
computer locks up and has malware


wepxc11

New member
computer locks up and needs to be powered off before it works again and it has malware that spybot will not remove
 


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


Yep, you're infected. Please do not attach any logs or reports that we ask for unless asked to do so, just copy and paste them into this thread.



Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    [image: MBAMCapture.jpg]
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please






OTL by OldTimer
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
 
I have run Malwarebytes, no problems were found, see log below

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5507

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/01/2011 16:51:34
mbam-log-2011-01-12 (16-51-34).txt

Scan type: Quick scan
Objects scanned: 155068
Time elapsed: 9 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Unable to run OTL, I keep getting:-

OTL has encountered a problem and needs to close. We are sorry for the inconvenience.
and the following error signature:-
AppName: otl[1].exe AppVer: 3.2.20.0 ModName: kernel32.dll
ModVer: 5.1.2600.5781 Offset: 00012afb


Can you tell me what to do next
Thank you for your support
 
Try this one, you ran it already but I need to see the original file

Download DDS from one of the links below to your desktop

Link 1
Link 2

  • Double click the tool to run it.
  • A black Screen will open, just read the contents and do nothing.
  • When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
  • Copy/Paste the contents of 'DDS.txt' into your post.
  • 'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files)



Then run this one

Download the HostsXpert 4.3 - Hosts File Manager.
  • Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper left corner.
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
 

I've tried to do what you asked; below is the DDS file:-


DDS (Ver_10-12-12.02) - NTFSx86
Run by Diana at 17:20:17.78 on 13/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1480 [GMT 0:00]

AV: My Security Shield *Enabled/Updated* {739709BF-88DB-4460-A8B4-83425AB9C54D}
FW: AVG Firewall *Disabled*
FW: My Security Shield *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Documents and Settings\Diana\Local Settings\Temporary Internet Files\Content.IE5\CLVK6KT1\dds[1].scr
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\diana\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161180053796
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38195.0576851852
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6106/mcfscan.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwprovau
IFEO: image file execution options - svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.1.1 HP001708CE2B45
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-7-27 77056]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-15 135664]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-1 374152]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2011-01-12 16:54:28 602112 ----a-w- c:\temp\OTL.exe
2010-12-19 15:30:01 -------- d--h--w- C:\$AVG
2010-12-19 14:01:51 -------- d-----w- c:\docume~1\diana\applic~1\AVG10
2010-12-19 14:00:43 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-19 13:58:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-19 13:56:06 -------- d-----w- c:\program files\AVG
2010-12-19 13:49:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-15 08:09:42 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

==================== Find3M ====================

2010-11-19 15:18:39 2026 ----a-w- C:\cc_20101119_151835.reg
2010-11-19 15:18:08 91930 ----a-w- C:\cc_20101119_151753.reg
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\SETA.tmp
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\win



The Attach.txt file is attached as requested, but when I run HostsXpert I do not get "Make Hosts Writable" in the upper left hand corner; I get "Make read only" in the upper left hand corner, and when I run "Restore MS hosts file" I get the message: cannot create file C:\windows\system32\drivers\etc\hosts.


Sorry to be such a problem
Thank you for your support
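The Hosts: lines and the IFEO: line in the DDS report above are the entries a responder reads first: three unrelated host names mapped to one public address is the pattern of a HOSTS-file redirect (the names never reach their real servers), and an Image File Execution Options key for svchost.exe is worth checking because a Debugger value under it causes another program to be launched whenever svchost.exe starts. The following Python script is an added example, not part of this thread and not DDS's own code: it parses DDS-style "Pseudo HJT Report" lines and ranks these indicators. The input block is copied from the report above plus one constructed benign HOSTS line for contrast; the list of sensitive image names is an assumption, not something DDS reports.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: Hosts:/IFEO:/BHO:/TB: lines copied from the DDS report in this
# thread, plus one constructed benign HOSTS line (127.0.0.1 localhost).
SAMPLE_REPORT = """\
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
IFEO: image file execution options - svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.1.1 HP001708CE2B45
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 127.0.0.1 localhost
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
IFEO_RE = re.compile(r"^IFEO:\s+image file execution options\s+-\s+(\S+)", re.I)
ORPHAN_RE = re.compile(r"^(BHO|TB|EB):\s+(.*?)\s+-\s+No File$")

# Assumed list of system binaries for which an IFEO key on an end-user machine
# deserves immediate attention. Not exhaustive, not from DDS.
SENSITIVE_IMAGES = {"svchost.exe", "explorer.exe", "winlogon.exe",
                    "userinit.exe", "taskmgr.exe"}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def classify_hosts_entry(ip, name):
    """Classify one HOSTS mapping by where it sends the name."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"          # malformed address field
    if addr.is_loopback:
        return "block"            # sinkholed to localhost: a blocking entry
    if addr.is_private:
        return "lan"              # LAN device such as a printer
    return "redirect"             # public address: the name is being redirected


def triage(report):
    """Return (severity, message) findings for a DDS pseudo-HJT report."""
    findings = []
    redirect_targets = defaultdict(list)
    for line in report.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.groups()
            kind = classify_hosts_entry(ip, name)
            if kind == "redirect":
                redirect_targets[ip].append(name)
            elif kind == "unknown":
                findings.append(("medium", f"unparsable HOSTS address for {name}: {ip}"))
            continue
        m = IFEO_RE.match(line)
        if m:
            image = m.group(1).lower()
            sev = "high" if image in SENSITIVE_IMAGES else "medium"
            findings.append((sev, f"IFEO key present for {image}: a Debugger value "
                                  f"there runs another program whenever {image} starts"))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(("low", f"orphaned {m.group(1)} entry (No File): {m.group(2)}"))
    # Several names pointed at one public address is the redirect cluster pattern.
    for ip, names in redirect_targets.items():
        sev = "high" if len(names) > 1 else "medium"
        findings.append((sev, f"{len(names)} host name(s) redirected to public "
                              f"address {ip}: {', '.join(names)}"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REPORT):
        print(f"[{severity:6}] {message}")
```

The loopback and private-range entries are deliberately not reported: blocking lists such as the one Spybot installs put thousands of 127.0.0.1 lines in HOSTS, and a LAN printer name is normal, so a triage rule that flagged every non-default line would bury the three redirected payment domains in noise.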
 
Hi,

Do this; before you proceed, make sure you still have HostsXpert on your desktop. If you do not, then you need to redownload it.



  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the OTM icon [image: OTMdesktopicon.png] on your desktop.
  3. Paste the following code under the [image: pasteline.png] area.
    Do not include the word "Code".

    Code:
    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    c:\windows\system32\drivers\etc\hosts
    
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  4. Push the large [image: btnmoveit.png] button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the [image: results.png] line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Now run HostsXpert


Restore Microsoft's Hosts file <-- You will get a message stating that there is no hosts file available do you want to create one SAY YES





Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[image: RC1.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 

I'm sorry but I am still getting the same problems with the downloaded programs.
I have saved them to the following places:- OTM C:\Documents and Settings\Diana\Desktop
size on disc 508KB

error signature AppName: otm.exe AppVer: 3.1.17.2 ModName: kernel32.dll
ModVer: 5.1.2600.5781 Offset: 00012afb

and
HostsXpert C:\Documents and Settings\Diana\Desktop
size on disc 364KB
not getting "Make Hosts Writable" in the corner, and when I run Restore files I am getting
error: can't create file c:\windows\system32\drivers\etc\hosts

I have not yet tried to download ComboFix because the others haven't worked and I'm not sure if they need to be done in a certain order.

Thanks for your patience. If you can point out where I'm going wrong I would be grateful.
 
Thank you. I have run ComboFix and the log is below:-

ComboFix 11-01-14.01 - Diana 14/01/2011 17:07:33.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1659 [GMT 0:00]
Running from: c:\documents and settings\Diana\Desktop\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\8e8669\71.mof
c:\documents and settings\All Users\Application Data\8e8669\BackUp\HP Digital Imaging Monitor.lnk
c:\documents and settings\All Users\Application Data\8e8669\BackUp\HP Image Zone Fast Start.lnk
c:\documents and settings\All Users\Application Data\8e8669\BackUp\Symantec Fax Starter Edition Port.lnk
c:\documents and settings\All Users\Application Data\8e8669\BackUp\VIA RAID TOOL.lnk
c:\documents and settings\All Users\Application Data\8e8669\BackUp\Windows Search.lnk
c:\documents and settings\All Users\Application Data\8e8669\MSS.ico
c:\documents and settings\All Users\Application Data\8e8669\MSSSys\vd952342.bd
c:\documents and settings\Diana\Recent\ANTIGEN.dll
c:\documents and settings\Diana\Recent\ANTIGEN.drv
c:\documents and settings\Diana\Recent\ANTIGEN.exe
c:\documents and settings\Diana\Recent\ANTIGEN.sys
c:\documents and settings\Diana\Recent\ANTIGEN.tmp
c:\documents and settings\Diana\Recent\cb.dll
c:\documents and settings\Diana\Recent\cb.exe
c:\documents and settings\Diana\Recent\cb.tmp
c:\documents and settings\Diana\Recent\cid.dll
c:\documents and settings\Diana\Recent\cid.exe
c:\documents and settings\Diana\Recent\cid.tmp
c:\documents and settings\Diana\Recent\CLSV.dll
c:\documents and settings\Diana\Recent\CLSV.drv
c:\documents and settings\Diana\Recent\CLSV.sys
c:\documents and settings\Diana\Recent\CLSV.tmp
c:\documents and settings\Diana\Recent\DBOLE.dll
c:\documents and settings\Diana\Recent\DBOLE.drv
c:\documents and settings\Diana\Recent\DBOLE.exe
c:\documents and settings\Diana\Recent\DBOLE.sys
c:\documents and settings\Diana\Recent\DBOLE.tmp
c:\documents and settings\Diana\Recent\ddv.dll
c:\documents and settings\Diana\Recent\ddv.exe
c:\documents and settings\Diana\Recent\ddv.sys
c:\documents and settings\Diana\Recent\delfile.dll
c:\documents and settings\Diana\Recent\delfile.drv
c:\documents and settings\Diana\Recent\delfile.exe
c:\documents and settings\Diana\Recent\delfile.sys
c:\documents and settings\Diana\Recent\dudl.exe
c:\documents and settings\Diana\Recent\dudl.tmp
c:\documents and settings\Diana\Recent\eb.dll
c:\documents and settings\Diana\Recent\eb.drv
c:\documents and settings\Diana\Recent\eb.exe
c:\documents and settings\Diana\Recent\eb.sys
c:\documents and settings\Diana\Recent\eb.tmp
c:\documents and settings\Diana\Recent\energy.dll
c:\documents and settings\Diana\Recent\energy.drv
c:\documents and settings\Diana\Recent\energy.exe
c:\documents and settings\Diana\Recent\energy.sys
c:\documents and settings\Diana\Recent\energy.tmp
c:\documents and settings\Diana\Recent\exec.dll
c:\documents and settings\Diana\Recent\exec.drv
c:\documents and settings\Diana\Recent\exec.exe
c:\documents and settings\Diana\Recent\exec.sys
c:\documents and settings\Diana\Recent\exec.tmp
c:\documents and settings\Diana\Recent\fan.dll
c:\documents and settings\Diana\Recent\fan.exe
c:\documents and settings\Diana\Recent\fan.sys
c:\documents and settings\Diana\Recent\fan.tmp
c:\documents and settings\Diana\Recent\fix.drv
c:\documents and settings\Diana\Recent\fix.exe
c:\documents and settings\Diana\Recent\fix.sys
c:\documents and settings\Diana\Recent\FS.exe
c:\documents and settings\Diana\Recent\FS.tmp
c:\documents and settings\Diana\Recent\FW.drv
c:\documents and settings\Diana\Recent\FW.sys
c:\documents and settings\Diana\Recent\FW.tmp
c:\documents and settings\Diana\Recent\gid.sys
c:\documents and settings\Diana\Recent\gid.tmp
c:\documents and settings\Diana\Recent\grid.dll
c:\documents and settings\Diana\Recent\grid.drv
c:\documents and settings\Diana\Recent\grid.tmp
c:\documents and settings\Diana\Recent\hymt.dll
c:\documents and settings\Diana\Recent\hymt.sys
c:\documents and settings\Diana\Recent\hymt.tmp
c:\documents and settings\Diana\Recent\kernel32.dll
c:\documents and settings\Diana\Recent\kernel32.drv
c:\documents and settings\Diana\Recent\kernel32.exe
c:\documents and settings\Diana\Recent\kernel32.sys
c:\documents and settings\Diana\Recent\kernel32.tmp
c:\documents and settings\Diana\Recent\pal.dll
c:\documents and settings\Diana\Recent\pal.drv
c:\documents and settings\Diana\Recent\pal.exe
c:\documents and settings\Diana\Recent\pal.tmp
c:\documents and settings\Diana\Recent\PE.dll
c:\documents and settings\Diana\Recent\PE.drv
c:\documents and settings\Diana\Recent\PE.exe
c:\documents and settings\Diana\Recent\PE.sys
c:\documents and settings\Diana\Recent\PE.tmp
c:\documents and settings\Diana\Recent\ppal.drv
c:\documents and settings\Diana\Recent\ppal.sys
c:\documents and settings\Diana\Recent\ppal.tmp
c:\documents and settings\Diana\Recent\runddl.tmp
c:\documents and settings\Diana\Recent\runddlkey.dll
c:\documents and settings\Diana\Recent\runddlkey.drv
c:\documents and settings\Diana\Recent\SICKBOY.drv
c:\documents and settings\Diana\Recent\SICKBOY.exe
c:\documents and settings\Diana\Recent\SICKBOY.sys
c:\documents and settings\Diana\Recent\SICKBOY.tmp
c:\documents and settings\Diana\Recent\sld.dll
c:\documents and settings\Diana\Recent\sld.drv
c:\documents and settings\Diana\Recent\sld.sys
c:\documents and settings\Diana\Recent\SM.dll
c:\documents and settings\Diana\Recent\SM.drv
c:\documents and settings\Diana\Recent\SM.tmp
c:\documents and settings\Diana\Recent\snl2w.dll
c:\documents and settings\Diana\Recent\snl2w.drv
c:\documents and settings\Diana\Recent\snl2w.exe
c:\documents and settings\Diana\Recent\snl2w.sys
c:\documents and settings\Diana\Recent\std.dll
c:\documents and settings\Diana\Recent\std.drv
c:\documents and settings\Diana\Recent\std.exe
c:\documents and settings\Diana\Recent\std.tmp
c:\documents and settings\Diana\Recent\tempdoc.dll
c:\documents and settings\Diana\Recent\tempdoc.drv
c:\documents and settings\Diana\Recent\tempdoc.exe
c:\documents and settings\Diana\Recent\tempdoc.tmp
c:\documents and settings\Diana\Recent\tjd.dll
c:\documents and settings\Diana\Recent\tjd.drv
c:\documents and settings\Diana\Recent\tjd.exe
c:\documents and settings\Diana\Recent\tjd.tmp

.
((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

2011-01-13 17:28 . 2011-01-13 17:28 -------- d-----w- C:\HostXpert
2011-01-13 17:26 . 2011-01-13 17:26 -------- d-----w- C:\.HostsXpert[1]
2011-01-12 16:54 . 2011-01-12 16:54 602112 ----a-w- c:\temp\OTL.exe
2011-01-07 18:16 . 2011-01-07 18:16 -------- d-----w- c:\program files\ERUNT
2010-12-19 15:30 . 2010-12-19 15:30 -------- d-----w- C:\$AVG
2010-12-19 14:01 . 2010-12-19 14:01 -------- d-----w- c:\documents and settings\Diana\Application Data\AVG10
2010-12-19 14:00 . 2010-12-19 14:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-12-19 13:58 . 2011-01-06 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-12-19 13:56 . 2010-12-19 13:56 -------- d-----w- c:\program files\AVG
2010-12-19 13:49 . 2010-12-19 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 18:09 . 2010-09-20 12:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-09-20 12:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-19 15:18 . 2010-11-19 15:18 2026 ----a-w- C:\cc_20101119_151835.reg
2010-11-19 15:18 . 2010-11-19 15:17 91930 ----a-w- C:\cc_20101119_151753.reg
2010-11-18 18:12 . 2004-07-27 07:51 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2003-10-27 19:09 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-02-06 18:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2003-03-31 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2003-03-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2003-03-31 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-17 3022848]
"nwiz"="nwiz.exe" [2003-11-17 753664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-07 185896]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Diana\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 23:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 10:24 49152 -c--a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 09:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-28 22:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-20 08:51 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\WINDOWS\\ServicePackFiles\\i386\\iexplore.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [27/07/2004 09:25 77056]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/02/2010 11:25 135664]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [01/10/2010 14:26 374152]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 11:25]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 11:25]

2011-01-14 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-CPU Thermometer - c:\program files\CPU Thermometer\CPUThermometer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 17:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1984)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-01-14 17:18:36
ComboFix-quarantined-files.txt 2011-01-14 17:18

Pre-Run: 22,188,318,720 bytes free
Post-Run: 22,148,616,192 bytes free

- - End Of File - - 94B81638CB3EB6CE28EF9C3CAC2AC99E

I hope this helps.
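One way to pull the checks a helper does by eye out of a ComboFix log like the one posted above, as an added example (not ComboFix's own code and not from this thread): the sample lines are constructed in the shape of that log, and each hit is a prompt for a closer look, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the posted ComboFix log (dates/sizes illustrative).
SAMPLE_LOG = r"""
c:\documents and settings\Diana\Recent\sld.sys
c:\documents and settings\Diana\Recent\tjd.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-11-17 753664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [27/07/2004 09:25 77056]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
"""

# Each check is (label, regex) applied per line. Labels are triage categories
# a helper reading the log would want flagged for follow-up.
CHECKS = [
    # Windows Firewall turned off in the standard profile.
    ("firewall disabled", re.compile(r'^"EnableFirewall"=\s*0\b')),
    # Service/driver entry whose binary ComboFix could not find ("[?]" at end).
    ("service binary missing", re.compile(r'^[RS]\d+\s+\S+;.*\[\?\]$')),
    # Run-key value that is a bare file name (no directory), so it resolves
    # through the search path rather than a known location.
    ("autorun without full path", re.compile(r'^"[^"]+"="([^"\\]+)"\s+\[')),
    # Driver/library/executable files sitting in a user's Recent folder.
    ("driver/library in user Recent folder", re.compile(
        r'^c:\\documents and settings\\[^\\]+\\Recent\\[^\\]+\.(sys|drv|dll|exe)$', re.I)),
]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (label, line) for every log line that trips one of CHECKS."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        for label, pattern in CHECKS:
            if pattern.search(line):
                hits.append((label, line))
                break  # one label per line is enough for triage
    return hits


def summarize(log_text: str) -> dict:
    """Count hits per label so the log can be sized up at a glance."""
    counts = {}
    for label, _ in triage(log_text):
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, line in triage(SAMPLE_LOG):
        print(f"[{label}] {line}")
```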
 
Hi,

I need to look over your CF log very closely; in the meantime, see if you can download and run OTL and post the log. If you have the one you downloaded earlier, just drag it to the trash.


OTL by OldTimer
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
 

Sorry, every time I try to run the OTL or OTM programs I get: OTL (or OTM) has encountered a problem and needs to close. We are sorry for the inconvenience. Then the following data:
AppName: otl.exe AppVer: 3.2.20.2 ModName: kernel32.dll
ModVer: 5.1.2600.5781 Offset: 00012afb

I am running them from the desktop as requested.
Thank you for your assistance, and I'm sorry that things are not as straightforward as they should be.
 
Hi,

CF log looks OK. No need to quote in your post everything that I post.

Try this program in lieu of OTL.


Download OTS.exe by OldTimer to your Desktop.
  1. Close any open browsers.
  2. Double-click on OTS.exe to start the program.
  3. Leave all settings as they appear as default, except for the following:
    • Under Drivers, select "All".
    • Under Additional Scans, click on the "Extra" button.
  4. Now click the Run Scan button on the toolbar.
  5. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  6. When the scan is complete Notepad will open with the report file loaded in it.
  7. Save that notepad file.
Use the Reply button and attach the notepad file here (do not copy and paste it in a reply; attach the file).
 
Can't run OTS file either

I can't run OTS file either. I keep getting the same sort of message as I did on OTM and OTL, that it has encountered a problem and needs to shut down. I have tried to run it from different locations but it still fails the same.
 
Good Morning,

You just may be missing some Windows Files.

Go to Start > Run, type CMD and press Enter.
At the command prompt type SFC /scannow. Put your XP CD in; the System File Checker will start and it will replace any Windows files it needs from your CD. You may or may not need the CD, depending on how the manufacturer of your computer set it up.

The Run entry is not enabled by default with Vista but is easy to add:
http://www.technotraits.com/2008/10/display-the-run-entry-in-vista-start-menu/


After you run System File Checker, give OTL another shot.
 
running sfc/scannow

I haven't got a disc as the computer came preloaded. Anyway, I ran scannow and it failed several times during the scan, so I thought I would be clever and borrow an XP Pro disc and try to load from it, but it doesn't appear very successful, as I have run it half a dozen times and scannow is still failing. Still unable to run OTL or any of the others. Sorry.
 
Did it prompt you for the XP disk?

Go to My Computer > C:\ drive; do you have an i386 folder?
 
Yes, it did prompt for the disc, but only after it had started its scan and presumably found a file that was missing or faulty, and yes, I have a C:\I386 folder with lots of files in it.
 
OK, let's worry about that later.

Drag your version of Combofix to the trash and let's run it again this way:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instructions on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: ComboFix message shown after the Recovery Console is installed]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
OK,

While I am looking over your CF log, go ahead and run DDS again and post that log.

Download DDS from one of the links below to your desktop.

Link 1
Link 2

  • Double click the tool to run it.
  • A black Screen will open, just read the contents and do nothing.
  • When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
  • Copy/Paste the contents of 'DDS.txt' into your post.
  • 'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files)
 