NT Authority Shutdown [Solved] - Geeks to Go Forums


NT Authority Shutdown [Solved]

#1 jeannelouise

  • Group: Member
  • Posts: 11
  • Joined: 21-January 10

Posted 22 January 2010 - 08:30 PM

I can run my computer anywhere from 5 to 30 minutes when, inevitably, the little box pops up that says 'this computer will be shut down by NT Authority System'. It gives me 60 seconds and then automatically reboots the computer. I have followed your malware and spyware cleanup page, and I have run Malwarebytes and avast! antivirus, but none have seemed to kick the problem. Here are my logs:

OTL Extras logfile created on: 1/22/2010 9:13:20 PM - Run 1
OTL by OldTimer - Version 3.1.25.4 Folder = C:\Documents and Settings\What!\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 83.77 Gb Free Space | 56.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LICENSEDUSER
Current User Name: What!
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{2C9A62F0-D1B3-4E2C-A7D9-24F38FF2A379}" = GEAR driver installer for x86 and x64
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{70CEDB87-A750-498A-B168-36F66C4A2090}" = TIxx21/x515
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90535871-81B9-4D99-8A13-A7EE97F2D7FE}" = Bluetooth by hp
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.5
"ASIO4ALL" = ASIO4ALL
"ATT-HSI" = ATT-HSI
"avast5" = avast! Free Antivirus
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_3080103C" = SoftV90 Data Fax Modem with SmartCP
"Collab" = Collab
"Conexant PCI Audio" = Conexant AC-Link Audio
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"ERUNT_is1" = ERUNT 1.1j
"Free Sound Recorder_is1" = Free Sound Recorder v8.1.1
"ie8" = Windows Internet Explorer 8
"IL Download Manager" = IL Download Manager
"InstallShield_{70CEDB87-A750-498A-B168-36F66C4A2090}" = Texas Instruments PCIxx21/x515 drivers.
"Instant CD & DVD Burner_is1" = Instant CD & DVD Burner
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.3
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/4/2009 11:44:03 PM | Computer Name = LICENSEDUSER | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3593, faulting module
unknown, version 0.0.0.0, fault address 0x05450c55.

[ System Events ]
Error - 1/22/2010 9:54:52 PM | Computer Name = LICENSEDUSER | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 1/22/2010 9:54:52 PM | Computer Name = LICENSEDUSER | Source = Service Control Manager | ID = 7034
Description = The Terminal Services service terminated unexpectedly. It has done
this 1 time(s).

Error - 1/22/2010 9:57:29 PM | Computer Name = LICENSEDUSER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Zwunzi Service service
to connect.

Error - 1/22/2010 9:57:30 PM | Computer Name = LICENSEDUSER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eabfiltr

Error - 1/22/2010 9:57:33 PM | Computer Name = LICENSEDUSER | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/22/2010 9:57:33 PM | Computer Name = LICENSEDUSER | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/22/2010 10:11:23 PM | Computer Name = LICENSEDUSER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Zwunzi Service service
to connect.

Error - 1/22/2010 10:11:24 PM | Computer Name = LICENSEDUSER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eabfiltr

Error - 1/22/2010 10:11:27 PM | Computer Name = LICENSEDUSER | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/22/2010 10:11:27 PM | Computer Name = LICENSEDUSER | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >

and

OTL logfile created on: 1/22/2010 9:13:20 PM - Run 1
OTL by OldTimer - Version 3.1.25.4 Folder = C:\Documents and Settings\What!\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 83.77 Gb Free Space | 56.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LICENSEDUSER
Current User Name: What!
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - File not found -- C:\Documents and Settings\What!\My Documents\Downloads\OTL.exe
PRC - [2010/01/19 06:57:44 | 02,743,104 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/01/19 06:57:41 | 00,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/12/12 20:39:45 | 00,289,584 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2009/10/28 19:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 19:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/08/14 08:45:34 | 00,319,488 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/15 01:04:34 | 00,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/06/17 19:48:08 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2004/06/17 19:43:58 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2004/06/03 12:14:16 | 00,163,840 | ---- | M] (WIDCOMM, Inc.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2004/06/02 16:48:22 | 00,565,309 | ---- | M] (WIDCOMM, Inc.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2004/06/02 16:46:52 | 01,249,364 | ---- | M] (WIDCOMM, Inc.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe


========== Modules (SafeList) ==========


========== Win32 Services (SafeList) ==========

SRV - [2010/01/19 06:57:41 | 00,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/01/19 06:57:41 | 00,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/01/19 06:57:41 | 00,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/01/14 15:54:16 | 00,058,720 | ---- | M] () [Auto | Stopped] -- C:\Documents and Settings\All Users\Application Data\Zwunzi\zwunzi137.exe -- (Zwunzi Service)
SRV - [2009/10/28 19:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/08/14 08:45:34 | 00,319,488 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2004/06/03 12:14:16 | 00,163,840 | ---- | M] (WIDCOMM, Inc.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.52

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/23 02:59:27 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/23 02:59:27 | 00,000,000 | ---D | M]

[2009/10/25 00:57:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\Mozilla\Extensions
[2010/01/05 23:12:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\Mozilla\Firefox\Profiles\uc80jkrl.default\extensions
[2010/01/05 23:10:38 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\What!\Application Data\Mozilla\Firefox\Profiles\uc80jkrl.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/01/15 08:45:52 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/15 08:45:52 | 00,000,000 | ---D | M] (Zwunzi) -- C:\Program Files\Mozilla Firefox\extensions\{F270F1AF-34D6-41CB-A9F5-8200EF7DB41F}
[2009/10/30 11:39:46 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi121.xml
[2009/11/04 12:38:36 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi125.xml
[2009/11/12 21:57:04 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi127.xml
[2009/11/28 18:08:08 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi129.xml
[2009/12/21 18:26:24 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi133.xml
[2010/01/15 08:45:52 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi137.xml

O1 HOSTS File: ([2003/03/31 07:00:00 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\What!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (WIDCOMM, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (WIDCOMM, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\What!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\What!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/26 12:21:15 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{19a02b5d-c925-11de-84e6-00c09f5ce157}\Shell\AutoRun\command - "" = wd_windows_tools\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/09/26 12:20:38 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (50950363808792576)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/22 21:11:57 | 00,547,840 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\What!\Desktop\OTL.exe
[2010/01/21 21:27:56 | 00,162,640 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/01/21 21:27:56 | 00,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/01/21 21:27:55 | 00,023,248 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/01/21 21:27:53 | 00,046,544 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/01/21 21:27:51 | 00,100,304 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/01/21 21:27:51 | 00,094,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/01/21 21:27:51 | 00,028,240 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/01/21 21:27:38 | 00,152,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/01/21 21:27:38 | 00,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/01/21 21:27:27 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/01/21 21:27:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/01/21 21:21:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/21 21:21:08 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/11/09 11:48:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/11/04 12:38:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2009/11/04 11:39:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2009/10/29 02:09:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/09/26 12:32:59 | 23,405,072 | ---- | C] ( ) -- C:\Program Files\AdobRedr8.exe
[2009/09/26 12:32:59 | 00,623,950 | ---- | C] ( ) -- C:\Program Files\instantcdburnersetup.exe
[2009/09/26 12:23:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/09/26 12:21:07 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/09/26 12:21:07 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/01/22 21:12:07 | 00,547,840 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\What!\Desktop\OTL.exe
[2010/01/22 21:11:25 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/22 21:11:09 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/22 21:10:59 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/22 21:05:01 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/22 21:01:32 | 00,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/22 21:01:32 | 00,312,172 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/22 21:01:32 | 00,040,394 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/22 20:55:59 | 05,505,024 | -H-- | M] () -- C:\Documents and Settings\What!\NTUSER.DAT
[2010/01/22 20:55:59 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\What!\ntuser.ini
[2010/01/22 20:54:04 | 00,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1383384898-1417001333-1003UA.job
[2010/01/21 21:27:57 | 00,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/01/21 21:27:52 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/01/20 02:54:02 | 00,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1383384898-1417001333-1003Core.job
[2010/01/19 08:13:58 | 00,162,640 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/01/19 06:57:59 | 00,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/01/19 06:57:39 | 00,152,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/01/19 06:46:52 | 00,046,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/01/19 06:43:40 | 00,023,248 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/01/19 06:43:12 | 00,100,304 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/01/19 06:43:08 | 00,094,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/01/19 06:42:57 | 00,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/01/19 06:42:40 | 00,028,240 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/01/17 18:03:50 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/15 21:13:02 | 00,001,399 | ---- | M] () -- C:\Documents and Settings\What!\My Documents\quothes.rtf
[2010/01/14 21:09:19 | 00,001,277 | ---- | M] () -- C:\Documents and Settings\What!\My Documents\Americatown the movie the show.rtf
[2010/01/14 08:36:44 | 00,000,584 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/13 19:23:15 | 00,001,880 | ---- | M] () -- C:\Documents and Settings\What!\My Documents\internet.rtf
[2010/01/12 19:44:31 | 00,001,182 | ---- | M] () -- C:\Documents and Settings\What!\My Documents\zatchmo.rtf
[2010/01/11 16:30:05 | 00,004,800 | ---- | M] () -- C:\Documents and Settings\What!\My Documents\carolina beach apt. info.rtf
[2010/01/09 19:28:38 | 00,001,626 | ---- | M] () -- C:\Documents and Settings\What!\My Documents\cowboynotes.rtf

========== Files Created - No Company Name ==========

[2010/01/22 21:07:39 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\What!\Desktop\gmer.exe
[2010/01/21 21:27:57 | 00,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/01/14 21:09:19 | 00,001,277 | ---- | C] () -- C:\Documents and Settings\What!\My Documents\Americatown the movie the show.rtf
[2010/01/12 19:44:31 | 00,001,182 | ---- | C] () -- C:\Documents and Settings\What!\My Documents\zatchmo.rtf
[2010/01/11 21:44:30 | 00,001,399 | ---- | C] () -- C:\Documents and Settings\What!\My Documents\quothes.rtf
[2010/01/11 16:30:05 | 00,004,800 | ---- | C] () -- C:\Documents and Settings\What!\My Documents\carolina beach apt. info.rtf
[2010/01/11 15:23:48 | 00,001,880 | ---- | C] () -- C:\Documents and Settings\What!\My Documents\internet.rtf
[2009/12/17 03:05:44 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\What!\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/25 11:38:34 | 00,000,104 | ---- | C] () -- C:\Program Files\Internet Explorer
[2009/10/25 11:38:15 | 00,000,104 | ---- | C] () -- C:\Program Files\My Bluetooth Places.lnk
[2004/06/02 16:28:30 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2002/05/15 22:29:04 | 00,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2001/11/23 17:18:00 | 00,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 12:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2010/01/21 21:27:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/01/15 08:45:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zwunzi
[2009/10/31 19:56:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3}
[2009/10/25 00:42:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/11/05 12:12:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\Amazon
[2009/12/17 03:04:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\Cool Record Edit Pro
[2009/10/30 11:42:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\Free Sound Recorder
[2009/10/25 17:42:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\FUJIFILM
[2010/01/22 21:07:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 04:51:44 | 20,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 04:51:44 | 20,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/01/21 19:58:25 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/13 23:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 04:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 04:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 04:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >
< End of report >

Thank you for your time and any help you may be able to give.

#2 Onaipian

  • Group: Retired Staff
  • Posts: 2,130
  • Joined: 04-September 08

Posted 23 January 2010 - 09:29 AM

Hello, jeannelouise! :) Welcome to GeekstoGo! I'm piano9playa5 and will be assisting you with your malware problems. If you have any questions, ask away! Just a few tips to make things go smoothly:
  • Please be patient. I am still in training and there may be delays between posts.
    I must check everything with a moderator before posting.
  • Don't run tools you see being used in another topic. Running tools unsupervised can be dangerous.
  • Copy\Paste logs in your replies, rather than attaching them, unless I instruct you to do otherwise.
    This makes things easier for me, and the moderator looking over this topic.
  • Ensure "WordWrap" is disabled in Notepad.

    • Click Start > All Programs > Accessories > Notepad.
    • Click Format > Word Wrap (if it is checked; if not, leave it)

  • To everyone except jeannelouise: The instructions following were created specifically for jeannelouise, please do not perform these steps unless instructed by a Trusted Helper.


I'll post back some instructions shortly.

#3 Onaipian

  • Group: Retired Staff
  • Posts: 2,130
  • Joined: 04-September 08

Posted 23 January 2010 - 11:10 AM

Hello. :)
Quite an interesting infection you have.
For now, when you see the shutdown message do the following:
  • Go to Start > Run
  • Type in the following and hit OK
      shutdown -a
    Note the space between shutdown and -a
Step One
Run OTL (Double click to run)
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL
    [2010/01/15 08:45:52 | 00,000,000 | ---D | M] (Zwunzi) -- C:\Program Files\Mozilla Firefox\extensions\{F270F1AF-34D6-41CB-A9F5-8200EF7DB41F}
    [2009/10/30 11:39:46 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi121.xml
    [2009/11/04 12:38:36 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi125.xml
    [2009/11/12 21:57:04 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi127.xml
    [2009/11/28 18:08:08 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi129.xml
    [2009/12/21 18:26:24 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi133.xml
    [2010/01/15 08:45:52 | 00,002,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zwunzi137.xml
    [2010/01/15 08:45:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zwunzi
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, and accept the reboot when it's finished.
  • During start-up, a log will open. Paste the contents of it back here.
  • Open OTL again.
    • Click the Quick Scan button.
    • Post the log it produces in your next reply.
Step Two
I can see that you downloaded GMER to your desktop. May I please see the log it produced? (if you previously ran it)
If you haven't run it yet, follow the instructions in the Malware and Spyware Cleaning Guide regarding GMER. (Step Four: Rootkit Detection)
Logs&Info
Remember to post back the following logs:
  • OTL Fix Results
  • OTL.txt
  • GMER Results (ark.txt)


#4 jeannelouise

  • Group: Member
  • Posts: 11
  • Joined: 21-January 10

Posted 23 January 2010 - 07:29 PM

OTL fix results:
All processes killed
========== OTL ==========
C:\Program Files\Mozilla Firefox\extensions\{F270F1AF-34D6-41CB-A9F5-8200EF7DB41F}\defaults\preferences folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{F270F1AF-34D6-41CB-A9F5-8200EF7DB41F}\defaults folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{F270F1AF-34D6-41CB-A9F5-8200EF7DB41F}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{F270F1AF-34D6-41CB-A9F5-8200EF7DB41F} folder moved successfully.
C:\Program Files\Mozilla Firefox\searchplugins\zwunzi121.xml moved successfully.
C:\Program Files\Mozilla Firefox\searchplugins\zwunzi125.xml moved successfully.
C:\Program Files\Mozilla Firefox\searchplugins\zwunzi127.xml moved successfully.
C:\Program Files\Mozilla Firefox\searchplugins\zwunzi129.xml moved successfully.
C:\Program Files\Mozilla Firefox\searchplugins\zwunzi133.xml moved successfully.
C:\Program Files\Mozilla Firefox\searchplugins\zwunzi137.xml moved successfully.
C:\Documents and Settings\All Users\Application Data\Zwunzi folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: What!
->Temp folder emptied: 52070398 bytes
->Temporary Internet Files folder emptied: 881307 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 163990441 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49635 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 207.00 mb


OTL by OldTimer - Version 3.1.25.4 log created on 01232010_193032

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

OTL quick scan results:

OTL logfile created on: 1/23/2010 7:38:42 PM - Run 2
OTL by OldTimer - Version 3.1.25.4 Folder = C:\Documents and Settings\What!\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 83.85 Gb Free Space | 56.26% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LICENSEDUSER
Current User Name: What!
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/22 21:12:07 | 00,547,840 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\What!\Desktop\OTL.exe
PRC - [2010/01/19 06:57:44 | 02,743,104 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/01/19 06:57:41 | 00,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/12/12 20:39:45 | 00,289,584 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2009/12/09 18:22:33 | 00,921,072 | ---- | M] (Google Inc.) -- C:\Documents and Settings\What!\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/10/28 19:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 19:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/08/14 08:45:34 | 00,319,488 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/10/15 01:04:34 | 00,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/06/17 19:48:08 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2004/06/17 19:43:58 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2004/06/03 12:14:16 | 00,163,840 | ---- | M] (WIDCOMM, Inc.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2004/06/02 16:48:22 | 00,565,309 | ---- | M] (WIDCOMM, Inc.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2004/06/02 16:46:52 | 01,249,364 | ---- | M] (WIDCOMM, Inc.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe


========== Modules (SafeList) ==========

MOD - [2010/01/22 21:12:07 | 00,547,840 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\What!\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Zwunzi Service)
SRV - [2010/01/19 06:57:41 | 00,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/01/19 06:57:41 | 00,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/01/19 06:57:41 | 00,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/10/28 19:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/08/14 08:45:34 | 00,319,488 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2004/06/03 12:14:16 | 00,163,840 | ---- | M] (WIDCOMM, Inc.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.52

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/23 02:59:27 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/23 02:59:27 | 00,000,000 | ---D | M]

[2009/10/25 00:57:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\Mozilla\Extensions
[2010/01/05 23:12:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\Mozilla\Firefox\Profiles\uc80jkrl.default\extensions
[2010/01/05 23:10:38 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\What!\Application Data\Mozilla\Firefox\Profiles\uc80jkrl.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/01/15 08:45:52 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2003/03/31 07:00:00 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\What!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (WIDCOMM, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (WIDCOMM, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\What!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\What!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/26 12:21:15 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{19a02b5d-c925-11de-84e6-00c09f5ce157}\Shell\AutoRun\command - "" = wd_windows_tools\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/01/23 19:30:32 | 00,000,000 | ---D | C] -- C:\_OTL
[2010/01/22 21:11:57 | 00,547,840 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\What!\Desktop\OTL.exe
[2010/01/21 21:27:56 | 00,162,640 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/01/21 21:27:56 | 00,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/01/21 21:27:55 | 00,023,248 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/01/21 21:27:53 | 00,046,544 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/01/21 21:27:51 | 00,100,304 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/01/21 21:27:51 | 00,094,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/01/21 21:27:51 | 00,028,240 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/01/21 21:27:38 | 00,152,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/01/21 21:27:38 | 00,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/01/21 21:27:27 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/01/21 21:27:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/01/21 21:21:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/21 21:21:08 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/11/09 11:48:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/11/04 12:38:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2009/11/04 11:39:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2009/10/29 02:09:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/09/26 12:32:59 | 23,405,072 | ---- | C] ( ) -- C:\Program Files\AdobRedr8.exe
[2009/09/26 12:32:59 | 00,623,950 | ---- | C] ( ) -- C:\Program Files\instantcdburnersetup.exe
[2009/09/26 12:23:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/09/26 12:21:07 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/09/26 12:21:07 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/01/23 19:40:14 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/23 19:37:11 | 00,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/23 19:37:11 | 00,312,172 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/23 19:37:11 | 00,040,394 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/23 19:33:10 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/23 19:32:56 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/23 19:32:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/23 19:31:36 | 05,505,024 | -H-- | M] () -- C:\Documents and Settings\What!\NTUSER.DAT
[2010/01/23 19:31:36 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\What!\ntuser.ini
[2010/01/23 08:54:01 | 00,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1383384898-1417001333-1003UA.job
[2010/01/22 21:12:07 | 00,547,840 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\What!\Desktop\OTL.exe
[2010/01/21 21:27:57 | 00,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/01/21 21:27:52 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/01/20 02:54:02 | 00,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1383384898-1417001333-1003Core.job
[2010/01/19 08:13:58 | 00,162,640 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/01/19 06:57:59 | 00,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/01/19 06:57:39 | 00,152,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/01/19 06:46:52 | 00,046,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/01/19 06:43:40 | 00,023,248 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/01/19 06:43:12 | 00,100,304 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/01/19 06:43:08 | 00,094,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/01/19 06:42:57 | 00,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/01/19 06:42:40 | 00,028,240 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/01/17 18:03:50 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/15 21:13:02 | 00,001,399 | ---- | M] () -- C:\Documents and Settings\What!\My Documents\quothes.rtf
[2010/01/14 21:09:19 | 00,001,277 | ---- | M] () -- C:\Documents and Settings\What!\My Documents\Americatown the movie the show.rtf
[2010/01/14 08:36:44 | 00,000,584 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/13 19:23:15 | 00,001,880 | ---- | M] () -- C:\Documents and Settings\What!\My Documents\internet.rtf
[2010/01/12 19:44:31 | 00,001,182 | ---- | M] () -- C:\Documents and Settings\What!\My Documents\zatchmo.rtf
[2010/01/11 16:30:05 | 00,004,800 | ---- | M] () -- C:\Documents and Settings\What!\My Documents\carolina beach apt. info.rtf

========== Files Created - No Company Name ==========

[2010/01/22 21:07:39 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\What!\Desktop\gmer.exe
[2010/01/21 21:27:57 | 00,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/01/14 21:09:19 | 00,001,277 | ---- | C] () -- C:\Documents and Settings\What!\My Documents\Americatown the movie the show.rtf
[2010/01/12 19:44:31 | 00,001,182 | ---- | C] () -- C:\Documents and Settings\What!\My Documents\zatchmo.rtf
[2010/01/11 21:44:30 | 00,001,399 | ---- | C] () -- C:\Documents and Settings\What!\My Documents\quothes.rtf
[2010/01/11 16:30:05 | 00,004,800 | ---- | C] () -- C:\Documents and Settings\What!\My Documents\carolina beach apt. info.rtf
[2010/01/11 15:23:48 | 00,001,880 | ---- | C] () -- C:\Documents and Settings\What!\My Documents\internet.rtf
[2009/12/17 03:05:44 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\What!\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/25 11:38:34 | 00,000,104 | ---- | C] () -- C:\Program Files\Internet Explorer
[2009/10/25 11:38:15 | 00,000,104 | ---- | C] () -- C:\Program Files\My Bluetooth Places.lnk
[2004/06/02 16:28:30 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2002/05/15 22:29:04 | 00,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2001/11/23 17:18:00 | 00,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 12:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2010/01/21 21:27:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/10/31 19:56:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3}
[2009/10/25 00:42:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/11/05 12:12:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\Amazon
[2009/12/17 03:04:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\Cool Record Edit Pro
[2009/10/30 11:42:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\Free Sound Recorder
[2009/10/25 17:42:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\FUJIFILM
[2010/01/23 09:04:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\What!\Application Data\uTorrent

========== Purity Check ==========


< End of report >

GMER results:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-23 20:28:04
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\What!\LOCALS~1\Temp\awlyifoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA0D73BBC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA0D73A78]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA0D7402C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA0D73F56]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA0D7364E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA0D73B52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA0D7358E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA0D735F2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA0D73C72]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA0D740FA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA0D73C32]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA0D73DB2]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA0D80322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA0D8014C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA0D80280]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 897D1856

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Thanks so much for your help!

#5 Onaipian

  • Group: Retired Staff
  • Posts: 2,130
  • Joined: 04-September 08

Posted 25 January 2010 - 04:29 PM

Sorry for the delay.

Please download Combofix from any of the links below. Save it to your desktop.

==================================

  • Temporarily disable Anti-Virus\Anti-Malware real-time protection.
  • Double click on ComboFix and follow the prompts.
  • Be patient. It could take a while to load\run.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#6 jeannelouise

  • Group: Member
  • Posts: 11
  • Joined: 21-January 10

Posted 25 January 2010 - 05:30 PM

Here's the ComboFix log:

ComboFix 10-01-25.02 - What! 01/25/2010 18:15:07.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1502.1170 [GMT -5:00]
Running from: c:\documents and settings\What!\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\oem11.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZWUNZI_SERVICE


((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-24 15:53 . 2010-01-24 15:53 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-24 00:30 . 2010-01-24 00:30 -------- d-----w- C:\_OTL
2010-01-22 02:27 . 2010-01-19 13:13 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-22 02:27 . 2010-01-19 11:42 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-22 02:27 . 2010-01-19 11:43 23248 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-22 02:27 . 2010-01-19 11:46 46544 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-22 02:27 . 2010-01-19 11:43 100304 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-22 02:27 . 2010-01-19 11:43 94672 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-22 02:27 . 2010-01-19 11:42 28240 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-22 02:27 . 2010-01-19 11:57 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-22 02:27 . 2010-01-19 11:57 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-22 02:27 . 2010-01-22 02:27 -------- d-----w- c:\program files\Alwil Software
2010-01-22 02:27 . 2010-01-22 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-22 02:21 . 2010-01-22 02:21 -------- d-----w- c:\program files\ERUNT
2010-01-17 17:54 . 2010-01-17 17:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-12 21:21 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-05 03:31 . 2010-01-05 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2010-01-05 03:31 . 2010-01-05 03:31 -------- d-----w- c:\program files\Common Files\Motive
2010-01-05 03:31 . 2010-01-05 03:31 -------- d-----w- c:\program files\ATT
2009-12-29 01:43 . 2010-01-25 04:44 -------- d-----w- c:\documents and settings\What!\Application Data\vlc
2009-12-29 01:43 . 2009-12-29 01:43 -------- d-----w- c:\program files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 23:13 . 2009-10-25 19:04 -------- d-----w- c:\documents and settings\What!\Application Data\uTorrent
2010-01-24 15:53 . 2009-12-01 19:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 00:58 . 2008-04-14 04:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-17 23:03 . 2009-11-04 09:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-07 21:07 . 2009-12-01 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-12-01 19:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 18:05 . 2009-10-25 21:02 -------- d-----w- c:\program files\VstPlugins
2010-01-04 18:05 . 2009-10-25 21:01 -------- d-----w- c:\program files\Image-Line
2010-01-04 03:18 . 2009-09-26 18:07 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-04 03:18 . 2009-09-26 18:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-24 22:11 . 2009-10-29 03:13 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-12-24 22:11 . 2009-10-29 03:12 -------- d-----w- c:\program files\AVS4YOU
2009-12-24 18:56 . 2009-10-29 03:14 -------- d-----w- c:\documents and settings\What!\Application Data\AVS4YOU
2009-12-21 19:14 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 00:44 . 2009-10-30 02:53 -------- d-----w- c:\program files\Java
2009-12-19 00:43 . 2009-12-19 00:43 152576 ----a-w- c:\documents and settings\What!\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-19 00:43 . 2009-12-19 00:43 79488 ----a-w- c:\documents and settings\What!\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-17 08:04 . 2009-10-30 16:46 -------- d-----w- c:\documents and settings\What!\Application Data\Cool Record Edit Pro
2009-12-15 02:39 . 2009-10-29 16:46 -------- d-----w- c:\documents and settings\What!\Application Data\dvdcss
2009-12-05 23:33 . 2009-12-05 23:33 -------- d-----w- c:\program files\DivX
2009-12-05 23:33 . 2009-12-05 23:33 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-01 19:24 . 2009-12-01 19:24 -------- d-----w- c:\documents and settings\What!\Application Data\Malwarebytes
2009-12-01 19:24 . 2009-12-01 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-01 01:42 . 2009-10-25 05:55 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-01 01:15 . 2009-12-01 01:15 15341 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-12-01 01:15 . 2009-12-01 01:15 -------- d-----w- c:\documents and settings\What!\Application Data\AccurateRip
2009-12-01 01:15 . 2009-12-01 01:15 -------- d-----w- c:\program files\Illustrate
2009-12-01 01:13 . 2009-12-01 01:15 5640880 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-11-21 15:51 . 2008-04-14 09:41 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-30 02:53 . 2009-10-30 02:53 152576 ----a-w- c:\documents and settings\What!\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-29 00:58 . 2009-10-29 00:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-25 16:38 . 2009-10-25 16:38 104 ----a-w- c:\program files\Internet Explorer.lnk
2009-10-25 16:38 . 2009-10-25 16:38 104 ----a-w- c:\program files\My Bluetooth Places.lnk
2008-01-13 05:00 . 2009-09-26 17:32 23405072 ----a-w- c:\program files\AdobRedr8.exe
2007-12-12 04:23 . 2009-09-26 17:32 623950 ----a-w- c:\program files\instantcdburnersetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-12-13 289584]
"Google Update"="c:\documents and settings\What!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-13 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-18 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-18 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-30 113664]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-6-2 565309]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/21/2010 9:27 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/21/2010 9:27 PM 19024]
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1383384898-1417001333-1003Core.job
- c:\documents and settings\What!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-13 07:49]

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1383384898-1417001333-1003UA.job
- c:\documents and settings\What!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-13 07:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\What!\Application Data\Mozilla\Firefox\Profiles\uc80jkrl.default\
FF - plugin: c:\documents and settings\What!\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 18:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Alwil Software\Avast5\setup\avast.setup
.
**************************************************************************
.
Completion time: 2010-01-25 18:24:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 23:24

Pre-Run: 89,619,156,992 bytes free
Post-Run: 89,591,590,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9B4BD0A905D0E736C79A0B4A96A350C3

And take your time, I'm just grateful for the help.

thanks again.
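Added example, not part of the thread and not ComboFix's own code: a small parser for ComboFix's file-listing lines that flags core system files rewritten in place. The assumption, which is how the entries above fit together, is that each line reads last-write time, then creation time, then size, attributes and path. XP SP3 files carry a 2008-04-14 creation time, so a file under system32 with that creation time and a last write a few days old has been written into, which is exactly what the atapi.sys line shows. The sample lines are copied from the log above.

```python
"""Triage ComboFix file-listing lines for core system files rewritten in
place.  Added example for this thread, not ComboFix's own code.  Assumption:
each line reads '<last write> . <created> <size|dashes> <attrs> <path>',
which is how the entries above fit together (an XP SP3 file keeps its
2008-04-14 creation time; a fresh last-write time means in-place change)."""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Sample lines copied from the ComboFix log above.
SAMPLE_LINES = [
    r"2010-01-22 02:27 . 2010-01-19 13:13 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys",
    r"2010-01-12 21:21 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll",
    r"2010-01-22 00:58 . 2008-04-14 04:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys",
    r"2010-01-17 23:03 . 2009-11-04 09:30 664 ----a-w- c:\windows\system32\d3d9caps.dat",
    r"2010-01-07 21:07 . 2009-12-01 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys",
    r"2010-01-04 18:05 . 2009-10-25 21:02 -------- d-----w- c:\program files\VstPlugins",
    r"2009-12-21 19:14 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll",
]

LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(-+|\d+)\s+([-a-z]{8})\s+(.+)$"
)


class Entry(NamedTuple):
    last_write: datetime
    created: datetime
    size: Optional[int]      # None for directories (ComboFix prints dashes)
    attrs: str               # e.g. '----a-w-' or 'd-----w-'
    path: str


def parse(lines) -> List[Entry]:
    entries = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:                      # section headers, blank lines, etc.
            continue
        size = None if m.group(3).startswith("-") else int(m.group(3))
        entries.append(Entry(
            datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
            datetime.strptime(m.group(2), "%Y-%m-%d %H:%M"),
            size, m.group(4), m.group(5).lower()))
    return entries


def rewritten_system_files(entries, log_date: datetime, recent_days: int = 90,
                           system_root: str = r"c:\windows\system32") -> List[Entry]:
    """Files under system32 whose last write is recent but whose creation
    time is at least a year older: something wrote into an existing OS file."""
    hits = []
    for e in entries:
        if e.attrs.startswith("d"):
            continue                   # directories change whenever a child does
        if not e.path.startswith(system_root):
            continue
        if e.path.startswith(system_root + r"\dllcache"):
            continue                   # WFP refreshes its cache copies by design
        if log_date - e.last_write > timedelta(days=recent_days):
            continue                   # old write, outside the triage window
        if e.last_write - e.created < timedelta(days=365):
            continue                   # created and written together: a fresh install
        hits.append(e)
    return hits


def triage(lines, log_date: str, recent_days: int = 90) -> List[str]:
    """Convenience wrapper: file names flagged for a log produced on log_date."""
    when = datetime.strptime(log_date, "%Y-%m-%d")
    return [e.path.rsplit("\\", 1)[-1]
            for e in rewritten_system_files(parse(lines), when, recent_days)]


if __name__ == "__main__":
    for name in triage(SAMPLE_LINES, "2010-01-25"):
        print("rewritten in place:", name)
```

Run against the sample lines with the log date of 2010-01-25, this flags atapi.sys and also wininet.dll, and that second hit is the caveat: Windows Update writes into existing system files the same way, so a recent last-write on an old file is a triage cue, not a verdict. Confirmation comes from a hash against a known-good copy or the file's signature, which in this thread ComboFix did for atapi.sys when it reported the copy as infected.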

#7 Onaipian

  • Group: Retired Staff
  • Posts: 2,130
  • Joined: 04-September 08

Posted 26 January 2010 - 12:47 PM

Are you still experiencing the shutdown messages?

If you are:
What exactly does it say? Does it say something about "The system process '...' terminated unexpectedly with status code '...'. ..." What process was it, and what is the status code?

If not, then great.

#8 jeannelouise

  • Group: Member
  • Posts: 11
  • Joined: 21-January 10

Posted 27 January 2010 - 07:21 PM

Seems to be all taken care of! Thanks for everything!

#9 Onaipian

  • Group: Retired Staff
  • Posts: 2,130
  • Joined: 04-September 08

Posted 27 January 2010 - 07:58 PM

Would you mind going through a set of post-malware cleanup instructions? It's procedure. :)

#10 jeannelouise

  • Group: Member
  • Posts: 11
  • Joined: 21-January 10

Posted 28 January 2010 - 06:00 PM

Absolutely, lay it on me... or is there a post in the forums already about how to do that which I may have missed?

#11 Onaipian

  • Group: Retired Staff
  • Posts: 2,130
  • Joined: 04-September 08

Posted 28 January 2010 - 07:37 PM

:) You're welcome. Let me know if the problem comes back. If this topic is closed...
feel free to shoot me a PM and I'll open it up.

Okay, so these last steps are just to properly remove any tools we used, quarantined files, etc. There are also some programs and stuff that I like to recommend to people. Just leaf through it and ask any questions or let me know if a problem occurs. You don't have to give any formal response or let me know if you followed each step.

ComboFix /Uninstall
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run,
Copy/Paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall




Tools Used
This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.
  • Open OTL.
  • In the top right corner will be a button called "Clean Up!"; click it.
  • Follow any prompts, and reboot if necessary.



Windows Updates
You should visit the Windows Update site about once a month. If you're feeling lazy you can turn on Automatic Updates which will do most of the work for you. (ask me how)

Go to update.microsoft.com using Internet Explorer. Click High Priority Updates, check all of the updates, and then click the Download button. A window should pop up giving the status of each update. Restart if asked to.




Prevention Tools
  • Two AntiSpyware \ AntiMalware programs that are effective, easy to use, and free. A weekly scanning with one or both of these tools can be very useful in preventing\removing a wide variety of infections. I strongly recommend both of these products:

  • The following are two alternative web-browsers. Both are great choices (And can be installed and used with Internet Explorer still present!) You may wish to experiment with the two, to decide which you prefer.


  • Cleans out temporary files safely and effectively. It does not clean out URL history, prefetch, cookies, or empty the recycle bin.


======================================================

If you are wondering how you got infected in the first place please visit this cool page called:
How did I get infected in the first place?

Glad I could help, piano9playa5 :)

#12 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,570
  • Joined: 31-May 06

Posted 02 February 2010 - 01:13 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
