
Thread: Issues and need tissues

  1. #1
    Member
    Join Date
    Jan 2009
    Posts
    35


    This computer was infected last week. I ran Spybot, then Malwarebytes, and thought I got it. Apparently not. I tried the same today and got an error in Spybot that states it cannot create the file C:\windows\system32\drivers\etc\host. I found the exact complaint in the forums, where the helper advised deleting the host txt file and had a link for a copy-and-paste of another file. That did not work either.

    Below is my DDS file and then the spybot log as requested in the instructions for help.

    I appreciate any help!

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Mom and Dad at 13:03:13.04 on Fri 03/25/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1279 [GMT -7:00]
    .
    AV: Personal Internet Security 2011 *Enabled/Updated* {AE717E0F-F02D-41FA-846F-EC467DFE0AEF}
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Personal Internet Security 2011 *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Greetings Workshop\GWREMIND.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Mom and Dad\Local Settings\Temporary Internet Files\Content.IE5\JO1GMM1D\dds[1].scr
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyServer = http=127.0.0.1:25547
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    StartupFolder: c:\docume~1\momand~1\startm~1\programs\startup\greeti~1.lnk - c:\program files\greetings workshop\GWREMIND.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    uPolicies-explorer: DisallowRun = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279841975171
    DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.gunbroker.com/WebResource.axd?d=Qydpf0KIwF1Fr6RRPI2vp09Qx7960W1PefrwdgTL1YWRWyUo6in6PN6VS7m59gst6zjhnPK4xtevtkkiPAeNbVdLz1lm1BKvO-eVx_B2d1Lb7EFrywmMr-EfCQUqniwFPL_qr5-6LT50B9lSJqZDgme2Vksu6ajL4Qvm6a-2VX8ROm8K0&t=634230999680000000
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    IFEO: image file execution options - svchost.exe
    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 getantivirusplusnow.com
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-22 294608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-22 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-22 40384]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-20 363344]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-12-10 92008]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-20 20952]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-4 136176]
    S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-03-21 23:23:29 -------- d-----w- c:\docume~1\momand~1\locals~1\applic~1\InContext Solutions
    2011-03-20 23:07:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-20 23:06:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-20 23:06:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-20 22:49:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-20 22:49:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-03-17 23:33:27 -------- d-----w- c:\docume~1\momand~1\locals~1\applic~1\Help
    2011-03-17 23:33:15 -------- d-----w- C:\Sierra
    2011-03-02 01:49:55 -------- d-----w- c:\documents and settings\mom and dad\Citrix
    2011-02-26 00:19:50 -------- d-----w- c:\program files\Greetings Workshop
    .
    ==================== Find3M ====================
    .
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 20:06:36 38848 ----a-w- c:\windows\avastSS.scr
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 13:03:55.57 ===============

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    4-open-davinci.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    securitysoftwarepayments.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    privatesecuredpayments.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    secure.privatesecuredpayments.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    getantivirusplusnow.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    secure-plus-payments.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    www.getantivirusplusnow.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    www.secure-plus-payments.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    www.getavplusnow.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    safebrowsing-cache.google.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    urs.microsoft.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    www.securesoftwarebill.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    secure.paysecuresystem.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    paysoftbillsolution.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    protected.maxisoftwaremart.com=74.125.45.100

    Microsoft.Windows.RedirectedHosts: [SBI $B89FBA81] Redirected host (Redirected host, nothing done)
    www.securesoftwarebill.com=74.125.45.100

    Microsoft.Windows.RedirectedHosts: [SBI $19781685] Redirected host (Redirected host, nothing done)
    secure.paysecuresystem.com=74.125.45.100

    Microsoft.Windows.RedirectedHosts: [SBI $CEFF52BA] Redirected host (Redirected host, nothing done)
    paysoftbillsolution.com=74.125.45.100



    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2011-03-24 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2011-03-18 Includes\Adware.sbi (*)
    2011-03-22 Includes\AdwareC.sbi (*)
    2010-08-12 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-03-08 Includes\DialerC.sbi (*)
    2011-02-24 Includes\HeavyDuty.sbi (*)
    2010-11-30 Includes\Hijackers.sbi (*)
    2011-03-08 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-12-14 Includes\Keyloggers.sbi (*)
    2011-03-08 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2011-02-24 Includes\Malware.sbi (*)
    2011-03-22 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2011-03-15 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2011-03-08 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2011-02-24 Includes\Spyware.sbi (*)
    2011-03-15 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-12-28 Includes\Trojans.sbi (*)
    2011-03-22 Includes\TrojansC-02.sbi (*)
    2011-03-03 Includes\TrojansC-03.sbi (*)
    2011-03-08 Includes\TrojansC-04.sbi (*)
    2011-03-21 Includes\TrojansC-05.sbi (*)
    2011-03-08 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    Backup Your Registry with ERUNT:
    • Download erunt.zip to your Desktop from here:
      http://aumha.org/downloads/erunt.zip
    • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
    • Inside the new folder, double-click ERUNT.exe to start the program
    • OK all the prompts to back up your registry to the default location.
    Note: to restore your registry, go to the backup folder and start ERDNT.exe

    Open OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

      Code:
      :processes
      killallprocesses
      
      :OTL
      uInternet Settings,ProxyServer = http=127.0.0.1:25547
      Hosts: 74.125.45.100 4-open-davinci.com
      Hosts: 74.125.45.100 securitysoftwarepayments.com
      Hosts: 74.125.45.100 privatesecuredpayments.com
      Hosts: 74.125.45.100 secure.privatesecuredpayments.com
      Hosts: 74.125.45.100 getantivirusplusnow.com
      .
      
      
      :Services
      
      :Reg
      
      :Files
      ipconfig /flushdns /c
      
      
      
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top. <--Not run Scan
    • Let the program run unhindered, reboot when it is done
    • Then post the results of the log it produces.
    • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
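    The fix above targets three indicators that appear in the DDS log in post #1: hosts entries that send names to a non-loopback address (Spybot lists them as "Redirected host"), a browser proxy on 127.0.0.1, and an IFEO entry on svchost.exe. The following triage parser for those DDS "Pseudo HJT Report" lines is an added example, not code from DDS, Spybot S&D or OTL; its sample input is a constructed excerpt modelled on that log, and the IFEO watch list is an assumption.

```python
"""Triage helper for the DDS 'Pseudo HJT Report' lines quoted in this thread.

Constructed example (not part of DDS, Spybot S&D or OTL).  It pulls out the
three indicators the OTL fix above is aimed at:
  * hosts-file entries that send a name to a non-loopback address
    (Spybot reports these as 'Redirected host'),
  * a browser proxy pointing at 127.0.0.1, i.e. a local process in front of IE,
  * an Image File Execution Options entry on a core system binary.
"""
import re
from collections import defaultdict

# Addresses a hosts file may legitimately map names to (loopback / blackhole).
LOOPBACK_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}
# Assumed watch list: core binaries that should never carry an IFEO entry on a home PC.
IFEO_WATCHLIST = {"svchost.exe", "explorer.exe", "userinit.exe", "winlogon.exe"}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(\S+)")
IFEO_RE = re.compile(r"^IFEO:.*?\s-\s(\S+)$")


def parse_dds_hjt(text):
    """Return the suspicious indicators found in DDS pseudo-HJT lines.

    redirects -> {target_ip: [names...]} for mappings to non-loopback IPs
    blocked   -> names pinned to loopback other than 'localhost'
    proxy     -> ProxyServer values whose host is 127.0.0.1 / localhost
    ifeo      -> watch-listed binaries that have an IFEO entry
    """
    redirects = defaultdict(list)
    findings = {"blocked": [], "proxy": [], "ifeo": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.groups()
            if ip in LOOPBACK_TARGETS:
                if name.lower() != "localhost":
                    findings["blocked"].append(name)
            else:
                redirects[ip].append(name)
            continue
        m = PROXY_RE.search(line)
        if m:
            proxy = m.group(1)
            # DDS prints the value as 'http=host:port' (or just 'host:port').
            host = proxy.split("=")[-1].rsplit(":", 1)[0]
            if host in ("127.0.0.1", "localhost"):
                findings["proxy"].append(proxy)
            continue
        m = IFEO_RE.match(line)
        if m and m.group(1).lower() in IFEO_WATCHLIST:
            findings["ifeo"].append(m.group(1).lower())
    findings["redirects"] = dict(redirects)
    return findings


def summarize(findings):
    """One human-readable line per indicator, in the order a helper would act."""
    out = []
    for ip, names in sorted(findings["redirects"].items()):
        out.append(f"hosts redirect -> {ip}: {', '.join(names)}")
    for name in findings["blocked"]:
        out.append(f"hosts block: {name} pinned to loopback")
    for proxy in findings["proxy"]:
        out.append(f"loopback proxy: {proxy}")
    for binary in findings["ifeo"]:
        out.append(f"IFEO entry on system binary: {binary}")
    return out


# Constructed excerpt modelled on the DDS log in post #1 (not the full log).
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:25547
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 127.0.0.1 localhost
Hosts: ::1 localhost
Hosts: 127.0.0.1 updates.example-av.test
"""

if __name__ == "__main__":
    for line in summarize(parse_dds_hjt(SAMPLE_DDS)):
        print(line)
```

    Every redirect line it reports is one that the OTL fix above removes with [resethosts], and the proxy line is the one the :OTL section deletes.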

  3. #3
    Member
    Join Date
    Jan 2009
    Posts
    35


    Quote:
    • Then click the Run Fix button at the top. <--Not run Scan
    • Let the program run unhindered, reboot when it is done
    • Then post the results of the log it produces.

    Done. Here is the first log you requested:

    All processes killed
    ========== PROCESSES ==========
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Mom and Dad\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Mom and Dad\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 56504 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 49914 bytes

    User: Mom and Dad
    ->Temp folder emptied: 1821884 bytes
    ->Temporary Internet Files folder emptied: 277219203 bytes
    ->Java cache emptied: 22520366 bytes
    ->Flash cache emptied: 415025 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 718755 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2195181 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 491732 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 12801524 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 304.00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 03262011_173059

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\Mom and Dad\Local Settings\Temp\~DF6763.tmp not found!
    File\Folder C:\Documents and Settings\Mom and Dad\Local Settings\Temp\~DF6777.tmp not found!
    File\Folder C:\Documents and Settings\Mom and Dad\Local Settings\Temp\~DF68C6.tmp not found!
    File\Folder C:\Documents and Settings\Mom and Dad\Local Settings\Temp\~DF68DA.tmp not found!
    File\Folder C:\Documents and Settings\Mom and Dad\Local Settings\Temp\~DF6920.tmp not found!
    File\Folder C:\Documents and Settings\Mom and Dad\Local Settings\Temp\~DF6934.tmp not found!
    C:\Documents and Settings\Mom and Dad\Local Settings\Temporary Internet Files\Content.IE5\PQ4VNKXU\showthread[1].htm moved successfully.
    C:\Documents and Settings\Mom and Dad\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    Quote:
    • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

    Here is the second log you requested:


    OTL logfile created on: 3/26/2011 5:37:16 PM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Mom and Dad\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.82 Gb Total Space | 214.49 Gb Free Space | 92.13% Space Free | Partition Type: NTFS

    Computer Name: HUFF | User Name: Mom and Dad | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/03/26 17:29:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mom and Dad\Desktop\OTL.exe
    PRC - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    PRC - [2011/01/13 01:47:34 | 003,396,624 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2011/01/13 01:47:33 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2010/12/20 18:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2010/12/20 18:08:56 | 000,443,728 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2010/12/10 05:29:00 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    PRC - [2010/12/10 05:28:56 | 000,247,144 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/02/10 07:56:12 | 000,479,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    PRC - [1997/09/04 00:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Greetings Workshop\GWREMIND.EXE


    ========== Modules (SafeList) ==========

    MOD - [2011/03/26 17:29:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mom and Dad\Desktop\OTL.exe
    MOD - [2011/01/13 01:47:35 | 000,189,728 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\snxhk.dll
    MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- -- (nosGetPlusHelper) getPlus(R)
    SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
    SRV - [2011/02/28 18:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
    SRV - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
    SRV - [2011/01/13 01:47:33 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/12/20 18:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2010/12/10 05:29:00 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/01/13 01:41:16 | 000,294,608 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/01/13 01:40:16 | 000,047,440 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/01/13 01:40:04 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2011/01/13 01:37:30 | 000,023,632 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/01/13 01:37:11 | 000,029,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2011/01/13 01:37:09 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2009/05/16 03:58:46 | 004,069,888 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2007/05/02 16:21:22 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B0 9B F1 1A 86 EA CB 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25547

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: MapShare-status@tomtom.com:1.7.1
    FF - prefs.js..extensions.enabledItems: baseTheme@tomtom.com:1.0.2


    [2011/02/09 21:57:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Extensions
    [2011/02/09 21:57:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Extensions\home2@tomtom.com
    [2011/02/09 21:57:36 | 000,000,000 | ---D | M] (Map status indicator) -- C:\PROGRAM FILES\TOMTOM HOME 2\XUL\EXTENSIONS\MAPSHARE-STATUS@TOMTOM.COM

    O1 HOSTS File: ([2011/03/26 17:31:05 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
    O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
    O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
    O4 - Startup: C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE (Microsoft Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/s...irector/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/micr...?1279841975171 (MUWebControl Class)
    O16 - DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} http://www.gunbroker.com/WebResource...30999680000000 (Image Uploader Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} http://panda-plugin.disney.go.com/pl...p3dactivex.cab (P3DActiveX Control)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.65
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/07/22 15:54:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O33 - MountPoints2\{e4bd539f-34aa-11e0-9b84-001d09990735}\Shell\AutoRun\command - "" = J:\InstallTomTomHOME.exe
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O35 - HKCU\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKCU\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/03/26 17:30:59 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/03/26 17:29:46 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mom and Dad\Desktop\OTL.exe
    [2011/03/25 14:36:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\Mozilla
    [2011/03/25 13:02:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/03/25 13:01:58 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
    [2011/03/25 13:01:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
    [2011/03/21 16:23:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Start Menu\Programs\InContext Solutions
    [2011/03/21 16:23:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\InContext Solutions
    [2011/03/20 16:07:01 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/03/20 16:07:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/03/20 16:06:58 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/03/20 16:06:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/03/20 15:49:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
    [2011/03/20 15:49:38 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2011/03/20 15:49:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    [2011/03/20 15:25:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2011/03/17 16:33:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\Help
    [2011/03/17 16:33:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Application Data\Help
    [2011/03/17 16:33:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Sierra
    [2011/03/17 16:33:15 | 000,000,000 | ---D | C] -- C:\Sierra
    [2011/03/09 15:30:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\My Documents\lead pot
    [2011/03/04 18:58:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Desktop\Favorites
    [2011/03/03 19:17:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Desktop\Kittens
    [2011/03/01 18:49:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Citrix
    [2011/02/25 17:20:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Greetings Workshop
    [2011/02/25 17:19:50 | 000,000,000 | ---D | C] -- C:\Program Files\Greetings Workshop

    ========== Files - Modified Within 30 Days ==========

    [2011/03/26 17:33:32 | 000,000,892 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/03/26 17:33:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/03/26 17:31:05 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
    [2011/03/26 17:29:50 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mom and Dad\Desktop\OTL.exe
    [2011/03/26 17:20:00 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/03/25 14:36:46 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
    [2011/03/25 13:47:53 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2011/03/24 19:13:45 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Mom and Dad\Desktop\Spybot - Search & Destroy.lnk
    [2011/03/22 17:01:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2011/03/20 16:07:01 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/03/20 15:37:05 | 000,018,114 | -HS- | M] () -- C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\8q1gjv45b1b2ny58w4voq16g4u2
    [2011/03/20 15:37:05 | 000,018,114 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8q1gjv45b1b2ny58w4voq16g4u2
    [2011/03/19 21:16:30 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Mom and Dad\Desktop\Microsoft Office Word 2007.lnk
    [2011/03/19 12:36:26 | 000,870,128 | ---- | M] () -- C:\Documents and Settings\Mom and Dad\Application Data\mcs.rma
    [2011/03/19 12:36:26 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Mom and Dad\Application Data\7B25EC
    [2011/03/17 16:36:53 | 000,000,277 | ---- | M] () -- C:\WINDOWS\SIERRA.INI
    [2011/03/17 16:25:26 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Mom and Dad\Desktop\Microsoft Office Excel 2007.lnk
    [2011/03/09 01:44:30 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/03/01 18:50:02 | 000,000,081 | ---- | M] () -- C:\CTX.DAT
    [2011/02/26 10:57:50 | 000,266,208 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/02/25 17:20:43 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk
    [2011/02/25 17:20:40 | 000,000,752 | ---- | M] () -- C:\Documents and Settings\Mom and Dad\Desktop\Greetings Workshop.lnk
    [2011/02/25 17:20:40 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Mom and Dad\Desktop\Install Microsoft Internet Explorer.lnk

    ========== Files Created - No Company Name ==========

    [2011/03/25 14:36:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2011/03/24 19:13:45 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Mom and Dad\Desktop\Spybot - Search & Destroy.lnk
    [2011/03/20 16:07:01 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/03/19 21:16:28 | 000,018,114 | -HS- | C] () -- C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\8q1gjv45b1b2ny58w4voq16g4u2
    [2011/03/19 21:16:28 | 000,018,114 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8q1gjv45b1b2ny58w4voq16g4u2
    [2011/03/17 16:36:16 | 000,000,277 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
    [2011/03/01 18:50:02 | 000,000,081 | ---- | C] () -- C:\CTX.DAT
    [2011/02/25 17:20:43 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk
    [2011/02/25 17:20:40 | 000,000,752 | ---- | C] () -- C:\Documents and Settings\Mom and Dad\Desktop\Greetings Workshop.lnk
    [2011/02/25 17:20:40 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Mom and Dad\Desktop\Install Microsoft Internet Explorer.lnk
    [2010/12/29 12:39:03 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\Mom and Dad\Application Data\mcs.rma
    [2010/12/29 12:39:03 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Mom and Dad\Application Data\7B25EC
    [2010/12/27 13:01:18 | 000,011,970 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2010/12/13 16:15:28 | 000,000,213 | ---- | C] () -- C:\WINDOWS\1STLADY.INI
    [2010/11/28 14:49:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
    [2010/07/30 16:21:06 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/07/23 10:47:57 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\fusioncache.dat
    [2010/07/22 18:02:41 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
    [2010/07/22 17:56:02 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
    [2010/07/22 17:54:27 | 000,117,088 | ---- | C] () -- C:\WINDOWS\hpoins11.dat.temp
    [2010/07/22 17:54:27 | 000,011,634 | ---- | C] () -- C:\WINDOWS\hpomdl11.dat.temp
    [2010/07/22 17:54:03 | 000,011,634 | ---- | C] () -- C:\WINDOWS\hpomdl11.dat
    [2010/07/22 17:32:14 | 000,116,734 | ---- | C] () -- C:\WINDOWS\hpoins11.dat
    [2010/07/22 16:50:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
    [2010/07/22 16:40:21 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
    [2010/07/22 16:03:14 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
    [2010/07/22 15:55:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2010/07/22 15:52:09 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2010/07/22 08:46:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2010/07/22 08:45:20 | 000,266,208 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2009/05/16 02:54:02 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
    [2009/05/16 02:54:02 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
    [2009/04/23 19:04:54 | 000,189,051 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2009/02/18 17:55:22 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
    [2009/02/03 20:52:04 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe
    [2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
    [2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
    [2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
    [2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
    [2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
    [2005/03/22 11:48:43 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2005/03/22 11:48:43 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 03:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 03:00:00 | 000,526,100 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 03:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 03:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 03:00:00 | 000,095,448 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 03:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 03:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 03:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 03:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

    < End of report >

  4. #4
    Emeritus-Security Expert

    Good Morning,

    I am looking at an entry for a toolbar that is locked with no information. Are there any unwanted toolbars that you do not want?

    Your hosts file has been reset back to the Microsoft default, so you should be OK in this department.

    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as
      ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
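The check behind the helper's "hosts file has been reset to the Microsoft default" remark, as an added example that is not code from the thread or from Spybot, Malwarebytes, avast! or ESET: a hosts-file hijack of the kind ESET later labels Win32/Qhost either pins antivirus and update hosts to a sink address (127.0.0.1 or 0.0.0.0) so cleaners cannot be downloaded, or maps popular names to an attacker-chosen address. The audit below parses hosts-file text and separates the stock entries from both patterns. `PROTECTED_SUFFIXES`, `SAMPLE_HOSTS` and the function names are assumptions constructed for this demonstration; to run it against a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` into `audit_hosts` instead of the sample.

```python
"""Audit a Windows hosts file for Win32/Qhost-style hijack entries.

Added example, not code from the thread or from any tool named in it.
PROTECTED_SUFFIXES and SAMPLE_HOSTS are assumptions constructed for the demo.
"""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[int, str, str]  # (line number, address, hostname)

# Names that have no business in a home hosts file whatever they point at.
# Assumed list; extend it with the vendors you rely on.
PROTECTED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "avast.com",
    "malwarebytes.org",
    "safer-networking.org",
    "eset.com",
)

# The only mappings a stock Windows hosts file carries (XP ships the first;
# Vista and later add the IPv6 line).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> List[Entry]:
    """Return every (line_no, address, name) mapping; comments and blanks skipped."""
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not an address-name mapping; ignore the malformed line
        for name in names:
            entries.append((line_no, address, name.lower()))
    return entries


def is_sink(address: str) -> bool:
    """True for loopback or the unspecified address, the usual 'block' targets."""
    addr = ipaddress.ip_address(address)
    return addr.is_loopback or addr.is_unspecified


def is_protected(name: str) -> bool:
    """True when the name is, or sits under, one of the protected domains."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Bucket each mapping as default, redirect, blocked_security or other."""
    report: Dict[str, List[Entry]] = {
        "default": [], "redirect": [], "blocked_security": [], "other": []}
    for entry in parse_hosts(text):
        _, address, name = entry
        if (address, name) in DEFAULT_ENTRIES:
            report["default"].append(entry)
        elif not is_sink(address):
            report["redirect"].append(entry)          # sent somewhere else
        elif is_protected(name):
            report["blocked_security"].append(entry)  # vendor site sinkholed
        else:
            report["other"].append(entry)             # local or ad-block entry
    return report


# Constructed sample: a stock header plus lines of the kind a Qhost infection writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org   # cleaner download sinkholed
203.0.113.10    www.google.com         # popular site sent to another address
::1             localhost
"""

if __name__ == "__main__":
    for kind, rows in audit_hosts(SAMPLE_HOSTS).items():
        for line_no, address, name in rows:
            print(f"{kind:17s} line {line_no:2d}  {address:15s} {name}")
```

Anything in the `redirect` or `blocked_security` buckets is worth explaining before the file is declared clean; entries in `other` are usually ad-blocking lists the owner added on purpose, but on a machine that has just been cleaned they deserve a look too.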

  5. #5
    Member

    There are no unwanted toolbars. There used to be, but they were removed some time ago. Maybe the entry is just a remnant.

    Here is the log after the scan you requested:

    C:\Documents and Settings\All Users\Application Data\eb29ef\552.mof Win32/RogueAV.A trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160309.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160315.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160316.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160317.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160318.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160319.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160320.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160321.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160322.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160323.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160353.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160354.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160355.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160356.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160357.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110320-160358.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110324-190415.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110324-190420.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110324-190422.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110324-190423.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110324-190439.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110324-190440.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110324-193340.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-094702.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-095633.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-095809.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-095811.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-104436.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-104437.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-104439.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-123645.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-123648.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-123649.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-123650.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-123651.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-125531.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-125541.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-125542.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-125543.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-125544.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-125545.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-125546.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-125658.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-125714.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-135946.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-135949.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-135950.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-135951.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-135952.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\etc\hosts.20110325-135953.backup Win32/Qhost trojan cleaned by deleting - quarantined
    C:\_OTL\MovedFiles\03262011_173059\C_WINDOWS\System32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting (after the next restart) - quarantined
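The ESET log above lists dozens of `hosts.YYYYMMDD-HHMMSS.backup` files, several of them only a second apart. Reading those stamps as a timeline is the useful forensic step here, and this added example (not code from the thread or from ESET or Spybot) does it: it extracts the timestamps, sorts them, and groups ones that fall within a short gap into bursts. A run of backups seconds apart means a cleaner saved and replaced the file and something wrote the hijack back each time, so the process responsible was still running. That the stamp is the moment the old file was saved before repair is an assumption taken from the file names; `SAMPLE_LOG` is a subset of the lines posted above, and the five-minute gap threshold is an assumption.

```python
"""Reconstruct a hosts-file rewrite timeline from hosts.*.backup names.

Added example, not code from the thread or from any tool in it. SAMPLE_LOG is
a subset of the ESET result lines posted in the thread; the gap threshold is
an assumption.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

BACKUP_RE = re.compile(r"hosts\.(\d{8}-\d{6})\.backup\b", re.IGNORECASE)


def backup_times(log_text: str) -> List[datetime]:
    """Timestamps embedded in every hosts.*.backup path, ascending."""
    return sorted(
        datetime.strptime(m.group(1), "%Y%m%d-%H%M%S")
        for m in BACKUP_RE.finditer(log_text)
    )


def bursts(times: List[datetime], gap: timedelta) -> List[List[datetime]]:
    """Split an ascending timeline wherever consecutive events are more than `gap` apart."""
    groups: List[List[datetime]] = []
    for t in times:
        if groups and t - groups[-1][-1] <= gap:
            groups[-1].append(t)
        else:
            groups.append([t])
    return groups


def summarize(log_text: str, gap: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """One row per burst: first/last stamp (ISO), how many rewrites, seconds spanned."""
    rows: List[Dict[str, object]] = []
    for g in bursts(backup_times(log_text), gap):
        rows.append({
            "start": g[0].isoformat(),
            "end": g[-1].isoformat(),
            "count": len(g),
            "span_s": int((g[-1] - g[0]).total_seconds()),
        })
    return rows


# Sample input: a subset of the ESET result lines posted in the thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\eb29ef\552.mof Win32/RogueAV.A trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110320-160309.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110320-160315.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110320-160316.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110320-160317.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110320-160318.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110320-160319.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110324-190415.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110324-190420.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110324-190422.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110325-125541.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110325-125542.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110325-125543.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.20110325-125544.backup Win32/Qhost trojan cleaned by deleting - quarantined
C:\_OTL\MovedFiles\03262011_173059\C_WINDOWS\System32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting (after the next restart) - quarantined
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f"{row['start']} .. {row['end']}  {row['count']:2d} rewrites in {row['span_s']} s")
```

On the full log the bursts line up with the days the poster ran Spybot and Malwarebytes (20, 24 and 25 March), which is the pattern to expect when a cleaner and a still-running dropper keep overwriting each other; a single backup with a long quiet period afterwards is what a successful repair looks like.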

  6. #6
    Member

    When you have a moment, why didn't Avast or Malwarebytes detect these?

  7. #7
    Emeritus-Security Expert

    Hey, how are ya doing? Hope you're having a good day.

    Well, in response to your question, there is no silver bullet; what one program finds another may not. I've been at this for over 8 years, and the threats nowadays are so much more complicated than they were back then. Your AV blocks viruses and this was malware, if that makes sense.

    What happened to you was that your hosts file got infected, but it looks fine now. ESET found and removed the older infected hosts files.

    How are things running now?

  8. #8
    Member

    It seems everything is running OK; I just need to get the Windows security alerts back online for updates. For some reason it will not turn on.

  9. #9
    Member

    Windows is telling me to turn on automatic updates, but it gives me an error and won't. When I try to go to the Windows Update web site it gives an error and will not scan for updates. That seems to be the only issue now.

    I know everyone has their opinion, but are Avast and Malwarebytes up in the good category? I have read they are, but I consider you more of an expert than just reading on the web.

  10. #10
    Emeritus-Security Expert

    Avast is more than adequate, and Malwarebytes is one of the better programs on the internet.

    Let's run a few more scans.


    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please




    Open OTL and run a new scan and post the log please
    Last edited by ken545; 2011-03-27 at 23:25.
