can't get rid of win32.fraudload.edt


mavson

Hello, I have picked up a trojan that Spybot can't seem to get rid of. Every time I run Spybot it finds it but then says it can't clear it because it is still being used in memory. It asks to run again on restart so that it can clear it, but it still cannot. I would really appreciate any help you can give, thank you.

Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Me at 0:58:02.50 on Mon 09/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.2699 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Me\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {996D4E16-517F-474a-870F-F882C6133C47} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\me\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.2\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www-cdn.freerealms.com/gamedata/plugins/1.0.3.93/FreeRealmsInstaller.cab?v=1044
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.59/ttinst.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: dailybucks_install.exe - c:\windows\system32\ctfmon.exe
IFEO: install.48349.exe - c:\windows\system32\ctfmon.exe

============= SERVICES / DRIVERS ===============

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-23 135664]

=============== Created Last 30 ================

2010-09-20 03:52:56 7168 --sha-w- c:\documents and settings\me\Thumbs.db
2010-09-20 03:15:11 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-20 03:10:00 0 d-----w- c:\program files\AnVi
2010-09-17 18:49:28 120 ----a-w- c:\windows\Tvaxevalanahifu.dat
2010-09-17 18:49:28 0 ----a-w- c:\windows\Xqavi.bin
2010-09-17 18:47:52 0 d-----w- c:\windows\PRAGMApeqqftirxt
2010-09-15 15:24:18 0 d-----w- c:\program files\InterActual

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 0:59:05.43 ===============
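As an added triage example (not part of the thread and not code from the DDS tool), the script below parses the "Pseudo HJT Report" and "Created Last 30" sections of a DDS log like the one above and flags the entries an analyst looks at first: IFEO (Image File Execution Options) Debugger redirections, BHO entries whose DLL is missing, and items newly created directly under the Windows directory. The sample lines are constructed from the log above; the section names are DDS's own, while the heuristics, severities and function names are assumptions of this example.

```python
"""Triage helper for DDS-style log lines (added example, not the thread's own tooling)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {996D4E16-517F-474a-870F-F882C6133C47} - No File
IFEO: dailybucks_install.exe - c:\windows\system32\ctfmon.exe
IFEO: install.48349.exe - c:\windows\system32\ctfmon.exe

=============== Created Last 30 ================

2010-09-20 03:10:00 0 d-----w- c:\program files\AnVi
2010-09-17 18:49:28 120 ----a-w- c:\windows\Tvaxevalanahifu.dat
2010-09-17 18:49:28 0 ----a-w- c:\windows\Xqavi.bin
2010-09-17 18:47:52 0 d-----w- c:\windows\PRAGMApeqqftirxt
2010-09-15 15:24:18 0 d-----w- c:\program files\InterActual
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "IFEO: <image name> - <debugger path>": the named image is silently replaced by the debugger.
IFEO_RE = re.compile(r"^IFEO:\s*(\S+)\s+-\s+(.+)$")
# A BHO CLSID still registered although its DLL is gone.
BHO_NOFILE_RE = re.compile(r"^BHO:.*\{([0-9A-Fa-f-]{36})\}\s+-\s+No File$")
# "<timestamp> <size> <attributes> <path>" as printed in the Created Last 30 section.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
# An item placed directly in c:\windows, not in any subdirectory.
WINROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    severity: str  # assumed scale: "high" or "medium"
    entry: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Walk the log section by section and collect entries worth a closer look."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Pseudo HJT Report":
            m = IFEO_RE.match(line)
            if m:
                findings.append(Finding(section, "high", line,
                    f"IFEO Debugger value: starting {m.group(1)} actually runs {m.group(2)}"))
                continue
            m = BHO_NOFILE_RE.match(line)
            if m:
                findings.append(Finding(section, "medium", line,
                    f"BHO {m.group(1)} is registered but its DLL is missing (orphaned entry)"))
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if not m:
                continue
            size, attrs, path = int(m.group(2)), m.group(3), m.group(4)
            is_dir = attrs.startswith("d")
            if WINROOT_RE.match(path):
                kind = "directory" if is_dir else f"{size}-byte file"
                findings.append(Finding(section, "medium", line,
                    f"new {kind} created directly under the Windows directory"))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] ({f.section}) {f.entry}\n    -> {f.reason}")


if __name__ == "__main__":
    main()
```

Run on the sample, the script reports both IFEO redirections (a rogue product's installers being diverted to ctfmon.exe), the orphaned BHO, and the three items dropped straight into c:\windows; the legitimate entries under Program Files are left alone.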
 


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Looks like you may be infected with a rootkit-type infection.



Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC1.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
OK, I ran ComboFix and have the log below. I did start to get a redirect again as soon as I came onto the forums to post the reply. I thank you for your time and help. I'm waiting to hear what to do next.




ComboFix 10-09-22.05 - Me 09/22/2010 20:44:47.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.3266 [GMT -4:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\Me\Application Data\~tmp.html
c:\documents and settings\Me\Application Data\Bitrix Security
c:\documents and settings\Me\Application Data\Bitrix Security\arm
c:\documents and settings\Me\Application Data\Bitrix Security\fadosvlk.dll
c:\documents and settings\Me\Application Data\Bitrix Security\fadosvlk_shrd
c:\documents and settings\Me\Application Data\Bitrix Security\fg.txt
c:\documents and settings\Me\Application Data\Bitrix Security\jje.txt
c:\documents and settings\Me\Application Data\Bitrix Security\ljgh.txt
c:\documents and settings\Me\Application Data\Bitrix Security\mxd1.txt
c:\documents and settings\Me\Application Data\Bitrix Security\plk.txt
c:\documents and settings\Me\Application Data\Bitrix Security\qnf.txt
c:\documents and settings\Me\Application Data\wiaserva.log
c:\documents and settings\Me\Desktop\Antivirus Support.lnk
c:\documents and settings\Me\Local Settings\Application Data\{FB6808E8-3804-4AA6-9D99-178779807FFF}
c:\documents and settings\Me\Local Settings\Application Data\{FB6808E8-3804-4AA6-9D99-178779807FFF}\chrome.manifest
c:\documents and settings\Me\Local Settings\Application Data\{FB6808E8-3804-4AA6-9D99-178779807FFF}\chrome\content\_cfg.js
c:\documents and settings\Me\Local Settings\Application Data\{FB6808E8-3804-4AA6-9D99-178779807FFF}\chrome\content\overlay.xul
c:\documents and settings\Me\Local Settings\Application Data\{FB6808E8-3804-4AA6-9D99-178779807FFF}\install.rdf
c:\documents and settings\Me\Start Menu\Programs\AnVi
c:\documents and settings\program files for Edrive\InstallShield Installation Information
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\setup.inx
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\setup.inx
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\setup.ilg
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\setup.inx
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\setup.ilg
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\setup.inx
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\setup.inx
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\setup.inx
c:\program files\AnVi
c:\program files\AnVi\about.ico
c:\program files\AnVi\activate.ico
c:\program files\AnVi\avt.exe
c:\program files\AnVi\avtext.dll
c:\program files\AnVi\avthook.dll
c:\program files\AnVi\buy.ico
c:\program files\AnVi\help.ico
c:\program files\AnVi\scan.ico
c:\program files\AnVi\settings.ico
c:\program files\AnVi\Uninstall.exe
c:\program files\AnVi\update.ico
c:\program files\sFX
c:\windows\934fdfg34fgjf23
c:\windows\PRAGMApeqqftirxt
c:\windows\PRAGMApeqqftirxt\PRAGMAc.dll
c:\windows\PRAGMApeqqftirxt\PRAGMAcfg.ini
c:\windows\system32\9502523.dat
c:\windows\system32\certstore.dat
c:\windows\system32\nk.dat
c:\windows\system32\wsnpoem
c:\windows\tmp5361666.log
c:\windows\tmp7291406.log
c:\windows\tmp8076598.log
c:\windows\tmp8838909.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFXDRV


((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))
.

2010-09-21 05:27 . 2010-09-21 05:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-21 05:24 . 2010-09-21 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-09-21 05:24 . 2010-09-21 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS(2)
2010-09-21 04:41 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\program files for Edrive\uTorrent
2010-09-20 07:32 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(3)
2010-09-20 04:45 . 2010-09-21 04:41 -------- d-----w- c:\program files\ERUNT
2010-09-20 04:25 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(5)
2010-09-19 05:55 . 2010-09-21 05:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(4)
2010-09-18 23:41 . 2010-09-18 23:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-18 12:47 . 2010-09-21 05:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(3)
2010-09-17 20:07 . 2010-09-21 05:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-09-17 19:55 . 2010-09-21 05:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(2)
2010-09-17 19:41 . 2010-09-17 19:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-17 18:49 . 2010-09-17 18:49 120 ----a-w- c:\windows\Tvaxevalanahifu.dat
2010-09-17 18:49 . 2010-09-17 18:49 0 ----a-w- c:\windows\Xqavi.bin
2010-09-15 15:24 . 2010-09-15 15:24 -------- d-----w- c:\program files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 00:58 . 2007-08-04 16:10 -------- d-----w- c:\documents and settings\Me\Application Data\OpenOffice.org2
2010-09-22 09:02 . 2008-10-12 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-21 05:41 . 2007-10-10 05:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-21 05:12 . 2007-08-04 08:36 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-20 04:06 . 2010-07-03 14:42 -------- d-----w- c:\program files\Viva Media
2010-07-10 19:12 . 2010-01-09 13:59 251705 ----a-w- c:\documents and settings\Me\Application Data\Sony Online Entertainment\npsoeact.dll
2010-06-30 12:31 . 2004-08-04 05:56 149504 ----a-w- c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-02 149280]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 176128]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-06-06 64256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\Me\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-1-6 63696]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-1-26 54776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\_aunchPad.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 9:55 AM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-09-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-12 19:17]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 13:55]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 13:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -

BHO-{996D4E16-517F-474a-870F-F882C6133C47} - (no file)
ActiveSetup-{FDC32A47-A70D-4F9E-97DD-7E08EA9C6BF8} - wonder what is going through her headdont know if she is just trying to remain friends because I told her I wouldnt see her or talk to her until the court date
AddRemove-Free Realms Installer - c:\program files\Sony Online Entertainment\uninst.exe
AddRemove-Microsoft Visual C# 2005 Express Edition - ENU - c:\program files\Microsoft Visual Studio 8\Microsoft Visual C# 2005 Express Edition - ENU\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-22 20:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AD5FC76]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Broadcom NetXtreme Gigabit Ethernet for hp -> SendCompleteHandler -> NDIS.sys @ 0xf7426bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7433a21
SendHandler -> NDIS.sys @ 0xf741187b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-220523388-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.2\program\soffice.exe
c:\program files\OpenOffice.org 2.2\program\soffice.BIN
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-09-22 21:07:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-23 01:07

Pre-Run: 3,461,459,968 bytes free
Post-Run: 3,966,644,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 180A9DF50831B37D2A1AF74DDC41D74C
 
Hi,

Still some things we need to fix. Run both these programs and post the log from Malwarebytes.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.




Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    [screenshot: MBAMCapture.jpg]
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
 
OK, I downloaded and ran both of those, TFC and Malwarebytes. Here is the resultant log from Malwarebytes. Again, I appreciate your quick response to this problem.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4675

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/23/2010 7:50:55 AM
mbam-log-2010-09-23 (07-50-55).txt

Scan type: Quick scan
Objects scanned: 132090
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{996d4e16-517f-474a-870f-f882c6133c47} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{996d4e16-517f-474a-870f-f882c6133c47} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ucozejowedigo.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Desktop\AntiVirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gacaq32.dll (Password.Stealer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spnmld.dll (Password.Stealer) -> Quarantined and deleted successfully.
 
One of the files that Malwarebytes removed was a Password Stealer; you need to change all your passwords to be on the safe side.

See if you can find these and delete them; leave them in the Recycle Bin for a day or two:
c:\windows\Tvaxevalanahifu.dat
c:\windows\Xqavi.bin

Please run this free online virus scanner from ESET
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


How are things running now ?
 
Things seem to be running better; I didn't get any redirects when I did a search. However, I did get another window open up to a spyware ad site, so I'm not sure about that. Here is the log from the ESET scan. Again, thanks for the prompt help.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=6d5297124acd584bb9581b5e2615dbb2
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-23 01:43:05
# local_time=2010-09-23 09:43:05 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=143215
# found=78
# cleaned=78
# scan_time=4340
C:\Qoobox\Quarantine\C\Documents and Settings\Me\Application Data\Bitrix Security\fadosvlk.dll.vir a variant of Win32/AutoRun.Spy.Ambler.CA worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AnVi\avt.exe.vir Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AnVi\avthook.dll.vir a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AnVi\Uninstall.exe.vir a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\tmp5361666.log.vir probably a variant of Win32/Kryptik.HD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\tmp7291406.log.vir a variant of Win32/Kryptik.HV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\tmp8076598.log.vir probably a variant of Win32/Kryptik.HD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\tmp8838909.log.vir a variant of Win32/Kryptik.HV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\PRAGMApeqqftirxt\PRAGMAc.dll.vir a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP911\A0057402.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP913\A0057435.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP959\A0058427.sys Win32/Olmarik.YA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP959\A0058428.dll a variant of Win32/Kryptik.GVH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP960\A0059520.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP960\A0059522.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP960\A0059527.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP961\A0060104.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP961\A0060340.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP961\A0060352.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP961\A0060353.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP961\A0061115.dll Win32/Chksyn.AB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062267.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062498.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062510.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062511.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062796.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062798.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062803.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062813.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0066745.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0066757.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP964\A0067777.exe Win32/Sirefef.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0069282.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0069294.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0069816.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0069818.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0069823.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070080.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070088.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070091.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070603.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070605.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070610.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070612.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073693.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073695.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073700.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073939.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073947.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073959.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073960.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0074467.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0074469.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0074474.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0074477.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0075171.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0075926.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0075928.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0075933.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076171.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076179.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076182.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076626.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076628.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076633.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076635.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076876.dll a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084000.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084052.dll a variant of Win32/AutoRun.Spy.Ambler.CA worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084071.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084073.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084078.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084080.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\gasac32.dll probably a variant of Win32/AutoRun.Spy.Ambler.NAC worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\afd.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
E:\WINDOWS\Shared\05 Track 5 (women).wma probably a variant of Win32/Agent.FCJWLFS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
E:\WINDOWS\Shared\02 Track 2 (women).wma WMA/TrojanDownloader.Wimad.L trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
E:\WINDOWS\Shared\07 Track 7 (women).wma WMA/TrojanDownloader.Wimad.D trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
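Added example, not part of the original post and not an ESET tool: a small Python triage of an ESET Online Scanner log in the format shown above. It separates hits inside ComboFix's C:\Qoobox quarantine and inside System Restore points (both inert unless a restore point is rolled back) from hits on files in the running system, and it singles out live files that ESET disinfected in place rather than deleted, such as the afd.sys line, because those files are still on disk and should be re-verified. The directory markers come from the log's own paths; the sample input is six lines reproduced from the log above plus two header lines the parser must skip.

```python
"""Triage an ESET Online Scanner log: separate live detections from
quarantine and System Restore copies.  Added example for this thread,
not an ESET or forum tool."""
import re
from collections import Counter

# One detection line: <path> <detection name> (<action>) <32 hex> <flag>
# The detection name always carries a "Platform/Family" token, which is
# how the path (which may contain spaces and parentheses) is separated
# from it.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ \S+) "
    r"\((?P<action>[^)]+)\) "
    r"(?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)

RESTORE_MARK = "\\System Volume Information\\_restore"
COMBOFIX_QUARANTINE = "C:\\Qoobox\\Quarantine\\"


def parse_eset_line(line):
    """Return a dict for one detection line, or None for header/blank lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Where the hit lives decides how much it matters.

    combofix_quarantine: ComboFix already moved it to C:\\Qoobox; inert.
    restore_point: a copy inside a System Restore point; inert until a
        rollback re-installs it, which is why old restore points get flushed.
    live: a file in the running system; these are the ones to check.
    """
    if path.startswith(COMBOFIX_QUARANTINE):
        return "combofix_quarantine"
    if RESTORE_MARK in path:
        return "restore_point"
    return "live"


def triage(log_text):
    """Summarise a log: counts per location, and the live hits.

    'repaired_in_place' lists live files ESET disinfected rather than
    deleted (action 'cleaned - quarantined' without 'by deleting').
    Those files are still on disk and should be re-verified (hash or
    signature check), because a patched system driver is exactly how
    Olmarik/TDL3-style infections persist.
    """
    counts = Counter()
    live = []
    repaired = []
    for raw in log_text.splitlines():
        rec = parse_eset_line(raw)
        if rec is None:
            continue
        where = classify(rec["path"])
        counts[where] += 1
        if where == "live":
            live.append((rec["path"], rec["detection"], rec["action"]))
            if "by deleting" not in rec["action"]:
                repaired.append(rec["path"])
    return {"counts": dict(counts), "live": live, "repaired_in_place": repaired}


# Sample input: six lines reproduced from the ESET log posted above,
# plus two of the "# key=value" header lines the parser must skip.
SAMPLE_LOG = r"""# found=78
# cleaned=78
C:\Qoobox\Quarantine\C\Program Files\AnVi\avt.exe.vir Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP959\A0058427.sys Win32/Olmarik.YA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076876.dll a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\gasac32.dll probably a variant of Win32/AutoRun.Spy.Ambler.NAC worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\afd.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
E:\WINDOWS\Shared\05 Track 5 (women).wma probably a variant of Win32/Agent.FCJWLFS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("hits by location:", result["counts"])
    for path, det, action in result["live"]:
        print(f"LIVE  {det:<55} {action:<35} {path}")
    for path in result["repaired_in_place"]:
        print("re-verify (disinfected in place, still on disk):", path)
```

Run it against the full log and the restore-point and Qoobox counts account for almost everything; what is left is the short list of live files, and afd.sys is the one that was repaired rather than removed, so it is the file to hash against a known-good copy.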
 
You have a ton of stuff in System Restore; let's flush it all out and create a new Restore Point.

System Restore makes regular backups of all your settings. If you ever had to use it to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.

Reboot your computer

Turn ON System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.

Create a new Restore Point <-- Very Important

  • Go to Start> All Programs> Accessories> System Tools> System Restore and create a New Restore Point
System Restore Tutorial <-- If you need it





Let's run this rootkit detector to make sure you're not infected by one.
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.
 
OK, I ran GMER. The first time through, the computer locked up, but I was able to run through it the second time. After running it and saving the ark.txt log to the desktop, when I tried to log on to post it the PC locked up again, but it seems to be OK now. Here is the log.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-23 15:40:46
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Me\LOCALS~1\Temp\pxtdipow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB904C380, 0x346307, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[508] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[508] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D0000A
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CE000C
.text C:\WINDOWS\System32\svchost.exe[1060] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1060] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\WINDOWS\Explorer.EXE[1660] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1660] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[1660] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

---- EOF - GMER 1.0.15 ----
 
Hi,

You shouldn't have another window opening up to a spyware site. What is the name of the site that's popping up?

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
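The /md5start ... /md5stop list in the custom scan above asks OTL to hash boot and storage drivers because TDL3/Olmarik-class rootkits (the ESET log earlier found Win32/Olmarik.ZC in afd.sys) persist by patching one legitimate driver, and a hash that differs from a trusted copy exposes the patched file even when the name, size and timestamp look normal. The Python below is an added example of that check, not OTL's code and not something posted in this thread: it hashes each watched driver in a system directory and compares it with the copy in a baseline directory. Assumptions: the baseline is trusted (on XP that would be the Windows File Protection cache %SystemRoot%\system32\dllcache or a ServicePackFiles\i386 directory); the directory tree, file names and contents in the demo are constructed. One caveat a practitioner should know: a TDL3-class rootkit that is active in the running system intercepts reads of the patched driver and returns the clean bytes, so hashes should be taken from clean boot media, not from inside the infected OS.

```python
r"""Compare drivers in a system directory against pristine copies in a
baseline directory and report any that differ.  Added example for this
thread, written for the OTL /md5start idea above; not OTL's own code.
Assumptions: the baseline is a trusted copy of the same files (on XP the
Windows File Protection cache %SystemRoot%\system32\dllcache or a
ServicePackFiles\i386 directory); names and contents in the demo are
constructed."""
import hashlib
import os
import tempfile

# Driver names of the kind the OTL custom scan hashes (a subset).
WATCHED = ["atapi.sys", "afd.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys"]


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks.  MD5 (OTL's choice) works the same way, but
    SHA-256 cannot be collided on demand by an attacker."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_against_baseline(live_dir, baseline_dir, names):
    """Return {name: status} where status is one of
    'match', 'MISMATCH', 'no_baseline' (present only in live_dir) or
    'missing' (not installed on this system).  Lookup is case-insensitive,
    like NTFS."""
    def find(directory, name):
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
        return None

    report = {}
    for name in names:
        live = find(live_dir, name)
        base = find(baseline_dir, name)
        if live is None:
            report[name] = "missing"
        elif base is None:
            report[name] = "no_baseline"
        elif sha256_file(live) == sha256_file(base):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
    return report


def build_demo_tree(root):
    """Constructed stand-in for system32\\drivers and dllcache: afd.sys is
    'patched' in the live copy (a few bytes appended, as a loader stub
    would be), atapi.sys and iaStor.sys are identical, AGP440.sys has no
    cached copy, nvstor.sys is not installed."""
    live = os.path.join(root, "drivers")
    cache = os.path.join(root, "dllcache")
    os.makedirs(live)
    os.makedirs(cache)
    clean = {"atapi.sys": b"MZ-atapi-clean", "afd.sys": b"MZ-afd-clean",
             "iaStor.sys": b"MZ-iastor-clean"}
    for name, data in clean.items():
        with open(os.path.join(cache, name), "wb") as f:
            f.write(data)
        with open(os.path.join(live, name), "wb") as f:
            f.write(data + (b"\xE9patched" if name == "afd.sys" else b""))
    with open(os.path.join(live, "AGP440.sys"), "wb") as f:
        f.write(b"MZ-agp440")
    return live, cache


def run_demo():
    """Build the constructed tree and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        live, cache = build_demo_tree(root)
        return compare_against_baseline(live, cache, WATCHED)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{status:<12} {name}")
```

On a real system, point compare_against_baseline at the mounted system32\drivers and dllcache directories from a clean boot environment, and treat every MISMATCH as a file to pull for analysis rather than something to delete on the spot, since a replaced boot driver has to be restored from a matching service pack copy or the machine will not start.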
 
OK, I can't remember what the ad was that popped up, but I had another one earlier, also for something like an airline ad, that just opened up in another window. Sorry about not knowing; I should have written it down, I guess. Here are the logs you requested:

OTL logfile created on: 9/23/2010 5:07:46 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Me\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 10.78 Gb Free Space | 28.93% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 25.21 Gb Total Space | 16.37 Gb Free Space | 64.93% Space Free | Partition Type: FAT32
Drive F: | 2.72 Gb Total Space | 0.91 Gb Free Space | 33.31% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HP1
Current User Name: Me
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Me\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre6\bin\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft)
PRC - C:\Program Files\OpenOffice.org 2.2\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 2.2\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe ()
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
PRC - C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe (Hewlett-Packard)
PRC - C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Me\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (BVRPMPR5) -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (Blfp) -- C:\WINDOWS\system32\drivers\baspxp32.sys (Broadcom Corporation)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/09/22 20:58:44 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft)
O4 - HKLM..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk = C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsushita Electric Industrial Co., Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe ()
O4 - Startup: C:\Documents and Settings\Me\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} http://www-cdn.freerealms.com/gamedata/plugins/1.0.3.93/FreeRealmsInstaller.cab?v=1044 (SonyOnlineInstallerX)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} http://a.download.toontown.com/sv1.0.38.59/ttinst.cab (Toontown Installer ActiveX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/20 14:50:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/06/18 15:18:14 | 000,000,262 | ---- | M] () - E:\AUTOEXEC.BAK -- [ FAT32 ]
O32 - AutoRun File - [2000/06/20 16:58:32 | 000,000,027 | -H-- | M] () - E:\AUTOEXEC.DOS -- [ FAT32 ]
O32 - AutoRun File - [2006/06/18 15:18:14 | 000,000,194 | ---- | M] () - E:\autoexec.bat -- [ FAT32 ]
O32 - AutoRun File - [2006/06/18 13:16:32 | 000,000,194 | ---- | M] () - E:\AUTOEXEC.001 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/09/23 17:06:31 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
[2010/09/23 13:21:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Desktop\gmer
[2010/09/23 08:28:08 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/09/23 07:43:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Application Data\Malwarebytes
[2010/09/23 07:43:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/23 07:43:34 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/23 07:43:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/23 07:43:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/23 07:40:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/09/23 07:37:20 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Me\Desktop\mbam-setup.exe
[2010/09/23 07:33:20 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\TFC.exe
[2010/09/22 20:35:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/22 20:32:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/22 20:32:46 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/22 20:32:46 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/22 20:32:46 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/22 20:31:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/21 09:18:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/09/21 01:40:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/09/21 01:24:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/09/21 01:24:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS(2)
[2010/09/20 03:32:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe(3)
[2010/09/20 00:47:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/20 00:45:21 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/09/20 00:25:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(5)
[2010/09/19 01:55:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(4)
[2010/09/18 19:41:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/09/18 19:41:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/09/18 08:47:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(3)
[2010/09/17 16:39:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/09/17 16:07:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(2)
[2010/09/17 15:55:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe(2)
[2010/09/17 15:42:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/09/17 15:26:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/09/16 08:20:33 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/09/15 11:24:18 | 000,000,000 | ---D | C] -- C:\Program Files\InterActual

========== Files - Modified Within 30 Days ==========

[2010/09/23 17:08:48 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/23 17:06:32 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
[2010/09/23 16:15:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/23 15:48:22 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/09/23 15:48:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/23 15:48:06 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/23 15:48:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/23 15:45:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Me\ntuser.ini
[2010/09/23 15:45:41 | 004,980,736 | ---- | M] () -- C:\Documents and Settings\Me\ntuser.dat
[2010/09/23 15:45:04 | 004,836,196 | -H-- | M] () -- C:\Documents and Settings\Me\Local Settings\Application Data\IconCache.db
[2010/09/23 13:20:42 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\gmer.zip
[2010/09/23 10:01:47 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/23 07:43:38 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/23 07:37:24 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Me\Desktop\mbam-setup.exe
[2010/09/23 07:33:21 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\TFC.exe
[2010/09/22 21:00:06 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/22 20:58:44 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/22 20:36:07 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/09/22 20:31:52 | 003,850,032 | R--- | M] () -- C:\Documents and Settings\Me\Desktop\ComboFix.exe
[2010/09/20 17:06:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/09/20 01:02:01 | 000,004,167 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\Attach.zip
[2010/09/20 00:09:06 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/19 22:44:57 | 000,103,824 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/27 14:49:37 | 000,001,323 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\Shortcut to DSCN1185[1].JPG.lnk
[2010/08/25 14:04:03 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Me\My Documents\CM_Pee_Wee_Football_Schedule_2010.doc

========== Files Created - No Company Name ==========

[2010/09/23 13:20:41 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\gmer.zip
[2010/09/23 07:43:38 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/22 20:36:07 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/09/22 20:36:03 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/22 20:32:46 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/22 20:32:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/22 20:32:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/22 20:32:46 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/22 20:32:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/22 20:25:22 | 003,850,032 | R--- | C] () -- C:\Documents and Settings\Me\Desktop\ComboFix.exe
[2010/09/20 01:02:01 | 000,004,167 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\Attach.zip
[2010/09/19 23:52:56 | 000,007,168 | -HS- | C] () -- C:\Documents and Settings\Me\Thumbs.db
[2010/09/09 21:10:37 | 004,980,736 | ---- | C] () -- C:\Documents and Settings\Me\ntuser.dat
[2010/08/27 14:49:37 | 000,001,323 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\Shortcut to DSCN1185[1].JPG.lnk
[2010/08/25 14:04:03 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Me\My Documents\CM_Pee_Wee_Football_Schedule_2010.doc
[2010/05/02 09:57:06 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/08/01 18:03:50 | 000,000,151 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/07/14 20:39:10 | 000,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/01/25 14:03:49 | 000,000,069 | ---- | C] () -- C:\WINDOWS\MediaManager.INI
[2008/05/22 13:49:45 | 000,000,324 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/02/19 07:50:14 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/01/06 13:40:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhEdit.INI
[2008/01/06 13:14:29 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2007/12/10 07:27:16 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\Me\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/20 18:56:31 | 000,010,605 | ---- | C] () -- C:\WINDOWS\hpdj3600.ini
[2007/09/29 11:18:11 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\Me\Local Settings\Application Data\fusioncache.dat
[2007/07/21 17:01:39 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2006/10/22 12:22:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 12:22:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 12:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 12:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 12:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 12:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/03/06 11:41:02 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\AMV_DecDLL.dll
[2004/09/16 14:26:40 | 000,012,634 | ---- | C] () -- C:\WINDOWS\System32\drivers\ADFUUD.SYS

========== LOP Check ==========

[2010/07/03 11:39:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
[2010/07/03 10:49:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AlawarWrapper
[2008/09/28 00:07:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IM
[2008/09/28 00:06:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IncrediMail
[2010/05/01 20:02:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
[2010/04/19 20:38:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/11/24 10:55:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo
[2010/03/26 07:42:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\LPECommon
[2008/01/06 13:28:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Panasonic
[2010/07/03 10:49:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\SecretIslandUSA
[2010/07/10 15:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Sony Online Entertainment

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/10/02 13:46:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/10/02 13:46:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/10/02 13:46:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/10/02 13:46:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 18:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 01:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 01:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 01:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/07/20 09:29:55 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/07/20 09:29:55 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/07/20 09:29:55 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5D17C178
< End of report >
 
For some reason it isn't letting me post the extras log; it keeps saying there is a problem and I get the diagnosis screen?
 
Not a problem on the extras. Looks like your hosts file was reset a few times.

Download the HostsXpert 4.3 - Hosts File Manager.
  • Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper left corner.
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Let me know if the pop-up windows have stopped?
 
OK, I reset the hosts file then exited out. I brought up explorer and ran a few searches and didn't get any redirects, but did get another explorer window opening up with a birthday card site (one of the searches I did was for cards), so not sure what could be wrong with that.
 
Let's see what this finds.

Download OTS.exe by OldTimer to your Desktop.
  1. Close any open browsers.
  2. Double-click on OTS.exe to start the program.
  3. Leave all settings as they appear as default, except for the following:
    • Under Drivers, select "All".
    • Under Additional Scans, click on the "Extra" button.
  4. Now click the Run Scan button on the toolbar.
  5. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  6. When the scan is complete Notepad will open with the report file loaded in it.
  7. Save that Notepad file.
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).
 
OK, I ran the OTS program. It didn't take very long at all though, so I don't know if that is a bad thing. I am attaching the log file to this. Again, I appreciate all the help you are giving me. I had to zip the file to attach it, so I hope that is OK.
 
Good Morning,

OTS does not take long, not to worry.

Start OTS.

Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Alternate Data Streams]
NY -> @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5D17C178
[Purity]
[Empty Temp Folders]
[Start Explorer]



The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.





Copy and paste these lines into Notepad.

@Echo on
rem Reset the hosts file to the Windows default (a single localhost entry)
pushd \windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
rem Renew the DHCP lease and clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack to their defaults
netsh winsock reset all
netsh int ip reset all
rem Reboot, then delete this batch file
shutdown -r -t 1
del %0


Save as flush.bat to your desktop. Double click to run.
*** Note: on Win Vista and Win 7 you need to right-click and choose "Run as Administrator". The computer will reboot itself.



Let me know if you're still getting that extra window.
 
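The flush.bat above replaces the hosts file with the single default line "127.0.0.1 localhost". As an added example (not part of the thread or of any tool mentioned in it), the following Python check parses a hosts file and separates the default mapping from loopback "blocking" entries and from entries that point a hostname at a routable address, which is the kind of mapping that produces the site redirects described here. The sample hosts content, the hostnames and the 192.0.2.10 address are constructed placeholders.

```python
"""Classify Windows hosts-file entries to spot redirect-style mappings.

Added example for this thread; not from the original posts. The sample
input below is constructed, and the hostnames/address are placeholders.
"""
import ipaddress
from typing import Dict, List, Tuple

# What flush.bat writes: the only mapping a pristine hosts file needs.
DEFAULT_HOSTS = "127.0.0.1 localhost"

# Constructed sample: the default lines plus two non-default mappings of
# the kind a hosts-file hijack produces (hostnames pointed at a routable
# address) and one harmless loopback "blocking" entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example-security-vendor.test   # placeholder entry
192.0.2.10      forums.example-security-vendor.test
127.0.0.1       ad.example.test   # blocking entry: loopback, harmless
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str], int]]:
    """Return (address, [hostnames], line_no) for each mapping line.

    Comments (#...) and blank lines are skipped; a line whose first field
    is not a valid IP address is skipped as well, as Windows ignores it.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1:], line_no))
    return entries


def classify_hosts(text: str) -> Dict[str, List[str]]:
    """Split mappings into 'default', 'loopback' and 'redirect' buckets.

    A hostname mapped to a routable address is a redirect candidate: the
    browser silently goes elsewhere when that name is requested, which is
    the symptom the thread describes (security sites redirecting).
    """
    result: Dict[str, List[str]] = {"default": [], "loopback": [], "redirect": []}
    for addr, names, line_no in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        for name in names:
            entry = f"line {line_no}: {addr} {name}"
            if name.lower() == "localhost" and ip.is_loopback:
                result["default"].append(entry)
            elif ip.is_loopback or ip.is_unspecified:
                result["loopback"].append(entry)
            else:
                result["redirect"].append(entry)
    return result


def is_pristine(text: str) -> bool:
    """True when the file holds only the default localhost mapping(s)."""
    summary = classify_hosts(text)
    return bool(summary["default"]) and not summary["loopback"] and not summary["redirect"]


if __name__ == "__main__":
    for kind, items in classify_hosts(SAMPLE_HOSTS).items():
        print(kind, items)
    print("sample pristine:", is_pristine(SAMPLE_HOSTS))
    print("after flush.bat:", is_pristine(DEFAULT_HOSTS + "\r\n"))
```

Run it against a copy of C:\WINDOWS\System32\drivers\etc\hosts before and after the reset; a file that is not pristine after flush.bat has run means something rewrote it again.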
Good morning. I ran OTS again and after it ran it had to reboot my computer; when it came back on I had the Notepad log, but it did not create a new OTS log. Here is the other one though:

All Processes Killed
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5D17C178 deleted successfully.
[Purity]
Purity scan complete.
[Empty Temp Folders]


User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 8485936 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 5954 bytes

User: Me
->Temp folder emptied: 139167 bytes
->Temporary Internet Files folder emptied: 5156826 bytes
->Java cache emptied: 9287 bytes
->Flash cache emptied: 1492 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 60114540 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 8215 bytes

User: program files for Edrive

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1113810 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 120 bytes

Total Files Cleaned = 72.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.38.1 fix logfile created on 09242010_070909

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DF1295.tmp not found!
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DF12A4.tmp not found!
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DF136C.tmp not found!
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DF14B3.tmp not found!
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DFF42.tmp not found!
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DFF58.tmp not found!
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\MGNUFXE3\showthread[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VZB7260K\PortalServe[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VZB7260K\search1[2].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JBXE0PRV\breakingnews[1].txt moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JBXE0PRV\mevio_com[1].txt not found!
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JBXE0PRV\sitetvratings[1].html not found!
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HFW9MD9W\;subTagID=100;subTagName=;clickTrack=;impactTrack=;cb=318012186[1].htm not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HFW9MD9W\fw-nonplayer-banner[4].htm moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HFW9MD9W\login_status[2].php not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HFW9MD9W\mucinex_monsterrevision_us_450x360_h264[1].mp4 moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HFW9MD9W\na[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FVEZW0TQ\fw-nonplayer-banner[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FVEZW0TQ\news[1].aspx moved successfully.
File\Folder C:\WINDOWS\temp\fla7.tmp not found!

Registry entries deleted on Reboot...
 
I ran the flush.bat and it restarted my computer. When I got back on explorer, the first thing I did was search for this site and it redirected me to another spyware blocker site. I clicked on the Spybot home page and it took me to a spyware hunter blocker site.

Thanks for your help I really appreciate it.
 
Open Internet Explorer and do this.

Go to Tools > Internet Options > Advanced Tab > Reset Internet Explorer Settings > Reset. It will take a few seconds; then OK your way out, close IE and reopen it, and see if this helped.
 