
Malware won't let me install Malwarebytes' Anti-Malware [Solve


This topic is locked

#1
flefster
Member, 22 posts
I woke up yesterday morning to 25 Internet Explorer ads. Settings were changed, one or two things were missing, and constant pop-ups from this rogue program trying to trick me. The first thing I did is try to run Anti-Malware, but when I clicked the .exe file, a window came up that says missing shortcut, Windows is searching for mbam.exe. To locate the file yourself, click browse. I then came on here and tried to do the first step on your malware removal guide. It says to install Anti-Malware and run it. After I install the program, an error pops up that says Unable to execute file: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe CreateProcess failed; code 2. The system cannot find the file specified. Any ideas on how I can get around this and proceed with your guide? Thanks.

#2
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
First I need to see what you have - two programmes to run

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

THEN

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#3
flefster
Member, Topic Starter, 22 posts
Ok, ran OTS and attached the .txt to this post. After gmer starts to run though it closes by itself with no explanation.

Attached Files
  • OTS.Txt (152.05KB, 239 downloads)


#4
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
I can see why, there is a lot of garbage here - so I will make roads to removing it

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Processes - Safe List]
YY -> mvmdh.exe -> G:\mvmdh.exe
YY -> win16.exe -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\win16.exe
YY -> lsass.exe -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\lsass.exe
YY -> login.exe -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\login.exe
YY -> ld2t2iods1.exe -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\ld2t2iods1.exe
YY -> csrss.exe -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\csrss.exe
YY -> win32.exe -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\win32.exe
YY -> notepad.exe -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\notepad.exe
YY -> setup.exe -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\setup.exe
YY -> dnwmw.exe -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\dnwmw.exe
YY -> lsm32.sys -> C:\WINDOWS\System32\lsm32.sys
[Modules - Safe List]
YY -> daholose.dll -> C:\WINDOWS\system32\daholose.dll
YY -> cvasds0.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\cvasds0.dll
YY -> f4gmh.dll -> C:\WINDOWS\system32\f4gmh.dll
YY -> imepuzim.dll -> C:\WINDOWS\imepuzim.dll
[Win32 Services - Safe List]
YY -> (srservice) System Restore Service [Auto | Running] -> C:\WINDOWS\system32\srsvc.dll
YY -> (6to4) Network Security [Auto | Running] -> C:\WINDOWS\system32\6to4v32.dll
[Driver Services - Safe List]
YY -> (ndismgr) ndismgr [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\ndismgr.sys
YY -> (diskmgr) diskmgr [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\diskmgr.sys
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {C4BF49A2-94F1-42BD-F034-3604811C807D} [HKLM] -> C:\WINDOWS\system32\f4gmh.dll [C:\WINDOWS\system32\f4gmh.dll]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Fcayuh" -> C:\WINDOWS\imepuzim.DLL [rundll32.exe "C:\WINDOWS\imepuzim.dll",Startup]
YY -> "smss32.exe" -> C:\WINDOWS\System32\smss32.exe [C:\WINDOWS\system32\smss32.exe]
YY -> "vokijeyoh" -> C:\WINDOWS\System32\gehuseda.DLL [Rundll32.exe "c:\windows\system32\gehuseda.dll",a]
YY -> "Windows Login Services" -> C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe ["C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe"]
< Run [HKEY_USERS\S-1-5-21-3498710358-508759280-2891502529-1007\] > -> HKEY_USERS\S-1-5-21-3498710358-508759280-2891502529-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "asg984jgkfmgasi8ug98jgkfgfb" -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\csrss.exe [C:\DOCUME~1\Jeff\LOCALS~1\Temp\csrss.exe]
YY -> "cdoosoft" -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\herss.exe [C:\DOCUME~1\Jeff\LOCALS~1\Temp\herss.exe]
YY -> "sefjhf98jfoidsfoishgoiusgdgfgd" -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\dnwmw.exe [C:\DOCUME~1\Jeff\LOCALS~1\Temp\dnwmw.exe]
YY -> "smss32.exe" -> C:\WINDOWS\System32\smss32.exe [C:\WINDOWS\system32\smss32.exe]
YY -> "Windows Login Services" -> C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe ["C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe"]
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
YY -> \Run\\"Windows Login Services" -> C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe ["C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe"]
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableCMD" -> [1]
YN -> \\"DisableRegistryTools" -> [1]
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3498710358-508759280-2891502529-1007] > -> HKEY_USERS\S-1-5-21-3498710358-508759280-2891502529-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
YN -> \\"NoFolderOptions" -> [1]
YN -> \\"NoRun" -> [1]
YY -> \Run\\"Windows Login Services" -> C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe ["C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe"]
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3498710358-508759280-2891502529-1007] > -> HKEY_USERS\S-1-5-21-3498710358-508759280-2891502529-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableTaskMgr" -> [1]
YN -> \\"DisableRegistryTools" -> [1]
YN -> \\"DisableCMD" -> [1]
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3498710358-508759280-2891502529-1007\] > -> HKEY_USERS\S-1-5-21-3498710358-508759280-2891502529-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> buy-internet-security10.com .[http] -> Trusted sites
YN -> is-soft-download.com .[http] -> Trusted sites
YN -> is-software-download25.com .[http] -> Trusted sites
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> daholose.dll -> C:\WINDOWS\System32\daholose.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\winlogon32.exe -> C:\WINDOWS\System32\winlogon32.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{5ac949cd-110b-429e-8da8-b96147a09de5}" [HKLM] -> C:\WINDOWS\System32\gehuseda.dll [golohohul]
YY -> "{9fdf0c48-e32a-49f5-8b48-00bbce408d2a}" [HKLM] -> C:\WINDOWS\System32\hapowoko.dll [jinosiruh]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{5ac949cd-110b-429e-8da8-b96147a09de5}" [HKLM] -> C:\WINDOWS\System32\gehuseda.dll [jugezatag]
YY -> "{9fdf0c48-e32a-49f5-8b48-00bbce408d2a}" [HKLM] -> C:\WINDOWS\System32\hapowoko.dll [gahurihor]
YY -> "{C4BF49A2-94F1-42BD-F034-3604811C807D}" [HKLM] -> C:\WINDOWS\system32\f4gmh.dll [lkjah87hfijgnfasidofgysgiughnjfkgfgdfgf]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{4220685f-0ccb-11df-9b8e-001676491453} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4220685f-0ccb-11df-9b8e-001676491453}\Shell\AutoRun\command -> 
YY -> \{4220685f-0ccb-11df-9b8e-001676491453}\Shell\AutoRun\command\\"" -> G:\y.exe [G:\y.exe]
YN -> \{4220685f-0ccb-11df-9b8e-001676491453} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4220685f-0ccb-11df-9b8e-001676491453}\Shell\open\Command -> 
YY -> \{4220685f-0ccb-11df-9b8e-001676491453}\Shell\open\Command\\"" -> G:\y.exe [G:\y.exe]
YN -> \{861cef3c-0a29-11df-9b8d-001676491453} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{861cef3c-0a29-11df-9b8d-001676491453}\Shell\AutoRun\command -> 
YY -> \{861cef3c-0a29-11df-9b8d-001676491453}\Shell\AutoRun\command\\"" -> F:\SYSTEM\SYSTEM.exe [F:\SYSTEM\SYSTEM.exe]
YN -> \{861cef3c-0a29-11df-9b8d-001676491453} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{861cef3c-0a29-11df-9b8d-001676491453}\Shell\eXpLorE\CoMmAnD -> 
YY -> \{861cef3c-0a29-11df-9b8d-001676491453}\Shell\eXpLorE\CoMmAnD\\"" -> F:\SYSTEM\SYSTEM.exe [F:\SYSTEM\SYSTEM.exe]
YN -> \{861cef3c-0a29-11df-9b8d-001676491453} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{861cef3c-0a29-11df-9b8d-001676491453}\Shell\oPeN\cOmMaNd -> 
YY -> \{861cef3c-0a29-11df-9b8d-001676491453}\Shell\oPeN\cOmMaNd\\"" -> F:\SYSTEM\SYSTEM.exe [F:\SYSTEM\SYSTEM.exe]
YN -> \{ad8bb889-9f56-11de-9b78-001676491453} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ad8bb889-9f56-11de-9b78-001676491453}\Shell\AutoRun\command -> 
YY -> \{ad8bb889-9f56-11de-9b78-001676491453}\Shell\AutoRun\command\\"" -> F:\SYSTEM\SYSTEM.exe [F:\SYSTEM\SYSTEM.exe]
YN -> \{ad8bb889-9f56-11de-9b78-001676491453} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ad8bb889-9f56-11de-9b78-001676491453}\Shell\eXpLorE\CoMmAnD -> 
YY -> \{ad8bb889-9f56-11de-9b78-001676491453}\Shell\eXpLorE\CoMmAnD\\"" -> F:\SYSTEM\SYSTEM.exe [F:\SYSTEM\SYSTEM.exe]
YN -> \{ad8bb889-9f56-11de-9b78-001676491453} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ad8bb889-9f56-11de-9b78-001676491453}\Shell\oPeN\cOmMaNd -> 
YY -> \{ad8bb889-9f56-11de-9b78-001676491453}\Shell\oPeN\cOmMaNd\\"" -> F:\SYSTEM\SYSTEM.exe [F:\SYSTEM\SYSTEM.exe]
[Files/Folders - Created Within 30 Days]
NY ->  scbxf.exe -> C:\scbxf.exe
NY ->  rqhieilm.exe -> C:\rqhieilm.exe
NY ->  isonwnj.exe -> C:\isonwnj.exe
NY ->  S85-28348346-UIT83-G3-72366-GDSG-1732735 -> C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735
NY ->  5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  4 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp
NY ->  1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  bowagina.exe -> C:\WINDOWS\System32\bowagina.exe
NY ->  peyofise.dll -> C:\WINDOWS\System32\peyofise.dll
NY ->  zafufovi.dll -> C:\WINDOWS\System32\zafufovi.dll
NY ->  yovopepa.dll -> C:\WINDOWS\System32\yovopepa.dll
NY ->  wojawiho.dll -> C:\WINDOWS\System32\wojawiho.dll
NY ->  norobeta.dll -> C:\WINDOWS\System32\norobeta.dll
NY ->  daholose.dll -> C:\WINDOWS\System32\daholose.dll
NY ->  tosetono.dll -> C:\WINDOWS\System32\tosetono.dll
NY ->  mekerozu.dll -> C:\WINDOWS\System32\mekerozu.dll
NY ->  jefotumo.dll -> C:\WINDOWS\System32\jefotumo.dll
NY ->  divasalo.dll -> C:\WINDOWS\System32\divasalo.dll
NY ->  kuzogora -> C:\WINDOWS\System32\kuzogora
NY ->  autorun.inf -> C:\autorun.inf
NY ->  kjpnisji.job -> C:\WINDOWS\tasks\kjpnisji.job
NY ->  qx55rhzonv.dll -> C:\WINDOWS\System32\qx55rhzonv.dll
NY ->  scbxf.exe -> C:\scbxf.exe
NY ->  qmhrpt.exe -> C:\qmhrpt.exe
NY ->  cvdxq.exe -> C:\cvdxq.exe
NY ->  helper32.dll -> C:\WINDOWS\System32\helper32.dll
NY ->  IS15.exe -> C:\WINDOWS\System32\IS15.exe
NY ->  Mxadit.dat -> C:\WINDOWS\Mxadit.dat
NY ->  c5b2p7dqd.dll -> C:\WINDOWS\System32\c5b2p7dqd.dll
NY ->  rqhieilm.exe -> C:\rqhieilm.exe
NY ->  Uwedukovikerev.bin -> C:\WINDOWS\Uwedukovikerev.bin
NY ->  uses32.dat -> C:\WINDOWS\System32\uses32.dat
NY ->  mvmdh.exe -> C:\mvmdh.exe
NY ->  isonwnj.exe -> C:\isonwnj.exe
NY ->  d6wqhbq69g.dll -> C:\WINDOWS\System32\d6wqhbq69g.dll
NY ->  htmp.030 -> C:\WINDOWS\System32\htmp.030
NY ->  C2H3 -> C:\WINDOWS\System32\C2H3
NY ->  iphy.dll -> C:\WINDOWS\System32\iphy.dll
NY ->  ajpg51pcgs.dll -> C:\WINDOWS\System32\ajpg51pcgs.dll
NY ->  y.exe -> C:\y.exe
NY ->  fhpatch.dll -> C:\WINDOWS\System32\fhpatch.dll
NY ->  fiplock.dll -> C:\WINDOWS\System32\fiplock.dll
NY ->  IPHACTION.dll -> C:\WINDOWS\System32\IPHACTION.dll
NY ->  srsvc.dll -> C:\WINDOWS\System32\srsvc.dll
NY ->  winlogon32.exe -> C:\WINDOWS\System32\winlogon32.exe
NY ->  smss32.exe -> C:\WINDOWS\System32\smss32.exe
NY ->  f4gmh.dll -> C:\WINDOWS\System32\f4gmh.dll
NY ->  f2kmj.exe -> C:\f2kmj.exe
NY ->  5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  4 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp
NY ->  163 C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp
NY ->  163 C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp
NY ->  1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY ->  1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files - No Company Name]
NY ->  bowagina.exe -> C:\WINDOWS\System32\bowagina.exe
NY ->  zafufovi.dll -> C:\WINDOWS\System32\zafufovi.dll
NY ->  yovopepa.dll -> C:\WINDOWS\System32\yovopepa.dll
NY ->  wojawiho.dll -> C:\WINDOWS\System32\wojawiho.dll
NY ->  norobeta.dll -> C:\WINDOWS\System32\norobeta.dll
NY ->  daholose.dll -> C:\WINDOWS\System32\daholose.dll
NY ->  tosetono.dll -> C:\WINDOWS\System32\tosetono.dll
NY ->  mekerozu.dll -> C:\WINDOWS\System32\mekerozu.dll
NY ->  jefotumo.dll -> C:\WINDOWS\System32\jefotumo.dll
NY ->  divasalo.dll -> C:\WINDOWS\System32\divasalo.dll
NY ->  kuzogora -> C:\WINDOWS\System32\kuzogora
NY ->  aaw7boot.cmd -> C:\aaw7boot.cmd
NY ->  qx55rhzonv.dll -> C:\WINDOWS\System32\qx55rhzonv.dll
NY ->  c5b2p7dqd.dll -> C:\WINDOWS\System32\c5b2p7dqd.dll
NY ->  kjpnisji.job -> C:\WINDOWS\tasks\kjpnisji.job
NY ->  smss32.exe -> C:\WINDOWS\System32\smss32.exe
NY ->  flags.ini -> C:\WINDOWS\System32\flags.ini
NY ->  mvmdh.exe -> C:\mvmdh.exe
NY ->  d6wqhbq69g.dll -> C:\WINDOWS\System32\d6wqhbq69g.dll
NY ->  C2H3 -> C:\WINDOWS\System32\C2H3
NY ->  ajpg51pcgs.dll -> C:\WINDOWS\System32\ajpg51pcgs.dll
NY ->  y.exe -> C:\y.exe
NY ->  uses32.dat -> C:\WINDOWS\System32\uses32.dat
NY ->  Uwedukovikerev.bin -> C:\WINDOWS\Uwedukovikerev.bin
NY ->  Mxadit.dat -> C:\WINDOWS\Mxadit.dat
NY ->  IS15.exe -> C:\WINDOWS\System32\IS15.exe
NY ->  fhpatch.dll -> C:\WINDOWS\System32\fhpatch.dll
NY ->  fiplock.dll -> C:\WINDOWS\System32\fiplock.dll
NY ->  helper32.dll -> C:\WINDOWS\System32\helper32.dll
NY ->  IPHACTION.dll -> C:\WINDOWS\System32\IPHACTION.dll
NY ->  htmp.030 -> C:\WINDOWS\System32\htmp.030
NY ->  iphy.dll -> C:\WINDOWS\System32\iphy.dll
NY ->  winlogon32.exe -> C:\WINDOWS\System32\winlogon32.exe
NY ->  cvdxq.exe -> C:\cvdxq.exe
NY ->  f4gmh.dll -> C:\WINDOWS\System32\f4gmh.dll
NY ->  qmhrpt.exe -> C:\qmhrpt.exe
NY ->  webct_upload_applet.properties -> C:\Documents and Settings\Jeff\webct_upload_applet.properties
NY ->  f2kmj.exe -> C:\f2kmj.exe
NY ->  srsvc.dll -> C:\WINDOWS\System32\srsvc.dll
NY ->  6to4v32.dll -> C:\WINDOWS\System32\6to4v32.dll
NY ->  ndismgr.sys -> C:\WINDOWS\System32\ndismgr.sys
NY ->  diskmgr.sys -> C:\WINDOWS\System32\diskmgr.sys
NY ->  imepuzim.dll -> C:\WINDOWS\imepuzim.dll
[File - Lop Check]
NY ->  kjpnisji.job -> C:\WINDOWS\Tasks\kjpnisji.job
[Custom Scans]
YY ->  cvdxq.exe -> C:\cvdxq.exe
YY ->  f2kmj.exe -> C:\f2kmj.exe
YY ->  isonwnj.exe -> C:\isonwnj.exe
YY ->  mbdm.exe -> C:\mbdm.exe
YY ->  mvmdh.exe -> C:\mvmdh.exe
YY ->  qmhrpt.exe -> C:\qmhrpt.exe
YY ->  rqhieilm.exe -> C:\rqhieilm.exe
YY ->  scbxf.exe -> C:\scbxf.exe
YY ->  wu1n.exe -> C:\wu1n.exe
YY ->  y.exe -> C:\y.exe
YY ->  fiplock.dll : Unable to obtain MD5  -> C:\WINDOWS\system32\fiplock.dll
NY ->  5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Could you then retry GMER please?

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
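The OTS fix above lists the autostart locations, policy values and files the fix will remove. As an added example (not OTS's or the thread's own code), this Python script parses that fix-script layout on a constructed subset of the entries quoted above and reports which policy values lock the user out of recovery tools, which persistence mechanism each target lives in, and which targets reuse core Windows process names outside System32 or as "32" lookalikes; the lookalike rule and the mechanism labels are my own triage heuristics, not OTS terminology.

```python
"""Triage helper for an OTS-style fix script (example added to this thread, not part
of OTS).  It reads the '[Section]' / '< Location > -> key' / 'YY -> name -> target'
layout and reports lockout policies, persistence locations and process-name lookalikes."""
import re
from collections import defaultdict

LOCKOUT_POLICIES = {  # Windows policy values that disable the user's own recovery tools
    "DisableTaskMgr": "Task Manager disabled", "DisableRegistryTools": "Registry Editor disabled",
    "DisableCMD": "Command Prompt disabled", "NoRun": "Start > Run disabled",
    "NoFolderOptions": "Folder Options hidden"}
SYSTEM_PROCESS_NAMES = {"csrss.exe", "lsass.exe", "winlogon.exe", "smss.exe", "services.exe"}  # System32 only
LOCATION_RE = re.compile(r"^< (.*?) > -> (.*)$")
ENTRY_RE = re.compile(r"^([YN]{2}) -> (.*?) -> (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^\[\]"]+?\.(?:exe|dll|sys))', re.IGNORECASE)

# Constructed subset of the entries quoted in the fix above.
SAMPLE_FIX = r"""
[Processes - Safe List]
YY -> lsass.exe -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\lsass.exe
YY -> csrss.exe -> C:\DOCUME~1\Jeff\LOCALS~1\Temp\csrss.exe
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "smss32.exe" -> C:\WINDOWS\System32\smss32.exe [C:\WINDOWS\system32\smss32.exe]
YY -> "Windows Login Services" -> C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe ["C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe"]
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableCMD" -> [1]
YN -> \\"DisableRegistryTools" -> [1]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
YY -> daholose.dll -> C:\WINDOWS\System32\daholose.dll
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
YY -> C:\WINDOWS\system32\winlogon32.exe -> C:\WINDOWS\System32\winlogon32.exe
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YY -> \{4220685f-0ccb-11df-9b8e-001676491453}\Shell\AutoRun\command\\"" -> G:\y.exe [G:\y.exe]
"""

def parse_fix(text):
    """Yield (section, location, flags, name, target) for each entry line."""
    section = location = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, location = line[1:-1], None
        elif m := LOCATION_RE.match(line):
            location = m.group(1)
        elif (m := ENTRY_RE.match(line)) and section:
            flags, name, target = m.groups()
            yield section, location, flags, name.strip(), target.strip()

def value_name(name):
    """Return the quoted value name if the entry has one, else the raw name."""
    m = re.search(r'"([^"]+)"', name)
    return m.group(1) if m else name

def classify(section, location, name):
    """Map an entry to the persistence mechanism it lives in (my own labels)."""
    loc = (location or "").lower()
    if "mountpoints2" in loc:
        return "AutoRun command for removable/mapped drive"
    if "appinit" in loc:
        return "AppInit_DLLs (loaded into every user-mode process)"
    if "winlogon" in loc:
        return "Winlogon UserInit"
    if "policy" in loc:
        return "Policies Run key" if name.lower().startswith("\\run") else "policy value"
    if loc.startswith("run "):
        return "Run key"
    if any(k in loc for k in ("ssodl", "sharedtaskscheduler", "bho")):
        return "Explorer/IE shell extension"
    return section.replace(" - Safe List", "").lower()  # processes, modules, services, ...

def masquerade_reason(path):
    """Heuristic: core process names outside System32, or '<name>32.exe' lookalikes."""
    directory, _, base = path.rpartition("\\")
    base = base.lower()
    if base in SYSTEM_PROCESS_NAMES and not directory.lower().endswith("\\system32"):
        return "core Windows process name outside System32"
    lookalike = re.sub(r"32(?=\.exe$)", "", base)
    if lookalike != base and lookalike in SYSTEM_PROCESS_NAMES:
        return "lookalike of " + lookalike
    return None

def triage(text):
    """Summarise a fix script as lockout policies, persistence paths and suspects."""
    report = {"lockouts": [], "autostarts": defaultdict(list), "masquerades": []}
    for section, location, _flags, name, target in parse_fix(text):
        vname = value_name(name)
        if vname in LOCKOUT_POLICIES and target == "[1]":
            report["lockouts"].append((vname, LOCKOUT_POLICIES[vname]))
        elif m := PATH_RE.search(target):  # container keys with empty targets are skipped
            path = m.group(1)
            report["autostarts"][classify(section, location, name)].append(path)
            if reason := masquerade_reason(path):
                report["masquerades"].append((path, reason))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_FIX))
```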

#5
flefster
Member, Topic Starter, 22 posts
I copied the above information into the paste fix here window, hit run, then right when the program begins to start the scan and kill all processes, my computer restarts.

#6
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
OK, the malware is getting uppity - let's try a different route

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with Malware removal mode enabled " check box.
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis " check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#7
flefster
Member, Topic Starter, 22 posts
Sorry, AVZ instantly closes when I run it.

Edited by flefster, 30 January 2010 - 10:29 AM.


#8
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
OK, I will try to hit it a piece at a time; this will probably fail, but it is worth a shot. If this does fail, do you have access to a CD burner to download and burn a PE environment? That will work.

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Drivers to delete:
6to4
BtwSvc
diskmgr
ndismgr
srservice

Files to delete:
c:\cvdxq.exe
c:\docume~1\jeff\locals~1\temp\csrss.exe
c:\docume~1\jeff\locals~1\temp\dnwmw.exe
c:\docume~1\jeff\locals~1\temp\herss.exe
c:\isonwnj.exe
c:\mvmdh.exe
c:\qmhrpt.exe
c:\rqhieilm.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\ajpg51pcgs.dll
c:\windows\system32\bowagina.exe
c:\windows\system32\btwsvc.dll
c:\windows\system32\d6wqhbq69g.dll
c:\windows\system32\daholose.dll
c:\windows\system32\diskmgr.sys
c:\windows\system32\divasalo.dll
c:\windows\system32\f4gmh.dll
c:\windows\system32\gehuseda.dll
c:\windows\system32\hapowoko.dll
c:\windows\system32\is15.exe
c:\windows\system32\jefotumo.dll
c:\windows\system32\kuzogora
c:\windows\system32\mekerozu.dll
c:\windows\system32\ndismgr.sys
c:\windows\system32\norobeta.dll
c:\windows\system32\peyofise.dll
c:\windows\system32\qx55rhzonv.dll
c:\windows\system32\smss32.exe
c:\windows\system32\srsvc.dll
c:\windows\system32\tosetono.dll
c:\windows\system32\uses32.dat
c:\windows\system32\wojawiho.dll
c:\windows\system32\yovopepa.dll
c:\windows\system32\zafufovi.dll
c:\windows\tasks\kjpnisji.job
c:\windows\uwedukovikerev.bin
c:\y.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

ON COMPLETION

Retry the OTS fix as previously posted

#9
flefster
Member, Topic Starter, 22 posts
Sorry, this method didn't work either. Avenger closes as soon as I open it. I do have a cd burner.

#10
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
OK, this will work but it is not fast.

OK, this file is big, about 276.7 MB; print these instructions out so that you know what you are doing.
File details :
Bytes - 290,234,368
MB - 276.7
MD5 - C1F65EAFC453367E12E242BFCDFB68A2

Two programmes to download

First

ISOBurner this will allow you to burn OTLPE.iso to a CD and make it bootable. Just install the programme, from there on in it is fairly automatic. Instructions

Second

  • Download OTLPE.iso and burn to a CD using ISOBurner. NOTE: This file is 276.7 MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)

  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.


#11
flefster
Member, Topic Starter, 22 posts
Burned the cd, loaded it up, and after about five minutes of "starting reatogo-x-pe" a message came up that said the file SYSRAID1.SY_ is corrupted.

EDIT: I tried it again, and now it seems to be working, so far.

Edited by flefster, 30 January 2010 - 11:38 AM.


#12
flefster
Member, Topic Starter, 22 posts
This time it worked. Attached is the OTL.txt document.

OTL logfile created on: 1/30/2010 12:44:11 PM - Run
OTLPE by OldTimer - Version 3.1.27.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 84.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 59.35 Gb Free Space | 31.86% Space Free | Partition Type: NTFS
Drive D: | 372.61 Gb Total Space | 92.79 Gb Free Space | 24.90% Space Free | Partition Type: NTFS
Drive E: | 1.86 Gb Total Space | 1.25 Gb Free Space | 67.02% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/01/29 14:55:47 | 01,181,328 | ---- | M] (Lavasoft) [Auto] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/01/29 00:47:48 | 00,004,608 | ---- | M] () [Auto] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2009/05/28 16:00:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/02/18 23:30:20 | 00,121,360 | ---- | M] (Logitech, Inc.) [On_Demand] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/02/03 23:41:55 | 00,602,112 | ---- | M] (ATI Technologies Inc.) [Auto] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/02/03 21:05:00 | 00,593,920 | ---- | M] () [Auto] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2008/09/19 03:03:58 | 00,065,536 | ---- | M] (PostgreSQL Global Development Group) [Auto] -- C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe -- (pgsql-8.3)
SRV - [2007/07/16 10:58:02 | 01,524,512 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/10/26 23:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2006/10/26 18:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/06/30 21:56:08 | 00,065,536 | ---- | M] (New Boundary Technologies, Inc.) [Auto] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2004/08/04 14:00:00 | 00,053,248 | ---- | M] () [Auto] -- C:\WINDOWS\system32\6to4v32.dll -- (6to4)
SRV - [2004/08/04 14:00:00 | 00,038,912 | ---- | M] () [Auto] -- C:\WINDOWS\system32\BtwSvc.dll -- (BtwSvc)
SRV - [2004/08/04 14:00:00 | 00,034,816 | ---- | M] (Netopsystems AG) [Auto] -- C:\WINDOWS\system32\PeerSvc.exe -- (peersvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (SANDRA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/01/29 06:43:30 | 00,046,592 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\4DW4R3KvSTXuuCxi.sys -- (4DW4R3)
DRV - [2009/12/02 08:19:06 | 00,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot] -- C:\WINDOWS\system32\drivers\Lbd.sys -- (Lbd)
DRV - [2009/02/04 02:27:21 | 03,488,768 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/12/18 22:44:00 | 00,028,816 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2008/12/18 22:43:48 | 00,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/12/18 22:43:40 | 00,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/12/18 22:43:18 | 00,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2008/12/18 22:43:06 | 00,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2008/08/20 12:58:58 | 00,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/03/06 10:51:14 | 00,003,840 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2007/07/16 10:57:12 | 00,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/03/01 17:27:26 | 04,484,608 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/02/26 17:15:22 | 00,061,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21)
DRV - [2007/01/31 12:45:06 | 00,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 14:28:02 | 00,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/10/12 15:07:12 | 00,874,240 | ---- | M] (Intel Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\iastor.sys -- (iaStor)
DRV - [2005/07/20 08:35:00 | 00,240,384 | ---- | M] (Marvell) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/01/26 08:22:20 | 00,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2005/01/07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2005/01/07 17:07:16 | 00,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HdAudio.sys -- (HdAudAddService)
DRV - [2004/08/04 14:00:00 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/04 14:00:00 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\ql1280.sys -- (ql1280)
DRV - [2004/08/04 14:00:00 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\ql12160.sys -- (ql12160)
DRV - [2004/08/04 14:00:00 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\ql1080.sys -- (ql1080)
DRV - [2004/08/04 14:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\ultra.sys -- (ultra)
DRV - [2004/08/04 14:00:00 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx)
DRV - [2004/08/04 14:00:00 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3)
DRV - [2004/08/04 14:00:00 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi)
DRV - [2004/08/04 14:00:00 | 00,027,440 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2004/08/04 14:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\asc.sys -- (asc)
DRV - [2004/08/04 14:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sparrow.sys -- (Sparrow)
DRV - [2004/08/04 14:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 14:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x)
DRV - [2004/08/04 14:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810)
DRV - [2004/08/04 14:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\asc3550.sys -- (asc3550)
DRV - [2004/08/04 14:00:00 | 00,007,936 | ---- | M] (Microsoft Corporation) [Recognizer | System] -- C:\WINDOWS\system32\drivers\fs_rec.sys -- (Fs_Rec)
DRV - [2004/08/04 14:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde)
DRV - [2004/08/04 14:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde)
DRV - [2004/08/04 14:00:00 | 00,002,864 | ---- | M] (Microsoft Corporation) [Adapter | On_Demand] -- C:\WINDOWS\system32\winsock.dll -- (Winsock)
DRV - [2004/08/04 14:00:00 | 00,002,304 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\ndismgr.sys -- (ndismgr)
DRV - [2004/08/04 14:00:00 | 00,002,304 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\diskmgr.sys -- (diskmgr)
DRV - [2004/08/03 18:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\AMDAGP.SYS -- (amdagp)
DRV - [2004/08/03 18:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SISAGP.SYS -- (sisagp)
DRV - [2001/08/17 07:10:58 | 00,069,692 | ---- | M] (3Com Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\el575ND5.sys -- (el575nd5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\Jeff_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0





FF - HKLM\software\mozilla\Firefox\extensions\\{8ED61C25-90CA-4307-9725-32ED83C514F3}: C:\Documents and Settings\Jeff\Local Settings\Application Data\{8ED61C25-90CA-4307-9725-32ED83C514F3} [2010/01/29 00:50:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/25 23:03:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/26 22:22:13 | 00,000,000 | ---D | M]

[2010/01/29 18:04:02 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 14:00:00 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (C:\WINDOWS\system32\f4gmh.dll) - {C4BF49A2-94F1-42BD-F034-3604811C807D} - C:\WINDOWS\system32\f4gmh.dll ()
O4 - HKLM..\Run: [5-Day Forecast] C:\Program Files\5-Day Forecast\5-Day Forecast\5-Day Forecast.exe ()
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Fcayuh] C:\WINDOWS\imepuzim.DLL (RAD Game Tools, Inc.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HDAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vokijeyoh] C:\WINDOWS\System32\gehuseda.DLL File not found
O4 - HKLM..\Run: [Windows Login Services] C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe ()
O4 - HKLM..\Run: [XboxStat] C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe (Microsoft Corporation)
O4 - HKU\Jeff_ON_C..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Documents and Settings\Jeff\Local Settings\Temp\win16.exe ()
O4 - HKU\Jeff_ON_C..\Run: [cdoosoft] C:\Documents and Settings\Jeff\Local Settings\Temp\herss.exe ()
O4 - HKU\Jeff_ON_C..\Run: [sefjhf98jfoidsfoishgoiusgdgfgd] C:\Documents and Settings\Jeff\Local Settings\Temp\gftuaqfz3.exe ()
O4 - HKU\Jeff_ON_C..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe ()
O4 - HKU\Jeff_ON_C..\Run: [Windows Login Services] C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Windows Login Services = "C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe" ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCMD = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\Jeff_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Jeff_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\Jeff_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 1
O7 - HKU\Jeff_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Windows Login Services = "C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735\winlogon.exe" ()
O7 - HKU\Jeff_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\Jeff_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\Jeff_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCMD = 1
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\postgres_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: buy-internet-security10.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\Jeff_ON_C\..Trusted Domains: buy-internet-security10.com ([]http in Trusted sites)
O15 - HKU\Jeff_ON_C\..Trusted Domains: is-soft-download.com ([]http in Trusted sites)
O15 - HKU\Jeff_ON_C\..Trusted Domains: is-software-download25.com ([]http in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\kbdsock.dll) - C:\WINDOWS\system32\kbdsock.dll ()
O20 - AppInit_DLLs: (daholose.dll) - C:\WINDOWS\System32\daholose.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\winlogon32.exe) - C:\WINDOWS\system32\winlogon32.exe ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21 - SSODL: golohohul - {5ac949cd-110b-429e-8da8-b96147a09de5} - C:\WINDOWS\System32\gehuseda.dll File not found
O21 - SSODL: jinosiruh - {9fdf0c48-e32a-49f5-8b48-00bbce408d2a} - C:\WINDOWS\System32\hapowoko.dll File not found
O22 - SharedTaskScheduler: {5ac949cd-110b-429e-8da8-b96147a09de5} - jugezatag - C:\WINDOWS\System32\gehuseda.dll File not found
O22 - SharedTaskScheduler: {9fdf0c48-e32a-49f5-8b48-00bbce408d2a} - gahurihor - C:\WINDOWS\System32\hapowoko.dll File not found
O22 - SharedTaskScheduler: {C4BF49A2-94F1-42BD-F034-3604811C807D} - lkjah87hfijgnfasidofgysgiughnjfkgfgdfgf - C:\WINDOWS\system32\f4gmh.dll ()
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/06 19:38:36 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/01/30 12:30:40 | 00,000,057 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/01/30 12:30:40 | 00,000,057 | RHS- | M] () - D:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/01/30 12:44:36 | 00,000,049 | RHS- | M] () - E:\autorun.inf -- [ FAT ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 00,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{4220685e-0ccb-11df-9b8e-001676491453}\Shell - "" = AutoRun
O33 - MountPoints2\{4220685e-0ccb-11df-9b8e-001676491453}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4220685e-0ccb-11df-9b8e-001676491453}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{4220685f-0ccb-11df-9b8e-001676491453}\Shell\AutoRun\command - "" = G:\y.exe -- File not found
O33 - MountPoints2\{4220685f-0ccb-11df-9b8e-001676491453}\Shell\open\Command - "" = G:\y.exe -- File not found
O33 - MountPoints2\{861cef3c-0a29-11df-9b8d-001676491453}\Shell\AutoRun\command - "" = F:\SYSTEM\SYSTEM.exe -- File not found
O33 - MountPoints2\{861cef3c-0a29-11df-9b8d-001676491453}\Shell\eXpLorE\CoMmAnD - "" = F:\SYSTEM\SYSTEM.exe -- File not found
O33 - MountPoints2\{861cef3c-0a29-11df-9b8d-001676491453}\Shell\oPeN\cOmMaNd - "" = F:\SYSTEM\SYSTEM.exe -- File not found
O33 - MountPoints2\{ad8bb889-9f56-11de-9b78-001676491453}\Shell\AutoRun\command - "" = F:\SYSTEM\SYSTEM.exe -- File not found
O33 - MountPoints2\{ad8bb889-9f56-11de-9b78-001676491453}\Shell\eXpLorE\CoMmAnD - "" = F:\SYSTEM\SYSTEM.exe -- File not found
O33 - MountPoints2\{ad8bb889-9f56-11de-9b78-001676491453}\Shell\oPeN\cOmMaNd - "" = F:\SYSTEM\SYSTEM.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
O36 - AppCertDlls: AppSecDll - (C:\WINDOWS\system32\mshlps.dll) - C:\WINDOWS\system32\mshlps.dll ()

========== Files/Folders - Created Within 30 Days ==========

[2010/01/30 11:06:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/01/30 10:07:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Desktop\help
[2010/01/30 09:58:27 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/30 09:58:25 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/30 09:58:25 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/30 09:48:37 | 00,043,008 | ---- | C] (Xiph.Org Foundation) -- C:\scbxf.exe
[2010/01/30 02:24:14 | 00,153,600 | ---- | C] (Microsoft Corporation) -- C:\rqhieilm.exe
[2010/01/29 15:02:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Desktop
[2010/01/29 14:56:18 | 00,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/01/29 14:45:50 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/01/29 14:05:23 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/29 00:50:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Local Settings\Application Data\{8ED61C25-90CA-4307-9725-32ED83C514F3}
[2010/01/29 00:48:09 | 01,474,048 | ---- | C] (Internet Security) -- C:\WINDOWS\System32\IS15.exe
[2010/01/29 00:47:10 | 00,180,736 | ---- | C] (Microsoft Corporation) -- C:\isonwnj.exe
[2010/01/26 22:22:00 | 00,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/01/26 22:21:50 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2010/01/26 15:24:47 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735
[2010/01/03 17:02:38 | 00,000,000 | ---D | C] -- C:\Program Files\5-Day Forecast
[2010/01/03 17:02:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Local Settings\Application Data\5-Day Forecast
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2099/01/01 12:00:00 | 00,135,168 | -HS- | M] () -- C:\WINDOWS\System32\bowagina.exe
[2099/01/01 12:00:00 | 00,092,672 | -HS- | M] () -- C:\WINDOWS\System32\peyofise.dll
[2099/01/01 12:00:00 | 00,061,952 | -HS- | M] () -- C:\WINDOWS\System32\zafufovi.dll
[2099/01/01 12:00:00 | 00,053,248 | -HS- | M] () -- C:\WINDOWS\System32\yovopepa.dll
[2099/01/01 12:00:00 | 00,053,248 | -HS- | M] () -- C:\WINDOWS\System32\wojawiho.dll
[2099/01/01 12:00:00 | 00,053,248 | -HS- | M] () -- C:\WINDOWS\System32\norobeta.dll
[2099/01/01 12:00:00 | 00,053,248 | -HS- | M] () -- C:\WINDOWS\System32\daholose.dll
[2099/01/01 12:00:00 | 00,045,568 | -HS- | M] () -- C:\WINDOWS\System32\tosetono.dll
[2099/01/01 12:00:00 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\mekerozu.dll
[2099/01/01 12:00:00 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\jefotumo.dll
[2099/01/01 12:00:00 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\divasalo.dll
[2010/01/30 12:44:11 | 04,194,304 | -H-- | M] () -- C:\Documents and Settings\Jeff\NTUSER.DAT
[2010/01/30 12:31:09 | 00,046,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\4DW4R3.sys
[2010/01/30 12:31:09 | 00,028,160 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3c.dll
[2010/01/30 12:31:08 | 00,786,432 | -H-- | M] () -- C:\Documents and Settings\postgres\NTUSER.DAT
[2010/01/30 12:31:08 | 00,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/01/30 12:31:08 | 00,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/01/30 12:31:07 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/30 12:30:47 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Jeff\ntuser.ini
[2010/01/30 12:30:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/30 12:30:44 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\kuzogora
[2010/01/30 12:30:40 | 00,000,057 | RHS- | M] () -- C:\autorun.inf
[2010/01/30 12:25:09 | 00,000,053 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3sv.dat
[2010/01/30 12:00:00 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\kjpnisji.job
[2010/01/30 11:46:50 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Mxadit.dat
[2010/01/30 11:18:47 | 00,000,132 | -H-- | M] () -- C:\aaw7boot.cmd
[2010/01/30 11:18:46 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/30 11:18:46 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/30 11:18:46 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/30 11:18:46 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/30 11:18:46 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/30 11:14:23 | 00,475,154 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/30 11:14:23 | 00,404,298 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/30 11:14:23 | 00,063,392 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/30 11:13:37 | 00,020,000 | ---- | M] () -- C:\WINDOWS\System32\vr6i0.dll
[2010/01/30 11:13:35 | 00,052,224 | ---- | M] () -- C:\qmhrpt.exe
[2010/01/30 11:13:34 | 00,043,008 | ---- | M] (Xiph.Org Foundation) -- C:\scbxf.exe
[2010/01/30 11:13:34 | 00,039,424 | ---- | M] () -- C:\cvdxq.exe
[2010/01/30 11:11:18 | 01,474,048 | ---- | M] (Internet Security) -- C:\WINDOWS\System32\IS15.exe
[2010/01/30 11:11:14 | 00,029,184 | ---- | M] () -- C:\WINDOWS\System32\helper32.dll
[2010/01/30 11:10:00 | 16,082,65728 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/30 11:08:07 | 00,094,208 | RHS- | M] () -- C:\1hqup.exe
[2010/01/30 09:48:39 | 00,020,000 | ---- | M] () -- C:\WINDOWS\System32\qx55rhzonv.dll
[2010/01/30 02:24:18 | 00,020,000 | ---- | M] () -- C:\WINDOWS\System32\c5b2p7dqd.dll
[2010/01/30 02:24:15 | 00,153,600 | ---- | M] (Microsoft Corporation) -- C:\rqhieilm.exe
[2010/01/30 02:17:06 | 00,046,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\4DW4R3IkwJYxuBRB.sys
[2010/01/30 02:17:06 | 00,028,160 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3dtXaEoGytK.dll
[2010/01/30 01:55:35 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Uwedukovikerev.bin
[2010/01/29 18:51:21 | 00,046,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\4DW4R3UNLonBRFIf.sys
[2010/01/29 18:51:21 | 00,028,160 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3CaoGyoxMXW.dll
[2010/01/29 17:50:30 | 00,046,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\4DW4R3dXlFrYMtLt.sys
[2010/01/29 17:50:30 | 00,028,160 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3VAdyUNOfqi.dll
[2010/01/29 15:31:59 | 00,046,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\4DW4R3xtksUkWooV.sys
[2010/01/29 15:31:59 | 00,028,160 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3iNUjEYXDPl.dll
[2010/01/29 15:29:30 | 00,000,225 | ---- | M] () -- C:\WINDOWS\System32\uses32.dat
[2010/01/29 15:29:30 | 00,000,100 | ---- | M] () -- C:\WINDOWS\System32\flags.ini
[2010/01/29 15:27:44 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\postgres\ntuser.ini
[2010/01/29 14:57:01 | 00,046,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\4DW4R3KiqLQQMOUP.sys
[2010/01/29 14:57:01 | 00,028,160 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3fTEoyKJvdU.dll
[2010/01/29 14:56:07 | 00,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/01/29 13:53:53 | 00,097,280 | RHS- | M] () -- C:\mvmdh.exe
[2010/01/29 07:02:44 | 00,046,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\4DW4R3YhXwxhKXtN.sys
[2010/01/29 07:02:44 | 00,028,160 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3LhnTrLdgXj.dll
[2010/01/29 07:02:29 | 00,180,736 | ---- | M] (Microsoft Corporation) -- C:\isonwnj.exe
[2010/01/29 07:02:28 | 00,020,000 | ---- | M] () -- C:\WINDOWS\System32\d6wqhbq69g.dll
[2010/01/29 06:57:33 | 00,046,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\4DW4R3LAWYkyrcQi.sys
[2010/01/29 06:57:33 | 00,028,160 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3JIaxmpoBDm.dll
[2010/01/29 06:43:44 | 00,008,192 | ---- | M] () -- C:\WINDOWS\System32\htmp.030
[2010/01/29 06:43:44 | 00,004,608 | ---- | M] () -- C:\WINDOWS\System32\C2H3
[2010/01/29 06:43:44 | 00,000,006 | ---- | M] () -- C:\WINDOWS\System32\iphy.dll
[2010/01/29 06:43:30 | 00,046,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\4DW4R3KvSTXuuCxi.sys
[2010/01/29 06:43:30 | 00,028,160 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3qefGfwrwig.dll
[2010/01/29 06:43:26 | 00,020,000 | ---- | M] () -- C:\WINDOWS\System32\ajpg51pcgs.dll
[2010/01/29 06:41:28 | 00,100,864 | RHS- | M] () -- C:\y.exe
[2010/01/29 00:48:09 | 00,000,003 | ---- | M] () -- C:\WINDOWS\System32\fhpatch.dll
[2010/01/29 00:48:09 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\fiplock.dll
[2010/01/29 00:47:53 | 00,561,152 | ---- | M] () -- C:\WINDOWS\System32\IPHACTION.dll
[2010/01/29 00:47:48 | 00,004,608 | ---- | M] () -- C:\WINDOWS\System32\srsvc.dll
[2010/01/29 00:47:12 | 00,020,480 | ---- | M] () -- C:\WINDOWS\System32\winlogon32.exe
[2010/01/29 00:47:12 | 00,020,480 | ---- | M] () -- C:\WINDOWS\System32\smss32.exe
[2010/01/29 00:47:10 | 00,020,000 | ---- | M] () -- C:\WINDOWS\System32\f4gmh.dll
[2010/01/28 19:25:54 | 00,086,016 | ---- | M] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/28 18:34:04 | 00,034,076 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\iambusy.xlsx
[2010/01/23 22:23:47 | 00,000,124 | ---- | M] () -- C:\Documents and Settings\Jeff\webct_upload_applet.properties
[2010/01/07 23:37:09 | 00,121,344 | RHS- | M] () -- C:\f2kmj.exe
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 00,135,168 | -HS- | C] () -- C:\WINDOWS\System32\bowagina.exe
[2099/01/01 12:00:00 | 00,092,672 | -HS- | C] () -- C:\WINDOWS\System32\peyofise.dll
[2099/01/01 12:00:00 | 00,061,952 | -HS- | C] () -- C:\WINDOWS\System32\zafufovi.dll
[2099/01/01 12:00:00 | 00,053,248 | -HS- | C] () -- C:\WINDOWS\System32\yovopepa.dll
[2099/01/01 12:00:00 | 00,053,248 | -HS- | C] () -- C:\WINDOWS\System32\wojawiho.dll
[2099/01/01 12:00:00 | 00,053,248 | -HS- | C] () -- C:\WINDOWS\System32\norobeta.dll
[2099/01/01 12:00:00 | 00,053,248 | -HS- | C] () -- C:\WINDOWS\System32\daholose.dll
[2099/01/01 12:00:00 | 00,045,568 | -HS- | C] () -- C:\WINDOWS\System32\tosetono.dll
[2099/01/01 12:00:00 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\mekerozu.dll
[2099/01/01 12:00:00 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\jefotumo.dll
[2099/01/01 12:00:00 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\divasalo.dll
[2099/01/01 12:00:00 | 00,006,456 | -H-- | C] () -- C:\WINDOWS\System32\kuzogora
[2010/01/30 11:18:47 | 00,000,132 | -H-- | C] () -- C:\aaw7boot.cmd
[2010/01/30 11:13:37 | 00,020,000 | ---- | C] () -- C:\WINDOWS\System32\vr6i0.dll
[2010/01/30 11:08:34 | 00,094,208 | RHS- | C] () -- C:\1hqup.exe
[2010/01/30 09:48:39 | 00,020,000 | ---- | C] () -- C:\WINDOWS\System32\qx55rhzonv.dll
[2010/01/30 02:24:18 | 00,020,000 | ---- | C] () -- C:\WINDOWS\System32\c5b2p7dqd.dll
[2010/01/30 01:52:24 | 00,000,296 | ---- | C] () -- C:\WINDOWS\tasks\kjpnisji.job
[2010/01/29 15:32:47 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\smss32.exe
[2010/01/29 15:29:30 | 00,000,100 | ---- | C] () -- C:\WINDOWS\System32\flags.ini
[2010/01/29 15:27:46 | 00,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/01/29 14:56:56 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/29 14:56:56 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/29 14:56:56 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/29 14:56:56 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/29 14:56:56 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/29 13:54:19 | 00,097,280 | RHS- | C] () -- C:\mvmdh.exe
[2010/01/29 07:02:28 | 00,020,000 | ---- | C] () -- C:\WINDOWS\System32\d6wqhbq69g.dll
[2010/01/29 06:57:33 | 00,046,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\4DW4R3YhXwxhKXtN.sys
[2010/01/29 06:57:33 | 00,046,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\4DW4R3xtksUkWooV.sys
[2010/01/29 06:57:33 | 00,046,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\4DW4R3UNLonBRFIf.sys
[2010/01/29 06:57:33 | 00,046,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\4DW4R3LAWYkyrcQi.sys
[2010/01/29 06:57:33 | 00,046,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\4DW4R3KiqLQQMOUP.sys
[2010/01/29 06:57:33 | 00,046,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\4DW4R3IkwJYxuBRB.sys
[2010/01/29 06:57:33 | 00,046,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\4DW4R3dXlFrYMtLt.sys
[2010/01/29 06:57:33 | 00,046,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\4DW4R3.sys
[2010/01/29 06:57:33 | 00,028,160 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3VAdyUNOfqi.dll
[2010/01/29 06:57:33 | 00,028,160 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3LhnTrLdgXj.dll
[2010/01/29 06:57:33 | 00,028,160 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3JIaxmpoBDm.dll
[2010/01/29 06:57:33 | 00,028,160 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3iNUjEYXDPl.dll
[2010/01/29 06:57:33 | 00,028,160 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3fTEoyKJvdU.dll
[2010/01/29 06:57:33 | 00,028,160 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3dtXaEoGytK.dll
[2010/01/29 06:57:33 | 00,028,160 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3CaoGyoxMXW.dll
[2010/01/29 06:57:33 | 00,028,160 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3c.dll
[2010/01/29 06:43:44 | 00,004,608 | ---- | C] () -- C:\WINDOWS\System32\C2H3
[2010/01/29 06:43:34 | 00,000,053 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3sv.dat
[2010/01/29 06:43:30 | 00,046,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\4DW4R3KvSTXuuCxi.sys
[2010/01/29 06:43:30 | 00,028,160 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3qefGfwrwig.dll
[2010/01/29 06:43:26 | 00,020,000 | ---- | C] () -- C:\WINDOWS\System32\ajpg51pcgs.dll
[2010/01/29 06:41:55 | 00,100,864 | RHS- | C] () -- C:\y.exe
[2010/01/29 06:38:31 | 00,000,225 | ---- | C] () -- C:\WINDOWS\System32\uses32.dat
[2010/01/29 00:50:55 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Uwedukovikerev.bin
[2010/01/29 00:50:54 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Mxadit.dat
[2010/01/29 00:48:09 | 00,000,003 | ---- | C] () -- C:\WINDOWS\System32\fhpatch.dll
[2010/01/29 00:48:09 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\fiplock.dll
[2010/01/29 00:47:55 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\helper32.dll
[2010/01/29 00:47:51 | 00,561,152 | ---- | C] () -- C:\WINDOWS\System32\IPHACTION.dll
[2010/01/29 00:47:48 | 00,008,192 | ---- | C] () -- C:\WINDOWS\System32\htmp.030
[2010/01/29 00:47:48 | 00,000,006 | ---- | C] () -- C:\WINDOWS\System32\iphy.dll
[2010/01/29 00:47:16 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\winlogon32.exe
[2010/01/29 00:47:11 | 00,039,424 | ---- | C] () -- C:\cvdxq.exe
[2010/01/29 00:47:10 | 00,020,000 | ---- | C] () -- C:\WINDOWS\System32\f4gmh.dll
[2010/01/29 00:47:09 | 00,052,224 | ---- | C] () -- C:\qmhrpt.exe
[2010/01/23 22:23:47 | 00,000,124 | ---- | C] () -- C:\Documents and Settings\Jeff\webct_upload_applet.properties
[2010/01/07 23:37:36 | 00,121,344 | RHS- | C] () -- C:\f2kmj.exe
[2009/08/29 17:41:11 | 00,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2009/03/17 13:55:46 | 00,086,016 | ---- | C] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/15 18:41:29 | 00,004,608 | ---- | C] () -- C:\WINDOWS\System32\srsvc.dll
[2009/03/15 18:41:20 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2009/03/15 18:40:14 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\6to4v32.dll
[2009/03/15 18:40:14 | 00,002,304 | ---- | C] () -- C:\WINDOWS\System32\ndismgr.sys
[2009/03/15 18:40:14 | 00,002,304 | ---- | C] () -- C:\WINDOWS\System32\diskmgr.sys
[2009/03/15 18:39:13 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2007/07/16 10:58:10 | 00,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/07/16 10:58:00 | 00,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006/07/01 01:01:25 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/05/06 19:24:27 | 00,000,431 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2006/05/06 19:24:27 | 00,000,358 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/05/06 19:24:16 | 00,003,072 | ---- | C] () -- C:\WINDOWS\System32\mshlps.dll
[2006/05/06 19:24:16 | 00,003,072 | ---- | C] () -- C:\WINDOWS\System32\kbdsock.dll
[2004/08/04 14:00:00 | 00,038,912 | ---- | C] () -- C:\WINDOWS\System32\BtwSvc.dll
[2004/08/04 14:00:00 | 00,000,003 | ---- | C] () -- C:\WINDOWS\System32\FInstall.sys

========== LOP Check ==========

[2010/01/29 06:06:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\.purple
[2009/07/13 00:07:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Azureus
[2009/11/01 23:51:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\gtk-2.0
[2009/05/28 16:01:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\OpenOffice.org
[2010/01/26 15:24:47 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735
[2010/01/20 16:37:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\uTorrent
[2010/01/30 11:18:46 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010/01/30 11:18:46 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010/01/30 11:18:46 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010/01/30 11:18:46 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010/01/30 11:18:46 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/01/30 12:00:00 | 00,000,296 | ---- | M] () -- C:\WINDOWS\Tasks\kjpnisji.job

========== Purity Check ==========


< End of report >

Attached File: OTL.Txt (80.76KB)

Edited by Essexboy, 30 January 2010 - 11:56 AM.

#13 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK it's showtime :)

Download the attached fix.txt
Copy to the USB you are using for transfers


Start OTLPE as you did previously from CD


  • Insert your USB drive with fix.txt on it
  • Start OTLPE
  • Drag and drop fix.txt into the Custom scans and fixes box
  • If you cannot drag and drop for some reason, press the Run Fix button and a dialogue box will pop up asking for the location; select the file on your USB drive
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done to normal mode if possible
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Also run MBAM once back in normal mode
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#14 flefster (Topic Starter, Member, 22 posts)
Ok, thank you very much.

Ran OTLPE from the CD with the included fixes you gave me. Then went back to normal Windows (no CD) and ran OTL. I attached the log from that OTL scan in this post.

Then I ran Anti-Malware and it removed dozens of infected files, but said it couldn't remove two of them. I clicked OK and restarted like you said. I attached the log from the Anti-Malware scan here.

OTL logfile created on: 1/30/2010 1:25:30 PM - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\Jeff\Desktop\help
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 59.35 Gb Free Space | 31.86% Space Free | Partition Type: NTFS
Drive D: | 372.61 Gb Total Space | 92.79 Gb Free Space | 24.90% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CEDARMILL
Current User Name: Jeff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/29 15:42:24 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\help\OTL.exe
PRC - [2010/01/29 14:55:48 | 00,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/01/29 14:55:47 | 01,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/12/22 01:57:28 | 00,035,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
PRC - [2009/07/29 12:23:36 | 00,876,544 | ---- | M] () -- C:\Program Files\5-Day Forecast\5-Day Forecast\5-day forecast.exe
PRC - [2009/05/28 16:00:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/05/28 16:00:05 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/02/18 23:33:08 | 00,809,488 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/02/18 23:28:52 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2009/02/03 23:41:55 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/09/19 07:30:34 | 03,674,112 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
PRC - [2008/09/19 03:03:58 | 00,065,536 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
PRC - [2007/09/26 17:05:58 | 00,734,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
PRC - [2007/07/16 10:58:02 | 01,524,512 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2006/06/30 21:56:08 | 00,065,536 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2004/08/04 14:00:00 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 14:00:00 | 00,034,816 | ---- | M] (Netopsystems AG) -- C:\WINDOWS\system32\PeerSvc.exe
PRC - [2004/08/04 14:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe


========== Modules (SafeList) ==========

MOD - [2010/01/29 15:42:24 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\help\OTL.exe
MOD - [2009/02/18 23:31:16 | 00,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2006/12/01 22:54:32 | 00,626,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
MOD - [2004/08/04 14:00:00 | 01,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/29 14:55:47 | 01,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/05/28 16:00:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/02/18 23:30:20 | 00,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/02/03 23:41:55 | 00,602,112 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/02/03 21:05:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2008/09/19 03:03:58 | 00,065,536 | ---- | M] (PostgreSQL Global Development Group) [Auto | Running] -- C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe -- (pgsql-8.3)
SRV - [2007/07/16 10:58:02 | 01,524,512 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/10/26 23:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2006/10/26 18:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/06/30 21:56:08 | 00,065,536 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2004/08/04 14:00:00 | 00,038,912 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\BtwSvc.dll -- (BtwSvc)
SRV - [2004/08/04 14:00:00 | 00,034,816 | ---- | M] (Netopsystems AG) [Auto | Running] -- C:\WINDOWS\system32\PeerSvc.exe -- (peersvc)


========== Driver Services (SafeList) ==========

DRV - [2009/12/02 08:19:06 | 00,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/02/04 02:27:21 | 03,488,768 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/12/18 22:44:00 | 00,028,816 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2008/12/18 22:43:48 | 00,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/12/18 22:43:40 | 00,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/12/18 22:43:18 | 00,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2008/12/18 22:43:06 | 00,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2008/08/20 12:58:58 | 00,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/03/06 10:51:14 | 00,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2007/07/16 10:57:12 | 00,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/03/01 17:27:26 | 04,484,608 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/02/26 17:15:22 | 00,061,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21)
DRV - [2007/01/31 12:45:06 | 00,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 14:28:02 | 00,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/10/12 15:07:12 | 00,874,240 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -- (iaStor)
DRV - [2005/07/20 08:35:00 | 00,240,384 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/01/26 08:22:20 | 00,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2005/01/07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2005/01/07 17:07:16 | 00,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HdAudio.sys -- (HdAudAddService)
DRV - [2004/08/04 14:00:00 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/04 14:00:00 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2004/08/04 14:00:00 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2004/08/04 14:00:00 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2004/08/04 14:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2004/08/04 14:00:00 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2004/08/04 14:00:00 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2004/08/04 14:00:00 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2004/08/04 14:00:00 | 00,027,440 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2004/08/04 14:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2004/08/04 14:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2004/08/04 14:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 14:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2004/08/04 14:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2004/08/04 14:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2004/08/04 14:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2004/08/04 14:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2004/08/03 18:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/03 18:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2001/08/17 07:10:58 | 00,069,692 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el575ND5.sys -- (el575nd5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "https://mail.google....orjobs.asp?x=x"
FF - prefs.js..extensions.enabledItems: [email protected]:3.1.2
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20091209.4
FF - prefs.js..extensions.enabledItems: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}:6.3.1.1
FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:3.6.2
FF - prefs.js..extensions.enabledItems: {8ED61C25-90CA-4307-9725-32ED83C514F3}:1.9.1

FF - HKLM\software\mozilla\Firefox\extensions\\{8ED61C25-90CA-4307-9725-32ED83C514F3}: C:\Documents and Settings\Jeff\Local Settings\Application Data\{8ED61C25-90CA-4307-9725-32ED83C514F3} [2010/01/29 00:50:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/25 23:03:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/26 22:22:13 | 00,000,000 | ---D | M]

[2009/03/15 16:48:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Extensions
[2010/01/29 18:04:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\gjh72pj9.default\extensions
[2010/01/03 17:34:32 | 00,000,000 | ---D | M] (iMacros for Firefox) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\gjh72pj9.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
[2009/12/15 07:00:20 | 00,000,000 | ---D | M] (ReloadEvery) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\gjh72pj9.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2010/01/25 22:49:51 | 00,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\gjh72pj9.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/01/26 14:47:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\gjh72pj9.default\extensions\[email protected]
[2010/01/29 18:04:02 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 14:00:00 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [5-Day Forecast] C:\Program Files\5-Day Forecast\5-Day Forecast\5-Day Forecast.exe ()
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HDAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [XboxStat] C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/06 19:38:36 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/01/30 12:30:40 | 00,000,057 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/01/30 12:30:40 | 00,000,057 | RHS- | M] () - D:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{4220685e-0ccb-11df-9b8e-001676491453}\Shell - "" = AutoRun
O33 - MountPoints2\{4220685e-0ccb-11df-9b8e-001676491453}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4220685e-0ccb-11df-9b8e-001676491453}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/30 13:20:40 | 00,000,000 | ---D | C] -- C:\_OTL
[2010/01/30 11:06:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/01/30 10:07:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Desktop\help
[2010/01/30 09:58:27 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/30 09:58:25 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/30 09:58:25 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/29 14:56:18 | 00,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/01/29 14:46:04 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/01/29 14:45:50 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/01/29 14:45:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/01/29 14:05:23 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/29 13:52:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/29 00:50:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Local Settings\Application Data\{8ED61C25-90CA-4307-9725-32ED83C514F3}
[2010/01/29 00:48:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/26 22:22:00 | 00,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/01/26 22:21:50 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2010/01/26 15:24:47 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Jeff\Application Data\S85-28348346-UIT83-G3-72366-GDSG-1732735
[2010/01/03 17:02:38 | 00,000,000 | ---D | C] -- C:\Program Files\5-Day Forecast
[2010/01/03 17:02:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Local Settings\Application Data\5-Day Forecast
[2010/01/03 17:02:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\5-Day Forecast
[2009/08/29 17:51:58 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/29 17:51:58 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/30 13:25:23 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/30 13:25:23 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/30 13:25:23 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/30 13:25:22 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/30 13:25:22 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/30 13:24:19 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/30 13:24:16 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/30 13:24:13 | 16,082,69824 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/30 13:22:52 | 04,194,304 | -H-- | M] () -- C:\Documents and Settings\Jeff\NTUSER.DAT
[2010/01/30 12:31:09 | 00,046,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\4DW4R3.sys
[2010/01/30 12:31:09 | 00,028,160 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3c.dll
[2010/01/30 12:30:47 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Jeff\ntuser.ini
[2010/01/30 12:30:40 | 00,000,057 | RHS- | M] () -- C:\autorun.inf
[2010/01/30 12:25:09 | 00,000,053 | ---- | M] () -- C:\WINDOWS\System32\4DW4R3sv.dat
[2010/01/30 11:14:23 | 00,475,154 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/30 11:14:23 | 00,404,298 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/30 11:14:23 | 00,063,392 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/30 11:13:37 | 00,020,000 | ---- | M] () -- C:\WINDOWS\System32\vr6i0.dll
[2010/01/29 14:56:07 | 00,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/01/29 14:46:03 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/01/29 13:53:53 | 00,097,280 | RHS- | M] () -- C:\mvmdh.exe
[2010/01/28 19:25:54 | 00,086,016 | ---- | M] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/28 18:34:04 | 00,034,076 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\iambusy.xlsx
[2010/01/25 23:03:23 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/01/23 22:23:47 | 00,000,124 | ---- | M] () -- C:\Documents and Settings\Jeff\webct_upload_applet.properties
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/30 11:13:37 | 00,020,000 | ---- | C] () -- C:\WINDOWS\System32\vr6i0.dll
[2010/01/29 15:27:46 | 00,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/01/29 14:56:56 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/29 14:56:56 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/29 14:56:56 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/29 14:56:56 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/29 14:56:56 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/29 14:46:03 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/01/29 13:54:19 | 00,097,280 | RHS- | C] () -- C:\mvmdh.exe
[2010/01/29 06:57:33 | 00,046,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\4DW4R3.sys
[2010/01/29 06:57:33 | 00,028,160 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3c.dll
[2010/01/29 06:43:34 | 00,000,053 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3sv.dat
[2010/01/23 22:23:47 | 00,000,124 | ---- | C] () -- C:\Documents and Settings\Jeff\webct_upload_applet.properties
[2009/08/29 17:41:11 | 00,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2009/06/10 20:53:46 | 00,004,987 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ojvzdisj.xda
[2009/03/17 13:55:46 | 00,086,016 | ---- | C] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/15 18:41:20 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2009/03/15 18:39:13 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2007/07/16 10:58:10 | 00,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/07/16 10:58:00 | 00,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006/07/01 01:01:25 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/05/06 19:24:27 | 00,000,431 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2006/05/06 19:24:27 | 00,000,358 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/08/04 14:00:00 | 00,038,912 | ---- | C] () -- C:\WINDOWS\System32\BtwSvc.dll
[2004/08/04 14:00:00 | 00,000,003 | ---- | C] () -- C:\WINDOWS\System32\FInstall.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8CEFE51A
< End of report >

Edited by Essexboy, 30 January 2010 - 12:48 PM.

  • 0
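As an added example (my own code, not part of this thread, OTS or any other tool named here), a small Python triage helper for the OTS report format shown above: it parses the `[date | size | attrs | C/M] (Company) -- path` file entries and the `@Alternate Data Stream` line, and flags the patterns a helper reads first in such a log (hidden+system files in the drive root, fresh System32 files with no company name, any alternate data stream). The heuristics and the seven-day window are my assumptions, not OTS rules, and the sample lines are copied from the log above.

```python
import re
from datetime import datetime, timedelta
# OTS file lines: [YYYY/MM/DD hh:mm:ss | size | attrs | C/M] (Company) -- path ; (Company) is absent in folder sections.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

def parse_entry(line):
    """Parse one OTS file line into a dict, or return None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
    e["size"] = int(e["size"].replace(",", ""))
    e["company"] = e["company"] or ""  # group is None when the field is absent
    return e

def triage_entry(e, now, window=timedelta(days=7)):
    """Heuristic reasons an entry deserves a closer look: leads for the helper, not verdicts (assumed thresholds)."""
    reasons, p, a = [], e["path"].lower(), e["attr"]
    recent = now - e["ts"] <= window
    if "H" in a and "S" in a and re.fullmatch(r"[a-z]:\\[^\\]+", p):
        reasons.append("hidden+system file in drive root")  # autorun.inf / dropper pattern
    if recent and not e["company"] and p.startswith("c:\\windows\\system32\\") and p.endswith((".sys", ".dll", ".exe", ".dat")):
        reasons.append("recent System32 file with no company name")  # e.g. the 4DW4R3* set
    return reasons

def triage_log(lines, now):
    """Map each flagged path to its reasons; every alternate data stream is listed."""
    flagged = {}
    for line in lines:
        ads = ADS_RE.match(line.strip())
        if ads:
            flagged[ads["path"]] = ["alternate data stream attached"]
            continue
        e = parse_entry(line)
        reasons = triage_entry(e, now) if e else []
        if reasons:
            flagged[e["path"]] = reasons
    return flagged

# Sample input: lines copied from the OTS log above, with the report's own time used as "now".
SAMPLE = """\
[2010/01/30 12:31:09 | 00,046,592 | ---- | M] () -- C:\\WINDOWS\\System32\\drivers\\4DW4R3.sys
[2010/01/30 12:30:40 | 00,000,057 | RHS- | M] () -- C:\\autorun.inf
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\\WINDOWS\\System32\\drivers\\mbam.sys
@Alternate Data Stream - 152 bytes -> C:\\Documents and Settings\\All Users\\Application Data\\TEMP:8CEFE51A
""".splitlines()
SAMPLE_NOW = datetime(2010, 1, 30, 13, 0, 0)
```

Calling `triage_log(SAMPLE, SAMPLE_NOW)` flags the driver, the root `autorun.inf` and the ADS, and leaves the signed Malwarebytes driver alone.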

#15
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, one of the rootkits is hanging on for grim death - let's push it over the edge :)

On completion of this run can you let me know of any problems

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0