PDA

View Full Version : computer locks up and has malware



wepxc11
2011-01-08, 19:11
computer locks up and needs to be powered off before it works again and it has malware that spybot will not remove

ken545
2011-01-12, 00:53
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


Yep, your infected. Please do not attach any logs or reports that we ask for unless asked to do so, just copy and paste them into this thread.



Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please






OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

wepxc11
2011-01-12, 19:18
I have run Malwarebytes no problems were found see log below

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org (http://www.malwarebytes.org)

Database version: 5507

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/01/2011 16:51:34
mbam-log-2011-01-12 (16-51-34).txt

Scan type: Quick scan
Objects scanned: 155068
Time elapsed: 9 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

unable to run OTL I keep getting:-

OTL has encountered a problem and needs to close. We are sorry for the inconvenience.
and the following error signature:-
AppName: otl[1].exe AppVer: 3.2.20.0 ModName: kernel32.dll
ModVer: 5.1.2600.5781 Offset: 00012afb


Can you tell me what to do next
Thank you for your support

ken545
2011-01-12, 21:15
Try this one, you ran it already but I need to see the original file

Download DDS from one of the links below to your desktop

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)


Double click the tool to run it.
A black Screen will open, just read the contents and do nothing.
When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
Copy/Paste the contents of 'DDS.txt' into your post.
'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files) (http://windows.microsoft.com/en-us/windows-vista/Compress-and-uncompress-files-zip-files)




Then run this one

Download the HostsXpert 4.3 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).

Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper left corner.
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

wepxc11
2011-01-13, 19:54
Try this one, you ran it already but I need to see the original file

Download DDS from one of the links below to your desktop

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)


Double click the tool to run it.
A black Screen will open, just read the contents and do nothing.
When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
Copy/Paste the contents of 'DDS.txt' into your post.
'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files) (http://windows.microsoft.com/en-us/windows-vista/Compress-and-uncompress-files-zip-files)




Then run this one

Download the HostsXpert 4.3 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).

Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper left corner.
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


I've tried to do what you asked below is the dss file:-


DDS (Ver_10-12-12.02) - NTFSx86
Run by Diana at 17:20:17.78 on 13/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1480 [GMT 0:00]

AV: My Security Shield *Enabled/Updated* {739709BF-88DB-4460-A8B4-83425AB9C54D}
FW: AVG Firewall *Disabled*
FW: My Security Shield *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Documents and Settings\Diana\Local Settings\Temporary Internet

Files\Content.IE5\CLVK6KT1\dds[1].scr
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL =

hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=u

tf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program

files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer:

{3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program

files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} -

c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program

files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program

files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program

files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program

files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program

files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google

toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\diana\startm~1\programs\startup\erunta~1.lnk - c:\program

files\erunt\AUTOBACK.EXE
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google

toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

{FF059E31-CC5A-4E2E-BF3B-96E929D65503} -

c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

{53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -

hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -

hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -

hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} -

hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/

wmvadvd.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} -

hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -

hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161

180053796
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} -

hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} -

hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38195.0576851852
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -

hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6106/mcfscan.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program

files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5}

- c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwprovau
IFEO: image file execution options - svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.1.1 HP001708CE2B45
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-7-27 77056]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe

[2010-2-15 135664]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe

[2010-10-1 374152]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2011-01-12 16:54:28 602112 ----a-w- c:\temp\OTL.exe
2010-12-19 15:30:01 -------- d--h--w- C:\$AVG
2010-12-19 14:01:51 -------- d-----w- c:\docume~1\diana\applic~1\AVG10
2010-12-19 14:00:43 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-19 13:58:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-19 13:56:06 -------- d-----w- c:\program files\AVG
2010-12-19 13:49:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-15 08:09:42 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

==================== Find3M ====================

2010-11-19 15:18:39 2026 ----a-w- C:\cc_20101119_151835.reg
2010-11-19 15:18:08 91930 ----a-w- C:\cc_20101119_151753.reg
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\SETA.tmp
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\win



The Attach txt file is attached as requested but when i run Hostsxpert i do not get the "Make host writable" in the upper left hand corner I get "Make read only" in the upper left hand corner and when i run "restore MS host files" i get the message can not create file C:\windows\system32\drivers\etc\hosts.


Sorry to be such a problem
Thank you for your support

ken545
2011-01-13, 20:13
Hi,

Do this, before you proceed make sure you still have HostXpert on your desktop, if you do not then you need to redownload it.




Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop.
Double click the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/OTMdesktopicon.png icon on your desktop.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area.
Do not include the word "Code".



:Processes
explorer.exe

:Services

:Reg

:Files
c:\windows\system32\drivers\etc\hosts


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/results.png line here in your next reply.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Now run HostsXpert


Restore Microsoft's Hosts file <-- You will get a message stating that there is no hosts file available do you want to create one SAY YES





Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

wepxc11
2011-01-14, 11:48
Hi,

Do this, before you proceed make sure you still have HostXpert on your desktop, if you do not then you need to redownload it.




Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop.
Double click the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/OTMdesktopicon.png icon on your desktop.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area.
Do not include the word "Code".



:Processes
explorer.exe

:Services

:Reg

:Files
c:\windows\system32\drivers\etc\hosts


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/results.png line here in your next reply.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Now run HostsXpert


Restore Microsoft's Hosts file <-- You will get a message stating that there is no hosts file available do you want to create one SAY YES





Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


I'm sorry but i am still getting the same problems with the downloaded programs.
I haved them to the following places:- OTM C:\Documents and Settings\Diana\Desktop
size on disc 508KB

error signature AppName: otm.exe AppVer: 3.1.17.2 ModName: kernel32.dll
ModVer: 5.1.2600.5781 Offset: 00012afb

and
HostsXpert C:\Documents and Settings\Diana\Desktop
size on disc 364KB
not getting make host writable in the corner and when run restore files I am getting
error can't create file c:\windows\system32\drivers\etc\hosts

i have not yet tried to download combofix because the others haven't worked and i'm not sure if they need to be done in a certain order.

Thanks for your patience.If you can point out where i'm going wrong i would be grateful

ken545
2011-01-14, 12:55
See if you can download and run Combofix

wepxc11
2011-01-14, 19:24
I'm sorry but i am still getting the same problems with the downloaded programs.
I haved them to the following places:- OTM C:\Documents and Settings\Diana\Desktop
size on disc 508KB

error signature AppName: otm.exe AppVer: 3.1.17.2 ModName: kernel32.dll
ModVer: 5.1.2600.5781 Offset: 00012afb

and
HostsXpert C:\Documents and Settings\Diana\Desktop
size on disc 364KB
not getting make host writable in the corner and when run restore files I am getting
error can't create file c:\windows\system32\drivers\etc\hosts

i have not yet tried to download combofix because the others haven't worked and i'm not sure if they need to be done in a certain order.

Thanks for your patience.If you can point out where i'm going wrong i would be grateful

Thank you I have run Compofix and the log is below:-

ComboFix 11-01-14.01 - Diana 14/01/2011 17:07:33.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1659 [GMT 0:00]
Running from: c:\documents and settings\Diana\Desktop\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\8e8669\71.mof
c:\documents and settings\All Users\Application Data\8e8669\BackUp\HP Digital Imaging Monitor.lnk
c:\documents and settings\All Users\Application Data\8e8669\BackUp\HP Image Zone Fast Start.lnk
c:\documents and settings\All Users\Application Data\8e8669\BackUp\Symantec Fax Starter Edition Port.lnk
c:\documents and settings\All Users\Application Data\8e8669\BackUp\VIA RAID TOOL.lnk
c:\documents and settings\All Users\Application Data\8e8669\BackUp\Windows Search.lnk
c:\documents and settings\All Users\Application Data\8e8669\MSS.ico
c:\documents and settings\All Users\Application Data\8e8669\MSSSys\vd952342.bd
c:\documents and settings\Diana\Recent\ANTIGEN.dll
c:\documents and settings\Diana\Recent\ANTIGEN.drv
c:\documents and settings\Diana\Recent\ANTIGEN.exe
c:\documents and settings\Diana\Recent\ANTIGEN.sys
c:\documents and settings\Diana\Recent\ANTIGEN.tmp
c:\documents and settings\Diana\Recent\cb.dll
c:\documents and settings\Diana\Recent\cb.exe
c:\documents and settings\Diana\Recent\cb.tmp
c:\documents and settings\Diana\Recent\cid.dll
c:\documents and settings\Diana\Recent\cid.exe
c:\documents and settings\Diana\Recent\cid.tmp
c:\documents and settings\Diana\Recent\CLSV.dll
c:\documents and settings\Diana\Recent\CLSV.drv
c:\documents and settings\Diana\Recent\CLSV.sys
c:\documents and settings\Diana\Recent\CLSV.tmp
c:\documents and settings\Diana\Recent\DBOLE.dll
c:\documents and settings\Diana\Recent\DBOLE.drv
c:\documents and settings\Diana\Recent\DBOLE.exe
c:\documents and settings\Diana\Recent\DBOLE.sys
c:\documents and settings\Diana\Recent\DBOLE.tmp
c:\documents and settings\Diana\Recent\ddv.dll
c:\documents and settings\Diana\Recent\ddv.exe
c:\documents and settings\Diana\Recent\ddv.sys
c:\documents and settings\Diana\Recent\delfile.dll
c:\documents and settings\Diana\Recent\delfile.drv
c:\documents and settings\Diana\Recent\delfile.exe
c:\documents and settings\Diana\Recent\delfile.sys
c:\documents and settings\Diana\Recent\dudl.exe
c:\documents and settings\Diana\Recent\dudl.tmp
c:\documents and settings\Diana\Recent\eb.dll
c:\documents and settings\Diana\Recent\eb.drv
c:\documents and settings\Diana\Recent\eb.exe
c:\documents and settings\Diana\Recent\eb.sys
c:\documents and settings\Diana\Recent\eb.tmp
c:\documents and settings\Diana\Recent\energy.dll
c:\documents and settings\Diana\Recent\energy.drv
c:\documents and settings\Diana\Recent\energy.exe
c:\documents and settings\Diana\Recent\energy.sys
c:\documents and settings\Diana\Recent\energy.tmp
c:\documents and settings\Diana\Recent\exec.dll
c:\documents and settings\Diana\Recent\exec.drv
c:\documents and settings\Diana\Recent\exec.exe
c:\documents and settings\Diana\Recent\exec.sys
c:\documents and settings\Diana\Recent\exec.tmp
c:\documents and settings\Diana\Recent\fan.dll
c:\documents and settings\Diana\Recent\fan.exe
c:\documents and settings\Diana\Recent\fan.sys
c:\documents and settings\Diana\Recent\fan.tmp
c:\documents and settings\Diana\Recent\fix.drv
c:\documents and settings\Diana\Recent\fix.exe
c:\documents and settings\Diana\Recent\fix.sys
c:\documents and settings\Diana\Recent\FS.exe
c:\documents and settings\Diana\Recent\FS.tmp
c:\documents and settings\Diana\Recent\FW.drv
c:\documents and settings\Diana\Recent\FW.sys
c:\documents and settings\Diana\Recent\FW.tmp
c:\documents and settings\Diana\Recent\gid.sys
c:\documents and settings\Diana\Recent\gid.tmp
c:\documents and settings\Diana\Recent\grid.dll
c:\documents and settings\Diana\Recent\grid.drv
c:\documents and settings\Diana\Recent\grid.tmp
c:\documents and settings\Diana\Recent\hymt.dll
c:\documents and settings\Diana\Recent\hymt.sys
c:\documents and settings\Diana\Recent\hymt.tmp
c:\documents and settings\Diana\Recent\kernel32.dll
c:\documents and settings\Diana\Recent\kernel32.drv
c:\documents and settings\Diana\Recent\kernel32.exe
c:\documents and settings\Diana\Recent\kernel32.sys
c:\documents and settings\Diana\Recent\kernel32.tmp
c:\documents and settings\Diana\Recent\pal.dll
c:\documents and settings\Diana\Recent\pal.drv
c:\documents and settings\Diana\Recent\pal.exe
c:\documents and settings\Diana\Recent\pal.tmp
c:\documents and settings\Diana\Recent\PE.dll
c:\documents and settings\Diana\Recent\PE.drv
c:\documents and settings\Diana\Recent\PE.exe
c:\documents and settings\Diana\Recent\PE.sys
c:\documents and settings\Diana\Recent\PE.tmp
c:\documents and settings\Diana\Recent\ppal.drv
c:\documents and settings\Diana\Recent\ppal.sys
c:\documents and settings\Diana\Recent\ppal.tmp
c:\documents and settings\Diana\Recent\runddl.tmp
c:\documents and settings\Diana\Recent\runddlkey.dll
c:\documents and settings\Diana\Recent\runddlkey.drv
c:\documents and settings\Diana\Recent\SICKBOY.drv
c:\documents and settings\Diana\Recent\SICKBOY.exe
c:\documents and settings\Diana\Recent\SICKBOY.sys
c:\documents and settings\Diana\Recent\SICKBOY.tmp
c:\documents and settings\Diana\Recent\sld.dll
c:\documents and settings\Diana\Recent\sld.drv
c:\documents and settings\Diana\Recent\sld.sys
c:\documents and settings\Diana\Recent\SM.dll
c:\documents and settings\Diana\Recent\SM.drv
c:\documents and settings\Diana\Recent\SM.tmp
c:\documents and settings\Diana\Recent\snl2w.dll
c:\documents and settings\Diana\Recent\snl2w.drv
c:\documents and settings\Diana\Recent\snl2w.exe
c:\documents and settings\Diana\Recent\snl2w.sys
c:\documents and settings\Diana\Recent\std.dll
c:\documents and settings\Diana\Recent\std.drv
c:\documents and settings\Diana\Recent\std.exe
c:\documents and settings\Diana\Recent\std.tmp
c:\documents and settings\Diana\Recent\tempdoc.dll
c:\documents and settings\Diana\Recent\tempdoc.drv
c:\documents and settings\Diana\Recent\tempdoc.exe
c:\documents and settings\Diana\Recent\tempdoc.tmp
c:\documents and settings\Diana\Recent\tjd.dll
c:\documents and settings\Diana\Recent\tjd.drv
c:\documents and settings\Diana\Recent\tjd.exe
c:\documents and settings\Diana\Recent\tjd.tmp

.
((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

2011-01-13 17:28 . 2011-01-13 17:28 -------- d-----w- C:\HostXpert
2011-01-13 17:26 . 2011-01-13 17:26 -------- d-----w- C:\.HostsXpert[1]
2011-01-12 16:54 . 2011-01-12 16:54 602112 ----a-w- c:\temp\OTL.exe
2011-01-07 18:16 . 2011-01-07 18:16 -------- d-----w- c:\program files\ERUNT
2010-12-19 15:30 . 2010-12-19 15:30 -------- d-----w- C:\$AVG
2010-12-19 14:01 . 2010-12-19 14:01 -------- d-----w- c:\documents and settings\Diana\Application Data\AVG10
2010-12-19 14:00 . 2010-12-19 14:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-12-19 13:58 . 2011-01-06 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-12-19 13:56 . 2010-12-19 13:56 -------- d-----w- c:\program files\AVG
2010-12-19 13:49 . 2010-12-19 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 18:09 . 2010-09-20 12:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-09-20 12:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-19 15:18 . 2010-11-19 15:18 2026 ----a-w- C:\cc_20101119_151835.reg
2010-11-19 15:18 . 2010-11-19 15:17 91930 ----a-w- C:\cc_20101119_151753.reg
2010-11-18 18:12 . 2004-07-27 07:51 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2003-10-27 19:09 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-02-06 18:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2003-03-31 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2003-03-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2003-03-31 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-17 3022848]
"nwiz"="nwiz.exe" [2003-11-17 753664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-07 185896]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Diana\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 23:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 10:24 49152 -c--a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 09:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-28 22:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-20 08:51 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\WINDOWS\\ServicePackFiles\\i386\\iexplore.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [27/07/2004 09:25 77056]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/02/2010 11:25 135664]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [01/10/2010 14:26 374152]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 11:25]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 11:25]

2011-01-14 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-CPU Thermometer - c:\program files\CPU Thermometer\CPUThermometer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 17:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1984)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-01-14 17:18:36
ComboFix-quarantined-files.txt 2011-01-14 17:18

Pre-Run: 22,188,318,720 bytes free
Post-Run: 22,148,616,192 bytes free

- - End Of File - - 94B81638CB3EB6CE28EF9C3CAC2AC99E

I hope this helps

ken545
2011-01-14, 19:35
Hi,

I need to look over your CF log very closely, in the meantime see if you can download and run OTL and post the log. If you have the one you downloaded earlier just drag it to the trash


OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

wepxc11
2011-01-14, 23:35
Hi,

I need to look over your CF log very closely, in the meantime see if you can download and run OTL and post the log. If you have the one you downloaded earlier just drag it to the trash


OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.




Sorry every time i try to run the OTL or OTM programs I get:-OTL(or OTM) has encountered a problem and needs to close. We are sorry for the inconvenience. Then the following data:-
AppName: otl.exe AppVer: 3.2.20.2 ModName: kernel32.dll
ModVer: 5.1.2600.5781 Offset: 00012afb

I am running them from the desktop as requested.
Thanking you for your assistance and I'm sorry that things are not as straight forward as they should be.

ken545
2011-01-15, 01:54
Hi,

CF log looks ok. No need to quote in your post everything that I post .

Try this program in lew of OTL


Download OTS.exe (http://oldtimer.geekstogo.com/OTS.exe) by OldTimer to your Desktop.
Close any open browsers.
Double-click on OTS.exe to start the program.
Leave all settings as they appear as default, except for the following:
Under Drivers, select "All".
Under Additional Scans, click on the "Extra" button.

Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, Attach the file ).

wepxc11
2011-01-15, 11:27
I can't run OTS file either. I keep getting the same sort of message as I did on OTM and OTL, that it has encountered a problem and needs to shut down. I have tried to run it from different locations but it still fails the same.

ken545
2011-01-15, 13:31
Good Morning,

You just may be missing some Windows Files.

Go Start>Run and type CMD enter
At the command prompt type SFC /scannow. Put your XP CD in, the System File Checker will start and it will replace any Windows files it needs from your CD. You may or may not need the CD depending how the manufacturer of your computer set it up.

The Run Entry is not enabled by default with Vista but is easy to add
http://www.technotraits.com/2008/10/display-the-run-entry-in-vista-start-menu/


After you run System File Checker, give OTL another shot

wepxc11
2011-01-15, 16:51
I haven't got a disc as the computer came preloaded anyway i ran scannow and it failed several times during the scan so I thought i would be clever and borrow a xp pro disc and try to load from it but it doesn't appear very sucessful as i have run it half a dozen times and scannow is still failing still unable to run otl or any of the others. Sorry

ken545
2011-01-15, 17:25
Did it prompt you for the XP Disk ?

Go to My Computer > C:\ drive, do you have an i386 folder ?

wepxc11
2011-01-15, 18:08
yes it did prompt for the disc but only after it had started its scan and presumably found a file that was missing or faulty and yes i have a C:/I386 folder with lots of files in it.

ken545
2011-01-15, 18:57
OK, lets worry about that later.

Drag your version of Combofix to the trash and lets run it again this way

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

wepxc11
2011-01-15, 19:48
That ran perfectly i have zipped the file because it was to big to send otherwise

ken545
2011-01-15, 19:54
OK,

While I am looking over your CF log go ahead and run DDS again and post that log

Download DDS from one of the links below to your desktop

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)


Double click the tool to run it.
A black Screen will open, just read the contents and do nothing.
When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
Copy/Paste the contents of 'DDS.txt' into your post.
'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files) (http://windows.microsoft.com/en-us/windows-vista/Compress-and-uncompress-files-zip-files)

wepxc11
2011-01-15, 20:28
DDS (Ver_10-12-12.02) - NTFSx86
Run by Diana at 18:22:49.00 on 15/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1489 [GMT 0:00]

FW: AVG Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Diana\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\diana\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161180053796
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38195.0576851852
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6106/mcfscan.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-7-27 77056]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-15 135664]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-1 374152]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2011-01-15 14:47:01 37563 -c--a-w- c:\windows\system32\dllcache\OLD1EF7.tmp
2011-01-15 14:45:59 48000 -c--a-w- c:\windows\system32\dllcache\OLD1E21.tmp
2011-01-15 14:44:59 56832 -c--a-w- c:\windows\system32\dllcache\OLD1D8D.tmp
2011-01-15 14:43:59 34688 -c--a-w- c:\windows\system32\dllcache\OLD1D18.tmp
2011-01-15 14:42:59 9216 -c--a-w- c:\windows\system32\dllcache\OLD1C06.tmp
2011-01-15 14:41:34 24618 -c--a-w- c:\windows\system32\dllcache\OLD1B22.tmp
2011-01-15 14:40:59 206976 -c--a-w- c:\windows\system32\dllcache\OLD1A63.tmp
2011-01-15 14:39:59 7680 -c--a-w- c:\windows\system32\dllcache\OLD1934.tmp
2011-01-15 14:38:59 10240 -c--a-w- c:\windows\system32\dllcache\OLD17EA.tmp
2011-01-15 14:37:33 49664 -c--a-w- c:\windows\system32\dllcache\OLD1785.tmp
2011-01-15 14:36:59 169984 -c--a-w- c:\windows\system32\dllcache\OLD171F.tmp
2011-01-15 14:34:59 20736 -c--a-w- c:\windows\system32\dllcache\OLD16DF.tmp
2011-01-15 14:33:41 17664 -c--a-w- c:\windows\system32\dllcache\OLD1698.tmp
2011-01-15 14:32:54 259328 -c--a-w- c:\windows\system32\dllcache\OLD1663.tmp
2011-01-15 14:31:59 44544 -c--a-w- c:\windows\system32\dllcache\OLD1629.tmp
2011-01-15 14:30:59 52255 -c--a-w- c:\windows\system32\dllcache\OLD15AE.tmp
2011-01-15 14:29:50 58880 -c--a-w- c:\windows\system32\dllcache\OLD1542.tmp
2011-01-15 14:28:59 59904 -c--a-w- c:\windows\system32\dllcache\OLD1458.tmp
2011-01-15 14:27:59 34173 -c--a-w- c:\windows\system32\dllcache\OLD1323.tmp
2011-01-15 14:26:59 334208 -c--a-w- c:\windows\system32\dllcache\OLD1265.tmp
2011-01-15 14:25:59 714698 -c--a-w- c:\windows\system32\dllcache\OLD111E.tmp
2011-01-15 14:24:30 23552 -c--a-w- c:\windows\system32\dllcache\OLDFF8.tmp
2011-01-15 14:23:43 6272 -c--a-w- c:\windows\system32\dllcache\OLDFA2.tmp
2011-01-15 14:22:59 96256 -c--a-w- c:\windows\system32\dllcache\OLDF4B.tmp
2011-01-15 14:19:34 116224 -c--a-w- c:\windows\system32\dllcache\OLDECC.tmp
2011-01-15 14:19:33 23040 -c--a-w- c:\windows\system32\dllcache\OLDEC8.tmp
2011-01-15 14:19:32 18944 -c--a-w- c:\windows\system32\dllcache\OLDEC4.tmp
2011-01-15 14:19:31 4608 -c--a-w- c:\windows\system32\dllcache\OLDEBC.tmp
2011-01-15 14:19:31 27648 -c--a-w- c:\windows\system32\dllcache\OLDEC0.tmp
2011-01-15 14:19:07 99865 -c--a-w- c:\windows\system32\dllcache\OLDEB8.tmp
2011-01-15 14:19:06 16970 -c--a-w- c:\windows\system32\dllcache\OLDEB1.tmp
2011-01-15 14:19:05 19455 -c--a-w- c:\windows\system32\dllcache\OLDEAD.tmp
2011-01-15 14:19:01 19200 -c--a-w- c:\windows\system32\dllcache\OLDEA9.tmp
2011-01-15 14:17:59 48256 -c--a-w- c:\windows\system32\dllcache\OLDE28.tmp
2011-01-15 14:16:59 21896 -c--a-w- c:\windows\system32\dllcache\OLDD32.tmp
2011-01-15 14:15:54 8704 -c--a-w- c:\windows\system32\dllcache\OLDC9A.tmp
2011-01-15 14:15:53 39936 -c--a-w- c:\windows\system32\dllcache\OLDC97.tmp
2011-01-15 14:15:53 10240 -c--a-w- c:\windows\system32\dllcache\OLDC94.tmp
2011-01-15 14:15:52 6144 -c--a-w- c:\windows\system32\dllcache\OLDC8E.tmp
2011-01-15 14:15:52 358400 -c--a-w- c:\windows\system32\dllcache\OLDC8B.tmp
2011-01-15 14:15:52 188416 -c--a-w- c:\windows\system32\dllcache\OLDC91.tmp
2011-01-15 14:15:51 33280 -c--a-w- c:\windows\system32\dllcache\OLDC85.tmp
2011-01-15 14:15:51 259072 -c--a-w- c:\windows\system32\dllcache\OLDC88.tmp
2011-01-15 14:15:50 12288 -c--a-w- c:\windows\system32\dllcache\OLDC82.tmp
2011-01-15 14:11:59 68608 -c--a-w- c:\windows\system32\dllcache\OLDBF3.tmp
2011-01-15 14:11:59 252032 -c--a-w- c:\windows\system32\dllcache\OLDBEF.tmp
2011-01-15 14:11:58 18944 -c--a-w- c:\windows\system32\dllcache\OLDBE7.tmp
2011-01-15 14:11:58 101760 -c--a-w- c:\windows\system32\dllcache\OLDBEB.tmp
2011-01-15 14:11:50 18400 -c--a-w- c:\windows\system32\dllcache\OLDBE0.tmp
2011-01-15 14:11:50 161568 -c--a-w- c:\windows\system32\dllcache\OLDBE4.tmp
2011-01-15 14:11:49 98080 -c--a-w- c:\windows\system32\dllcache\OLDBDC.tmp
2011-01-15 14:11:49 386560 -c--a-w- c:\windows\system32\dllcache\OLDBD8.tmp
2011-01-15 14:11:48 36480 -c--a-w- c:\windows\system32\dllcache\OLDBD4.tmp
2011-01-15 14:11:45 17664 -c--a-w- c:\windows\system32\dllcache\OLDBD0.tmp
2011-01-15 14:11:44 26112 -c--a-w- c:\windows\system32\dllcache\OLDBCC.tmp
2011-01-15 14:10:57 6912 -c--a-w- c:\windows\system32\dllcache\OLDBC8.tmp
2011-01-15 14:10:56 11520 -c--a-w- c:\windows\system32\dllcache\OLDBC4.tmp
2011-01-15 14:10:55 11648 -c--a-w- c:\windows\system32\dllcache\OLDBC0.tmp
2011-01-15 14:10:54 57856 -c--a-w- c:\windows\system32\dllcache\OLDBBC.tmp
2011-01-15 14:07:39 14848 -c--a-w- c:\windows\system32\dllcache\OLDB2A.tmp
2011-01-15 14:06:59 79360 -c--a-w- c:\windows\system32\dllcache\OLDA9A.tmp
2011-01-15 14:04:44 9344 -c--a-w- c:\windows\system32\dllcache\OLD9DE.tmp
2011-01-15 14:03:54 40960 -c--a-w- c:\windows\system32\dllcache\OLD95A.tmp
2011-01-15 14:02:42 58880 -c--a-w- c:\windows\system32\dllcache\OLD8F4.tmp
2011-01-15 14:01:58 5632 -c--a-w- c:\windows\system32\dllcache\OLD825.tmp
2011-01-15 14:00:56 10129408 -c--a-w- c:\windows\system32\dllcache\OLD6FC.tmp
2011-01-15 13:59:59 24632 -c--a-w- c:\windows\system32\dllcache\OLD5FF.tmp
2011-01-15 13:58:59 69692 -c--a-w- c:\windows\system32\dllcache\OLD522.tmp
2011-01-15 13:57:59 72832 -c--a-w- c:\windows\system32\dllcache\OLD409.tmp
2011-01-15 13:56:35 13824 -c--a-w- c:\windows\system32\dllcache\OLD24E.tmp
2011-01-15 13:55:59 26880 -c--a-w- c:\windows\system32\dllcache\OLD18E.tmp
2011-01-15 13:54:59 5632 -c--a-w- c:\windows\system32\dllcache\OLDF4.tmp
2011-01-15 13:53:58 16384 -c--a-w- c:\windows\system32\dllcache\OLD88.tmp
2011-01-15 13:52:45 20540 -c--a-w- c:\windows\system32\dllcache\OLD12.tmp
2011-01-15 13:52:45 16439 -c--a-w- c:\windows\system32\dllcache\OLD15.tmp
2011-01-15 13:52:43 43520 -c--a-w- c:\windows\system32\dllcache\OLDC.tmp
2011-01-15 13:52:43 290816 -c--a-w- c:\windows\system32\dllcache\OLDF.tmp
2011-01-15 13:52:42 20540 -c--a-w- c:\windows\system32\dllcache\OLD6.tmp
2011-01-15 13:52:42 16439 -c--a-w- c:\windows\system32\dllcache\OLD9.tmp
2011-01-15 12:55:46 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-01-15 12:55:45 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-01-15 12:55:44 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-01-15 12:55:44 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-01-15 12:55:43 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-01-15 12:55:20 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2011-01-15 12:55:19 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-01-15 12:55:17 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-01-15 12:55:13 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2011-01-15 12:55:12 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-01-15 12:53:58 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2011-01-15 12:52:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2011-01-15 12:51:59 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2011-01-15 12:50:58 5504 -c--a-w- c:\windows\system32\dllcache\perc2hib.sys
2011-01-15 12:49:59 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2011-01-15 12:48:58 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2011-01-15 12:47:35 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2011-01-15 12:46:59 93696 -c--a-w- c:\windows\system32\dllcache\hpgt42.dll
2011-01-15 12:45:59 66591 -c--a-w- c:\windows\system32\dllcache\el90xbc5.sys
2011-01-15 12:44:59 216064 -c--a-w- c:\windows\system32\dllcache\cpscan.dll
2011-01-15 12:43:50 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2011-01-15 12:42:32 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys
2011-01-15 12:41:36 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-01-14 16:40:13 -------- d-sha-r- C:\cmdcons
2011-01-14 16:37:10 98816 ----a-w- c:\windows\sed.exe
2011-01-14 16:37:10 89088 ----a-w- c:\windows\MBR.exe
2011-01-14 16:37:10 256512 ----a-w- c:\windows\PEV.exe
2011-01-14 16:37:10 161792 ----a-w- c:\windows\SWREG.exe
2011-01-13 17:28:46 -------- d-----w- C:\HostXpert
2011-01-13 17:26:21 -------- d-----w- C:\.HostsXpert[1]
2011-01-12 16:54:28 602112 ----a-w- c:\temp\OTL.exe
2010-12-19 15:30:01 -------- d-----w- C:\$AVG
2010-12-19 14:01:51 -------- d-----w- c:\docume~1\diana\applic~1\AVG10
2010-12-19 14:00:43 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-19 13:58:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-19 13:56:06 -------- d-----w- c:\program files\AVG
2010-12-19 13:49:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

==================== Find3M ====================

2010-11-19 15:18:39 2026 ----a-w- C:\cc_20101119_151835.reg
2010-11-19 15:18:08 91930 ----a-w- C:\cc_20101119_151753.reg
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 18:23:26.35 ===============

ken545
2011-01-15, 21:23
Hi,

I am not seeing markers in your log that show your hosts file is infected, it may have been fixed.


Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic




Post the ESET log and let me know how things are running now ?

wepxc11
2011-01-15, 23:39
estonline file it says all have been fixed. lets hope so


C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\8e8669\71.mof.vir Win32/RogueAV.A trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{AF6222A9-E625-41BF-BE22-EECE262BAB3D}\RP1874\A0273305.mof Win32/RogueAV.A trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143710.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143715.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143716.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143717.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143721.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143722.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143724.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143726.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143735.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143736.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143739.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143742.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143755.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100916-143757.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094756.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094802.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094804.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094806.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094807.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094810.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094812.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094815.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094817.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094821.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094822.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094824.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094825.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20100917-094826.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133026.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133035.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133036.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133038.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133039.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133041.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133044.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133045.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133046.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133047.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133142.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133147.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-133148.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165400.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165456.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165500.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165501.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165512.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165633.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165635.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165636.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165637.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165702.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165705.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165706.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165707.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20101219-165708.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193152.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193158.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193159.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193201.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193202.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193203.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193205.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193206.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193207.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193208.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193210.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193215.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110106-193358.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-175851.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-175947.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-175950.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-180040.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-180042.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-180043.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-180044.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-180045.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-180046.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-180047.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-180048.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-180049.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110107-180050.backup Win32/Qhost trojan cleaned by deleting - quarantined

ken545
2011-01-15, 23:58
Those that where removed where exactly what I was looking for, they would have been on your OTL log if we could have run it. What they are are infected copies of your Hosts file

Why dont you drag OTL and OTL(1) to the trash and lets grab a fresh copy , download it to your desktop and then boot to safemode and try to run it.

OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.








To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

wepxc11
2011-01-16, 01:33
After all that I can't get it to start in safe mode. It could be the keyboard as it is a wireless model. The menu comes up but can't get it to step up to the safe mode selection. I will get another wired keyboard in the morning and try again.
PS otl failed again in normal mode but i'll try safe mode tomorrow and contact you again.
Thanks again for all your help.

wepxc11
2011-01-16, 11:52
I have changed the keyboard for a directly wired one and can now get into safe mode but all three of the OT programs fail saying there is a problem and need to close in both safe and normal modes.

ken545
2011-01-16, 12:17
Hi,

Not running those programs may be windows related, what I would like you to do is post at this windows forum ( all of us forums work together ) and tell them you want to run System File Checker. Let them know you have a I386 folder and no XP CD. ( the CD you borrowed may not have worked ....has to do with service packs and a few other things ). After they get you to run SFC successfully then try OTL again, post back here either way and let me know.
http://forums.whatthetech.com/index.php?showforum=119

Let me know when you posted and I will give on of the techs a heads up so you wont have to wait

wepxc11
2011-01-16, 18:07
I have posted a topic on the other forum as suggested and am awaiting a reply. I will post the results back to you asap.
Thank you for all your help so far.

ken545
2011-01-16, 22:44
I am linked to that post and added my 2 cents :)

The correct entry in SourcePath should be C:\

Then go to Start > Run and type this in sfc /scannow ( note the space between c and /, its needed and see if it will run now

ken545
2011-01-18, 02:01
You need to download and run OTL to your desktop, it will not run from other locations

OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

wepxc11
2011-01-18, 22:04
Thank you for your help. I can now run sfc scannow the problem was in the registery with some files settings pointing to the wrong locations. Now it only stops once and asks for the service pack 3 disc but as it is a mod that microsoft send i havent got a disc so i don't know yet how to resolve that one. I have tried to run otl.exe but with no success it is on the desktop and the path is C:\Documents and Settings\Diana\Desktop. it still gives the same message about OTL has encountered a problem and needs to close. We are sorry for the inconvenience.
I don't know what to do next.

ken545
2011-01-18, 23:46
Hi,

After all this we may get OTL to run and it will find no problems :) Hang on a bit , I am looking into this further.

ken545
2011-01-19, 11:16
Lets do a few things.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:File
C:\windows\system32\kernel32.dll


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt




=====================================


Two programs to download

First

ISOBurner (http://www.ntfs.com/iso-burning.htm) this will allow you to burn REATOGO-X-PE ISO to a cd and make it bootable. Just install the programme, from there on in it is fairly automatic. Instructions (http://www.ntfs.com/iso_burner_free.htm)

Second


Download OTLPE.iso (http://oldtimer.geekstogo.com/OTLPE.iso) and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.

When downloaded double click and this will then open ISOBurner to burn the file to CD

Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)


Your system should now display a REATOGO-X-PE desktop.

Double-click on the OTLPE icon.

When asked "Do you wish to load the remote registry", select Yes

When asked "Do you wish to load remote user profile(s) for scanning", select Yes

Ensure the box "Automatically Load All Remaining Users" is checked and press OK

OTL should now start. Change the following settings

Change Standard Registry to All



Press Run Scan to start the scan.

When finished, the file will be saved in drive C:\OTL.txt

Copy this file to your USB drive.

Please post the contents of the C:\OTL.txt file in your reply.

wepxc11
2011-01-19, 20:16
Here is the system look file you asked for but the OTLPE link is broken. I have been on the web site directly but can't find the OTLPE file to download. There is another otlpsomething file i tried and the link to that fails as well. if you can give me another link i will try again. iso file downloaded ok.

systemlook file

SystemLook 04.09.10 by jpshortstuff
Log created at 17:52 on 19/01/2011 by Diana
Administrator - Elevation successful

========== File ==========

C:\windows\system32\kernel32.dll - File found and opened.
MD5: B921FB870C9AC0D509B2CCABBBBE95F3
Created at 12:00 on 31/03/2003
Modified at 14:06 on 21/03/2009
Size: 989696 bytes
Attributes: --a----
FileDescription: Windows NT BASE API Client DLL
FileVersion: 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)
ProductVersion: 5.1.2600.5781
OriginalFilename: kernel32
InternalName: kernel32
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

-= EOF =-

ken545
2011-01-19, 20:27
I am going to send that information on that file to the author of OTL and see what he thinks

That link for OTLPE may not be working, I was hoping it would but that tool may have been pulled.

How are things in general working now ?

wepxc11
2011-01-20, 00:41
Its been ok up to now but i have only been using it to sort this problem out. it did freeze before getting the sfc scannow sorted out but it seems to be holding its own at the moment. I would like to get the one problem that sfc scannow found and asked for a SP3 disc for sorted though. one of your support staff mentioned in passing that there was a method of getting the disc made up from a download can you point me towards it.
Thank you

ken545
2011-01-20, 01:08
Well what there talking about is slipstreaming your XP CD, what this does is it takes you Windows XP CD and along with downloading Service Pack 3, it creates a new CD for your computer which will include XP and Service Pack 3 so that if you have to do a new reinstall of windows it will be all up to date, but you stated that you don't have your windows CD or even a recovery disk for your computer so this will not be able to be done with someone else s CD as the windows keycode will not match up.

The only thing I can suggest is to contact the manufacturer of your computer and request the recovery disk for your computer, with that disk you will be able to reinstall windows back to factory defaults, but if things are running ok then I dont think I would go through all that trouble

Are you able to do windows updates ?

wepxc11
2011-01-20, 09:29
sorry i misunderstood the cd bit I thought they we're talking about having a SP3 only cd.

Yes I haven't had any trouble getting Microsoft updates that I know about.

ken545
2011-01-20, 11:01
Being able to update windows is a good sign. I submitted the information on that file to the author of OTL but have not heard back yet .


When you slipstream a windows disk, basically what this does is take the windows files on the older original windows disk along with the files from Service pack 3 that you download to your desktop and combines them into one new CD.

wepxc11
2011-01-20, 19:13
Thank you I look forward to hearing from you

ken545
2011-01-20, 19:38
Hi,

This is from Old Timer

Hey ken545. That appears to be a valid version of kernel32.dll so there is something else amiss with that user's system but I don't know exactly what that might be. They are either missing some system component or some component has been compromised.

Cheers.

OT


Are you experiencing a lot of windows errors ?

wepxc11
2011-01-21, 15:37
I don't seem to be getting any windows errors. The only problems encountered so far are the missing/faulty file found on the sfc scan and the otl,otm etc programs not running

ken545
2011-01-21, 18:36
The only thing I can suggest if you feel you have problems is to contact the manufacturer of your system and purchase a windows CD or the recovery CD and do a System Repair, what this will do is just copy windows over the current version and in the process all the missing or corrupt files will be installed. If this is the way you want to go let me know and I can get you help on completing that task.

wepxc11
2011-01-21, 20:03
Thank you for all your help and advice. The computer was from tiny computers which crashed some time ago so i don't think there will be much help there but if you have some notes that you can pass on i will try to get a disc from another source.
thanks again for your help

ken545
2011-01-21, 21:21
Your welcome .

I guess help from Tiny Computers is washed up
http://www.pcworld.com/article/87343/tiny_computers_collapse_strands_customers.html

The only problem is when and if you borrow a win xp pro disk to do a repair, the key code numbers wont match the one on your system and it may not either start of complete the repair.

1. How old is this computer.
2. When you go go My Computer does is show a D:\ Recovery Partition ?

wepxc11
2011-01-22, 18:18
Thank you for all your help. The computer is an old one and on reflection I should get a new one its just that i'm a bit mean and i also don't want to be bothered with windows 7. At least now you have helped me this far its stable and i can use it till i get one.
Thank you again

ken545
2011-01-22, 19:57
Your very welcome.

I have Windows 7 on three of my systems and its amazing :)



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)


Safe Surfn
Ken

ken545
2011-01-25, 04:14
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.