
Thread: Malware suspected - Repeated deletions of desktop folder and it keeps reappearing!

  #11 Retired Graduate (Join Date: Dec 2009, Posts: 83)

    Hi Crymmsun,

    The folder on your desktop may be recreated by the software you used to process the audio files. I can't be sure. I have not seen any signs of malware on your computer thus far.


    Adobe Reader is out of date. Older versions have security vulnerabilities and you should update it.


    Uninstall Programs

    Click Start, click Run...
    Type appwiz.cpl and press Enter to open Add or Remove Programs
    For each of the programs listed below, highlight them in the list and click Remove

    Adobe Reader 8.1.7
    Java(TM) 6 Update 6
    Java(TM) 6 Update 7


    Once finished, close Add or Remove Programs window


    Download and Install Adobe Reader

    • Click Here to download the installer for Adobe Reader and save AdbeRdr930_en_US.exe to a convenient location.
    • Double-click AdbeRdr930_en_US.exe and follow the prompts to install Adobe Reader 9.3




    ESET Log

    If the ESET scan completed, the following should open the log.

    Copy the text in the code box below.
    Code:
    C:\Program Files\ESET\ESET Online Scanner\log.txt
    Click Start, click Run... and paste the above text in the Open: field and click OK.
    The ESET log should open.
    Please copy and paste it in your next reply.


    OTL Scan

    • Double-click OTL.exe to start the program
    • Click Run Scan in upper left of window.
    • Once it is finished, a log will open (OTL.txt)
    • Please copy and paste the contents of OTL.txt in your next reply.


    Please post the ESET log and the OTL log in your next reply.
    Graduate of Malware Removal University. You too could train to help others.

    Spybot Search & Destroy tutorial

  #12 Crymmsun, Member (Join Date: Jun 2008, Location: New Orleans, Louisiana, Posts: 53)

    It was my bad the log wasn't there. I didn't copy the log before ticking the "uninstall on finish" box. I went ahead and ran the ESET again. Here are my ESET and new OTL logs:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.16945 (vista_gdr.091027-0049)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=3c3f77a663d9474fa80eb90747c9102e
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-01-19 03:18:19
    # local_time=2010-01-18 09:18:19 (-0600, Central Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 48500953 48500953 0 0
    # compatibility_mode=769 16775141 100 98 0 199232724 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=54932
    # found=0
    # cleaned=0
    # scan_time=5132

    OTL logfile created on: 1/18/2010 9:25:38 PM - Run 3
    OTL by OldTimer - Version 3.1.25.1 Folder = C:\Documents and Settings\Owner\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,022.00 Mb Total Physical Memory | 604.00 Mb Available Physical Memory | 59.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
    Paging file location(s): C:\pagefile.sys 384 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.52 Gb Total Space | 27.95 Gb Free Space | 37.51% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: JUBILEE
    Current User Name: Owner
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
    PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
    PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
    PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
    PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
    PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
    PRC - C:\Program Files\Rainlendar2\Rainlendar2.exe ()
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - c:\Program Files\Microsoft LifeCam\MSCamS32.exe (Microsoft Corporation)
    PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
    PRC - C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
    PRC - C:\WINDOWS\system32\WLTRYSVC.EXE ()
    PRC - C:\WINDOWS\system32\BCMWLTRY.EXE (Dell Inc.)
    PRC - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
    PRC - C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
    PRC - C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation)


    ========== Modules (SafeList) ==========

    MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)


    ========== Win32 Services (SafeList) ==========

    SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
    SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
    SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
    SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
    SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
    SRV - (MSCamSvc) -- c:\Program Files\Microsoft LifeCam\MSCamS32.exe (Microsoft Corporation)
    SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
    SRV - (MSCSPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)
    SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)
    SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe ()
    SRV - (wltrysvc) -- C:\WINDOWS\System32\WLTRYSVC.EXE ()
    SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)


    ========== Driver Services (SafeList) ==========

    DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software)
    DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software)
    DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)
    DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software)
    DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)
    DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software)
    DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
    DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
    DRV - (TVICHW32) -- C:\WINDOWS\system32\drivers\TVICHW32.SYS (EnTech Taiwan)
    DRV - (AegisP) AEGIS Protocol (IEEE 802.1x) -- C:\WINDOWS\system32\drivers\AegisP.sys (Meetinghouse Data Communications)
    DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
    DRV - (VX3000) -- C:\WINDOWS\system32\drivers\VX3000.sys (Microsoft Corporation)
    DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
    DRV - (ialm) -- C:\WINDOWS\system32\drivers\ialmnt5.sys (Intel Corporation)
    DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.SYS (Conexant Systems, Inc.)
    DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
    DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
    DRV - (cercsr6) -- C:\WINDOWS\system32\drivers\cercsr6.sys (Adaptec, Inc.)
    DRV - (STAC97) Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\stac97.sys (SigmaTel, Inc.)
    DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
    DRV - (USBCM) -- C:\WINDOWS\system32\drivers\Sacm2A.sys ( )
    DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)
    DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
    DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ww2.cox.com/myconnection/neworleans/home.cox
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.selectedEngine: "Search"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://neworleans.cox.net/"
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/02 04:38:12 | 00,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/18 19:24:09 | 00,000,000 | ---D | M]

    [2009/03/09 06:43:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
    [2009/03/09 06:43:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\mozswing@mozswing.org
    [2009/12/02 04:49:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\akl73k0n.default\extensions
    [2008/10/02 04:46:39 | 00,000,274 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\akl73k0n.default\searchplugins\search.xml
    [2010/01/18 19:22:00 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2007/04/16 11:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

    O1 HOSTS File: (371676 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 127.0.0.1 www.007guard.com
    O1 - Hosts: 127.0.0.1 007guard.com
    O1 - Hosts: 127.0.0.1 008i.com
    O1 - Hosts: 127.0.0.1 www.008k.com
    O1 - Hosts: 127.0.0.1 008k.com
    O1 - Hosts: 127.0.0.1 www.00hq.com
    O1 - Hosts: 127.0.0.1 00hq.com
    O1 - Hosts: 127.0.0.1 010402.com
    O1 - Hosts: 127.0.0.1 www.032439.com
    O1 - Hosts: 127.0.0.1 032439.com
    O1 - Hosts: 127.0.0.1 www.100888290cs.com
    O1 - Hosts: 127.0.0.1 100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100sexlinks.com
    O1 - Hosts: 127.0.0.1 100sexlinks.com
    O1 - Hosts: 127.0.0.1 www.10sek.com
    O1 - Hosts: 127.0.0.1 10sek.com
    O1 - Hosts: 127.0.0.1 www.123topsearch.com
    O1 - Hosts: 127.0.0.1 123topsearch.com
    O1 - Hosts: 127.0.0.1 www.132.com
    O1 - Hosts: 127.0.0.1 132.com
    O1 - Hosts: 127.0.0.1 www.136136.net
    O1 - Hosts: 127.0.0.1 136136.net
    O1 - Hosts: 127.0.0.1 www.163ns.com
    O1 - Hosts: 127.0.0.1 163ns.com
    O1 - Hosts: 12837 more lines...
    O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
    O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
    O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
    O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
    O4 - HKLM..\Run: [Motorola Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe (Dell Inc.)
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
    O4 - HKCU..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe ()
    O4 - HKCU..\Run: [SansaDispatch] C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
    O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll (Sun Microsystems, Inc.)
    O15 - HKLM\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
    O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
    O15 - HKCU\..Trusted Domains: microsoft.com ([update] http in Trusted sites)
    O15 - HKCU\..Trusted Domains: 68 domain(s) and sub-domain(s) not assigned to a zone.
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/OAS/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/...oUploader5.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} http://i.dell.com/images/global/js/s.../SysProExe.cab (Scanner.SysScanner)
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo2.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsof...?1239734013757 (MUWebControl Class)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} http://support.f-secure.com/enu/home...fshc/fscax.cab (F-Secure Health Check 1.1)
    O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeup...tent/opuc4.cab (Office Update Installation Engine)
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/s...sh/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} https://secure.thefilingroom.com/members/XUpload.ocx (Persits Software XUpload)
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll (PCPitstop Exam)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/10/30 21:51:41 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O33 - MountPoints2\{82da9170-a5a0-11dc-90b5-00114362eace}\Shell\AutoRun\command - "" = wd_windows_tools\setup.exe
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - comfile [open] -- "%1" %*
    O35 - exefile [open] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/01/18 19:45:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2010/01/18 19:45:52 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
    [2010/01/18 19:24:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents
    [2010/01/18 02:21:23 | 00,000,000 | ---D | C] -- C:\_OTL
    [2010/01/15 19:16:41 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    [2010/01/12 23:31:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Julie's Documents\Downloads
    [2010/01/12 18:07:01 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
    [2010/01/08 01:58:23 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
    [2010/01/07 23:56:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
    [2009/12/23 17:53:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\ConsumerSoft
    [2009/12/23 17:53:47 | 00,000,000 | ---D | C] -- C:\Program Files\ConsumerSoft
    [2009/11/26 05:38:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
    [2009/11/23 01:10:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
    [2009/11/23 01:10:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2009/11/23 01:10:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2009/06/02 19:22:39 | 00,015,429 | R--- | C] ( ) -- C:\WINDOWS\System32\drivers\Sacm2A.sys
    [2008/04/14 23:15:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\AOL
    [2007/11/22 10:09:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
    [2007/10/30 22:12:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
    [2007/10/30 21:51:33 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

    ========== Files - Modified Within 30 Days ==========

    [2010/01/18 19:41:09 | 00,726,050 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/01/18 19:41:09 | 00,604,828 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/01/18 19:41:09 | 00,109,706 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/01/18 19:37:29 | 00,000,436 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
    [2010/01/18 19:37:03 | 00,000,450 | ---- | M] () -- C:\WINDOWS\tasks\EasyShare Registration RunOnce Task.job
    [2010/01/18 19:36:53 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/01/18 19:36:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/01/18 19:35:59 | 11,272,192 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
    [2010/01/18 19:35:35 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
    [2010/01/18 14:52:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
    [2010/01/18 08:42:10 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2010/01/16 07:17:06 | 00,000,202 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
    [2010/01/16 07:17:05 | 00,181,760 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/01/15 19:39:11 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\p7jp8646.exe
    [2010/01/15 19:16:44 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    [2010/01/13 23:47:00 | 00,000,436 | ---- | M] () -- C:\WINDOWS\tasks\EasyShare Registration Task.job
    [2010/01/12 23:00:13 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/01/07 23:31:29 | 00,371,676 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/01/04 20:25:28 | 00,125,952 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Yule09Chris.doc
    [2009/12/23 17:28:05 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

    ========== Files Created - No Company Name ==========

    [2010/01/15 19:39:08 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\p7jp8646.exe
    [2009/12/23 20:37:21 | 00,125,952 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Yule09Chris.doc
    [2009/10/11 02:55:06 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
    [2009/10/11 02:54:51 | 00,000,114 | ---- | C] () -- C:\WINDOWS\Sierra.ini
    [2009/06/02 19:22:39 | 00,053,693 | R--- | C] () -- C:\WINDOWS\UNDPX2A.sys
    [2008/07/25 00:21:40 | 00,015,498 | ---- | C] () -- C:\WINDOWS\VX3000.ini
    [2008/04/15 00:08:01 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
    [2008/02/21 05:42:13 | 00,001,145 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2008/02/04 17:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
    [2007/11/30 01:42:27 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2007/11/15 10:02:22 | 00,002,879 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    [2007/11/02 17:31:39 | 00,000,202 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2007/11/02 08:48:32 | 00,532,480 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll
    [2007/11/02 01:05:56 | 00,181,760 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2007/10/30 22:32:03 | 00,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
    [2007/10/30 22:32:03 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
    [1999/01/27 13:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
    [1997/06/13 07:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
    [1996/12/09 00:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
    [1996/12/09 00:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
    < End of report >
    Crymmsun
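    The OTL log above is read by hand in this thread; the script below is an added example (not part of the original post, and not OldTimer's or the helper's own code) of the first-pass triage a helper does on such a log. It parses the line shapes OTL prints for processes (PRC), services (SRV), Run-key autostarts (O4) and downloaded ActiveX controls (O16 DPF) and surfaces executables starting from user-writable folders, files with no company name in their version info, and ActiveX packages fetched over cleartext http from hosts outside a short vendor allowlist. The allowlist, the path heuristics and the last sample line are assumptions constructed for the example; the other sample lines are copied from the log above. Every hit is a lead for a human, not a verdict: the SanDisk and Rainlendar entries it flags are the same ones the helper judged benign.

```python
"""OTL log triage (added example, not the thread's or OldTimer's own code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: lines copied from the OTL log posted above, plus one
# CONSTRUCTED line at the end to show what a real hit looks like.
SAMPLE_OTL = r"""
PRC - C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
PRC - C:\Program Files\Rainlendar2\Rainlendar2.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
SRV - (wltrysvc) -- C:\WINDOWS\System32\WLTRYSVC.EXE ()
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKCU..\Run: [SansaDispatch] C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll (PCPitstop Exam)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/OAS/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O4 - HKCU..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe ()
"""

# PRC / SRV / O4 lines end in "<path> (<company>)"; the company is empty
# when the file carries no version resource.
FILE_RE = re.compile(
    r"^(?P<kind>PRC|SRV|O4)\b.*?(?P<path>[A-Za-z]:\\.*?\.(?:exe|sys|dll))\s*\((?P<company>[^)]*)\)\s*$",
    re.IGNORECASE,
)
DPF_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-F-]+)\}\s+(?P<url>\S+)\s+\((?P<desc>[^)]*)\)\s*$",
    re.IGNORECASE,
)

# Path fragments an unprivileged XP user can write to (assumption: default layout).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")
# Vendors whose DPF downloads over http are left unflagged (assumption, not exhaustive).
TRUSTED_DPF_HOSTS = ("microsoft.com", "eset.com", "java.sun.com", "macromedia.com")


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


def is_trusted_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(otl_text: str) -> list:
    """Return one Finding per suspicious property of each OTL line."""
    findings = []
    for line in otl_text.strip().splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            path, company = m["path"], m["company"].strip()
            low = path.lower()
            if any(frag in low for frag in USER_WRITABLE):
                findings.append(Finding("autostart/process from user-writable path", line))
            if not company:
                findings.append(Finding("file has no company/version info", line))
            # A Windows system binary name living outside System32 is a classic disguise.
            if low.endswith("\\svchost.exe") and not low.startswith("c:\\windows\\system32\\"):
                findings.append(Finding("system binary name outside System32", line))
            continue
        m = DPF_RE.match(line)
        if m:
            url, desc = m["url"], m["desc"]
            parsed = urlparse(url)
            host = parsed.hostname or ""
            if desc.lower().startswith("reg error"):
                findings.append(Finding("DPF entry with broken registration", line))
            if parsed.scheme != "https" and not is_trusted_host(host):
                findings.append(Finding(f"ActiveX package over cleartext http from {host}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"{f.reason:45s} | {f.line}")
```

    Run against the full log, the same rules would also flag OTL.exe itself on the Desktop and the empty company name on PACSPTISVR.exe, which is exactly why the output is a review list rather than a removal list.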

  #13 Retired Graduate (Join Date: Dec 2009, Posts: 83)

    Hi Crymmsun,

    I do not see any evidence of malware. Do you still have the non-deletable folder and the End Now dialog showing up at shutdown?

    Let's check the disc for errors.

    Copy the text in the code box below.

    Code:
    chkdsk c: /f
    • Click Start, click Run... and paste the above text in the Open: field.
    • A black window will open saying that chkdsk cannot run and will ask if you want to schedule a check next time system restarts.
    • Press Y, then press Enter
    • Restart the computer.
    • After restart a scan will begin.
      Do not touch the keyboard or mouse and let the scan finish.
    • After it is complete, Windows will load


    Once Windows loads, delete the stubborn folder and restart the computer.
    Note whether the issues remain and get back to me with that information.

  #14 Crymmsun, Member (Join Date: Jun 2008, Location: New Orleans, Louisiana, Posts: 53)

    Shinybeast,

    Everything seems to be five by five. The check disk reported nothing wrong and I haven't seen the folder pop back onto the desktop. Haven't had the End Now happen in a bit, either. So, got no idea what was going on there with those two things, but it looks like all is well... For now. ::Grins.::
    Crymmsun

  #15 Retired Graduate (Join Date: Dec 2009, Posts: 83)

    Hi Crymmsun,

    I'm glad the issues seem to be gone.


    Delete GMER file
    Delete the randomly named GMER file from your desktop. It looks like this


    OTL Cleanup

    Please run OTL which should still be on your desktop
    In the upper right click CleanUp
    This will delete OTL and will clean up after it.
    NOTE: OTL may need to reboot to finish clean up. Close all running programs and allow the reboot if necessary.


    Your logs are clean!


    Create a new System Restore point and clear old ones

    Please clear old restore points in order to avoid reintroducing malware from a restore point in the future.

    Create a new restore point
    • Navigate to Start > All Programs > Accessories > System Tools and click System Restore
    • On the right side of the welcome window, select (tick) Create a restore point, then click Next
    • Under Restore point description, name the restore point (I suggest post-malware removal or something similar)
    • Click Create, then click Close


    Delete old restore points
    • Click Start, click Run..., type cleanmgr and press Enter
    • Select the drive XP is installed on (usually C: ) and click OK
    • Once the Disk Cleanup dialog opens, click the More Options tab
    • Under System Restore click Clean up...
    • You will be asked if you are sure you want to clean all restore points but the most recent one, click Yes
    • Close the Disk Cleanup dialog to finish.

    Note: Do the above once. Restore points should not be routinely deleted.


    Implementing the following suggestions will greatly reduce your chances of malware problems in the future.

    Update Windows

    It is important to keep Windows and Microsoft programs updated to close vulnerabilities as they are discovered.

    I suggest that you occasionally visit Microsoft Update and install all important updates. Please visit Microsoft Update as soon as possible as described below.

    Close all windows and temporarily disable your anti-virus (usually through a tray icon)

    Use Internet Explorer to visit this site: http://update.microsoft.com/microsof....aspx?ln=en-US

    Once the page loads follow instructions to install all critical updates. You may need to repeat this process until fully updated.


    Keep installed programs up to date

    Anti-virus
    Most important is keeping your anti-virus software up to date. An out-of-date anti-virus is not much better than no anti-virus. If your anti-virus is not set to update automatically (preferred), it is imperative that you occasionally update it manually. You usually can accomplish this through a tray icon.

    Update Other Vulnerable Software
    Malware writers are increasingly targeting vulnerabilities in commonly used applications. There are several online sites which will scan your computer for outdated software. I've listed two below. I recommend occasionally visiting and scanning your computer to detect vulnerable software that should be updated.
    Secunia Online Software Inspector
    F-Secure Health Check

    Mozilla Firefox Plug-in Check
    If using Firefox, Click here to visit Mozilla, check your plug-ins and update them as necessary.


    Best Practices for Email and Downloaded Files.

    • Do not read emails from unknown sources.
    • Make it a habit to never open email attachments from anyone, including people you know, unless you absolutely have to. If you need to open an attachment, scan it with your anti-virus before you open it.
    • Do not use Peer to Peer software to "share" media and software. You will get more than you expected and the "bonus" will not be something you want and will bring you back seeking help.
    • Do not use keygens or hacked software. First, it is stealing. Second, it is almost always infected with something. If you cannot afford to buy something, there is likely a free alternative that will be a good substitute. Search around and seek out advice from a trusted forum. Most will be glad to tell you of their favorite free program that performs the job you want done.



    Additional Protection Programs

    The programs listed below are excellent for improving your computer's security.

    WinPatrol by Bill Pytlovany - "WinPatrol is a multi-purpose utility designed to increase performance and protect against unwanted changes." Information on its many features can be found here

    MVPS Hosts file - A replacement HOSTS file that redirects known malicious and ad serving sites to the localhost, thus preventing connection to them.
    Note: MVPS Hosts file can sometimes slow down the computer so read the information on the site to mitigate this effect.

    I encourage you to check out Tony Klein's article "How did I get infected in the first place?"
    and miekiemoes' article "How to prevent Malware:"

    If you have any questions about these suggestions, I would be happy to answer them.

    Regards,
    shinybeast

    I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
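    The MVPS HOSTS file recommended above, like the Spybot immunization entries visible as O1 lines in the OTL log, is benign only because every entry points at a loopback or null address. Malware edits the same file in the opposite direction: it redirects vendor and banking domains to remote addresses, or maps anti-virus and update sites to 127.0.0.1 so the machine can no longer update. The script below is an added example (not part of the original post, and not MVPS's or Spybot's code) that audits a hosts file for exactly that difference and also reports when the file is large enough to slow lookups on XP, where the DNS Client service loads the whole file into its cache. The sample file, the PROTECTED_DOMAINS list and the LARGE_FILE_ENTRIES threshold are assumptions constructed for the example; only the 007guard.com pair is taken from the log above.

```python
"""Hosts-file audit (added example; not the thread's, MVPS's or Spybot's code)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample. The 007guard.com pair appears in the OTL log above;
# the lines marked CONSTRUCTED are invented here to exercise each check.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0 ads.example.net                # null-route style, also a block entry
127.0.0.1 a.example b.example          # several hostnames on one line
10.0.0.5 www.microsoft.com             # CONSTRUCTED hijack of a vendor domain
203.0.113.7 update.microsoft.com       # CONSTRUCTED hijack of an update server
127.0.0.1 avast.com                    # CONSTRUCTED: blocks the user's AV vendor
198.51.100.9 www.mybank.example        # CONSTRUCTED redirect to a remote address
999.1.1.1 broken.example               # CONSTRUCTED malformed address
"""

# Domains a blocklist hosts file has no business touching (assumption, not exhaustive).
PROTECTED_DOMAINS = ("microsoft.com", "windowsupdate.com", "avast.com",
                     "eset.com", "malwarebytes.org", "mozilla.org")
# Above this many entries the XP DNS Client service noticeably slows name
# lookups (threshold is an assumption; the log above shows ~12,000 entries).
LARGE_FILE_ENTRIES = 5000


@dataclass
class HostsReport:
    entries: int = 0
    large: bool = False
    findings: list = field(default_factory=list)   # (line number, reason, "ip host")


def classify(ip_text: str, host: str):
    """Return a reason string for a suspicious entry, or None if it is benign."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable address"
    h = host.lower().rstrip(".")
    if h in ("localhost", "localhost.localdomain"):
        return None if ip.is_loopback else "localhost remapped"
    if any(h == d or h.endswith("." + d) for d in PROTECTED_DOMAINS):
        return "protected domain overridden"
    if not (ip.is_loopback or ip.is_unspecified):
        return "host redirected to remote address"
    return None


def audit_hosts(text: str) -> HostsReport:
    report = HostsReport()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip_text, *hosts = line.split()
        if not hosts:
            report.findings.append((lineno, "address with no hostname", line))
            continue
        for host in hosts:
            report.entries += 1
            reason = classify(ip_text, host)
            if reason:
                report.findings.append((lineno, reason, f"{ip_text} {host}"))
    report.large = report.entries > LARGE_FILE_ENTRIES
    return report


if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print(f"{r.entries} entries, large={r.large}")
    for lineno, reason, entry in r.findings:
        print(f"line {lineno}: {reason}: {entry}")
```

    Point it at C:\WINDOWS\system32\drivers\etc\hosts on the XP machine and a clean MVPS install produces a large entry count and no findings; any "protected domain overridden" or "redirected to remote address" line is worth the same attention the helper gave the O1 section of the OTL log.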

  #16 Crymmsun, Member (Join Date: Jun 2008, Location: New Orleans, Louisiana, Posts: 53)

    Hi Shinybeast,

    Thank you so much for helping me. You're an ace. ::Smiles.:: I have done all that you suggested and will be keeping my computer up to date, implementing all you've told me about.

    Again, thank you for all you do here helping people and their computers stay safe!

    Crymmsun

  #17 Retired Graduate (Join Date: Dec 2009, Posts: 83)

    You are very welcome, Crymmsun.
    Stay safe!

  #18 Dakeyras, Security Expert-Emeritus (Join Date: Sep 2008, Location: The Tundra, Posts: 1,173)

    Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
