Malware from whitesmoke - Help!

Status
Not open for further replies.
K

kennyart

New member
I am having trouble with removing malware that was installed when a program called whitesmoke appeared on a computer. I have tried removing with spybot, malware bytes, hijackthis and before reading your "fixes" disclaimer also ran combofix rootbusteter and otl, hope this didn't mess things up. Sorry, my misstake. Two programs will show multiple times in the task manager under processes, QIP7WVCA.EXE AND HKI876.EXE. Ending the task will stop them but they come back, also there are enteries in the scheduler for starting these programs which when removed also come back eventually. Also I did a seach for these programs, found and removed them from the prefech and user application folders. They will eventually come back. Here is the DDS.TXT file and I am attaching the ATTACH.TXT from running DDS.COM


Please help me!

Kenny


*************
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 19:20:30.81 on Sun 03/06/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.62 [GMT -8:00]
.
AV: Command AntiVirus for Windows *Disabled/Updated* {FEC5E682-ED0A-49C9-8BA8-63374386B103}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
svchost.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\removal tools\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: AOL Search Class: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - c:\program files\moviefone toolbar\moviefonetb.dll
mURLSearchHooks: AOL Search Class: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - c:\program files\moviefone toolbar\moviefonetb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Moviefone Toolbar: {669c4c34-7457-4490-a642-a2ed3bf3bbbe} - c:\program files\moviefone toolbar\moviefonetb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [untray] c:\progra~1\authen~1\comman~1\untray.exe
mRun: [dvprpt] c:\progra~1\authen~1\comman~1\dvprpt.exe
mRun: [CSAV_CheckViruses] c:\progra~1\authen~1\comman~1\vchk.exe
mRun: [avtray] c:\progra~1\authen~1\comman~1\avtray.exe
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38170.3375115741
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-3-20 32408]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [2004-7-2 26568]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]
.
=============== Created Last 30 ================
.
2011-03-07 01:02:11 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-07 00:36:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-07 00:36:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-07 00:10:54 -------- d-----w- C:\removal tools
2011-02-11 18:24:13 77826 ----a-w- c:\docume~1\alluse~1\applic~1\QIP7WVcA.exe
.
==================== Find3M ====================
.
.
============= FINISH: 19:22:22.01 ===============
 
Hi kennyart, welcome to the forum.

To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
  • Do not attach any logs/reports, etc.. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, Please ask before continuing.
  • Please stay with this thread until given the All Clear. A absence of symptoms does not mean a clean machine.


If you still have OTL please run a scan.
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • In the Extra Registry section change it to All
  • Check the boxes beside LOP Check and Purity Check.
  • In the window under Custom Scans/Fixes copy and paste the following


    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lîk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Deskuop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    iexplore.*
    explorer.*
    winlogon.*
    dll
    zx.dll
    hlp.dat
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Thanks
 
Ran OTL as asked

OK, I have ran OTL with your instructions. Here is the first result from OTL.TXT


OTL logfile created on: 3/8/2011 4:54:29 AM - Run 2
OTL by OldTimer - Version 3.2.22.2 Folder = C:\removal tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 131.00 Mb Available Physical Memory | 51.00% Memory free
626.00 Mb Paging File | 381.00 Mb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 28.86 Gb Free Space | 77.48% Space Free | Partition Type: NTFS

Computer Name: BRAUER | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\removal tools\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe ()
PRC - C:\WINDOWS\system32\msfeedssync.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Authentium\Command AntiVirus\untray.exe (Authentium, Inc.)
PRC - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe (Authentium, Inc.)
PRC - C:\Program Files\Authentium\Command AntiVirus\dvprpt.exe (Authentium, Inc.)
PRC - C:\Program Files\Authentium\Command AntiVirus\avtray.exe (Authentium, Inc.)
PRC - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe (Authentium, Inc.)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (Authentium, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe (Musicmatch Inc.)


========== Modules (SafeList) ==========

MOD - C:\removal tools\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (schscnt) -- C:\Program Files\Authentium\Command AntiVirus\schscnt.exe (Authentium, Inc.)
SRV - (avinitnt) -- C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe (Authentium, Inc.)
SRV - (dvpapi) -- C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (Authentium, Inc.)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)


========== Driver Services (SafeList) ==========

DRV - (SMSIVZAM5) -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys (Smith Micro Inc.)
DRV - (NWUSBCDFIL) -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys (Novatel Wireless Inc.)
DRV - (NWADI) -- C:\WINDOWS\system32\drivers\NWADIenum.sys (Novatel Wireless Inc)
DRV - (CSS DVP) -- C:\WINDOWS\system32\drivers\Css-Dvp.sys (Authentium, Inc.)
DRV - (NWUSBPort2) -- C:\WINDOWS\system32\drivers\nwusbser2.sys (Novatel Wireless Inc.)
DRV - (NWUSBPort) -- C:\WINDOWS\system32\drivers\nwusbser.sys (Novatel Wireless Inc.)
DRV - (NWUSBModem) -- C:\WINDOWS\system32\drivers\nwusbmdm.sys (Novatel Wireless Inc.)
DRV - (BCMModem) -- C:\WINDOWS\system32\drivers\BCMSM.sys (Broadcom Corporation)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (OMCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)
DRV - (BCM44X2) -- C:\WINDOWS\system32\drivers\BCM4E5.SYS (Broadcom Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - File not found

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2011/02/10 17:38:39 | 000,000,736 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (Moviefone Toolbar) - {669C4C34-7457-4490-A642-A2ED3BF3BBBE} - File not found
O4 - HKLM..\Run: [avtray] C:\Program Files\Authentium\Command AntiVirus\avtray.exe (Authentium, Inc.)
O4 - HKLM..\Run: [CSAV_CheckViruses] C:\Program Files\Authentium\Command AntiVirus\vchk.exe (Authentium, Inc.)
O4 - HKLM..\Run: [dvprpt] C:\Program Files\Authentium\Command AntiVirus\dvprpt.exe (Authentium, Inc.)
O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe ()
O4 - HKLM..\Run: [untray] C:\Program Files\Authentium\Command AntiVirus\untray.exe (Authentium, Inc.)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe ()
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe ()
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38170.3375115741 (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/07/01 12:52:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{40bd9205-19bc-11da-b6a2-000874bac88c}\Shell\AutoRun\command - "" = E:\JDSecure\Windows\JDSecure31.exe
O33 - MountPoints2\{eaf1ac66-f995-11de-bbfd-000874bac88c}\Shell - "" = AutoRun
O33 - MountPoints2\{eaf1ac66-f995-11de-bbfd-000874bac88c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{eaf1ac66-f995-11de-bbfd-000874bac88c}\Shell\AutoRun\command - "" = E:\VZAccess_Manager.exe /z detect
O33 - MountPoints2\{eaf1ac6a-f995-11de-bbfd-000874bac88c}\Shell - "" = AutoRun
O33 - MountPoints2\{eaf1ac6a-f995-11de-bbfd-000874bac88c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{eaf1ac6a-f995-11de-bbfd-000874bac88c}\Shell\AutoRun\command - "" = F:\VZAccess_Manager.exe /z detect
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: SSHNAS - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2011/03/07 06:25:00 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2011/03/07 05:57:32 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2011/03/06 21:10:48 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2011/03/06 17:02:11 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/06 16:50:09 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/03/06 16:36:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/06 16:36:21 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/06 16:36:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/03/06 16:10:54 | 000,000,000 | ---D | C] -- C:\removal tools
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/08 04:43:03 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{7602F2D7-6280-43DF-BE0C-E96C4EF5D0E0}.job
[2011/03/08 04:41:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/08 04:40:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/08 04:40:25 | 000,223,224 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/07 06:56:57 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/07 06:49:21 | 000,432,686 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/07 06:49:21 | 000,067,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/07 05:35:09 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat
[2011/03/07 05:22:49 | 000,000,981 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/07 05:22:49 | 000,000,963 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2011/03/06 21:20:48 | 000,000,961 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\VZAccess Manager 7.lnk
[2011/03/06 17:02:10 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/03 21:10:41 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/10 18:00:11 | 000,001,753 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Scheduled Tasks.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/06 19:13:59 | 000,001,753 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Scheduled Tasks.lnk
[2011/03/06 16:36:34 | 000,000,981 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/06 16:36:34 | 000,000,963 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2011/02/23 10:18:59 | 000,000,961 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\VZAccess Manager 7.lnk
[2011/02/11 10:24:02 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat
[2010/09/26 21:13:12 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/07/02 15:23:35 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/08/30 17:53:49 | 000,000,604 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2006/06/29 19:58:51 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/09/09 03:32:53 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/07/02 09:40:28 | 000,000,122 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2004/07/02 09:02:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/07/02 07:41:33 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2004/07/02 06:53:41 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2004/07/02 06:53:15 | 000,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys
[2004/07/01 12:54:49 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/07/01 12:49:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/07/01 04:06:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/07/01 04:05:01 | 000,223,224 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 09:17:03 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/09/03 09:16:59 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/09/03 08:52:01 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/09/03 08:52:00 | 000,432,686 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/09/03 08:51:58 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/09/03 08:51:54 | 000,067,516 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/09/03 08:49:33 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/09/03 08:41:59 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/09/03 08:41:43 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/09/03 08:32:10 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/09/03 08:30:33 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[1998/10/01 00:00:00 | 001,708,032 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[1998/10/01 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1998/10/01 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[1998/10/01 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2007/04/21 13:55:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Command Software
[2008/12/20 10:49:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Moviefone Toolbar
[2010/12/16 22:00:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pKlLa05701
[2004/07/02 09:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AddIns
[2004/07/02 09:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Address Book
[2004/07/02 09:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\CLR Security Config
[2004/07/02 09:50:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Command Software
[2004/07/02 09:04:58 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Owner\Application Data\Credentials
[2004/07/02 09:04:58 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Owner\Application Data\Crypto
[2004/07/02 09:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Encarta Reference Library
[2004/07/02 09:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HTML Help
[2004/07/02 09:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Internet Explorer
[2004/07/02 09:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Media Player
[2004/07/02 09:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MMC
[2004/07/02 09:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Movie Maker
[2004/07/02 09:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MSDAIPP
[2006/06/29 19:56:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Musicmatch
[2004/07/02 09:05:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Office
[2004/07/02 09:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Picture It! 7
[2004/07/02 09:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Proof
[2004/07/02 09:05:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Owner\Application Data\Protect
[2010/11/17 21:25:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Smith Micro
[2004/07/02 09:05:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Owner\Application Data\SystemCertificates
[2004/07/02 09:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Templates
[2011/01/27 16:46:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\WhiteSmokeTranslator
[2004/07/02 09:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows
[2004/07/02 09:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Word
[2011/03/08 04:43:03 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{7602F2D7-6280-43DF-BE0C-E96C4EF5D0E0}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2004/07/01 12:52:24 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2004/07/21 17:46:49 | 000,000,040 | ---- | M] () -- C:\avinitnt.log
[2004/09/09 06:41:12 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2004/07/01 12:52:24 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2004/07/01 12:52:24 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2004/07/01 12:52:24 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/09/09 06:28:21 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/10/29 21:47:05 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/03/08 04:40:23 | 402,653,184 | -HS- | M] () -- C:\pagefile.sys
[2011/03/06 16:21:36 | 000,038,574 | ---- | M] () -- C:\TDSSKiller.2.4.20.0_06.03.2011_16.20.26_log.txt

< %systemroot%\Fonts\*.com >
[2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2004/07/01 12:51:57 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 04:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2008/07/06 02:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >
[2005/08/30 17:12:11 | 000,577,003 | ---- | M] () -- C:\WINDOWS\drbrauer.jpg
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2004/07/01 04:04:10 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/07/01 04:04:10 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/07/01 04:04:10 | 000,389,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lîk /x >
[2008/10/29 21:57:24 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini
[2004/10/02 18:06:55 | 000,001,992 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\New Office Document.lnk
[2004/10/02 18:06:55 | 000,002,002 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Open Office Document.lnk
[2008/10/29 21:57:24 | 000,001,563 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
[2004/07/01 12:52:29 | 000,000,398 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Catalog.lnk
[2005/11/14 17:56:20 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x >

< %USERPROFILE%\Deskuop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-03-07 14:57:23


< MD5 for: EXPLORER.EXE >
[2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 03:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 02:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/03 23:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: EXPLORER.EXE.000 >
[2004/08/03 23:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe.000

< MD5 for: EXPLORER.EXE-082F38A9.PF >
[2011/03/08 04:49:54 | 000,089,886 | ---- | M] () MD5=27B982F1FEC4F3EF49DD19EE8C88318B -- C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

< MD5 for: EXPLORER.SCF >
[2002/09/03 08:32:50 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: IEXPLORE.CHM >
[2009/02/21 00:21:24 | 000,529,818 | ---- | M] () MD5=1435F4731719DF5F57D17DC38196245D -- C:\WINDOWS\Help\iexplore.chm
[2004/07/17 10:40:16 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS\ie8\iexplore.chm
[2004/07/17 10:40:16 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS\ServicePackFiles\i386\iexplore.chm

< MD5 for: IEXPLORE.CHW >
[2009/06/15 20:18:54 | 000,153,185 | ---- | M] () MD5=4108732632AAB3CC4AB05C20B44F63B7 -- C:\WINDOWS\Help\iexplore.chw

< MD5 for: IEXPLORE.EXE >
[2008/04/13 16:12:22 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ie8\iexplore.exe
[2008/04/13 16:12:22 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
[2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\WINDOWS\system32\dllcache\iexplore.exe
[2004/08/03 23:56:50 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=E7484514C0464642BE7B4DC2689354C8 -- C:\WINDOWS\$NtServicePackUninstall$\iexplore.exe

< MD5 for: IEXPLORE.EXE.MUI >
[2009/03/08 13:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
[2009/03/08 13:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\iexplore.exe.mui

< MD5 for: IEXPLORE.EXE-27122324.PF >
[2011/03/07 06:22:40 | 000,078,678 | ---- | M] () MD5=A8458829FF95540B3F91EA1F9D10C38D -- C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf

< MD5 for: IEXPLORE.HLP >
[2002/09/03 08:35:04 | 000,180,335 | ---- | M] () MD5=3F19AF1B745140DAFAC6F78F561A3C62 -- C:\WINDOWS\Help\iexplore.hlp

< MD5 for: WINLOGON.EXE >
[2004/08/03 23:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 16:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 16:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< >

< End of report >
 
Second part of OTL run

Here is the log from OTL extras.txt. I await your next instructions and thank you very much for your help!

Kenny



OTL Extras logfile created on: 3/8/2011 4:54:29 AM - Run 2
OTL by OldTimer - Version 3.2.22.2 Folder = C:\removal tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 131.00 Mb Available Physical Memory | 51.00% Memory free
626.00 Mb Paging File | 381.00 Mb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 28.86 Gb Free Space | 77.48% Space Free | Partition Type: NTFS

Computer Name: BRAUER | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\System32\rundll32.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{01F9D88C-3C86-4E82-840A-101A3221F67A}" = Microsoft Money 2003
"{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}" = Microsoft Money 2003 System Pack
"{03410014-3975-4267-9F39-1DC4745090B7}" = Microsoft Encarta Encyclopedia Standard 2003
"{0B8FF60F-C012-4459-AADF-A3AD4E3757DE}" = Dell Picture Studio - Dell Image Expert
"{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}" = Microsoft Streets and Trips 2002
"{2C4ED6CF-B084-4166-8308-6A2D5520A3E6}" = Command AntiVirus for Windows
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{369B36BE-3D64-4641-9AEA-808D436FE132}" = Microsoft Picture It! Photo 7.0
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{7641FD7D-E94E-424E-A95C-0593C84DC0C0}" = VZAccess Manager
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{7B2ADCB5-3F3D-478A-90A9-A8C04EF82BF6}" = Mobile Broadband Generic Drivers
"{7EE9DE0D-9228-4C33-B80E-FDD1773600DF}" = Microsoft Works Suite Add-in for Microsoft Word
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}" = Musicmatch® Jukebox
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{936B64E8-458D-4E3B-855C-44B4B6E7BD7D}" = Command AntiVirus for Windows
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D64DCF1C-7A95-49A4-BAFA-C42B5CF6B8B6}" = Works Suite OS Pack
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Ad-aware 6 Personal" = Ad-aware 6 Personal
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CSCLIB" = Canon Camera Support Core Library
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"EOS Utility" = Canon Utilities EOS Utility
"Hotbara" = Web Tools by Spam Blocker Utility
"Hotbarb" = Spam Blocker Utility
"Hotbarc" = Shopper Reports by Spam Blocker Utility
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mobile Broadband Generic Drivers" = Mobile Broadband Generic Drivers
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Moviefone Toolbar" = Moviefone Toolbar for Internet Explorer
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"PhotoStitch" = Canon Utilities PhotoStitch
"PPTView97" = Microsoft PowerPoint Viewer 97
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Shockwave" = Shockwave
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2003Setup" = Microsoft Works 2003 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/5/2011 2:40:49 AM | Computer Name = BRAUER | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/6/2011 8:52:25 PM | Computer Name = BRAUER | Source = MsiInstaller | ID = 11328
Description = Product: Command AntiVirus for Windows -- Error 1328. Error applying
patch to file C:\Config.Msi\PT29.tmp. It has probably been updated by other means,
and can no longer be modified by this patch. For more information contact your
patch vendor. System Error: -1072807676

Error - 3/6/2011 8:52:38 PM | Computer Name = BRAUER | Source = MsiInstaller | ID = 11328
Description = Product: Command AntiVirus for Windows -- Error 1328. Error applying
patch to file C:\Config.Msi\PT28.tmp. It has probably been updated by other means,
and can no longer be modified by this patch. For more information contact your
patch vendor. System Error: -1072807676

Error - 3/6/2011 8:52:46 PM | Computer Name = BRAUER | Source = MsiInstaller | ID = 11328
Description = Product: Command AntiVirus for Windows -- Error 1328. Error applying
patch to file C:\Config.Msi\PT27.tmp. It has probably been updated by other means,
and can no longer be modified by this patch. For more information contact your
patch vendor. System Error: -1072807676

Error - 3/6/2011 9:17:34 PM | Computer Name = BRAUER | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/6/2011 9:17:34 PM | Computer Name = BRAUER | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/7/2011 10:13:16 AM | Computer Name = BRAUER | Source = Application Error | ID = 1000
Description = Faulting application qip7wvca.exe, version 0.0.0.0, faulting module
qip7wvca.exe, version 0.0.0.0, fault address 0x00001980.

Error - 3/7/2011 10:18:53 AM | Computer Name = BRAUER | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/7/2011 10:18:53 AM | Computer Name = BRAUER | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/7/2011 10:20:07 AM | Computer Name = BRAUER | Source = Application Error | ID = 1001
Description = Fault bucket -1951364574.

[ System Events ]
Error - 3/6/2011 8:31:40 PM | Computer Name = BRAUER | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error
message: The referenced assembly is not installed on your system. .

Error - 3/6/2011 8:31:40 PM | Computer Name = BRAUER | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Verizon Wireless\VZAccess
Manager\ATTExtension.dll. Reference error message: The operation completed successfully.
.

Error - 3/6/2011 9:05:35 PM | Computer Name = BRAUER | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 3/6/2011 9:17:42 PM | Computer Name = BRAUER | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_TMCOMM\0000 disappeared from the system without
first being prepared for removal.

Error - 3/6/2011 9:21:26 PM | Computer Name = BRAUER | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 3/6/2011 9:21:26 PM | Computer Name = BRAUER | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error
message: The referenced assembly is not installed on your system. .

Error - 3/6/2011 9:21:26 PM | Computer Name = BRAUER | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Verizon Wireless\VZAccess
Manager\ATTExtension.dll. Reference error message: The operation completed successfully.
.

Error - 3/7/2011 1:22:38 AM | Computer Name = BRAUER | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 3/7/2011 1:22:38 AM | Computer Name = BRAUER | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error
message: The referenced assembly is not installed on your system. .

Error - 3/7/2011 1:22:38 AM | Computer Name = BRAUER | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Verizon Wireless\VZAccess
Manager\ATTExtension.dll. Reference error message: The operation completed successfully.
.


< End of report >
 
Hi kennyart,

Go HERE to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your desktop.

Before scanning with GMER, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click on the file you downloaded. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

If GMER will not run in normal windows, please run it in Safe Mode

Next

Please open OTL.

  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, click the None button near the top (it may looked greyed out)
  • In the window under Custom Scans/Fixes copy and paste the following


    C:\Documents and Settings\All Users\Application Data\pKlLa05701\*.* /s
    /md5start
    QIP7WVCA.EXE
    HKI876.EXE
    kXMRTNU.dat
    /md5stop


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

Please post back with
  • GMER log
  • OTL.txt
Thanks
 
New logs gmer, otl

Ok, sorry took so long, had to go to work, home at lunch now. Here is Gmer log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-08 11:17:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014A rev.3.16
Running: gmer1.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uftdqpog.sys


---- System - GMER 1.0.15 ----

Code 81A1F520 ZwDuplicateObject
Code 81A1F780 ZwSetInformationFile
Code FFB809E0 ZwSetSystemInformation
Code 81A1F8B0 ZwWriteFile

---- Kernel code sections - GMER 1.0.15 ----

PAGE Fastfat.SYS EFE189C8 7 Bytes JMP 81A1F654

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom Code 81A1F650
Device \FileSystem\Fastfat \Fat Code 81A1F650

---- EOF - GMER 1.0.15 ----


And the OTL log:


OTL logfile created on: 3/8/2011 11:21:46 AM - Run 3
OTL by OldTimer - Version 3.2.22.2 Folder = C:\removal tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 120.00 Mb Available Physical Memory | 47.00% Memory free
820.00 Mb Paging File | 529.00 Mb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 28.66 Gb Free Space | 76.95% Space Free | Partition Type: NTFS
Drive E: | 250.72 Mb Total Space | 191.63 Mb Free Space | 76.43% Space Free | Partition Type: FAT

Computer Name: BRAUER | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< C:\Documents and Settings\All Users\Application Data\pKlLa05701\*.* /s >
[2010/12/16 22:00:33 | 000,000,094 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\pKlLa05701\pKlLa05701
[2010/12/16 22:00:21 | 000,332,800 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\pKlLa05701\pKlLa05701.exe


< MD5 for: KXMRTNU.DAT >
[2011/03/07 05:35:09 | 000,000,112 | ---- | M] () MD5=16C0F41F6E718E2818225EFAEF6653DA -- C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat

< End of report >
 
Hi kennyart,

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code: 
:Services

:OTL
[2011/02/11 10:24:02 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat

:Files
C:\Documents and Settings\All Users\Application Data\pKlLa05701
c:\docume~1\alluse~1\applic~1\QIP7WVcA.exe

:Commands
[emptytemp]
[Reboot]

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.



You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Please post back with
  • OTL fix log
  • MBAM log
How's the computer?
 
Malware came back upon first reboot

OK, I have run OTL with the options provided, here is the log file:

:Services

:OTL
[2011/02/11 10:24:02 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat

:Files
C:\Documents and Settings\All Users\Application Data\pKlLa05701
c:\docume~1\alluse~1\applic~1\QIP7WVcA.exe

:Commands
[emptytemp]
[Reboot]


The computer rebooted, was slow and stuck while trying to load the verizion dialer for internet. (I am not using that here right now, and have a lan for connection, which was unplugged) Used task manager to stop and restart explorer. Downloaded updates for Malwarebytes and ran with options as noted. It was running really slow so looked in task manager under processes and saw the two programs running QIP7WCA.EXE and HKI876.EXE. Killed those process and looked in scheduled tasks and saw that there were many scheduled to start these programs. Removed those. MBAM finished and listed a number of whitesmoke entries. Set to Mbam remove those, here is the log file:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5995

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/8/2011 9:00:51 PM
mbam-log-2011-03-08 (21-00-50).txt

Scan type: Quick scan
Objects scanned: 136697
Time elapsed: 11 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{52794457-af6c-4c50-9def-f2e24f4c8889} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{52794457-AF6C-4C50-9DEF-F2E24F4C8889} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{52794457-AF6C-4C50-9DEF-F2E24F4C8889} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\networkservice\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\whitesmoketranslator (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\networkservice\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\exeArgs.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\guid.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\log.txt (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\preferences.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\stat-history.log (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\stat.log (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\stats.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\uninstallie.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\uninstallstatie.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\whitesmoketranslator\stat.log (PUP.WhiteSmoke) -> Quarantined and deleted successfully.


I think I still have a problem.....

Microsoft autoupdate did download some new updates while it was attached to the internet. Should these be loaded?

I have been unconnecting the lan cable when the internet is not needed during this process and copying the log files to a usb key and transferring to another computer to log in this forum. The internet explorer on the infected box will close on it's own after a few minutes and doesn't allow for much browsing. In the past, it would reload the infection when connected.

Thanks again for your assitance, hope for more help yet.

Kenny
 
Posted wrong OTL log

I think I copied and posted the wrong text file in my previous post, here is the correct OTL log:

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat moved successfully.
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\pKlLa05701 folder moved successfully.
File\Folder c:\docume~1\alluse~1\applic~1\QIP7WVcA.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 12275721 bytes
->Flash cache emptied: 1847 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4194438 bytes
->Flash cache emptied: 50531 bytes

User: Owner
->Temp folder emptied: 165224 bytes
->Temporary Internet Files folder emptied: 27683243 bytes
->Flash cache emptied: 456 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1145933 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 109022 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 91241582 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33726 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 131.00 mb


OTL by OldTimer - Version 3.2.22.2 log created on 03082011_202012

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Hi kennyart,

Microsoft autoupdate did download some new updates while it was attached to the internet. Should these be loaded?
Click to expand...
Hold off on those for now, until we find out what we are dealing with.

Sounds like we may have a downloader. In the future please do not stop any processes or delete any files. Sometimes the only way our tools find things are when they are active. Letting them run may also show us where they are loading from.


We need a bigger stick but first disable this program as it may interfere.


SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done and reboot your computer.
    (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]


Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that combofix is renamed before it is even started to download


Please download ComboFix from Link 1or Link 2 to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • During the download, before you save it to your desktop, rename Combofix to jgh.exe

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix

-----------------------------------------------------------​
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------​
  • Double click on ComboFix.exe (jgh.exe in your case) & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.[/b]

Please post back with
  • combofix log
How is the computer?

Thanks
 
Last edited:
Combofix has been run

OK, I have downloaded and run combofix (jgh.exe) as directed. I have not rebooted the computer yet and was not sure which program to disable for command antivirus, did disable avinitnt.exe in task manager when combofix asked to disable command antivirus. Command doesn't have an exit option from the task bar. Computer seems ok at the moment. Here is the log:

ComboFix 11-03-08.07 - Owner 03/09/2011 5:04.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.113 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\jgh.exe
AV: Command AntiVirus for Windows *Enabled/Updated* {FEC5E682-ED0A-49C9-8BA8-63374386B103}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\QIP7WVcA.exe
c:\documents and settings\Owner\Application Data\Windows
c:\documents and settings\Owner\Application Data\Windows\Themes\Custom.theme
c:\documents and settings\Owner\My Documents\Readiris.DUS
c:\program files\Messenger\msmsgs.exe
E:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_SSHNAS
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-09 04:20 . 2011-03-09 04:20 -------- d-----w- C:\_OTL
2011-03-07 00:36 . 2011-03-07 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-07 00:36 . 2011-03-07 01:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-07 00:10 . 2011-03-08 19:30 -------- d-----w- C:\removal tools
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 00:22 . 2002-09-03 16:47 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-01-21 14:44 . 2002-09-03 16:59 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-09-03 16:27 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-09-03 17:11 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-09-03 16:39 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-21 02:09 . 2010-12-02 00:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 02:08 . 2010-12-02 00:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 23:59 . 2004-02-07 01:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-09-03 16:39 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2002-09-03 16:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2002-09-03 16:39 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2002-09-03 16:49 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2002-09-03 16:50 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
.
Code: 
<pre>
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Authentium\Command AntiVirus\avtray .exe
c:\program files\Authentium\Command AntiVirus\dvprpt .exe
c:\program files\Authentium\Command AntiVirus\untray .exe
c:\program files\Authentium\Command AntiVirus\vchk .exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2011-01-31 35332]
"untray"="c:\progra~1\AUTHEN~1\COMMAN~1\untray.exe" [2008-06-02 140592]
"dvprpt"="c:\progra~1\AUTHEN~1\COMMAN~1\dvprpt.exe" [2008-06-02 206128]
"CSAV_CheckViruses"="c:\progra~1\AUTHEN~1\COMMAN~1\vchk.exe" [2008-06-02 75056]
"avtray"="c:\progra~1\AUTHEN~1\COMMAN~1\avtray.exe" [2008-06-02 144688]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2011-01-31 35332]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-31 35332]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [7/2/2004 6:51 AM 26568]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/1/2010 4:29 PM 38224]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/7/2008 12:23 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/9/2008 11:08 AM 174336]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 7:03 PM 32408]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\User_Feed_Synchronization-{7602F2D7-6280-43DF-BE0C-E96C4EF5D0E0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-09 05:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,09,72,6e,7e,97,9d,4e,bf,1a,79,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,09,72,6e,7e,97,9d,4e,bf,1a,79,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2168)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Authentium\Command AntiVirus\avinitnt.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Authentium\Command AntiVirus\schscnt.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
.
**************************************************************************
.
Completion time: 2011-03-09 05:22:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-09 13:22
.
Pre-Run: 30,904,066,048 bytes free
Post-Run: 30,780,821,504 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 57143BCEC2B62E1ED83A43C622BE72EF
 
Hi kennyart,

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

Code: 
RenV::
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Authentium\Command AntiVirus\avtray .exe
c:\program files\Authentium\Command AntiVirus\dvprpt .exe
c:\program files\Authentium\Command AntiVirus\untray .exe
c:\program files\Authentium\Command AntiVirus\vchk .exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

CFScriptB-4.gif


Please post back with the combofix log.

Thanks
 
New Combofix log file

Had to go to work before the log file was done. Here it is now:

ComboFix 11-03-08.07 - Owner 03/09/2011 6:18.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.117 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\jgh.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Command AntiVirus for Windows *Enabled/Updated* {FEC5E682-ED0A-49C9-8BA8-63374386B103}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-09 04:20 . 2011-03-09 04:20 -------- d-----w- C:\_OTL
2011-03-07 00:36 . 2011-03-07 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-07 00:36 . 2011-03-07 01:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-07 00:10 . 2011-03-08 19:30 -------- d-----w- C:\removal tools
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 00:22 . 2002-09-03 16:47 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-01-21 14:44 . 2002-09-03 16:59 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-09-03 16:27 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-09-03 17:11 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-09-03 16:39 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-21 02:09 . 2010-12-02 00:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 02:08 . 2010-12-02 00:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 23:59 . 2004-02-07 01:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-09-03 16:39 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2002-09-03 16:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2002-09-03 16:39 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2002-09-03 16:49 718336 ----a-w- c:\windows\system32\ntdll.dll
.
Code: 
<pre>
c:\program files\Authentium\Command AntiVirus\avtray .exe
c:\program files\Authentium\Command AntiVirus\dvprpt .exe
c:\program files\Authentium\Command AntiVirus\untray .exe
c:\program files\Authentium\Command AntiVirus\vchk .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"untray"="c:\progra~1\AUTHEN~1\COMMAN~1\untray.exe" [2008-06-02 140592]
"dvprpt"="c:\progra~1\AUTHEN~1\COMMAN~1\dvprpt.exe" [2008-06-02 206128]
"CSAV_CheckViruses"="c:\progra~1\AUTHEN~1\COMMAN~1\vchk.exe" [2008-06-02 75056]
"avtray"="c:\progra~1\AUTHEN~1\COMMAN~1\avtray.exe" [2008-06-02 144688]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [7/2/2004 6:51 AM 26568]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/1/2010 4:29 PM 38224]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/7/2008 12:23 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/9/2008 11:08 AM 174336]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 7:03 PM 32408]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\User_Feed_Synchronization-{7602F2D7-6280-43DF-BE0C-E96C4EF5D0E0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-09 06:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,09,72,6e,7e,97,9d,4e,bf,1a,79,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,09,72,6e,7e,97,9d,4e,bf,1a,79,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3844)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Authentium\Command AntiVirus\avinitnt.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Authentium\Command AntiVirus\schscnt.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2011-03-09 06:37:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-09 14:37
ComboFix2.txt 2011-03-09 13:22
.
Pre-Run: 30,760,448,000 bytes free
Post-Run: 30,753,468,416 bytes free
.
- - End Of File - - 50C8ACC66D771451F9551D3897F3517D
 
Hi kennyart,

Looking better. Don't worry these are not Authentium files in this next fix.

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code: 
:Services

:Files
c:\program files\Authentium\Command AntiVirus\avtray .exe
c:\program files\Authentium\Command AntiVirus\dvprpt .exe
c:\program files\Authentium\Command AntiVirus\untray .exe
c:\program files\Authentium\Command AntiVirus\vchk .exe

:Commands
[emptytemp]
[Reboot]

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.


Next
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Go here to run an online scannner from
ESET

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your Antivirus software. You can usually do this with its Notfication Tray icon near the clock
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
  • Click Scan.
  • Wait for the scan to finish.
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. or C:\Program Files\ESET\log.txtWe will need this later.
Please post back with the ESET log.


Next
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • UNCheck the boxes beside LOP Check and Purity Check.
  • In the window under Custom scans/fixes copy and paste all the text in the code box
    Code: 
    /md5start
msmsgs.*
/md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open a notepad windows, OTL.Txt


Please post back with
  • OTL fix log
  • MBAM log
  • OTL.txt
How's the computer?

Thanks
 
Whew! Took awhile for the scans

Thanks again so much for your assistance! The computer seems much better so far. OK, here are the three log files, OTL fix, Eset and OTL in this order:

All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
c:\program files\Authentium\Command AntiVirus\avtray .exe moved successfully.
c:\program files\Authentium\Command AntiVirus\dvprpt .exe moved successfully.
c:\program files\Authentium\Command AntiVirus\untray .exe moved successfully.
c:\program files\Authentium\Command AntiVirus\vchk .exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 112 bytes
->Temporary Internet Files folder emptied: 5576360 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5.00 mb


OTL by OldTimer - Version 3.2.22.2 log created on 03092011_165845

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



************************

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=2d7822e92a9cd5418fe4218326e1d555
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-10 01:51:11
# local_time=2011-03-09 05:51:11 (-0800, Pacific Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=43797
# found=31
# cleaned=0
# scan_time=2043
C:\Program Files\hbinst\Hbinst.exe Win32/Adware.HotBar.D application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\QIP7WVcA.exe.vir a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Messenger\msmsgs.exe.vir a variant of Win32/Kryptik.JYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1800\A0130988.exe a variant of Win32/Kryptik.JYR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1800\A0131004.exe a variant of Win32/Kryptik.JYR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1804\A0132076.rbf a variant of Win32/Kryptik.JYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1804\A0132087.rbf a variant of Win32/Kryptik.JYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1804\A0132088.rbf a variant of Win32/Kryptik.JYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1804\A0132103.rbf a variant of Win32/Kryptik.JYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1806\A0132153.exe a variant of Win32/Kryptik.JYR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1807\A0132160.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1808\A0132173.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1808\A0132180.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1808\A0132181.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1813\A0138267.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1813\A0139276.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1813\A0139282.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1816\A0143306.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1817\A0146344.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1817\A0146363.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1818\A0146364.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1818\A0147363.exe a variant of Win32/Kryptik.JYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1818\A0147364.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1818\A0147369.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1820\A0147678.exe a variant of Win32/Kryptik.KKD trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1820\A0147679.exe a variant of Win32/Kryptik.JYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1821\A0147774.exe a variant of Win32/Kryptik.JYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1821\A0147779.exe a variant of Win32/Kryptik.JYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{710B2812-B5F3-449F-83EA-0BD8C0592045}\RP1821\A0147780.exe a variant of Win32/Kryptik.JYH trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\03082011_202012\C_Documents and Settings\All Users\Application Data\pKlLa05701\pKlLa05701.exe a variant of Win32/Kryptik.IXE trojan (unable to clean) 00000000000000000000000000000000 I
E:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1643\A0111176.exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I





**********************

OTL logfile created on: 3/9/2011 5:59:03 PM - Run 4
OTL by OldTimer - Version 3.2.22.2 Folder = C:\removal tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 143.00 Mb Available Physical Memory | 56.00% Memory free
626.00 Mb Paging File | 468.00 Mb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 28.55 Gb Free Space | 76.65% Space Free | Partition Type: NTFS
Drive E: | 250.72 Mb Total Space | 213.02 Mb Free Space | 84.96% Space Free | Partition Type: FAT

Computer Name: BRAUER | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\removal tools\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe (Authentium, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)


========== Modules (SafeList) ==========

MOD - C:\removal tools\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (schscnt) -- C:\Program Files\Authentium\Command AntiVirus\schscnt.exe (Authentium, Inc.)
SRV - (avinitnt) -- C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe (Authentium, Inc.)
SRV - (dvpapi) -- C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (Authentium, Inc.)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)


========== Driver Services (SafeList) ==========

DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (SMSIVZAM5) -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys (Smith Micro Inc.)
DRV - (NWUSBCDFIL) -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys (Novatel Wireless Inc.)
DRV - (NWADI) -- C:\WINDOWS\system32\drivers\NWADIenum.sys (Novatel Wireless Inc)
DRV - (CSS DVP) -- C:\WINDOWS\system32\drivers\Css-Dvp.sys (Authentium, Inc.)
DRV - (NWUSBPort2) -- C:\WINDOWS\system32\drivers\nwusbser2.sys (Novatel Wireless Inc.)
DRV - (NWUSBPort) -- C:\WINDOWS\system32\drivers\nwusbser.sys (Novatel Wireless Inc.)
DRV - (NWUSBModem) -- C:\WINDOWS\system32\drivers\nwusbmdm.sys (Novatel Wireless Inc.)
DRV - (BCMModem) -- C:\WINDOWS\system32\drivers\BCMSM.sys (Broadcom Corporation)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (OMCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)
DRV - (BCM44X2) -- C:\WINDOWS\system32\drivers\BCM4E5.SYS (Broadcom Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - File not found

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2011/03/09 11:04:01 | 000,429,909 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14825 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (Moviefone Toolbar) - {669C4C34-7457-4490-A642-A2ED3BF3BBBE} - File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38170.3375115741 (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.20.1 205.171.3.25
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/07/01 12:52:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/09 17:09:18 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/09 17:07:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/03/09 16:58:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/09 06:37:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/03/09 05:02:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/09 04:59:27 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/09 04:59:26 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/09 04:59:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/09 04:59:25 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/09 04:58:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/09 04:56:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/08 20:20:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/03/07 06:25:00 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2011/03/07 05:57:32 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2011/03/06 21:10:48 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2011/03/06 17:02:11 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/06 16:50:09 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/03/06 16:36:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/06 16:36:21 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/06 16:36:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/03/06 16:10:54 | 000,000,000 | ---D | C] -- C:\removal tools

========== Files - Modified Within 30 Days ==========

[2011/03/09 17:19:39 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{7602F2D7-6280-43DF-BE0C-E96C4EF5D0E0}.job
[2011/03/09 17:00:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/09 17:00:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/09 11:04:01 | 000,429,909 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/09 06:28:33 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110309-110401.backup
[2011/03/09 05:02:32 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/09 04:53:28 | 004,283,816 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\jgh.exe
[2011/03/08 20:38:28 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat
[2011/03/08 04:40:25 | 000,223,224 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/07 06:56:57 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/07 06:49:21 | 000,432,686 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/07 06:49:21 | 000,067,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/07 05:22:49 | 000,000,981 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/07 05:22:49 | 000,000,963 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2011/03/06 21:20:48 | 000,000,961 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\VZAccess Manager 7.lnk
[2011/03/06 17:02:10 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/03 21:10:41 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/10 18:00:11 | 000,001,753 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Scheduled Tasks.lnk
[2011/02/10 17:38:39 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110309-044208.backup

========== Files Created - No Company Name ==========

[2011/03/09 05:02:32 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/03/09 05:02:28 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/09 04:59:27 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/09 04:59:26 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/09 04:59:26 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/09 04:59:26 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/09 04:59:26 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/09 04:54:13 | 004,283,816 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\jgh.exe
[2011/03/08 20:38:28 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat
[2011/03/06 19:13:59 | 000,001,753 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Scheduled Tasks.lnk
[2011/03/06 16:36:34 | 000,000,981 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/06 16:36:34 | 000,000,963 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2011/02/23 10:18:59 | 000,000,961 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\VZAccess Manager 7.lnk
[2010/09/26 21:13:12 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/07/02 15:23:35 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/08/30 17:53:49 | 000,000,604 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2006/06/29 19:58:51 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/09/09 03:32:53 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/07/02 09:40:28 | 000,000,122 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2004/07/02 09:02:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/07/02 07:41:33 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2004/07/02 06:53:41 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2004/07/02 06:53:15 | 000,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys
[2004/07/01 12:54:49 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/07/01 12:49:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/07/01 04:06:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/07/01 04:05:01 | 000,223,224 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 09:17:03 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/09/03 09:16:59 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/09/03 08:52:01 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/09/03 08:52:00 | 000,432,686 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/09/03 08:51:58 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/09/03 08:51:54 | 000,067,516 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/09/03 08:49:33 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/09/03 08:41:59 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/09/03 08:41:43 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/09/03 08:32:10 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/09/03 08:30:33 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[1998/10/01 00:00:00 | 001,708,032 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[1998/10/01 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1998/10/01 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[1998/10/01 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Custom Scans ==========



< MD5 for: MSMSGS.CAT >
[2008/04/13 18:04:35 | 000,012,363 | ---- | M] () MD5=6ECFDA4520A03F507D26FF95B2B2FA87 -- C:\WINDOWS\ServicePackFiles\i386\msmsgs.cat
[2008/04/13 18:04:35 | 000,012,363 | --S- | M] () MD5=6ECFDA4520A03F507D26FF95B2B2FA87 -- C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\msmsgs.cat
[2004/08/04 00:58:40 | 000,009,581 | ---- | M] () MD5=DA06B5FE87D35407B53AC4365B47233D -- C:\WINDOWS\$NtServicePackUninstall$\msmsgs.cat

< MD5 for: MSMSGS.CAT.000 >
[2004/08/04 00:58:40 | 000,009,581 | ---- | M] () MD5=DA06B5FE87D35407B53AC4365B47233D -- C:\WINDOWS\$NtServicePackUninstall$\msmsgs.cat.000

< MD5 for: MSMSGS.EXE >
[2004/10/13 08:21:24 | 001,694,208 | ---- | M] (Microsoft Corporation) MD5=32C08C70FDD7CD745A723C1DA521161C -- C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
[2008/04/13 16:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) MD5=3E930C641079443D4DE036167A69CAA2 -- C:\Program Files\Messenger\msmsgs.exe
[2008/04/13 16:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) MD5=3E930C641079443D4DE036167A69CAA2 -- C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
[2008/04/13 16:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) MD5=3E930C641079443D4DE036167A69CAA2 -- C:\WINDOWS\ServicePackFiles\ServicePackCache\i386\msmsgs.exe
[2004/08/03 23:56:53 | 001,667,584 | ---- | M] (Microsoft Corporation) MD5=B53343FE60A33EE765C2476D50D27B26 -- C:\WINDOWS\$NtServicePackUninstall$\msmsgs.exe
[2004/08/03 23:56:53 | 001,667,584 | ---- | M] (Microsoft Corporation) MD5=B53343FE60A33EE765C2476D50D27B26 -- C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe

< MD5 for: MSMSGS.EXE.000 >
[2004/10/13 08:24:37 | 001,694,208 | ---- | M] (Microsoft Corporation) MD5=74E6E96C6F0E2ECA4EDBB7F7A468F259 -- C:\WINDOWS\$NtServicePackUninstall$\msmsgs.exe.000

< MD5 for: MSMSGS.EXE.VIR >
[2011/02/11 21:55:25 | 000,035,336 | ---- | M] () MD5=4EB6DB2933A472F85C679EEA587328C1 -- C:\Qoobox\Quarantine\C\Program Files\Messenger\msmsgs.exe.vir

< MD5 for: MSMSGS.INF >
[2004/08/03 21:23:22 | 000,051,427 | ---- | M] () MD5=EF5175CE56D762931C468699B935B8ED -- C:\WINDOWS\inf\msmsgs.inf
[2004/08/03 21:23:22 | 000,051,427 | ---- | M] () MD5=EF5175CE56D762931C468699B935B8ED -- C:\WINDOWS\ServicePackFiles\i386\msmsgs.inf

< MD5 for: MSMSGS.PNF >
[2004/09/09 06:44:50 | 000,087,456 | ---- | M] () MD5=186FCB2B2B431677CA6355261A82DB49 -- C:\WINDOWS\inf\msmsgs.PNF

< End of report >
 
Gigantic host file!

Is that right? Should all those entries for 127.0.0.1 be in the host file? Are those all redirects? Looks bad to me...


Kenny
 
Hi kennyart,

I'm about to tie on the old feedbag. Soon as I finish I'll review your logs. The 127.0.0.1 are fine. I'll explain more when I post back.
 
Hi kennyart,


You are correct they are redirects. Those 127.0.0.1 are the result of a custom Hosts file installed on your computer. A Hosts file is like a phonebook for Windows. When you type an address in your browser Windows will first check the Hosts file to see if the name you typed is listed there. If it is then windows will use that address. Since 127.0.0.1 is actually your computer the site won't be found thus protecting you from going to a site you might not want to go to.

More information can be found here

The ESET detections are old infected System Restore points that will be removed along with the quarantined file when we remove the tools.

Did you happen to run a scan other than those requested between the time you last ran combofix and the ESET scan? We seem to have lost some registry entries.

Next

Please open OTL if it is not opened after the reboot.

  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, click the None button near the top (it may looked greyed out)
  • In the window under Custom Scans/Fixes copy and paste the following


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

Thanks
 
Scan complete

Ok, the OTL scan log is below. On the last procedures I did follow your instructions and ran OTL, Eset and then OTL again. Was I suppose to wait on the last OTL run? I see the "please post back with the Eset log" in the instructions. Hope this didn't cause a problem that is not fixable. Sorry. I didn't do anything else except look at the host file and disconnect the network lan cable after running eset.


OTL logfile created on: 3/10/2011 5:44:05 AM - Run 5
OTL by OldTimer - Version 3.2.22.2 Folder = C:\removal tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 111.00 Mb Available Physical Memory | 44.00% Memory free
626.00 Mb Paging File | 457.00 Mb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 28.55 Gb Free Space | 76.67% Space Free | Partition Type: NTFS
Drive E: | 250.72 Mb Total Space | 212.97 Mb Free Space | 84.94% Space Free | Partition Type: FAT

Computer Name: BRAUER | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\removal tools\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe (Authentium, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)


========== Modules (SafeList) ==========

MOD - C:\removal tools\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (schscnt) -- C:\Program Files\Authentium\Command AntiVirus\schscnt.exe (Authentium, Inc.)
SRV - (avinitnt) -- C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe (Authentium, Inc.)
SRV - (dvpapi) -- C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (Authentium, Inc.)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)


========== Driver Services (SafeList) ==========

DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (SMSIVZAM5) -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys (Smith Micro Inc.)
DRV - (NWUSBCDFIL) -- C:\WINDOWS\system32\drivers\NwUsbCdFil.sys (Novatel Wireless Inc.)
DRV - (NWADI) -- C:\WINDOWS\system32\drivers\NWADIenum.sys (Novatel Wireless Inc)
DRV - (CSS DVP) -- C:\WINDOWS\system32\drivers\Css-Dvp.sys (Authentium, Inc.)
DRV - (NWUSBPort2) -- C:\WINDOWS\system32\drivers\nwusbser2.sys (Novatel Wireless Inc.)
DRV - (NWUSBPort) -- C:\WINDOWS\system32\drivers\nwusbser.sys (Novatel Wireless Inc.)
DRV - (NWUSBModem) -- C:\WINDOWS\system32\drivers\nwusbmdm.sys (Novatel Wireless Inc.)
DRV - (BCMModem) -- C:\WINDOWS\system32\drivers\BCMSM.sys (Broadcom Corporation)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (OMCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)
DRV - (BCM44X2) -- C:\WINDOWS\system32\drivers\BCM4E5.SYS (Broadcom Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - File not found

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {b253725d-8341-4b61-81d5-fc9f2ecb021c} - File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2011/03/09 11:04:01 | 000,429,909 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14825 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (Moviefone Toolbar) - {669C4C34-7457-4490-A642-A2ED3BF3BBBE} - File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38170.3375115741 (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/07/01 12:52:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/09 17:09:18 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/09 17:07:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/03/09 16:58:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/09 06:37:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/03/09 05:02:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/09 04:59:27 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/09 04:59:26 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/09 04:59:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/09 04:59:25 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/09 04:58:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/09 04:56:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/08 20:20:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/03/07 06:25:00 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2011/03/07 05:57:32 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2011/03/06 21:10:48 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2011/03/06 17:02:11 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/06 16:50:09 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/03/06 16:36:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/06 16:36:21 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/06 16:36:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/03/06 16:10:54 | 000,000,000 | ---D | C] -- C:\removal tools

========== Files - Modified Within 30 Days ==========

[2011/03/10 05:35:21 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{7602F2D7-6280-43DF-BE0C-E96C4EF5D0E0}.job
[2011/03/09 17:00:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/09 17:00:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/09 11:04:01 | 000,429,909 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/09 06:28:33 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110309-110401.backup
[2011/03/09 05:02:32 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/09 04:53:28 | 004,283,816 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\jgh.exe
[2011/03/08 20:38:28 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat
[2011/03/08 04:40:25 | 000,223,224 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/07 06:56:57 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/07 06:49:21 | 000,432,686 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/07 06:49:21 | 000,067,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/07 05:22:49 | 000,000,981 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/07 05:22:49 | 000,000,963 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2011/03/06 21:20:48 | 000,000,961 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\VZAccess Manager 7.lnk
[2011/03/06 17:02:10 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/03 21:10:41 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/10 18:00:11 | 000,001,753 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Scheduled Tasks.lnk
[2011/02/10 17:38:39 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110309-044208.backup

========== Files Created - No Company Name ==========

[2011/03/09 05:02:32 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/03/09 05:02:28 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/09 04:59:27 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/09 04:59:26 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/09 04:59:26 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/09 04:59:26 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/09 04:59:26 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/09 04:54:13 | 004,283,816 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\jgh.exe
[2011/03/08 20:38:28 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat
[2011/03/06 19:13:59 | 000,001,753 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Scheduled Tasks.lnk
[2011/03/06 16:36:34 | 000,000,981 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/06 16:36:34 | 000,000,963 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2011/02/23 10:18:59 | 000,000,961 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\VZAccess Manager 7.lnk
[2010/09/26 21:13:12 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/07/02 15:23:35 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/08/30 17:53:49 | 000,000,604 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2006/06/29 19:58:51 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/09/09 03:32:53 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/07/02 09:40:28 | 000,000,122 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2004/07/02 09:02:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/07/02 07:41:33 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2004/07/02 06:53:41 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2004/07/02 06:53:15 | 000,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys
[2004/07/01 12:54:49 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/07/01 12:49:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/07/01 04:06:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/07/01 04:05:01 | 000,223,224 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 09:17:03 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/09/03 09:16:59 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/09/03 08:52:01 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/09/03 08:52:00 | 000,432,686 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/09/03 08:51:58 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/09/03 08:51:54 | 000,067,516 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/09/03 08:49:33 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/09/03 08:41:59 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/09/03 08:41:43 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/09/03 08:32:10 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/09/03 08:30:33 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[1998/10/01 00:00:00 | 001,708,032 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[1998/10/01 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1998/10/01 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[1998/10/01 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Custom Scans ==========


< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run >
"IgfxTray" = C:\WINDOWS\system32\igfxtray.exe -- [2005/10/19 07:59:14 | 000,155,648 | ---- | M] (Intel Corporation)
"HotKeysCmds" = C:\WINDOWS\system32\hkcmd.exe -- [2005/10/19 07:59:12 | 000,126,976 | ---- | M] (Intel Corporation)
"Microsoft Works Update Detection" = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe -- [2002/07/16 17:21:48 | 000,028,672 | ---- | M] (Microsoft® Corporation)
"mmtask" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" -- [2006/01/17 13:03:06 | 000,053,248 | ---- | M] (Musicmatch Inc.)
"Adobe Reader Speed Launcher" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" -- [2008/01/11 21:16:38 | 000,039,792 | ---- | M] (Adobe Systems Incorporated)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

< End of report >
 
Hi kennyart,

No you didn't do anything wrong.

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code: 
:Services

:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (Moviefone Toolbar) - {669C4C34-7457-4490-A642-A2ED3BF3BBBE} - File not found

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dvprpt"="C:\\Program Files\\Authentium\\Command AntiVirus\\dvprpt.exe"
"untray"="C:\\Program Files\\Authentium\\Command AntiVirus\\untray.exe"
"avtray"="C:\\Program Files\\Authentium\\Command AntiVirus\\avtray.exe"
"CSAV_CheckViruses"="C:\\Program Files\\Authentium\\Command AntiVirus\\vchk.exe"

:Files
C:\Documents and Settings\All Users\Application Data\kXMRTNU.dat

:Commands
[createrestorepoint]

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.

Please obtain a new OTL.txt just to see how it looks now.

Please post back with
  • OTL fix log
  • new OTL.txt
 
Status
Not open for further replies.
Back
Top