Computer infected with Window Fix Disc

[johnallanchambers]

OTL Extras logfile created on: 4/16/2011 12:48:46 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\John\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 129.00 Mb Available Physical Memory | 26.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 33.21 Gb Free Space | 44.58% Space Free | Partition Type: NTFS

Computer Name: CHAMBERS-1 | User Name: John | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1644491937-879983540-682003330-1004\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office\1033\WFXMSRVR.EXE" = C:\Program Files\Microsoft Office\Office\1033\WFXMSRVR.EXE:*:Enabled:WFXMSRVR -- ()
"C:\Program Files\QuickTime\QuickTimePlayer.exe" = C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player -- (Apple Inc.)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{036AA4D4-6D32-11D4-9875-00105ACE7734}" = Logitech iTouch Software
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{2FBF04DC-404C-4FA4-BA28-99903080D2B9}" = Magnifier Powertoy for Windows XP
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3CDF4815-1334-4AF3-B780-1F6526011C5A}" = HyperLoad - Golf Course
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}" = Symantec AntiVirus
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C39DE425-6CCF-4B12-A101-3CB5CF3AF3AD}" = Slideshow Generator Powertoy for Windows XP
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 1.0" = Adobe Photoshop Elements
"Adobe SVG Viewer" = Adobe SVG Viewer
"CutePDF Writer Installation" = CutePDF Writer 2.3
"DL" = Delta Flight Schedules
"ERUNT_is1" = ERUNT 1.1j
"ie8" = Windows Internet Explorer 8
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSPUB5" = Microsoft Publisher 98
"SystemRequirementsLab" = System Requirements Lab
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1644491937-879983540-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.5.0.416

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/25/2011 10:44:29 AM | Computer Name = CHAMBERS-1 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/25/2011 10:44:29 AM | Computer Name = CHAMBERS-1 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/25/2011 10:44:47 AM | Computer Name = CHAMBERS-1 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/8/2011 8:38:11 PM | Computer Name = CHAMBERS-1 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4079, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x0000100b.

Error - 3/20/2011 9:55:06 AM | Computer Name = CHAMBERS-1 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Trojan.Gen in File: c:\program files\itunes\ituneshelper.exe
by: Manual scan. Action: Delete failed. Action Description: The file was left
unchanged.

Error - 3/20/2011 10:02:36 AM | Computer Name = CHAMBERS-1 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Trojan.Gen in File: c:\program files\itunes\ituneshelper.exe
by: Manual scan. Action: Delete succeeded. Action Description: The file was deleted
successfully.

Error - 3/22/2011 9:48:39 AM | Computer Name = CHAMBERS-1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module oleacc.dll, version 4.2.5406.0, fault address 0x0000bd1c.

Error - 4/13/2011 11:42:18 PM | Computer Name = CHAMBERS-1 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4095, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x0000100b.

Error - 4/13/2011 11:52:03 PM | Computer Name = CHAMBERS-1 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 4/14/2011 12:16:55 PM | Computer Name = CHAMBERS-1 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4095, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x0000100b.

[ System Events ]
Error - 4/16/2011 10:46:16 AM | Computer Name = CHAMBERS-1 | Source = WMPNetworkSvc | ID = 866312
Description = A new media server was not initialized because WMCreateDeviceRegistration()
encountered error '0xc00d2767'. The Windows Media DRM components on your computer
might be corrupted. Verify that protected files play correctly in Windows Media
Player, and then restart the WMPNetworkSvc service.

Error - 4/16/2011 12:00:34 PM | Computer Name = CHAMBERS-1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/16/2011 12:00:56 PM | Computer Name = CHAMBERS-1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eeCtrl Fips i2omgmt intelppm SASDIFSV SASKUTIL SAVRT SAVRTPEL SYMTDI

Error - 4/16/2011 12:02:38 PM | Computer Name = CHAMBERS-1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 4/16/2011 12:27:53 PM | Computer Name = CHAMBERS-1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i2omgmt

Error - 4/16/2011 12:27:55 PM | Computer Name = CHAMBERS-1 | Source = WMPNetworkSvc | ID = 866312
Description = A new media server was not initialized because WMCreateDeviceRegistration()
encountered error '0xc00d2767'. The Windows Media DRM components on your computer
might be corrupted. Verify that protected files play correctly in Windows Media
Player, and then restart the WMPNetworkSvc service.

Error - 4/16/2011 12:27:59 PM | Computer Name = CHAMBERS-1 | Source = WMPNetworkSvc | ID = 866312
Description = A new media server was not initialized because WMCreateDeviceRegistration()
encountered error '0xc00d2767'. The Windows Media DRM components on your computer
might be corrupted. Verify that protected files play correctly in Windows Media
Player, and then restart the WMPNetworkSvc service.

Error - 4/16/2011 12:31:41 PM | Computer Name = CHAMBERS-1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i2omgmt

Error - 4/16/2011 12:31:52 PM | Computer Name = CHAMBERS-1 | Source = WMPNetworkSvc | ID = 866312
Description = A new media server was not initialized because WMCreateDeviceRegistration()
encountered error '0xc00d2767'. The Windows Media DRM components on your computer
might be corrupted. Verify that protected files play correctly in Windows Media
Player, and then restart the WMPNetworkSvc service.

Error - 4/16/2011 12:31:58 PM | Computer Name = CHAMBERS-1 | Source = WMPNetworkSvc | ID = 866312
Description = A new media server was not initialized because WMCreateDeviceRegistration()
encountered error '0xc00d2767'. The Windows Media DRM components on your computer
might be corrupted. Verify that protected files play correctly in Windows Media
Player, and then restart the WMPNetworkSvc service.


< End of report >

[ken545]

Hello John

Backup Your Registry with ERUNT:

• Download erunt.zip to your Desktop from here:
  http://aumha.org/downloads/erunt.zip
• Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
• Inside the new folder, double-click ERUNT.exe to start the program
• OK all the prompts to back up your registry to the default location.

Note: to restore your registry, go to the backup folder and start ERDNT.exe







Open OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  
  Code:

  :processes
  killallprocesses
  
  :OTL
  [2011/03/25 12:10:31 | 000,430,685 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110414-014619.backup
  @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
  
  :Services
  
  :Reg
  
  :Files
  ipconfig /release /c
  ipconfig /renew /c
  ipconfig /flushdns /c
  
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [start explorer]
  [Reboot]

• Then click the Run Fix button at the top. <--Not run Scan
• Let the program run unhindered, reboot when it is done
• Then post the results of the log it produces.
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

[johnallanchambers]

Hi Ken,
I already have erunt on machine. Should I just use this as it is and follow your instructions.
John

[ken545]

Yes, just run it if you have it already

[johnallanchambers]

All processes killed
========== PROCESSES ==========
========== OTL ==========
C:\WINDOWS\system32\drivers\etc\hosts.20110414-014619.backup moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /release /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\John\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\John\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.103
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
C:\Documents and Settings\John\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\John\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\John\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\John\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: John
->Temp folder emptied: 4044363 bytes
->Temporary Internet Files folder emptied: 430023443 bytes
->FireFox cache emptied: 62732543 bytes
->Flash cache emptied: 258283 bytes

User: Kaitltlyn
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Kate
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3328627 bytes
->Flash cache emptied: 1460 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 327706 bytes
->Flash cache emptied: 64258 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 811988 bytes
->Flash cache emptied: 53334 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2187305 bytes
%systemroot%\System32 .tmp files removed: 2832913 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 622349 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 887669 bytes

Total Files Cleaned = 485.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04162011_181317

Files\Folders moved on Reboot...
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\OGGOXNGL\showthread[1].htm moved successfully.

Registry entries deleted on Reboot...

[ken545]

John,

Run OTL and post a new log and then run Malwarebytes


Please download Malwarebytes from Here or Here

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report please

[johnallanchambers]

OTL logfile created on: 4/16/2011 6:31:23 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\John\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 79.00 Mb Available Physical Memory | 16.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 67.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 33.71 Gb Free Space | 45.25% Space Free | Partition Type: NTFS

Computer Name: CHAMBERS-1 | User Name: John | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\John\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe (Safer Networking Limited)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc.)
PRC - C:\WINDOWS\system32\MDM.EXE (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\John\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\Logitech\iTouch\itchhk.dll (Logitech Inc.)
MOD - C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL (Logitech Inc.)


========== Win32 Services (SafeList) ==========

SRV - (HitmanPro35Crusader) -- File not found
SRV - (HidServ) -- File not found
SRV - (SLService) -- C:\WINDOWS\System32\slserv.exe (Smart Link)
SRV - (SavRoam) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (DefWatch) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE (Symantec Corporation)
SRV - (SPBBCSvc) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (SNDSrvc) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)


========== Driver Services (SafeList) ==========

DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110415.002\navex15.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110415.002\naveng.sys (Symantec Corporation)
DRV - (hitmanpro35) -- C:\WINDOWS\system32\drivers\hitmanpro35.sys ()
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eraserutilrebootdrv.sys (Symantec Corporation)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\spbbcdrv.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SAVRTPEL) -- C:\Program Files\Symantec AntiVirus\savrtpel.sys (Symantec Corporation)
DRV - (SAVRT) -- C:\Program Files\Symantec AntiVirus\savrt.sys (Symantec Corporation)
DRV - (SlNtHal) -- C:\WINDOWS\system32\drivers\slnthal.sys (Smart Link)
DRV - (SlWdmSup) -- C:\WINDOWS\system32\drivers\slwdmsup.sys (Smart Link)
DRV - (Slntamr) -- C:\WINDOWS\system32\drivers\slntamr.sys (Smart Link)
DRV - (NtMtlFax) -- C:\WINDOWS\system32\drivers\ntmtlfax.sys (Smart Link)
DRV - (Mtlmnt5) -- C:\WINDOWS\system32\drivers\mtlmnt5.sys (Smart Link)
DRV - (RecAgent) -- C:\WINDOWS\system32\DRIVERS\RecAgent.sys (Smart Link)
DRV - (Mtlstrm) -- C:\WINDOWS\system32\drivers\mtlstrm.sys (Smart Link)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\rtl8139.sys (Realtek Semiconductor Corporation)
DRV - (itchfltr) -- C:\WINDOWS\system32\drivers\itchfltr.sys (Logitech, Inc.)
DRV - (LMouFlt2) -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys (Logitech, Inc.)
DRV - (L8042pr2) -- C:\WINDOWS\system32\drivers\L8042pr2.Sys (Logitech, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/30 22:26:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/29 10:58:38 | 000,000,000 | ---D | M]

[2010/10/06 11:38:58 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Extensions
[2010/10/06 11:38:58 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\amsntw2b.default\extensions
[2010/10/06 11:38:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/17 08:25:19 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml

O1 HOSTS File: ([2011/04/16 18:14:03 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: google.com ([b.mail] https in Trusted sites)
O15 - HKCU\..Trusted Domains: google.com ([mail] https in Trusted sites)
O15 - HKCU\..Trusted Domains: google.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: landrecordsonline.com ([sussex] https in Trusted sites)
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} http://www.logitech.com/devicedetect...etection32.cab (Device Detection)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553635000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.229.54.212 207.44.96.129 24.229.54.220
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:AutorunsDisabled () -
O24 - Desktop WallPaper: C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/02 10:54:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/01/09 13:38:40 | 000,000,000 | ---D | M] - C:\Autoruns -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/16 18:13:17 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/16 12:43:58 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.exe
[2011/04/16 12:24:58 | 000,323,584 | -HS- | C] (Valve Corporation) -- C:\Documents and Settings\John\Local Settings\Application Data\djt.exe
[2011/04/14 00:48:32 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/14 00:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/14 00:44:41 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\John\Desktop\erunt-setup.exe
[2011/04/13 22:32:52 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\John\Recent
[2011/04/13 22:29:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John\Start Menu\Programs\Windows Fix Disk
[2011/04/03 09:40:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Delta Flight Schedules
[2011/03/26 12:47:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/03/26 12:47:07 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[1998/12/08 22:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/08 22:53:54 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/08 22:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/08 22:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/08 22:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/08 22:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL

========== Files - Modified Within 30 Days ==========

[2011/04/16 18:32:02 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/16 18:23:16 | 000,000,051 | ---- | M] () -- C:\WINDOWS\iTouch.ini
[2011/04/16 18:22:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/16 18:21:34 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/16 18:20:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/16 18:14:03 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/04/16 12:43:59 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John\Desktop\OTL.exe
[2011/04/16 12:25:33 | 000,003,218 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0au1wai723b6v6h7c0w2ive7yef
[2011/04/16 12:25:32 | 000,003,218 | -HS- | M] () -- C:\Documents and Settings\John\Local Settings\Application Data\0au1wai723b6v6h7c0w2ive7yef
[2011/04/16 12:24:58 | 000,323,584 | -HS- | M] (Valve Corporation) -- C:\Documents and Settings\John\Local Settings\Application Data\djt.exe
[2011/04/16 12:07:54 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\John\Desktop\RKUnhookerLE.EXE
[2011/04/15 11:25:44 | 000,172,280 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/15 11:17:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/14 02:22:36 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/14 01:41:22 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/04/14 01:41:22 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\John\Desktop\Spybot - Search & Destroy.lnk
[2011/04/14 00:51:45 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\John\Desktop\dds.scr
[2011/04/14 00:48:33 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\John\Desktop\ERUNT.lnk
[2011/04/14 00:44:42 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\John\Desktop\erunt-setup.exe
[2011/04/13 20:14:13 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/04/12 14:00:18 | 000,002,473 | -H-- | M] () -- C:\Documents and Settings\John\Desktop\Microsoft Word.lnk
[2011/04/12 00:45:11 | 000,000,206 | -H-- | M] () -- C:\Documents and Settings\John\Desktop\KATE MAIL.url
[2011/04/11 02:27:22 | 000,000,177 | -H-- | M] () -- C:\Documents and Settings\John\Desktop\Google.url
[2011/04/09 10:33:24 | 000,000,377 | -H-- | M] () -- C:\Documents and Settings\John\Desktop\NJ Tax Records Search.url
[2011/04/07 07:15:35 | 000,000,326 | -H-- | M] () -- C:\Documents and Settings\John\Desktop\Personal Banking - PNC Bank.url
[2011/04/03 10:25:11 | 000,000,188 | -H-- | M] () -- C:\Documents and Settings\John\Desktop\Garden State Multiple Listing Service.url
[2011/04/03 09:40:15 | 000,001,623 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Delta Flight Schedules.lnk
[2011/03/26 12:47:17 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/03/23 11:31:36 | 000,307,275 | ---- | M] () -- C:\Documents and Settings\John\My Documents\Floor plan 60 broadway.pdf

========== Files Created - No Company Name ==========

[2011/04/16 12:24:59 | 000,003,218 | -HS- | C] () -- C:\Documents and Settings\John\Local Settings\Application Data\0au1wai723b6v6h7c0w2ive7yef
[2011/04/16 12:24:59 | 000,003,218 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0au1wai723b6v6h7c0w2ive7yef
[2011/04/16 12:07:53 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\John\Desktop\RKUnhookerLE.EXE
[2011/04/14 01:41:22 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/04/14 00:51:45 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\John\Desktop\dds.scr
[2011/04/14 00:48:32 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\John\Desktop\ERUNT.lnk
[2011/03/26 12:47:17 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/03/23 11:31:35 | 000,307,275 | ---- | C] () -- C:\Documents and Settings\John\My Documents\Floor plan 60 broadway.pdf
[2011/01/11 10:15:38 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/01/05 12:54:09 | 000,000,600 | -H-- | C] () -- C:\Documents and Settings\John\Application Data\56F6.0CB
[2010/12/21 20:40:59 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\EDnmY36.dat
[2010/11/10 15:22:11 | 000,000,051 | ---- | C] () -- C:\WINDOWS\iTouch.ini
[2010/10/06 11:38:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/03/31 00:25:32 | 000,000,032 | ---- | C] () -- C:\WINDOWS\vb_mconf.ini
[2009/12/01 19:02:29 | 000,001,100 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/10/16 17:25:04 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS69.DLL
[2009/10/10 12:22:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/10/05 15:46:44 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/10/02 16:38:45 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/10/02 16:38:45 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\uninscpw.exe
[2009/10/02 16:32:43 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/10/02 16:32:43 | 000,000,122 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2009/10/02 16:28:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2009/10/02 10:56:47 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/10/02 10:51:19 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/10/02 06:43:57 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/10/02 06:42:47 | 000,172,280 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/04 01:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2002/03/19 18:30:00 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\mag.dll
[2002/03/19 17:30:00 | 000,216,576 | ---- | C] () -- C:\WINDOWS\System32\PowerCalc.exe
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 08:00:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 08:00:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1999/01/22 14:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

< End of report >

[johnallanchambers]

Hi Ken,
After I ran OTL, as a fix the first time, everything came back on my screen the way it was before this happenned. All icons came back, except the startup file is empty and all the entertainment file where the games that came with the OS are also gone.
I then ran the OTL scan (not fix) again and went out with my wife . I came home and posted the OTL and found that it returned again with my icons missing and the startup file still empty along with the entertainment file -this thing does not want to be killed.
Please advise
Thank you
John

[johnallanchambers]

Hi Ken,
I removed the trojan fake alert.
The machince is still infected somehow.
John

[ken545]

John,

Copy and paste the logs in the thread, its easier for me to analyze

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6384

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/17/2011 11:31:44 AM
mbam-log-2011-04-17 (11-31-44).txt

Scan type: Quick scan
Objects scanned: 179341
Time elapsed: 12 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\John\local settings\application data\djt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



This was in your Extras log so uninstall iTunes

Security Risk Found!Risk: Trojan.Gen in File: c:\program files\itunes\ituneshelper.exe




Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• See this Link for programs that need to be disabled and instruction on how to disable them.
• Remember to re-enable them when we're done.
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.