Malware from whitesmoke - Help!

Hi kennyart,

Some additional instructions:

Please reboot your computer after the fix then obtain the new OTL log.

Thanks
 
Must be getting better by now

Hi, here are the two new log files, OTL fix and OTL:

========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{669C4C34-7457-4490-A642-A2ED3BF3BBBE} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{669C4C34-7457-4490-A642-A2ED3BF3BBBE}\ deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\"dvprpt"|"C:\\Program Files\\Authentium\\Command AntiVirus\\dvprpt.exe" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\"untray"|"C:\\Program Files\\Authentium\\Command AntiVirus\\untray.exe" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\"avtray"|"C:\\Program Files\\Authentium\\Command AntiVirus\\avtray.exe" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\"CSAV_CheckViruses"|"C:\\Program Files\\Authentium\\Command AntiVirus\\vchk.exe" /E : value set successfully!
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat moved successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.2 log created on 03102011_182106


*******************************************************

OTL logfile created on: 3/10/2011 6:22:14 PM - Run 6
OTL by OldTimer - Version 3.2.22.2 Folder = C:\removal tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 103.00 Mb Available Physical Memory | 41.00% Memory free
626.00 Mb Paging File | 459.00 Mb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 28.50 Gb Free Space | 76.53% Space Free | Partition Type: NTFS
Drive E: | 250.72 Mb Total Space | 212.93 Mb Free Space | 84.93% Space Free | Partition Type: FAT

Computer Name: BRAUER | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\removal tools\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe (Authentium, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)


========== Modules (SafeList) ==========

MOD - C:\removal tools\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (schscnt) -- C:\Program Files\Authentium\Command AntiVirus\schscnt.exe (Authentium, Inc.)
SRV - (avinitnt) -- C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe (Authentium, Inc.)
SRV - (dvpapi) -- C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (Authentium, Inc.)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)


========== Driver Services (SafeList) ==========

DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (SMSIVZAM5) -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys (Smith Micro Inc.)
DRV - (NWUSBCDFIL) -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys (Novatel Wireless Inc.)
DRV - (NWADI) -- C:\WINDOWS\system32\drivers\NWADIenum.sys (Novatel Wireless Inc)
DRV - (CSS DVP) -- C:\WINDOWS\system32\drivers\Css-Dvp.sys (Authentium, Inc.)
DRV - (NWUSBPort2) -- C:\WINDOWS\system32\drivers\nwusbser2.sys (Novatel Wireless Inc.)
DRV - (NWUSBPort) -- C:\WINDOWS\system32\drivers\nwusbser.sys (Novatel Wireless Inc.)
DRV - (NWUSBModem) -- C:\WINDOWS\system32\drivers\nwusbmdm.sys (Novatel Wireless Inc.)
DRV - (BCMModem) -- C:\WINDOWS\system32\drivers\BCMSM.sys (Broadcom Corporation)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (OMCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)
DRV - (BCM44X2) -- C:\WINDOWS\system32\drivers\BCM4E5.SYS (Broadcom Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - File not found

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2011/03/09 11:04:01 | 000,429,909 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14825 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [avtray] C:\Program Files\Authentium\Command AntiVirus\avtray.exe (Authentium, Inc.)
O4 - HKLM..\Run: [CSAV_CheckViruses] C:\Program Files\Authentium\Command AntiVirus\vchk.exe (Authentium, Inc.)
O4 - HKLM..\Run: [dvprpt] C:\Program Files\Authentium\Command AntiVirus\dvprpt.exe (Authentium, Inc.)
O4 - HKLM..\Run: [untray] C:\Program Files\Authentium\Command AntiVirus\untray.exe (Authentium, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38170.3375115741 (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/07/01 12:52:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/09 17:09:18 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/09 17:07:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/03/09 16:58:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/09 06:37:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/03/09 05:02:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/09 04:59:27 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/09 04:59:26 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/09 04:59:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/09 04:59:25 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/09 04:58:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/09 04:56:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/08 20:20:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/03/07 06:25:00 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2011/03/07 05:57:32 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2011/03/06 21:10:48 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2011/03/06 17:02:11 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/06 16:50:09 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/03/06 16:36:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/06 16:36:21 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/06 16:36:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/03/06 16:10:54 | 000,000,000 | ---D | C] -- C:\removal tools

========== Files - Modified Within 30 Days ==========

[2011/03/10 18:20:38 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{7602F2D7-6280-43DF-BE0C-E96C4EF5D0E0}.job
[2011/03/09 17:00:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/09 17:00:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/09 11:04:01 | 000,429,909 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/09 06:28:33 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110309-110401.backup
[2011/03/09 05:02:32 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/09 04:53:28 | 004,283,816 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\jgh.exe
[2011/03/08 04:40:25 | 000,223,224 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/07 06:56:57 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/07 06:49:21 | 000,432,686 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/07 06:49:21 | 000,067,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/07 05:22:49 | 000,000,981 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/07 05:22:49 | 000,000,963 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2011/03/06 21:20:48 | 000,000,961 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\VZAccess Manager 7.lnk
[2011/03/06 17:02:10 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/03 21:10:41 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/10 18:00:11 | 000,001,753 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Scheduled Tasks.lnk
[2011/02/10 17:38:39 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110309-044208.backup

========== Files Created - No Company Name ==========

[2011/03/09 05:02:32 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/03/09 05:02:28 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/09 04:59:27 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/09 04:59:26 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/09 04:59:26 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/09 04:59:26 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/09 04:59:26 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/09 04:54:13 | 004,283,816 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\jgh.exe
[2011/03/06 19:13:59 | 000,001,753 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Scheduled Tasks.lnk
[2011/03/06 16:36:34 | 000,000,981 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/06 16:36:34 | 000,000,963 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2011/02/23 10:18:59 | 000,000,961 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\VZAccess Manager 7.lnk
[2010/09/26 21:13:12 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/07/02 15:23:35 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/08/30 17:53:49 | 000,000,604 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2006/06/29 19:58:51 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/09/09 03:32:53 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/07/02 09:40:28 | 000,000,122 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2004/07/02 09:02:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/07/02 07:41:33 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2004/07/02 06:53:41 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2004/07/02 06:53:15 | 000,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys
[2004/07/01 12:54:49 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/07/01 12:49:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/07/01 04:06:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/07/01 04:05:01 | 000,223,224 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 09:17:03 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/09/03 09:16:59 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/09/03 08:52:01 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/09/03 08:52:00 | 000,432,686 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/09/03 08:51:58 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/09/03 08:51:54 | 000,067,516 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/09/03 08:49:33 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/09/03 08:41:59 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/09/03 08:41:43 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/09/03 08:32:10 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/09/03 08:30:33 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[1998/10/01 00:00:00 | 001,708,032 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[1998/10/01 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1998/10/01 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[1998/10/01 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

< End of report >
 
Computer got stuck

OK, so I rebooted. It seemed to come up all right, but there was a constant hourglass on the task bar and nothing would open. I waited 3 or 4 minutes, then used ALT CTL DEL to open task mgr and watched for a while; the program csrss.exe kept appearing and disappearing. Then, when I moved the task mgr window around, it made a bunch of image trails. I tried opening write.exe to do a screen capture and save the file so I could send it to you, but the file save dialog got stuck. Finally I just took a photo; it is attached. I opened OTL from the task mgr and ran a scan, which is below. Rebooted the computer again. It booted up OK this time. Programs seem to work OK at the moment. Not convinced yet.... :P


OTL logfile created on: 3/10/2011 6:59:29 PM - Run 7
OTL by OldTimer - Version 3.2.22.2 Folder = C:\removal tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 40.00 Mb Available Physical Memory | 16.00% Memory free
626.00 Mb Paging File | 449.00 Mb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 28.51 Gb Free Space | 76.55% Space Free | Partition Type: NTFS

Computer Name: BRAUER | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\removal tools\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Windows NT\Accessories\wordpad.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\msfeedssync.exe (Microsoft Corporation)
PRC - C:\Program Files\Authentium\Command AntiVirus\untray.exe (Authentium, Inc.)
PRC - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe (Authentium, Inc.)
PRC - C:\Program Files\Authentium\Command AntiVirus\dvprpt.exe (Authentium, Inc.)
PRC - C:\Program Files\Authentium\Command AntiVirus\avtray.exe (Authentium, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)


========== Modules (SafeList) ==========

MOD - C:\removal tools\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (schscnt) -- C:\Program Files\Authentium\Command AntiVirus\schscnt.exe (Authentium, Inc.)
SRV - (avinitnt) -- C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe (Authentium, Inc.)
SRV - (dvpapi) -- C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (Authentium, Inc.)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)


========== Driver Services (SafeList) ==========

DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (SMSIVZAM5) -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys (Smith Micro Inc.)
DRV - (NWUSBCDFIL) -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys (Novatel Wireless Inc.)
DRV - (NWADI) -- C:\WINDOWS\system32\drivers\NWADIenum.sys (Novatel Wireless Inc)
DRV - (CSS DVP) -- C:\WINDOWS\system32\drivers\Css-Dvp.sys (Authentium, Inc.)
DRV - (NWUSBPort2) -- C:\WINDOWS\system32\drivers\nwusbser2.sys (Novatel Wireless Inc.)
DRV - (NWUSBPort) -- C:\WINDOWS\system32\drivers\nwusbser.sys (Novatel Wireless Inc.)
DRV - (NWUSBModem) -- C:\WINDOWS\system32\drivers\nwusbmdm.sys (Novatel Wireless Inc.)
DRV - (BCMModem) -- C:\WINDOWS\system32\drivers\BCMSM.sys (Broadcom Corporation)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (OMCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)
DRV - (BCM44X2) -- C:\WINDOWS\system32\drivers\BCM4E5.SYS (Broadcom Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - File not found

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2011/03/09 11:04:01 | 000,429,909 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14825 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [avtray] C:\Program Files\Authentium\Command AntiVirus\avtray.exe (Authentium, Inc.)
O4 - HKLM..\Run: [CSAV_CheckViruses] C:\Program Files\Authentium\Command AntiVirus\vchk.exe (Authentium, Inc.)
O4 - HKLM..\Run: [dvprpt] C:\Program Files\Authentium\Command AntiVirus\dvprpt.exe (Authentium, Inc.)
O4 - HKLM..\Run: [untray] C:\Program Files\Authentium\Command AntiVirus\untray.exe (Authentium, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38170.3375115741 (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/07/01 12:52:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/09 17:09:18 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/09 16:58:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/09 06:37:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/03/09 05:02:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/09 04:59:27 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/09 04:59:26 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/09 04:59:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/09 04:59:25 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/09 04:58:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/09 04:56:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/08 20:20:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/03/07 06:25:00 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2011/03/07 05:57:32 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2011/03/06 21:10:48 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2011/03/06 17:02:11 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/06 16:50:09 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/03/06 16:36:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/06 16:36:21 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/06 16:36:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/03/06 16:10:54 | 000,000,000 | ---D | C] -- C:\removal tools

========== Files - Modified Within 30 Days ==========

[2011/03/10 18:50:14 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{7602F2D7-6280-43DF-BE0C-E96C4EF5D0E0}.job
[2011/03/10 18:47:05 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/10 18:46:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/09 11:04:01 | 000,429,909 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/09 06:28:33 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110309-110401.backup
[2011/03/09 05:02:32 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/09 04:53:28 | 004,283,816 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\jgh.exe
[2011/03/08 04:40:25 | 000,223,224 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/07 06:56:57 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/07 06:49:21 | 000,432,686 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/07 06:49:21 | 000,067,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/07 05:22:49 | 000,000,981 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/07 05:22:49 | 000,000,963 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2011/03/06 21:20:48 | 000,000,961 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\VZAccess Manager 7.lnk
[2011/03/06 17:02:10 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/03 21:10:41 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/10 18:00:11 | 000,001,753 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Scheduled Tasks.lnk
[2011/02/10 17:38:39 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110309-044208.backup

========== Files Created - No Company Name ==========

[2011/03/09 05:02:32 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/03/09 05:02:28 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/09 04:59:27 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/09 04:59:26 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/09 04:59:26 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/09 04:59:26 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/09 04:59:26 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/09 04:54:13 | 004,283,816 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\jgh.exe
[2011/03/06 19:13:59 | 000,001,753 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Scheduled Tasks.lnk
[2011/03/06 16:36:34 | 000,000,981 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/06 16:36:34 | 000,000,963 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2011/02/23 10:18:59 | 000,000,961 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\VZAccess Manager 7.lnk
[2010/09/26 21:13:12 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/07/02 15:23:35 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/08/30 17:53:49 | 000,000,604 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2006/06/29 19:58:51 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/09/09 03:32:53 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/07/02 09:40:28 | 000,000,122 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2004/07/02 09:02:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/07/02 07:41:33 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2004/07/02 06:53:41 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2004/07/02 06:53:15 | 000,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys
[2004/07/01 12:54:49 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/07/01 12:49:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/07/01 04:06:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/07/01 04:05:01 | 000,223,224 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 09:17:03 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/09/03 09:16:59 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/09/03 08:52:01 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/09/03 08:52:00 | 000,432,686 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/09/03 08:51:58 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/09/03 08:51:54 | 000,067,516 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/09/03 08:49:33 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/09/03 08:41:59 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/09/03 08:41:43 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/09/03 08:32:10 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/09/03 08:30:33 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[1998/10/01 00:00:00 | 001,708,032 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[1998/10/01 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1998/10/01 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[1998/10/01 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

< End of report >
 
Hi kennyart,

All your logs indicate the computer is clean. These are what we restored in the last fix; they are related to your antivirus program. Perhaps one of them is responsible for updates or a quick scan at startup and seized the resources.

O4 - HKLM..\Run: [avtray] C:\Program Files\Authentium\Command AntiVirus\avtray.exe (Authentium, Inc.)
O4 - HKLM..\Run: [CSAV_CheckViruses] C:\Program Files\Authentium\Command AntiVirus\vchk.exe (Authentium, Inc.)
O4 - HKLM..\Run: [dvprpt] C:\Program Files\Authentium\Command AntiVirus\dvprpt.exe (Authentium, Inc.)
O4 - HKLM..\Run: [untray] C:\Program Files\Authentium\Command AntiVirus\untray.exe (Authentium, Inc.)
The one in red was not running when you made the OTL.txt.

The reinfection you experienced came from these files. They were set to run at startup. They have since been replaced with the legitimate copies.

Code:
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe

I can't make out anything in the attached jpg. What am I looking for? An easy way to do a screen capture is to use the Alt and Print Screen keys. It will save the top window to the clipboard; you can then paste it into Paint.

Unless you have some issues, I think it's time we cleaned up the tools and took the computer for a test drive.
 
Thanks a bunch!!

Thank you very much, I really appreciate all your help and advice!!

I have uninstalled Command Antivirus and installed the new Microsoft Security Essentials. I hope this will work much better. The computer is working much more like it is supposed to now.

Thank you again.

Kennny :bigthumb:
 
Hi kennyart,

From your desktop, please delete, if present
  • any notepads/logs that we created
  • GMER1exe
  • DDS.com

Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK

Combofix /uninstall



Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.


I suggest you keep MBAM. Keep it updated and use it regularly.


ESET online scan can be removed via add/remove programs.


* you can install the MS updates. *


Don't forget to re-enable Teatimer.


Updates and upgrades

You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader 8.1.2 first. Be sure to move any PDF documents to another folder first though.


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a firewall to what you have.

* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click FIREWALL for links and tutorials to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware)


You have a Custom Hosts file. :bigthumb:


-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.


- Make sure you have reset Automatic Updates to your chosen option. Click your Start button > Control Panel > System


- Keep your antivirus program updated, as well as any other security programs you have.


-More tips and programs can be found HERE

- You may also want to read this article By Tony Klein
http://www.freedomlist.com/forum/viewtopic.php?t=22879

Please post back if you have any problems.

Take care :greeting:
 
Last edited by a moderator:
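The Internet zone settings the helper walks through above are stored per user in the registry, so they can be audited (and re-applied) without clicking through the Custom Level dialog. The script below is an added example, not something posted in this thread; it assumes the documented Internet Explorer zone layout under HKCU (Zone 3 = Internet; data 0 = Enable, 1 = Prompt, 3 = Disable) and the standard value names for the six settings listed.

```powershell
# Added example (not from this thread): audit the six Internet-zone settings
# recommended above and optionally apply them. Assumes the standard IE zone
# registry layout: HKCU\...\Zones\3 is the Internet zone, and each setting is a
# DWORD whose data is 0 = Enable, 1 = Prompt, 3 = Disable.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Dialog label (as in the Custom Level window), registry value name, wanted data
$recommended = @(
    @{ Name = 'Download signed ActiveX controls';                          Key = '1001'; Want = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Key = '1004'; Want = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Key = '1201'; Want = 3 },
    @{ Name = 'Installation of desktop items';                             Key = '1800'; Want = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Key = '1804'; Want = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Key = '1607'; Want = 1 }
)
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IEZoneHardening {
    # Returns the number of settings that differ from the recommendation.
    # With -Fix, the differing values are written back as DWORDs.
    param([switch]$Fix)
    $driftCount = 0
    foreach ($s in $recommended) {
        $current = (Get-ItemProperty -Path $zone -Name $s.Key -ErrorAction SilentlyContinue).($s.Key)
        if ($null -eq $current) {
            $currentLabel = 'not set (zone default applies)'
        } else {
            $currentLabel = $labels[[int]$current]
        }
        if ($current -ne $s.Want) {
            $driftCount++
            Write-Host ('[!]  {0}: is {1}, want {2}' -f $s.Name, $currentLabel, $labels[$s.Want])
            if ($Fix) {
                # Set-ItemProperty creates the value if it does not exist yet
                Set-ItemProperty -Path $zone -Name $s.Key -Value $s.Want -Type DWord
            }
        } else {
            Write-Host ('[ok] {0}: {1}' -f $s.Name, $labels[$s.Want])
        }
    }
    return $driftCount
}

# Audit only; add -Fix to apply the recommended values for the current user.
$drift = Test-IEZoneHardening
Write-Host ("{0} setting(s) differ from the recommendation." -f $drift)
```

The values only affect the user profile the script runs under; a machine-wide policy pushed through Group Policy can override them, so re-run the audit after applying to confirm the change stuck.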