIVERS\asyncmac.sys [x]
0 atapi; system32\drivers\atapi.sys [x]
2 avgntflt; system32\DRIVERS\avgntflt.sys [x]
1 avipbb; system32\DRIVERS\avipbb.sys [x]
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
3 bowser; system32\DRIVERS\bowser.sys [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
4 cdfs; system32\DRIVERS\cdfs.sys [x]
1 cdrom; system32\DRIVERS\cdrom.sys [x]
0 CLFS; System32\CLFS.sys [x]
3 CmBatt; system32\DRIVERS\CmBatt.sys [x]
0 Compbatt; system32\DRIVERS\compbatt.sys [x]
0 crcdisk; system32\drivers\crcdisk.sys [x]
2 CWMonitor; \??\C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.5\CO_Mon.sys [x]
1 DfsC; System32\Drivers\dfsc.sys [x]
0 disk; system32\drivers\disk.sys [x]
3 drmkaud; system32\drivers\drmkaud.sys [x]
3 E1G60; system32\DRIVERS\E1G60I32.sys [x]
0 Ecache; System32\drivers\ecache.sys [x]
4 fdc; system32\DRIVERS\fdc.sys [x]
0 FileInfo; system32\drivers\fileinfo.sys [x]
3 Filetrace; system32\drivers\filetrace.sys [x]
4 flpydisk; system32\DRIVERS\flpydisk.sys [x]
0 FltMgr; system32\drivers\fltmgr.sys [x]
3 FwLnk; system32\DRIVERS\FwLnk.sys [x]
3 HdAudAddService; system32\drivers\HdAudio.sys [x]
3 HDAudBus; system32\DRIVERS\HDAudBus.sys [x]
3 HidUsb; system32\DRIVERS\hidusb.sys [x]
3 HTTP; system32\drivers\HTTP.sys [x]
1 i8042prt; system32\DRIVERS\i8042prt.sys [x]
3 igfx; system32\DRIVERS\igdkmd32.sys [x]
3 IntcAzAudAddService; system32\drivers\RTKVHDA.sys [x]
0 intelide; system32\drivers\intelide.sys [x]
3 intelppm; system32\DRIVERS\intelppm.sys [x]
3 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
3 IpFilterDriver; system32\DRIVERS\ipfltdrv.sys [x]
3 IpInIp; system32\DRIVERS\ipinip.sys [x]
3 IPNAT; system32\DRIVERS\ipnat.sys [x]
3 IRENUM; system32\drivers\irenum.sys [x]
3 iScsiPrt; system32\DRIVERS\msiscsi.sys [x]
1 kbdclass; system32\DRIVERS\kbdclass.sys [x]
1 kbdhid; system32\DRIVERS\kbdhid.sys [x]
0 KSecDD; System32\Drivers\ksecdd.sys [x]
2 lltdio; system32\DRIVERS\lltdio.sys [x]
3 Modem; system32\drivers\modem.sys [x]
3 monitor; system32\DRIVERS\monitor.sys [x]
1 mouclass; system32\DRIVERS\mouclass.sys [x]
3 mouhid; system32\DRIVERS\mouhid.sys [x]
0 MountMgr; System32\drivers\mountmgr.sys [x]
3 mpsdrv; System32\drivers\mpsdrv.sys [x]
3 MpsSvc; . [x]
3 mrxsmb; system32\DRIVERS\mrxsmb.sys [x]
3 mrxsmb10; system32\DRIVERS\mrxsmb10.sys [x]
3 mrxsmb20; system32\DRIVERS\mrxsmb20.sys [x]
0 msahci; system32\drivers\msahci.sys [x]
0 msisadrv; system32\drivers\msisadrv.sys [x]
3 MSKSSRV; system32\drivers\MSKSSRV.sys [x]
3 MSPCLOCK; system32\drivers\MSPCLOCK.sys [x]
3 MSPQM; system32\drivers\MSPQM.sys [x]
3 mssmbios; system32\DRIVERS\mssmbios.sys [x]
3 MSTEE; system32\drivers\MSTEE.sys [x]
0 Mup; System32\Drivers\mup.sys [x]
3 NativeWifiP; system32\DRIVERS\nwifi.sys [x]
0 NDIS; system32\drivers\ndis.sys [x]
3 NdisTapi; system32\DRIVERS\ndistapi.sys [x]
3 Ndisuio; system32\DRIVERS\ndisuio.sys [x]
3 NdisWan; system32\DRIVERS\ndiswan.sys [x]
1 NetBIOS; system32\DRIVERS\netbios.sys [x]
1 netbt; System32\DRIVERS\netbt.sys [x]
1 nsiproxy; system32\drivers\nsiproxy.sys [x]
3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
3 ohci1394; system32\DRIVERS\ohci1394.sys [x]
0 partmgr; System32\drivers\partmgr.sys [x]
0 pci; system32\drivers\pci.sys [x]
0 pcmcia; system32\DRIVERS\pcmcia.sys [x]
2 PEAUTH; system32\drivers\peauth.sys [x]
3 PptpMiniport; system32\DRIVERS\raspptp.sys [x]
1 PSched; system32\DRIVERS\pacer.sys [x]
0 PxHelp20; System32\Drivers\PxHelp20.sys [x]
1 RasAcd; System32\DRIVERS\rasacd.sys [x]
3 Rasl2tp; system32\DRIVERS\rasl2tp.sys [x]
3 RasPppoe; system32\DRIVERS\raspppoe.sys [x]
3 RasSstp; system32\DRIVERS\rassstp.sys [x]
1 rdbss; system32\DRIVERS\rdbss.sys [x]
1 RDPCDD; System32\DRIVERS\RDPCDD.sys [x]
1 RDPENCDD; system32\drivers\rdpencdd.sys [x]
2 rspndr; system32\DRIVERS\rspndr.sys [x]
3 RTL8169; system32\DRIVERS\Rtlh86.sys [x]
3 RTL8187B; system32\DRIVERS\RTL8187B.sys [x]
3 sdbus; system32\DRIVERS\sdbus.sys [x]
3 Sftfs; system32\DRIVERS\Sftfslh.sys [x]
3 Sftplay; system32\DRIVERS\Sftplaylh.sys [x]
3 Sftredir; system32\DRIVERS\Sftredirlh.sys [x]
3 Sftvol; system32\DRIVERS\Sftvollh.sys [x]
1 Smb; system32\DRIVERS\smb.sys [x]
3 srv; System32\DRIVERS\srv.sys [x]
3 srv2; System32\DRIVERS\srv2.sys [x]
3 srvnet; System32\DRIVERS\srvnet.sys [x]
1 ssmdrv; system32\DRIVERS\ssmdrv.sys [x]
3 SVRPEDRV; \??\C:\Windows\System32\sysprep\UP_date\PEDrv.sys [x]
3 swenum; system32\DRIVERS\swenum.sys [x]
3 SynTP; system32\DRIVERS\SynTP.sys [x]
0 Tcpip; System32\drivers\tcpip.sys [x]
3 Tcpip6; system32\DRIVERS\tcpip.sys [x]
2 tcpipreg; System32\drivers\tcpipreg.sys [x]
3 tdcmdpst; system32\DRIVERS\tdcmdpst.sys [x]
3 TDPIPE; system32\drivers\tdpipe.sys [x]
3 TDTCP; system32\drivers\tdtcp.sys [x]
1 tdx; system32\DRIVERS\tdx.sys [x]
1 TermDD; system32\DRIVERS\termdd.sys [x]
3 tifm21; system32\drivers\tifm21.sys [x]
3 Tosrfcom; [x]
0 tos_sps32; system32\DRIVERS\tos_sps32.sys [x]
3 tssecsrv; System32\DRIVERS\tssecsrv.sys [x]
3 tunmp; system32\DRIVERS\tunmp.sys [x]
3 tunnel; system32\DRIVERS\tunnel.sys [x]
0 TVALZ; system32\DRIVERS\TVALZ_O.SYS [x]
4 udfs; system32\DRIVERS\udfs.sys [x]
3 umbus; system32\DRIVERS\umbus.sys [x]
3 usbccgp; system32\DRIVERS\usbccgp.sys [x]
3 usbehci; system32\DRIVERS\usbehci.sys [x]
3 usbhub; system32\DRIVERS\usbhub.sys [x]
3 usbprint; system32\DRIVERS\usbprint.sys [x]
3 usbscan; system32\DRIVERS\usbscan.sys [x]
3 USBSTOR; system32\DRIVERS\USBSTOR.SYS [x]
3 usbuhci; system32\DRIVERS\usbuhci.sys [x]
3 usbvideo; System32\Drivers\usbvideo.sys [x]
3 vga; system32\DRIVERS\vgapnp.sys [x]
0 volmgr; system32\drivers\volmgr.sys [x]
0 volmgrx; System32\drivers\volmgrx.sys [x]
0 volsnap; system32\drivers\volsnap.sys [x]
3 Wanarp; system32\DRIVERS\wanarp.sys [x]
1 Wanarpv6; system32\DRIVERS\wanarp.sys [x]
0 Wdf01000; system32\drivers\Wdf01000.sys [x]
3 WpdUsb; system32\DRIVERS\wpdusb.sys [x]
3 WUDFRd; system32\DRIVERS\WUDFRd.sys [x]
3 yukonwlh; system32\DRIVERS\yk60x86.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-15 16:39 - 2012-06-15 16:39 - 0020976 ____A C:\Users\JonEJet\Desktop\FRST.txt
2012-06-15 16:10 - 2012-06-15 16:10 - 0008842 ____A C:\Users\JonEJet\Desktop\directions.txt
2012-06-15 16:07 - 2012-06-15 16:39 - 0000000 ____D C:\FRST
2012-06-15 16:05 - 2012-06-15 16:05 - 0874322 ____A C:\Users\JonEJet\Desktop\FRST.exe
2012-06-15 15:52 - 2012-06-15 15:57 - 0424470 ____A C:\Users\JonEJet\Desktop\OTL.Txt
2012-06-15 15:31 - 2012-06-15 15:43 - 0000000 ____D C:\_OTL
2012-06-15 15:28 - 2012-06-15 15:28 - 0596480 ____A (OldTimer Tools) C:\Users\JonEJet\Desktop\OTL.exe
2012-06-15 15:20 - 2012-06-15 15:20 - 0009014 ____A C:\ComboFix.txt
2012-06-15 14:50 - 2012-06-15 14:50 - 0000000 ____D C:\$RECYCLE.BIN
2012-06-15 14:33 - 2011-06-26 02:45 - 0256000 ____A C:\Windows\PEV.exe
2012-06-15 14:33 - 2010-11-07 13:20 - 0208896 ____A C:\Windows\MBR.exe
2012-06-15 14:33 - 2009-04-20 00:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-15 14:33 - 2000-08-30 20:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-15 14:33 - 2000-08-30 20:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-15 14:33 - 2000-08-30 20:00 - 0098816 ____A C:\Windows\sed.exe
2012-06-15 14:33 - 2000-08-30 20:00 - 0080412 ____A C:\Windows\grep.exe
2012-06-15 14:33 - 2000-08-30 20:00 - 0068096 ____A C:\Windows\zip.exe
2012-06-15 14:32 - 2012-06-15 15:20 - 0000000 ____D C:\Qoobox
2012-06-15 14:32 - 2012-06-15 15:20 - 0000000 ____D C:\ComboFix
2012-06-15 14:31 - 2012-06-15 14:31 - 4559180 ___RA (Swearware) C:\Users\JonEJet\Desktop\ComboFix.exe
2012-06-15 05:53 - 2012-06-15 05:53 - 0000000 ____D C:\Program Files\MediaFire Express
2012-06-15 05:52 - 2012-06-15 16:33 - 0000000 ____D C:\Users\JonEJet\AppData\Local\MediaFire Express
2012-06-15 05:52 - 2012-06-15 05:54 - 0000000 ____A C:\Windows\System32\install_results
2012-06-15 05:51 - 2012-06-15 05:52 - 24772832 ____A (MediaFire) C:\Users\JonEJet\Desktop\MediaFireExpress-0.13.1.3782-windows.exe
2012-06-14 22:07 - 2012-06-14 22:07 - 0138472 ____A C:\Windows\Minidump\Mini061412-01.dmp
2012-06-14 15:08 - 2012-06-15 10:57 - 0000000 ____D C:\Users\JonEJet\DoctorWeb
2012-06-14 15:01 - 2012-06-14 15:05 - 87081672 ____A C:\Users\JonEJet\Desktop\drweb-cureit.exe
2012-06-14 14:57 - 2012-06-15 16:31 - 2135339008 __ASH C:\hiberfil.sys
2012-06-14 09:50 - 2012-06-14 10:07 - 137409816 ____A C:\Users\JonEJet\Desktop\setup_11.0.0.1245.x01_2012_06_14_14_31.exe
2012-06-13 12:06 - 2012-06-13 12:06 - 0047616 ____A C:\Users\JonEJet\Desktop\Win32kDiag.exe
2012-06-13 10:40 - 2012-06-13 10:40 - 0029837 ____A C:\Windows\System32\svc.txt
2012-06-13 10:40 - 2012-06-13 10:40 - 0018588 ____A C:\Windows\System32\reg.txt
2012-06-09 13:40 - 2012-06-09 13:40 - 0059246 ____A C:\Users\JonEJet\Documents\marci.jpg
2012-06-08 01:14 - 2012-06-15 15:31 - 0000098 ____A C:\Windows\System32\Drivers\etc\Hosts
2012-06-08 00:48 - 2012-06-08 00:48 - 0138472 ____A C:\Windows\Minidump\Mini060812-01.dmp
2012-06-07 12:23 - 2012-06-07 12:32 - 0000294 ____A C:\Windows\mbr.log
2012-06-07 11:02 - 2012-06-07 11:03 - 0080384 ____A C:\Users\JonEJet\Documents\MBRCheck.exe
2012-06-07 07:41 - 2012-06-15 14:29 - 0000000 ____D C:\SeviceFix
2012-06-06 23:37 - 2012-06-06 23:37 - 0015494 ____A C:\Users\JonEJet\log.xml
2012-06-05 09:49 - 2012-06-05 09:49 - 0012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 0476960 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-06-04 15:51 - 2012-06-04 15:50 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-06-04 15:51 - 2012-06-04 15:50 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-06-04 13:36 - 2012-06-04 12:38 - 0002916 ____A C:\Windows\System32\SystemLook.txt
2012-06-04 13:13 - 2012-06-05 12:39 - 0002996 ____A C:\Users\JonEJet\Downloads\SystemLook.txt
2012-06-04 11:30 - 2012-06-04 11:30 - 0868860 ____A C:\Users\JonEJet\Downloads\FSRT.exe
2012-06-02 14:55 - 2012-06-02 14:55 - 98077435 ____A (Igor Pavlov) C:\Users\JonEJet\Desktop\OTLPEStd.exe
2012-06-01 12:59 - 2012-06-01 12:59 - 0000000 ____D C:\Users\JonEJet\AppData\Local\Seven Zip
2012-06-01 12:26 - 2012-06-01 12:26 - 16339280 ____A (Mozilla) C:\Users\JonEJet\Desktop\Firefox Setup 12.0.exe
2012-06-01 12:24 - 2012-06-01 12:27 - 0000857 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-06-01 10:02 - 2012-06-01 10:03 - 0139264 ____A C:\Users\JonEJet\Downloads\SystemLook.exe
2012-05-31 21:01 - 2012-05-31 21:01 - 0000000 ____D C:\Program Files\Amazon
2012-05-31 21:00 - 2012-06-01 11:45 - 0000000 ____D C:\Program Files\Amazon Browser Bar
2012-05-31 10:23 - 2012-05-31 10:23 - 0000000 ____D C:\Users\JonEJet\Documents\OneNote Notebooks
2012-05-31 10:01 - 2012-06-06 12:05 - 0000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-05-31 09:27 - 2012-05-31 09:27 - 0201728 ____A (OldTimer Tools) C:\Users\JonEJet\Desktop\OTC.exe
2012-05-30 17:52 - 2012-05-30 17:52 - 0154916 ____A C:\Users\JonEJet\gmer.txt
2012-05-30 11:14 - 2012-05-30 11:14 - 0138472 ____A C:\Windows\Minidump\Mini053012-02.dmp
2012-05-30 11:09 - 2012-05-30 11:09 - 0138472 ____A C:\Windows\Minidump\Mini053012-01.dmp
2012-05-30 11:04 - 2012-05-30 11:05 - 4731392 ____A (AVAST Software) C:\Users\JonEJet\Desktop\aswMBR.exe
2012-05-30 10:20 - 2012-05-30 10:20 - 0000000 ____D C:\Users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-30 09:45 - 2012-05-30 09:46 - 1805736 ____A (Symantec Corporation) C:\Users\JonEJet\Desktop\FixZeroAccess.exe
2012-05-29 12:27 - 2012-05-29 12:27 - 0047616 ____A C:\Users\JonEJet\Downloads\Win32kDiag.exe
2012-05-29 11:34 - 2012-05-29 11:34 - 0302592 ____A C:\Users\JonEJet\Downloads\uyougp9z.exe
2012-05-29 11:23 - 2012-05-29 11:27 - 0000000 ____D C:\Program Files\Free Download Manager
2012-05-29 11:22 - 2012-05-29 11:22 - 0000000 ____D C:\Users\JonEJet\AppData\Roaming\Babylon
2012-05-29 11:19 - 2012-05-29 11:19 - 0809328 ____A (AirInstaller Inc.) C:\Users\JonEJet\Downloads\setup.exe
2012-05-29 11:02 - 2012-05-29 11:02 - 0000268 ____A C:\Users\JonEJet\Documents\CFScript.txt
2012-05-29 10:46 - 2012-05-29 10:46 - 0080384 ____A C:\Users\JonEJet\Downloads\MBRCheck.exe
2012-05-28 16:45 - 2012-05-28 16:46 - 82493320 ____A (Sophos Limited) C:\Users\JonEJet\Downloads\Sophos Virus Removal Tool.exe
2012-05-28 15:46 - 2012-05-28 15:46 - 2127448 ____A (Kaspersky Lab ZAO) C:\Users\JonEJet\Downloads\tdsskiller(1).exe
2012-05-28 15:04 - 2012-05-28 15:46 - 0000000 ____D C:\Users\JonEJet\AppData\Local\blekkotb_031
2012-05-28 15:04 - 2012-05-28 15:04 - 0000000 ____D C:\avast! sandbox

============ 3 Months Modified Files and Folders ===============

2012-06-15 16:42 - 2007-12-11 17:06 - 1242837 ____A C:\Windows\WindowsUpdate.log
2012-06-15 16:42 - 2006-11-02 09:01 - 0032574 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-15 16:42 - 2006-11-02 09:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-15 16:42 - 2006-11-02 08:47 - 0003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-15 16:42 - 2006-11-02 08:47 - 0003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-15 16:39 - 2012-06-15 16:39 - 0020976 ____A C:\Users\JonEJet\Desktop\FRST.txt
2012-06-15 16:39 - 2012-06-15 16:07 - 0000000 ____D C:\FRST
2012-06-15 16:33 - 2012-06-15 05:52 - 0000000 ____D C:\Users\JonEJet\AppData\Local\MediaFire Express
2012-06-15 16:31 - 2012-06-14 14:57 - 2135339008 __ASH C:\hiberfil.sys
2012-06-15 16:10 - 2012-06-15 16:10 - 0008842 ____A C:\Users\JonEJet\Desktop\directions.txt
2012-06-15 16:05 - 2012-06-15 16:05 - 0874322 ____A C:\Users\JonEJet\Desktop\FRST.exe
2012-06-15 15:57 - 2012-06-15 15:52 - 0424470 ____A C:\Users\JonEJet\Desktop\OTL.Txt
2012-06-15 15:56 - 2010-02-01 23:10 - 0000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-15 15:43 - 2012-06-15 15:31 - 0000000 ____D C:\_OTL
2012-06-15 15:31 - 2012-06-08 01:14 - 0000098 ____A C:\Windows\System32\Drivers\etc\Hosts
2012-06-15 15:28 - 2012-06-15 15:28 - 0596480 ____A (OldTimer Tools) C:\Users\JonEJet\Desktop\OTL.exe
2012-06-15 15:20 - 2012-06-15 15:20 - 0009014 ____A C:\ComboFix.txt
2012-06-15 15:20 - 2012-06-15 14:32 - 0000000 ____D C:\Qoobox
2012-06-15 15:20 - 2012-06-15 14:32 - 0000000 ____D C:\ComboFix
2012-06-15 14:51 - 2006-11-02 06:23 - 0000215 ____A C:\Windows\system.ini
2012-06-15 14:50 - 2012-06-15 14:50 - 0000000 ____D C:\$RECYCLE.BIN
2012-06-15 14:47 - 2007-11-06 19:27 - 0515718 ____A C:\Windows\PFRO.log
2012-06-15 14:45 - 2011-04-05 21:05 - 0000000 ____D C:\Windows\ERDNT
2012-06-15 14:31 - 2012-06-15 14:31 - 4559180 ___RA (Swearware) C:\Users\JonEJet\Desktop\ComboFix.exe
2012-06-15 14:29 - 2012-06-07 07:41 - 0000000 ____D C:\SeviceFix
2012-06-15 11:24 - 2008-03-31 15:54 - 0000000 ____D C:\users\JonEJet
2012-06-15 11:06 - 2008-03-31 15:56 - 0000000 ____D C:\Users\JonEJet\AppData\LocalLow
2012-06-15 10:57 - 2012-06-14 15:08 - 0000000 ____D C:\Users\JonEJet\DoctorWeb
2012-06-15 05:54 - 2012-06-15 05:52 - 0000000 ____A C:\Windows\System32\install_results
2012-06-15 05:53 - 2012-06-15 05:53 - 0000000 ____D C:\Program Files\MediaFire Express
2012-06-15 05:52 - 2012-06-15 05:51 - 24772832 ____A (MediaFire) C:\Users\JonEJet\Desktop\MediaFireExpress-0.13.1.3782-windows.exe
2012-06-14 22:07 - 2012-06-14 22:07 - 0138472 ____A C:\Windows\Minidump\Mini061412-01.dmp
2012-06-14 22:07 - 2011-12-24 16:50 - 296179937 ____A C:\Windows\MEMORY.DMP
2012-06-14 22:07 - 2011-12-24 16:50 - 0000000 ____D C:\Windows\Minidump
2012-06-14 15:05 - 2012-06-14 15:01 - 87081672 ____A C:\Users\JonEJet\Desktop\drweb-cureit.exe
2012-06-14 14:55 - 2011-05-18 16:44 - 0001356 ____A C:\Users\JonEJet\AppData\Local\d3d9caps.dat
2012-06-14 12:25 - 2011-12-18 20:31 - 2911356 ____A C:\Windows\ntbtlog.txt
2012-06-14 10:07 - 2012-06-14 09:50 - 137409816 ____A C:\Users\JonEJet\Desktop\setup_11.0.0.1245.x01_2012_06_14_14_31.exe
2012-06-14 03:02 - 2006-11-02 06:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-13 12:06 - 2012-06-13 12:06 - 0047616 ____A C:\Users\JonEJet\Desktop\Win32kDiag.exe
2012-06-13 10:40 - 2012-06-13 10:40 - 0029837 ____A C:\Windows\System32\svc.txt
2012-06-13 10:40 - 2012-06-13 10:40 - 0018588 ____A C:\Windows\System32\reg.txt
2012-06-12 01:00 - 2010-02-01 23:00 - 0001982 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-06-11 19:39 - 2011-04-08 13:49 - 0000000 ____D C:\Users\JonEJet\Desktop\Scapes New
2012-06-09 13:40 - 2012-06-09 13:40 - 0059246 ____A C:\Users\JonEJet\Documents\marci.jpg
2012-06-08 04:47 - 2006-11-02 06:22 - 41680896 ____A C:\Windows\System32\config\software_previous
2012-06-08 04:47 - 2006-11-02 06:22 - 17825792 ____A C:\Windows\System32\config\system_previous
2012-06-08 04:46 - 2006-11-02 07:18 - 0000000 ____D C:\Windows\System32\spool
2012-06-08 04:46 - 2006-11-02 07:18 - 0000000 ____D C:\Windows\System32\Msdtc
2012-06-08 04:46 - 2006-11-02 07:18 - 0000000 ____D C:\Windows\registration
2012-06-08 04:44 - 2006-11-02 06:22 - 40370176 ____A C:\Windows\System32\config\components_previous
2012-06-08 04:44 - 2006-11-02 06:22 - 0262144 ____A C:\Windows\System32\config\sam_previous
2012-06-08 01:13 - 2006-11-02 07:18 - 0000000 ___RD C:\users\Public
2012-06-08 00:48 - 2012-06-08 00:48 - 0138472 ____A C:\Windows\Minidump\Mini060812-01.dmp
2012-06-08 00:38 - 2006-11-02 06:22 - 0262144 ____A C:\Windows\System32\config\security_previous
2012-06-08 00:38 - 2006-11-02 06:22 - 0262144 ____A C:\Windows\System32\config\default_previous
2012-06-07 14:14 - 2006-11-02 06:33 - 0704254 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-07 12:32 - 2012-06-07 12:23 - 0000294 ____A C:\Windows\mbr.log
2012-06-07 11:03 - 2012-06-07 11:02 - 0080384 ____A C:\Users\JonEJet\Documents\MBRCheck.exe
2012-06-06 23:37 - 2012-06-06 23:37 - 0015494 ____A C:\Users\JonEJet\log.xml
2012-06-06 12:05 - 2012-05-31 10:01 - 0000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-06-06 11:51 - 2009-07-24 21:11 - 0000000 ____D C:\Program Files\Mozilla Firefox
2012-06-05 12:39 - 2012-06-04 13:13 - 0002996 ____A C:\Users\JonEJet\Downloads\SystemLook.txt
2012-06-05 11:13 - 2007-11-11 11:18 - 0000000 ____D C:\DOCS
2012-06-05 09:49 - 2012-06-05 09:49 - 0012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-06-04 15:51 - 2007-11-06 19:07 - 0000000 ____D C:\Program Files\Common Files\Java
2012-06-04 15:50 - 2012-06-04 15:51 - 0476960 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-06-04 15:50 - 2012-06-04 15:51 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-06-04 15:50 - 2012-06-04 15:51 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-06-04 15:50 - 2012-06-04 15:51 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-06-04 15:50 - 2011-04-02 12:25 - 0472864 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-06-04 15:50 - 2007-11-06 19:07 - 0000000 ____D C:\Program Files\Java
2012-06-04 12:38 - 2012-06-04 13:36 - 0002916 ____A C:\Windows\System32\SystemLook.txt
2012-06-04 11:30 - 2012-06-04 11:30 - 0868860 ____A C:\Users\JonEJet\Downloads\FSRT.exe
2012-06-02 14:55 - 2012-06-02 14:55 - 98077435 ____A (Igor Pavlov) C:\Users\JonEJet\Desktop\OTLPEStd.exe
2012-06-02 11:10 - 2006-11-02 08:52 - 0024781 ____A C:\Windows\setupact.log
2012-06-02 11:05 - 2007-11-06 18:28 - 0000000 ____D C:\Windows\System32\RTCOM
2012-06-01 12:59 - 2012-06-01 12:59 - 0000000 ____D C:\Users\JonEJet\AppData\Local\Seven Zip
2012-06-01 12:27 - 2012-06-01 12:24 - 0000857 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-06-01 12:26 - 2012-06-01 12:26 - 16339280 ____A (Mozilla) C:\Users\JonEJet\Desktop\Firefox Setup 12.0.exe
2012-06-01 11:45 - 2012-05-31 21:00 - 0000000 ____D C:\Program Files\Amazon Browser Bar
2012-06-01 11:35 - 2011-01-28 17:33 - 0000000 ____D C:\Users\JonEJet\AppData\Roaming\SoftGrid Client
2012-06-01 10:03 - 2012-06-01 10:02 - 0139264 ____A C:\Users\JonEJet\Downloads\SystemLook.exe
2012-05-31 21:01 - 2012-05-31 21:01 - 0000000 ____D C:\Program Files\Amazon
2012-05-31 13:41 - 2008-03-31 15:57 - 0089424 ____A C:\Users\JonEJet\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-31 10:23 - 2012-05-31 10:23 - 0000000 ____D C:\Users\JonEJet\Documents\OneNote Notebooks
2012-05-31 09:27 - 2012-05-31 09:27 - 0201728 ____A (OldTimer Tools) C:\Users\JonEJet\Desktop\OTC.exe
2012-05-31 09:19 - 2006-11-02 08:47 - 0349920 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-30 17:52 - 2012-05-30 17:52 - 0154916 ____A C:\Users\JonEJet\gmer.txt
2012-05-30 11:14 - 2012-05-30 11:14 - 0138472 ____A C:\Windows\Minidump\Mini053012-02.dmp
2012-05-30 11:09 - 2012-05-30 11:09 - 0138472 ____A C:\Windows\Minidump\Mini053012-01.dmp
2012-05-30 11:05 - 2012-05-30 11:04 - 4731392 ____A (AVAST Software) C:\Users\JonEJet\Desktop\aswMBR.exe
2012-05-30 10:20 - 2012-05-30 10:20 - 0000000 ____D C:\Users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-30 09:46 - 2012-05-30 09:45 - 1805736 ____A (Symantec Corporation) C:\Users\JonEJet\Desktop\FixZeroAccess.exe
2012-05-29 12:27 - 2012-05-29 12:27 - 0047616 ____A C:\Users\JonEJet\Downloads\Win32kDiag.exe
2012-05-29 11:34 - 2012-05-29 11:34 - 0302592 ____A C:\Users\JonEJet\Downloads\uyougp9z.exe
2012-05-29 11:27 - 2012-05-29 11:23 - 0000000 ____D C:\Program Files\Free Download Manager
2012-05-29 11:22 - 2012-05-29 11:22 - 0000000 ____D C:\Users\JonEJet\AppData\Roaming\Babylon
2012-05-29 11:19 - 2012-05-29 11:19 - 0809328 ____A (AirInstaller Inc.) C:\Users\JonEJet\Downloads\setup.exe
2012-05-29 11:02 - 2012-05-29 11:02 - 0000268 ____A C:\Users\JonEJet\Documents\CFScript.txt
2012-05-29 10:46 - 2012-05-29 10:46 - 0080384 ____A C:\Users\JonEJet\Downloads\MBRCheck.exe
2012-05-28 16:46 - 2012-05-28 16:45 - 82493320 ____A (Sophos Limited) C:\Users\JonEJet\Downloads\Sophos Virus Removal Tool.exe
2012-05-28 15:46 - 2012-05-28 15:46 - 2127448 ____A (Kaspersky Lab ZAO) C:\Users\JonEJet\Downloads\tdsskiller(1).exe
2012-05-28 15:46 - 2012-05-28 15:04 - 0000000 ____D C:\Users\JonEJet\AppData\Local\blekkotb_031
2012-05-28 15:04 - 2012-05-28 15:04 - 0000000 ____D C:\avast! sandbox
2012-05-28 12:15 - 2009-07-26 00:35 - 0005120 ____A C:\Users\JonEJet\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-27 10:19 - 2006-11-02 07:18 - 0000000 ____D C:\Windows\SchCache
2012-05-27 10:01 - 2012-01-01 16:22 - 0000917 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-27 10:01 - 2010-12-07 06:54 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-05-15 12:02 - 2011-01-28 18:43 - 0000000 ____D C:\Users\JonEJet\Desktop\Scapes Old
2012-05-14 16:22 - 2011-01-28 15:06 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-07 13:16 - 2006-11-02 06:23 - 0002577 ____A C:\Windows\System32\config.nt
2012-04-04 15:56 - 2010-12-07 06:54 - 0022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-26 08:56 - 2012-03-26 08:56 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2009-02-21 16:56] - [2008-10-29 02:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll
[2011-01-28 15:41] - [2008-01-19 00:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys
[2011-01-28 15:40] - [2008-01-19 00:42] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================


========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 2038.33 MB
Available physical RAM: 1724.23 MB
Total Pagefile: 1869.04 MB
Available Pagefile: 1781.33 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.39 MB

======================= Partitions =========================

1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: (SQ004585V03) (Fixed) (Total:110.32 GB) (Free:61.12 GB) NTFS
3 Drive x: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Unknown 1500 MB 1024 KB
Partition 2 Primary 110 GB 1501 MB
======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 TOSHIBA SYS NTFS Partition 1500 MB Healthy
======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C SQ004585V03 NTFS Partition 110 GB Healthy
======================================================================================================

==========================================================

Last Boot:

======================= End Of Log ==========================

Re: Root Kit....Zero Access

Still being redirected FWIW.....lol Jeez

Re: Root Kit....Zero Access

We're doing a bit of damage control here, so forgive me if any of your browser extensions get deleted.

(Side note: You're very persistent. We could use you on the force. Let me know if you'd like some training!)

This system is hereby untrusted! Therefore, even if there are no signs of rootkits or redirects, there may still be malware lurking about. It is most recommended to forbid any more steps here, and reformat and reinstall your PC. If you choose to continue, and we can try anyway, I have no guarantees. Continue below if you choose!!

Type 27 Hidden Partition Identified!!

Do you know what this partition was created for: Partition 1 Unknown 1500 MB 1024 KB? The size of it is 1500 MB.

Please go to: VirusTotal


  • Click the Browse button and search for the following file: c:\program files\mozilla firefox\components\browsercomps.dll
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.


Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    killall::

    ADS::
    C:\Users\JonEJet\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\41F219BD-00000001.eml:OECustomProperty

    File::
    c:\windows\system32\shoA32C.tmp
    C:\Users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_icmlaeflemplmjndnaapfdbbnpncnbda_0.localstorage
    C:\Users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pbjikboenpfhbbejgkoklgkhjpfogcam_0.localstorage
    C:\Users\JonEJet\Downloads\uyougp9z.exe
    C:\Users\JonEJet\Downloads\setup.exe

    Folder::
    C:\Users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Default\aabjollpjkfbikmogkgjjdogkmdhjeoj
    C:\Users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0
    C:\Users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\379QDL8O
    C:\Users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EODNN00Q
    C:\Users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SMJR8YQY
    C:\Users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DQ35FAKR
    C:\Users\JonEJet\AppData\Local\temp\WPDNSE

    SigCheck::
    c:\windows\explorer.exe
    C:\Windows\System32\User32.dll
    C:\Windows\System32\Drivers\volsnap.sys

    Reg::
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]

    Driver::
    MpsSvc

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    (Image: CFScriptB-4)

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
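As an added check (not code from this thread, FRST or ComboFix), here is a small Python parser for the diskpart-style blocks FRST prints under "Partitions", with a triage pass that flags hidden partitions, unknown types, and active partitions that are not a normal Windows file-system type. The sample text is copied from the log above; the type table is an assumed reference of common MBR IDs (0x27 is the ID Windows uses for its hidden WinRE/OEM recovery partition, which matches the "TOSHIBA SYS" label seen in the log).

```python
import re

# Constructed sample: the two "Disk: 0" blocks copied from the FRST
# "Partitions" section posted earlier in this thread.
FRST_PARTITIONS = """\
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
"""

# Assumed reference table of common MBR partition type IDs (not from the log).
MBR_TYPES = {
    0x05: "Extended (CHS)",
    0x07: "NTFS / exFAT (installable file system)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x27: "Hidden NTFS: Windows RE / OEM recovery partition",
    0x82: "Linux swap",
    0x83: "Linux",
}


def parse_partitions(text):
    """Turn FRST's per-partition blocks into dicts with disk, number,
    type (int), hidden (bool) and active (bool)."""
    parts, disk, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"Disk:\s*(\d+)", line)
        if m:
            disk = int(m.group(1))
            continue
        m = re.fullmatch(r"Partition\s+(\d+)", line)
        if m:
            cur = {"disk": disk, "number": int(m.group(1)),
                   "type": None, "hidden": False, "active": False}
            parts.append(cur)
            continue
        if cur is None:
            continue
        m = re.fullmatch(r"Type\s*:\s*([0-9A-Fa-f]{1,2})", line)
        if m:
            cur["type"] = int(m.group(1), 16)
            continue
        m = re.fullmatch(r"(Hidden|Active):\s*(Yes|No)", line)
        if m:
            cur[m.group(1).lower()] = m.group(2) == "Yes"
    return parts


def flag_partitions(parts):
    """Return the partitions an analyst should look at, each with notes
    saying why.  A hidden 0x27 partition that is not active is the normal
    layout of an OEM recovery partition; a hidden partition of an unknown
    type, or an active one that is not a Windows file-system type, deserves
    a closer look with the MBR/bootkit scanners already used in this thread."""
    findings = []
    for p in parts:
        desc = MBR_TYPES.get(p["type"], "unknown type")
        notes = []
        if p["hidden"]:
            notes.append("hidden")
        if p["type"] not in MBR_TYPES:
            notes.append("type not in reference table")
        if p["active"] and p["type"] not in (0x07, 0x0C):
            notes.append("active but not a Windows file-system type")
        if notes:
            type_id = "??" if p["type"] is None else "%02X" % p["type"]
            findings.append({
                "disk": p["disk"], "number": p["number"],
                "type_id": type_id, "description": desc, "notes": notes,
            })
    return findings


if __name__ == "__main__":
    for f in flag_partitions(parse_partitions(FRST_PARTITIONS)):
        print("Disk %s partition %d (type %s, %s): %s"
              % (f["disk"], f["number"], f["type_id"], f["description"],
                 ", ".join(f["notes"])))
```

On the log above this reports only partition 1 (type 27, hidden, not active), i.e. the layout of a stock recovery partition; partition 2 (type 07, active) passes.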

Re: Root Kit....Zero Access

Jay....I'm very competitive dude....I can't stand losing, and this little guy has me fired up....I got to beat this thing.....If I can help the boys here in any way, I'm your guy!!!! (Gunsmoke)

Let's get back at it

Re: Root Kit....Zero Access

https://www.virustotal.com/file/5399287c7dc6745c5c760e7f1e0da343a040f7176c867d59a4d6e4da4863ce78/analysis/1339810080/



ComboFix 12-06-15.03 - JonEJet 06/15/2012 21:34:42.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1068 [GMT -4:00]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
Command switches used :: c:\users\JonEJet\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_icmlaeflemplmjndnaapfdbbnpncnbda_0.localstorage"
"c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pbjikboenpfhbbejgkoklgkhjpfogcam_0.localstorage"
"c:\users\JonEJet\Downloads\setup.exe"
"c:\users\JonEJet\Downloads\uyougp9z.exe"
"c:\windows\system32\shoA32C.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Default\aabjollpjkfbikmogkgjjdogkmdhjeoj
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Default\aabjollpjkfbikmogkgjjdogkmdhjeoj\background.html
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Default\aabjollpjkfbikmogkgjjdogkmdhjeoj\ContentScript.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Default\aabjollpjkfbikmogkgjjdogkmdhjeoj\manifest.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\ar\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\be\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\bg\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\ca\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\cs\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\da\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\de\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\el\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\en\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\en_GB\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\es\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\et\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\fa\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\fi\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\fr\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\he\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\hr\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\hu\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\id\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\it\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\ja\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\ko\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\nb\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\nl\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\pl\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\pt_BR\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\pt_PT\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\ro\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\ru\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\sk\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\sl\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\sr\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\sv\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\th\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\tr\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\uk\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\ur\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\vi\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\zh_CN\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\_locales\zh_TW\messages.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\background.html
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\manifest.json
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\popup.html
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\anchor.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\background.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\dateFormat.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\jquery.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\mouse.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\pbj.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\popup.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\protobuf.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\query.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\ratings.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\warnDlg.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\scripts\wrc_gpb.js
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\css\anchor.css
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\css\popup.css
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\background-body.jpg
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\background-right-bottom.jpg
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\background-right-top.jpg
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\close.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\disabled.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\grey.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\horizontal-line-white.jpg
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\horizontal-line.jpg
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icon_incorrect.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\corporate-small-disable.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\corporate-small-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\corporate.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\drugs-small-disable.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\drugs-small-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\drugs.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\gambling-small-disable.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\gambling-small-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\gambling.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green-1.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green-2.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green-3.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green-hover.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green1-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green1-small.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green2-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green2-small.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green3-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green3-24.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\green3-small.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\grey-0.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\grey-3.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\grey-small.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\grey0-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\grey3-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\illegal-small-disable.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\illegal-small-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\illegal.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\it-small-disable.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\it-small-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\it.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\limet-hover.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\limet-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\limet.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\line-dark-horizontal.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\line-light-horizontal.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\logo128.jpg
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\logo256.jpg
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\logo48.jpg
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\logo64.jpg
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\news-small-disable.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\news-small-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\news.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\orange-hover.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\orange-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\orange.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\orange1-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\orange2-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\orange3-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\pornography-small-disable.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\pornography-small-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\pornography.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red-1.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red-2.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red-3.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red-hover.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red1-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red1-small.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red2-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red2-small.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red3-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\red3-small.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\shopping-small-disable.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\shopping-small-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\shopping.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\social-small-disable.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\social-small-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\social.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\violence-small-disable.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\violence-small-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\violence.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\weapons-small-disable.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\weapons-small-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\weapons.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow-1.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow-2.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow-3.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow-hover.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow-selected.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow1-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow1-small.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow2-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow2-small.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow3-16.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\icons\yellow3-small.png
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\logo.jpg
c:\users\JonEJet\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\skin\images\vertical-line.jpg
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\379QDL8O
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\379QDL8O\&s=4uZeW4mRG8DveJvWLJ34AZkGGls[1].htm
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\379QDL8O\desktop.ini
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DQ35FAKR
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DQ35FAKR\desktop.ini
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DQ35FAKR\pixel[1].gif
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EODNN00Q
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EODNN00Q\127.0.0[1].1
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EODNN00Q\desktop.ini
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EODNN00Q\favicon[1].ico
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SMJR8YQY
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SMJR8YQY\desktop.ini
c:\users\JonEJet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SMJR8YQY\logo3[1].png
c:\users\JonEJet\AppData\Local\temp\WPDNSE
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_MpsSvc
.
.
((((((((((((((((((((((((( Files Created from 2012-05-16 to 2012-06-16 )))))))))))))))))))))))))))))))
.
.
2012-06-16 01:46 . 2012-06-16 01:46 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-06-16 01:46 . 2012-06-16 01:46 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-06-16 01:46 . 2012-06-16 01:46 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-06-16 01:46 . 2012-06-16 01:46 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-06-16 01:44 . 2012-06-16 01:51 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-16 01:44 . 2012-06-16 01:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-16 01:44 . 2012-06-16 01:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-15 20:07 . 2012-06-15 22:01 -------- d-----w- C:\FRST
2012-06-15 19:31 . 2012-06-15 19:43 -------- d-----w- C:\_OTL
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-15 22:05 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-08 18:12 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-15 18:29 -------- d-----w- C:\SeviceFix
2012-06-01 16:24 . 2012-04-21 01:18 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-06-01 16:24 . 2012-04-21 01:18 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-06 16:05 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-06 15:50 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-06 15:50 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-06 15:50 157600 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-06 15:50 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
2012-05-28 19:04 . 2012-05-28 19:46 -------- d-----w- c:\users\JonEJet\AppData\Local\blekkotb_031
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-06 15:50 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
.
------- Supplementary Scan -------
.
uStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BFE]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Microsoft Application Virtualization Client\sftlist.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
c:\windows\RtHDVCpl.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
.
**************************************************************************
.
Completion time: 2012-06-15 22:20:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-16 02:19
ComboFix2.txt 2012-06-15 19:20
.
Pre-Run: 65,528,909,824 bytes free
Post-Run: 65,221,079,040 bytes free
.
- - End Of File - - 6AC8B579407FAAAFFAC700494BBB44B0

Re: Root Kit....Zero Access
This friggin' thing is absolutely nuts

Still redirecting http://8.26.70.252/see/display.php?q=bart+scott&affsub=46938-97510&subid=e10


Re: Root Kit....Zero Access
Found the tripwire. Let's see a little bit more action and catch your machine at ALL ANGLES...Honestly, it should not be this hard to remove this thing. Others have removed it with ease.


Please download aswMBR from here


  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below


[image: AswMBR_Scan]

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives


  • Once the scan finishes click Save log to save the log to your Desktop
    [image: AswMBR_SaveLog]

  • Copy and paste the contents of aswMBR.txt back here for review


Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

Note: please close all other applications running on your system.

Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

Click the Settings button.

[image: Settingsslider]

Set the slider to Maximum.

[image: Driversports]

IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.


[image: Generaltab]

On the General tab, make sure all of the boxes are checked.


[image: Misce]

On the Misc tab, make sure all the checkboxes are checked.

Then, click OK on the windows that you launched.


Click Create Report to run it.

[image: Beginscanning]
It will begin scanning.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.


Please run Panda ActiveScan online scan.

  • Choose Quick Scan then click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply

Re: Root Kit....Zero Access
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-16 10:39:32
-----------------------------
10:39:32.520 OS Version: Windows 6.0.6001 Service Pack 1
10:39:32.520 Number of processors: 2 586 0xF0D
10:39:32.522 ComputerName: JONEJET-PC UserName: JonEJet
10:39:37.676 Initialize success
10:39:37.848 AVAST engine defs: 12061600
10:39:40.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
10:39:40.500 Disk 0 Vendor: TOSHIBA_MK1246GSX LB213M Size: 114473MB BusType: 3
10:39:40.531 Disk 0 MBR read successfully
10:39:40.531 Disk 0 MBR scan
10:39:40.547 Disk 0 Windows VISTA default MBR code
10:39:40.562 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
10:39:40.593 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 112969 MB offset 3074048
10:39:40.593 Disk 0 scanning sectors +234434560
10:39:40.734 Disk 0 scanning C:\Windows\system32\drivers
10:40:08.181 Service scanning
10:41:36.165 Modules scanning
10:42:09.689 Disk 0 trace - called modules:
10:42:09.845 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
10:42:10.360 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85662ac8]
10:42:10.360 3 CLASSPNP.SYS[82b0b745] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x84e8cab0]
10:42:13.464 AVAST engine scan C:\Windows
10:42:21.919 AVAST engine scan C:\Windows\system32
10:52:14.985 AVAST engine scan C:\Windows\system32\drivers
10:52:43.002 AVAST engine scan C:\Users\JonEJet
10:55:06.351 AVAST engine scan C:\ProgramData
10:56:33.586 Scan finished successfully
11:00:03.078 Disk 0 MBR has been saved successfully to "C:\Users\JonEJet\Desktop\MBR.dat"
11:00:03.094 The log file has been saved successfully to "C:\Users\JonEJet\Desktop\aswMBR.txt"




http://www.getsysteminfo.com/read.php?file=7df54e93c9f25e439d127233538d1e42

Re: Root Kit....Zero Access
Malware. FILE: C:\USERS\JONEJET\APPDATA\LOCAL\TEMP:WINUPD.EXE to be deleted.

Malware. REGKEY: HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN[START PAGE]. Variable: START PAGE To be changed to: auto:blank

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[SUPERHIDDEN] to be changed to: 0

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[SHOWSUPERHIDDEN] to be changed to: 1

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0
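The colon in C:\USERS\JONEJET\APPDATA\LOCAL\TEMP:WINUPD.EXE is NTFS alternate data stream syntax: a stream named WINUPD.EXE hanging off the Temp folder itself, which neither Explorer nor a plain dir will ever list. As an added example (not part of this thread and not GSI's own code), here is a PowerShell 3.0+ check that lists non-default streams on the Temp folder and compares the three Explorer values and the IE start page against the settings GSI proposes above. It reports only and changes nothing; the "expected" table and the function names are my own.

```powershell
# Added example: report the items GSI flagged above, without changing anything.
# Assumes PowerShell 3.0 or later (Get-Item -Stream); function names are mine.

function Get-AlternateDataStreams {
    # Lists NTFS alternate data streams on a file or folder. ':$DATA' is the
    # ordinary content stream of a file; anything else is an ADS and deserves a look.
    param([string]$Path = $env:TEMP)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

function Get-ExplorerHidingSettings {
    # Values GSI wants (taken from the report above); constructed table, not GSI's logic.
    $expected = [ordered]@{ SuperHidden = 0; ShowSuperHidden = 1; HideFileExt = 0 }
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $current = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Current  = $current
            Expected = $expected[$name]
            Matches  = ($current -eq $expected[$name])
        }
    }
}

function Get-IEStartPage {
    # GSI flagged HKLM\...\Internet Explorer\Main "Start Page"; HKCU is shown as well for comparison.
    foreach ($hive in 'HKLM', 'HKCU') {
        $main = Get-ItemProperty -Path "$($hive):\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Hive = $hive; StartPage = $main.'Start Page' }
    }
}

Get-AlternateDataStreams   | Format-Table -AutoSize
Get-ExplorerHidingSettings | Format-Table -AutoSize
Get-IEStartPage            | Format-Table -AutoSize
```

If the first table shows a stream named WINUPD.EXE on the Temp folder, its bytes can be pulled out for the helper with Get-Content -LiteralPath $env:TEMP -Stream WINUPD.EXE -Encoding Byte (or dir /r in cmd.exe to confirm it is there) without touching the stream itself; SuperHidden=1 and HideFileExt=1 together are what keep a planted file invisible in Explorer, which is why GSI wants them flipped back.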

Re: Root Kit....Zero Access
Still being redirected

Re: Root Kit....Zero Access
http://www.mediafire.com/?661h6lhm0ei2ik4

Re: Root Kit....Zero Access
Let me straighten a few views in this situation:

-There is no driver associated with this infection.
-No files!!
-This is a pure hardcoded mountpoint somewhere in the OS. Problem is, figuring out where the mountpoint is.

ZAccess was preventing ComboFix from running, but the developer temporarily filled in a workaround so ComboFix could run...which means: ComboFix cannot remove the new variant.

Believe me when I say it, if this doesn't work and you want to keep fighting, we'll be working from a Linux environment!!

There are a few rootkit tools we will use, very unorthodox, but totally worth it! Your computer is now my test machine...temporarily.
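The helper's point is that this variant lives in a redirect rather than in a driver or a file, so the hunt is for a reparse point (junction, symbolic link or volume mount point) that sends the OS somewhere it should not go. As an added example, not from the thread or from any of the tools it names, here is a PowerShell 5.1+ sweep that lists every reparse point under the Windows directory, ProgramData and the user profile together with its target and last-write time; the choice of roots and the function name are mine.

```powershell
# Added example: enumerate reparse points and where they point.
# Assumes PowerShell 5.1 or later (LinkType/Target properties on file system items).

function Get-ReparsePointReport {
    param(
        # Roots to sweep; my assumption, extend as needed (the whole drive is slow but thorough)
        [string[]]$Roots = @($env:SystemRoot, $env:ProgramData, $env:USERPROFILE)
    )
    foreach ($root in $Roots) {
        # -Force includes hidden/system items; -Attributes ReparsePoint keeps only links and mount points
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Kind     = if ($_.PSIsContainer) { 'Directory' } else { 'File' }
                    LinkType = $_.LinkType            # Junction, SymbolicLink, or empty for other reparse tags
                    Target   = ($_.Target -join '; ')
                    Modified = $_.LastWriteTime
                }
            }
    }
}

# Newest first: a reparse point created around the time the redirects started stands out.
Get-ReparsePointReport | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Vista profiles ship a set of compatibility junctions (for example "Application Data" pointing at AppData\Roaming), so the list will not be empty on a clean machine; what deserves attention is a junction whose target lies outside the tree it sits in, or an entry with an empty LinkType, whose raw reparse tag can then be read with fsutil reparsepoint query <path>.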


Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.


  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you to Enter your choice: enter
    [1] Dump the MBR of a physical disk to file.
    and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    and then press Enter.
  • The program will ask for the file name to dump to, type dump.dat and Press Enter. You should see Dumped successfully.
  • Next, type -1 and press Enter. Next press Enter again, and the program will exit.
  • Save it to your desktop then attach the resultant output in your next reply

  • Please download SanityCheck to your Desktop from here.

  • Please close all open windows, double-click "SanitySetup.exe" and follow the prompts to install the tool.
    Please choose "I accept the agreement" and make sure to place a checkmark next to "Create a Desktop icon"

  • At the end, please click the "Finish" button. Click "Yes" and "OK" to close the next messages.
    Please close the program and restart your computer.

  • Now, please re-run the program by clicking its icon or from "Start" => "All the programs" => "SanityCheck" and click the "Analyze.." button.

  • Finally, please click "OK" and scroll down the window to copy and paste the results in your next reply.

Please download 7-Zip and install it. If you already have it, no need to reinstall.

Then, download RootkitUnhooker and save the setup to your Desktop.

  • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
  • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
  • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
  • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
  • Once inside the interface, do not fix anything. Click on the Report tab.
  • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
  • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
  • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.


Last edited by DragonMaster Jay on 16th June 2012, 7:56 pm; edited 1 time in total
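The MBRCheck step above asks for a raw dump of sector 0 (dump.dat; aswMBR wrote the same thing to MBR.dat earlier in the thread). What a helper does with such a dump is check the 0x55AA boot signature, read the four partition entries, and hash the boot code so it can be compared against a known-good copy or against the SHA1 MBRCheck prints. The script below is an added example, not a tool from this thread. The sample sector it builds is constructed (stub boot code, one active NTFS partition placed at the 0x5dd00000 byte offset MBRCheck later reports for C:), the known-good hash set is whatever you supply, and because the page does not say whether MBRCheck hashes the whole sector or just the boot code, both hashes are computed.

```python
"""Triage a raw MBR dump (MBR.dat from aswMBR, dump.dat from MBRCheck).
Added example for this thread, not part of either tool."""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # boot code occupies bytes 0..439 of a classic MBR
DISK_SIG_OFF = 0x1B8       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE       # 0x55 0xAA
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x0F: "Extended LBA", 0x27: "Windows RE", 0x83: "Linux"}


def load_sector(path: str) -> bytes:
    """Read sector 0 from a dump file produced by aswMBR or MBRCheck."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into hashes, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_count == 0:
            continue                      # empty slot
        partitions.append({
            "index": i, "status": status, "bootable": status == 0x80,
            "type": ptype, "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start, "lba_count": lba_count,
            "byte_offset": lba_start * SECTOR_SIZE,   # what MBRCheck prints as "at offset"
        })
    return {
        "boot_sig_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "sha1_sector": hashlib.sha1(sector).hexdigest().upper(),
        "sha1_bootcode": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def triage_mbr(sector: bytes, known_good_bootcode=frozenset()) -> list:
    """Return findings a helper would want to see; an empty list means nothing stood out."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["boot_sig_ok"]:
        findings.append("missing 0x55AA boot signature")
    if known_good_bootcode and mbr["sha1_bootcode"] not in known_good_bootcode:
        findings.append(f"boot code SHA1 {mbr['sha1_bootcode']} not in known-good set")
    active = [p for p in mbr["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions marked active (expected exactly 1)")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02X}")
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']}: starts at LBA 0, overlapping the MBR")
    spans = sorted((p["lba_start"], p["lba_start"] + p["lba_count"], p["index"])
                   for p in mbr["partitions"])
    for (s1, e1, i1), (s2, _e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sector for the demo (not a dump from the thread): stub boot code and
    one active NTFS partition at the byte offset MBRCheck reported for C: in this thread."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" + b"\x90" * (BOOT_CODE_LEN - 11)
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        0x5DD00000 // SECTOR_SIZE, 230_000_000)
    return boot_code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    sector = load_sector(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(sector)
    print(f"boot sig ok: {info['boot_sig_ok']}  sector SHA1: {info['sha1_sector']}")
    print(f"boot code SHA1: {info['sha1_bootcode']}")
    for p in info["partitions"]:
        print(f"  [{p['index']}] {'*' if p['bootable'] else ' '} type 0x{p['type']:02X} "
              f"({p['type_name']}) offset 0x{p['byte_offset']:X} sectors {p['lba_count']}")
    print("findings:", triage_mbr(sector) or "none")
```

Run it as `python mbr_triage.py MBR.dat` against a real dump; with no argument it uses the constructed sector. The partition byte offset it prints is the same number MBRCheck shows after "at offset", which is a quick way to confirm the dump really is sector 0 of the disk that holds C:.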

Re: Root Kit....Zero Access

This is a quest at this point....hahaha

Let's give it hell

Got this from MBR check...let me try again, not what you wanted

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 1 (build 6001), 32-bit
Base Board Manufacturer: Intel Corporation
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: TOSHIBA
System Product Name: Satellite A205
Logical Drives Mask: 0x0001000c

Kernel Drivers (total 156):
0x81E1E000 \SystemRoot\system32\ntkrnlpa.exe
0x821D7000 \SystemRoot\system32\hal.dll
0x8040B000 \SystemRoot\system32\kdcom.dll
0x80413000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80473000 \SystemRoot\system32\PSHED.dll
0x80484000 \SystemRoot\system32\BOOTVID.dll
0x8048C000 \SystemRoot\system32\CLFS.SYS
0x804CD000 \SystemRoot\system32\CI.dll
0x80606000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80682000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8068F000 \SystemRoot\system32\drivers\acpi.sys
0x806D5000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806DE000 \SystemRoot\system32\drivers\msisadrv.sys
0x806E6000 \SystemRoot\system32\drivers\pci.sys
0x8070D000 \SystemRoot\System32\drivers\partmgr.sys
0x8071C000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8071F000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x80729000 \SystemRoot\system32\drivers\volmgr.sys
0x80738000 \SystemRoot\System32\drivers\volmgrx.sys
0x80782000 \SystemRoot\system32\drivers\intelide.sys
0x80789000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x80797000 \SystemRoot\system32\DRIVERS\pcmcia.sys
0x807C1000 \SystemRoot\System32\drivers\mountmgr.sys
0x807D1000 \SystemRoot\system32\drivers\atapi.sys
0x807D9000 \SystemRoot\system32\drivers\ataport.SYS
0x805AD000 \SystemRoot\system32\drivers\msahci.sys
0x805B7000 \SystemRoot\system32\drivers\fltmgr.sys
0x805E9000 \SystemRoot\system32\drivers\fileinfo.sys
0x807F7000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x8280D000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8287E000 \SystemRoot\system32\drivers\ndis.sys
0x82989000 \SystemRoot\system32\drivers\msrpc.sys
0x829B4000 \SystemRoot\system32\drivers\NETIO.SYS
0x82A02000 \SystemRoot\System32\drivers\tcpip.sys
0x82AEB000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x87E0A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x87F19000 \SystemRoot\system32\drivers\volsnap.sys
0x87F52000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
0x87F57000 \SystemRoot\system32\DRIVERS\tos_sps32.sys
0x87FA2000 \SystemRoot\System32\Drivers\spldr.sys
0x87FAA000 \SystemRoot\System32\Drivers\mup.sys
0x87FB9000 \SystemRoot\System32\drivers\ecache.sys
0x87FE0000 \SystemRoot\system32\drivers\disk.sys
0x82B06000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x87FF1000 \SystemRoot\system32\drivers\crcdisk.sys
0x82B3F000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x82B4A000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x82B53000 \SystemRoot\system32\DRIVERS\FwLnk.sys
0x82B5B000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8C40A000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8CA41000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8CAE0000 \SystemRoot\System32\drivers\watchdog.sys
0x8CAED000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8CAF8000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8CB36000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8CB45000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8CB57000 \SystemRoot\system32\DRIVERS\yk60x86.sys
0x8CB90000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8CBA3000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8CBAE000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8CBDB000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8CBDD000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8CBE8000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys
0x82B6A000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8CBEC000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x82B82000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x82BB0000 \SystemRoot\system32\DRIVERS\storport.sys
0x8CBF0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8BE03000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8BE1A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8BE25000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8BE48000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8BE57000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8BE6B000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8BE80000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8BE90000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8BE92000 \SystemRoot\system32\DRIVERS\ks.sys
0x8BEBC000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8BEC6000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8BED3000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8BF07000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8C000000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8C1AF000 \SystemRoot\system32\drivers\portcls.sys
0x8BF18000 \SystemRoot\system32\drivers\drmk.sys
0x8CC08000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0x8CD24000 \SystemRoot\system32\drivers\modem.sys
0x8CD31000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x8CDCB000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8CDD4000 \SystemRoot\System32\Drivers\Null.SYS
0x8CDDB000 \SystemRoot\System32\Drivers\Beep.SYS
0x8CDEB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8CDF2000 \SystemRoot\System32\drivers\vga.sys
0x8C1DC000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8CC00000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8CDE2000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8BF3D000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8BF48000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8BF56000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8BF5F000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x8BF6B000 \SystemRoot\system32\DRIVERS\smb.sys
0x8BF7F000 \SystemRoot\system32\drivers\afd.sys
0x8BFC7000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x8BFCE000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8D20D000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8D223000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x8D22C000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8D242000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8D250000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8D263000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x8D269000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8D2A5000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8D2AF000 \SystemRoot\System32\Drivers\dfsc.sys
0x8D2C6000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x8D2ED000 \SystemRoot\System32\Drivers\aswSP.SYS
0x8D33E000 \SystemRoot\system32\DRIVERS\RTL8187B.sys
0x8D384000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8D39B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8D3A4000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8D3B4000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8D3BD000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x8D3C5000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8D3D2000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8D3DD000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x94870000 \SystemRoot\System32\win32k.sys
0x8D3E7000 \SystemRoot\System32\drivers\Dxapi.sys
0x8D3F1000 \SystemRoot\system32\DRIVERS\monitor.sys
0x94A90000 \SystemRoot\System32\TSDDD.dll
0x94AB0000 \SystemRoot\System32\cdd.dll
0xA6C0D000 \SystemRoot\system32\drivers\luafv.sys
0xA6C28000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0xA6C5B000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xA6C72000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA6C75000 \SystemRoot\system32\DRIVERS\Sftvollh.sys
0xA6C86000 \SystemRoot\system32\drivers\spsys.sys
0xA6D35000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xA6D45000 \SystemRoot\system32\DRIVERS\nwifi.sys
0xA6D6F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA6D79000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xA6D8C000 \SystemRoot\system32\drivers\HTTP.sys
0xAA200000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xAA21D000 \SystemRoot\system32\DRIVERS\bowser.sys
0xAA236000 \SystemRoot\system32\drivers\mrxdav.sys
0xAA256000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAA275000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAA2AE000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xAA2C6000 \SystemRoot\System32\DRIVERS\srv2.sys
0xAA2EE000 \SystemRoot\System32\DRIVERS\srv.sys
0xAE00A000 \SystemRoot\system32\drivers\peauth.sys
0xAE0E8000 \SystemRoot\System32\Drivers\secdrv.SYS
0xAE0F2000 \SystemRoot\system32\DRIVERS\Sftfslh.sys
0xAE186000 \SystemRoot\system32\DRIVERS\Sftplaylh.sys
0xAE1BC000 \SystemRoot\System32\drivers\tcpipreg.sys
0xAE1C8000 \SystemRoot\system32\DRIVERS\Sftredirlh.sys
0xAE1D1000 \SystemRoot\system32\DRIVERS\cdfs.sys
0xAE1E7000 \??\C:\Users\JonEJet\AppData\Local\Temp\aswMBR.sys
0x76EF0000 \Windows\System32\ntdll.dll

Processes (total 66):
0 System Idle Process
4 System
540 C:\Windows\System32\smss.exe
612 csrss.exe
656 C:\Windows\System32\wininit.exe
668 csrss.exe
700 C:\Windows\System32\services.exe
748 C:\Windows\System32\winlogon.exe
776 C:\Windows\System32\lsass.exe
784 C:\Windows\System32\lsm.exe
944 C:\Windows\System32\svchost.exe
1008 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
1056 C:\Windows\System32\svchost.exe
1096 C:\Windows\System32\svchost.exe
1192 C:\Windows\System32\svchost.exe
1204 C:\Windows\System32\svchost.exe
1312 C:\Windows\System32\audiodg.exe
1344 C:\Windows\System32\SLsvc.exe
1384 C:\Windows\System32\svchost.exe
1544 C:\Windows\System32\svchost.exe
1752 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1780 C:\Windows\System32\dwm.exe
1792 C:\Windows\explorer.exe
1916 C:\Windows\System32\spoolsv.exe
1980 C:\Windows\System32\taskeng.exe
2016 C:\Windows\System32\taskeng.exe
652 C:\Windows\System32\agrsmsvc.exe
328 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
936 C:\Windows\System32\svchost.exe
2168 C:\Windows\System32\lxducoms.exe
2260 C:\TOSHIBA\IVP\ISM\pinger.exe
2476 C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
2496 C:\Windows\System32\svchost.exe
2556 C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
2600 C:\Windows\System32\TODDSrv.exe
2624 C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
2708 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
2788 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
2812 C:\Windows\System32\svchost.exe
2924 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
2944 C:\Windows\System32\SearchIndexer.exe
2988 C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
3388 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
3704 C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
4016 C:\Windows\System32\igfxpers.exe
1680 C:\Windows\RtHDVCpl.exe
1144 C:\Program Files\Synaptics\SynTP\SynTPStart.exe
2772 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
2916 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2964 C:\Program Files\AVAST Software\Avast\AvastUI.exe
3260 C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe
3344 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2212 C:\Windows\System32\wbem\unsecapp.exe
3572 WmiPrvSE.exe
3876 C:\Program Files\Synaptics\SynTP\SynToshiba.exe
3472 C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
4080 C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
848 C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
2828 C:\Windows\System32\wuauclt.exe
3464 C:\Program Files\Mozilla Firefox\firefox.exe
3952 C:\Windows\System32\taskeng.exe
5280 C:\Windows\System32\ctfmon.exe
6032 C:\Program Files\Mozilla Firefox\plugin-container.exe
4100 C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
3964 C:\Program Files\Java\jre6\bin\java.exe
5288 C:\Users\JonEJet\Documents\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)
\\.\Q: --> error 5

PhysicalDrive0 Model Number: TOSHIBAMK1246GSX, Rev: LB213M

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: BBAD517F7EAC529451E4B9586C847AE190574F61


Done!
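A listing like the one above is long, and the helper's point that this variant leaves no driver and no file behind means the interesting entries are the odd ones out rather than an obvious foreign name. The script below is an added example, not part of MBRCheck or of this thread: it walks the Kernel Drivers and Processes sections and flags drivers loaded by absolute `\??\` path, drivers loaded from user-writable directories, processes MBRCheck could not resolve to an image path, and processes running from per-user folders. The rule set and the list of "user-writable" markers are my assumptions; the sample input is an excerpt of the log posted above plus the volume-map lines that end the process list. On this excerpt the Temp-loaded aswMBR.sys is expected, since the aswMBR scan earlier in the thread ran from that location, which is exactly why a finding is a prompt for a question and not a verdict.

```python
"""Triage the Kernel Drivers and Processes sections of an MBRCheck log.
Added example for this thread; rules and path markers are assumptions."""
import re
from collections import Counter

DRIVER_RE = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(\S.*)$")     # "0x8CD31000 \SystemRoot\..."
PROCESS_RE = re.compile(r"^(\d+)\s+(\S.*)$")               # "1752 C:\Program Files\..."
# Locations an unprivileged user can write to (assumed list). A kernel driver loaded
# from one of these is a strong signal; a process image is a weaker one.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
KERNEL_PSEUDO_PROCESSES = {"system", "system idle process"}   # never have an image path


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage_mbrcheck(log_text: str) -> list:
    """Walk the Kernel Drivers and Processes sections and return findings as dicts."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Kernel Drivers"):
            section = "drivers"
            continue
        if line.startswith("Processes"):
            section = "procs"
            continue
        if line.startswith("\\\\.\\"):          # volume map that follows the process list
            section = None
            continue
        if section == "drivers":
            m = DRIVER_RE.match(line)
            if not m:
                continue
            path = m.group(1)
            if _user_writable(path):
                findings.append({"kind": "driver_user_writable", "path": path,
                                 "note": "kernel code loaded from a user-writable directory"})
            elif path.startswith("\\??\\"):
                findings.append({"kind": "driver_absolute_path", "path": path,
                                 "note": "loaded by absolute path rather than \\SystemRoot"})
        elif section == "procs":
            m = PROCESS_RE.match(line)
            if not m:
                continue
            pid, path = int(m.group(1)), m.group(2)
            if "\\" not in path:
                if path.lower() not in KERNEL_PSEUDO_PROCESSES:
                    findings.append({"kind": "process_no_path", "pid": pid, "path": path,
                                     "note": "image path not resolvable (protected or hidden)"})
            elif _user_writable(path):
                findings.append({"kind": "process_user_writable", "pid": pid, "path": path,
                                 "note": "image lives in a per-user directory"})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, for a one-line overview."""
    return dict(Counter(f["kind"] for f in findings))


# Excerpt of the MBRCheck log posted above, with the volume-map trailer that ends the
# process list. Constructed as test input; the full log has 156 drivers and 66 processes.
SAMPLE_LOG = r"""
Kernel Drivers (total 156):
0x81E1E000 \SystemRoot\system32\ntkrnlpa.exe
0x8CD31000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xA6C28000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0xAE1E7000 \??\C:\Users\JonEJet\AppData\Local\Temp\aswMBR.sys
0x76EF0000 \Windows\System32\ntdll.dll

Processes (total 66):
4 System
612 csrss.exe
944 C:\Windows\System32\svchost.exe
3260 C:\Users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe
3572 WmiPrvSE.exe
5288 C:\Users\JonEJet\Documents\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)
111 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
"""

if __name__ == "__main__":
    for f in triage_mbrcheck(SAMPLE_LOG):
        print(f"{f['kind']:<24} {f.get('pid', ''):>5} {f['path']}  ({f['note']})")
    print(summarize(triage_mbrcheck(SAMPLE_LOG)))
```

Feed it the whole log (`triage_mbrcheck(open("MBRCheck.txt").read())`) and read the findings against what you already know about the machine: the avast drivers and the helper's own tools account for most of them here, which leaves anything unexplained as the thing to ask about next.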

Re: Root Kit....Zero Access

--------------------------------------------------------------------------------
Analysis
--------------------------------------------------------------------------------

Analyzing your system ...

Processes are running without company, product and description information

One or more processes have been detected which have not registered any company, product and description information. This is not necessarily the work of a virus or malware but does raise a flag of suspicion. It is suggested you find out what this process belongs to and why it is running on your system.


The process mf_status.exe does not have any product, company or description information.

Information about the responsible process mf_status.exe:

file path: C:\users\jonejet\appdata\local\mediafire express\mf_status.exe
Click here to do a Google search on mf_status.exe


The process mf_daemon.exe does not have any product, company or description information.

Information about the responsible process mf_daemon.exe:

file path: C:\users\jonejet\appdata\local\mediafire express\mf_daemon.exe
Click here to do a Google search on mf_daemon.exe


The process pinger.exe does not have any product, company or description information.

Information about the responsible process pinger.exe:

file path: C:\toshiba\ivp\ism\pinger.exe
Click here to do a Google search on pinger.exe


--------------------------------------------------------------------------------


Some driver entry points are being hijacked by other modules



Module aswSP.SYS is overwriting one or more dispatch entry points of other drivers running in the system. This controversial technique could be the work of malware running in the system but it could also be the work of legitimate software.

Information about the responsible module aswSP.SYS:

file path: C:\Windows\system32\drivers\aswsp.sys
product: avast! Antivirus System
description: avast! self protection module
company: AVAST Software
Click here to do a Google search on aswSP.SYS


--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------

Irregularities have been detected on your system which indicate your system is possibly compromised by malware but it may also be that these are caused by a legitimate product. If you do not know what these files are about it is suggested that you locate the above mentioned files and do a search on their filenames with Google. This may help you find out whether the reported issues are the work of a legitimate product that you have installed deliberately or the work of a rootkit of other malware.

As always, we suggest you use a good antivirus scanner which does not make use of any controversial techniques and always practice caution when downloading files and opening email attachments.

Note that it is not always possible to make a clear distinction between malware and legitimate products. This is because certain legitimate products resort to aggressive controversial techniques as an anti-piracy measure, to avoid debugging or for anti-competitive purposes. Antivirus or other security software may be making use of rootkit-like techniques in an attempt to hide itself from malware. Worse, such products may be involved in a controversial race along the lines of "defeat evil with its own weapons".


About your system:

Windows version: Windows Vista Service Pack 1, 6.0, build: 6001
Windows dir: C:\Windows
CPU: GenuineIntel Intel(R) Pentium(R) Dual CPU T2330 @ 1.60GHz Intel586, level: 6
2 logical processors, active mask: 3
RAM: 2136674304 total

Report generated on 6/16/2012 4:32:03 PM

Re: Root Kit....Zero Access

Uh oh...something happened....able to do a search without redirect???

False alarm, dammit

Getting confused with the 7 Zip/Unhooker thing

Going to take a break...I'm frustrated...at it again tomorrow

Re: Root Kit....Zero Access
Post any details you can. I'll be back in the morning anyway.

Remember, I need the DUMP from MBRCheck, not just a log.

Anyway, see if you can get RootkitUnhooker to work. The developer of the tool might have a handle on the situation.

Re: Root Kit....Zero Access

The MBRCheck.....my only option at the end is to hit enter

it says DONE!!!!!!

Hit enter to exit.....no other option????

Re: Root Kit....Zero Access
Hit the option to dump it to the file:

Is there no option there?

Re: Root Kit....Zero Access
No, no option to dump it

Re: Root Kit....Zero Access
Wooo...hard to hold my breath anymore...okay just kidding...but seriously, ComboFix CFScript was not run properly earlier. But, we'll do a new CFScript at this time.

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    FixCSet::

    SRPEEK::
    c:\windows\explorer.exe
    C:\Windows\System32\User32.dll
    C:\Windows\System32\Drivers\volsnap.sys

    Rootkit::
    \\.\systemroot\system32\svchost.exe\*.* ::MODULE

    Reglock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BFE]
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScriptB-4]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

Lastly:

Download and run this tool: http://download.eset.com/special/ESETSirefefRemover.exe

Re: Root Kit....Zero Access

I figured out the Rootkit/Zip thing, and I'm scanning now

Re: Root Kit....Zero Access
Good. Include that with the other ComboFix Script and the ESET tool.

I will need to know if the ESET tool and ComboFix worked to solve the problem, but tell me that AFTER you have run the tools.

Re: Root Kit....Zero Access
ComboFix 12-06-15.03 - JonEJet 06/17/2012 14:46:42.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1174 [GMT -4:00]
Running from: c:\users\JonEJet\Desktop\ComboFix.exe
Command switches used :: c:\users\JonEJet\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\SavingsApp
c:\program files\SavingsApp\SavingsApp.dll
c:\program files\SavingsApp\SavingsApp.exe
c:\program files\SavingsApp\SavingsApp.ico
c:\program files\SavingsApp\SavingsApp.ini
c:\program files\SavingsApp\SavingsAppGui.exe
c:\program files\SavingsApp\SavingsAppInstaller.log
c:\program files\SavingsApp\Uninstall.exe
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome.manifest
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\background.html
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\browser.xul
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\crossrider.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\crossriderapi.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\dialog.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\lib\faye-browser-min.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\manage-apps-style.css
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\manage-apps.html
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\messaging.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\options.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\options.xul
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\push.html
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\search_dialog.xul
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\chrome\content\update.html
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\defaults\preferences\prefs.js
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\install.rdf
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\locale\en-US\translations.dtd
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\button1.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\button2.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\button3.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\button4.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\button5.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\crossrider_statusbar.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\icon128.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\icon16.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\icon24.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\icon48.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\panelarrow-up.png
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\popup.css
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\popup.html
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\popup_binding.xml
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\skin.css
c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\extensions\crossriderapp4639@crossrider.com\skin\update.css
c:\windows\system32\94AD42BA.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_94AD42BA
.
.
((((((((((((((((((((((((( Files Created from 2012-05-17 to 2012-06-17 )))))))))))))))))))))))))))))))
.
.
2012-06-17 18:56 . 2012-06-17 19:02 -------- d-----w- c:\users\JonEJet\AppData\Local\temp
2012-06-17 18:56 . 2012-06-17 18:56 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-17 18:56 . 2012-06-17 18:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-17 16:56 . 2012-06-17 16:56 -------- d-----w- c:\program files\MustBeRandomlyNamed
2012-06-17 16:49 . 2012-06-17 16:49 -------- d-----w- c:\programdata\PC Optimizer Pro
2012-06-17 16:40 . 2012-06-17 16:40 -------- d-----w- c:\program files\File Type Assistant
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Roaming\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\program files\BitZipper
2012-06-17 16:39 . 2012-06-17 16:39 -------- d-----w- c:\users\JonEJet\AppData\Local\SavingsApp
2012-06-17 16:38 . 2012-06-17 16:38 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-06-17 16:38 . 2012-06-17 16:49 -------- d-----w- c:\program files\PC Optimizer Pro
2012-06-17 16:38 . 2012-06-17 16:38 -------- d-----w- c:\programdata\WeCareReminder
2012-06-16 20:42 . 2012-06-17 16:28 -------- d-----w- c:\program files\7-Zip
2012-06-16 20:15 . 2012-06-16 20:31 -------- d-----w- c:\program files\SanityCheck
2012-06-16 20:15 . 2011-05-04 15:36 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2012-06-16 15:15 . 2012-06-16 15:15 -------- d-----w- c:\program files\Panda Security
2012-06-15 20:07 . 2012-06-15 22:01 -------- d-----w- C:\FRST
2012-06-15 19:31 . 2012-06-15 19:43 -------- d-----w- C:\_OTL
2012-06-15 09:54 . 2012-06-15 09:54 -------- d-----w- c:\programdata\boost_interprocess
2012-06-15 09:53 . 2012-06-15 09:53 -------- d-----w- c:\program files\MediaFire Express
2012-06-15 09:52 . 2012-06-17 18:41 -------- d-----w- c:\users\JonEJet\AppData\Local\MediaFire Express
2012-06-14 19:08 . 2012-06-15 14:57 -------- d-----w- c:\users\JonEJet\DoctorWeb
2012-06-14 14:14 . 2012-06-14 14:14 -------- d-----w- c:\programdata\Kaspersky Lab
2012-06-08 18:08 . 2012-06-08 18:12 -------- d-----w- c:\programdata\HitmanPro
2012-06-07 11:41 . 2012-06-15 18:29 -------- d-----w- C:\SeviceFix
2012-06-06 15:50 . 2012-06-06 15:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-06 15:50 . 2012-06-06 15:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-05 13:49 . 2012-06-05 13:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-04 19:51 . 2012-06-04 19:50 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-01 16:59 . 2012-06-01 16:59 -------- d-----w- c:\users\JonEJet\AppData\Local\Seven Zip
2012-06-01 01:01 . 2012-06-01 01:01 -------- d-----w- c:\program files\Amazon
2012-06-01 01:00 . 2012-06-01 15:45 -------- d-----w- c:\program files\Amazon Browser Bar
2012-05-31 14:01 . 2012-06-16 14:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-31 13:59 . 2012-06-16 02:20 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-31 13:59 . 2012-06-16 02:20 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-31 13:59 . 2012-06-16 02:20 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-31 13:59 . 2012-06-16 02:20 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-30 14:20 . 2012-05-30 14:20 -------- d-----w- c:\users\JonEJet\AppData\Roaming\FixZeroAccess
2012-05-29 15:23 . 2012-05-29 15:27 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22 . 2012-05-29 15:22 -------- d-----w- c:\users\JonEJet\AppData\Roaming\Babylon
2012-05-28 19:04 . 2012-05-28 19:46 -------- d-----w- c:\users\JonEJet\AppData\Local\blekkotb_031
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 19:50 . 2011-04-02 16:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-12-07 10:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 02:20 . 2012-06-01 16:24 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"MediaFire Tray"="c:\users\JonEJet\AppData\Local\MediaFire Express\mf_systray.exe" [2012-06-13 2172488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-06 1862144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\JonEJet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.3.lnk - c:\users\JonEJet\AppData\Local\temp\quickstart.exe [N/A]
_uninst_.lnk - c:\users\JonEJet\AppData\Local\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0b4fdb4952f0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:58]
.
2012-06-17 c:\windows\Tasks\PC Optimizer Pro startups.job
- c:\program files\PC Optimizer Pro\StartApps.exe [2012-04-12 11:52]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = auto:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
FF - ProfilePath - c:\users\JonEJet\AppData\Roaming\Mozilla\Firefox\Profiles\okcrvxtn.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-SavingsApp - c:\program files\SavingsApp\Uninstall.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\lxducoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_daemon.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_status.exe
c:\users\JonEJet\AppData\Local\MediaFire Express\mf_services.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
c:\progra~1\Java\jre6\bin\jp2launcher.exe
c:\program files\Java\jre6\bin\java.exe
.
**************************************************************************
.
Completion time: 2012-06-17 15:32:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-17 19:32
ComboFix2.txt 2012-06-16 02:20
ComboFix3.txt 2012-06-15 19:20
.
Pre-Run: 63,797,071,872 bytes free
Post-Run: 63,516,839,936 bytes free
.
- - End Of File - - 2DA054194162EFA36F499058FAD92377
