Help Needed Removal of Zwangi-BE


#1
MiltonHolmes
Hello Geeks, I need help with two problems which may turn out to be one:

First, and I think most important: a boot scan by Avast revealed that scanquery.dll is infected by win32:Zwangi-BE. The full message (and I can't cut and paste the log because despite the directions I can't find the darn thing on my machine, it just doesn't appear where it says it is) is
File C:\WINDOWS\Temp\nsh21.tmp\scanquery.dll is infected by win32:Zwangi-BE [Adw]

Second, the other message is File C:\WINDOWS\system\RCDSETUP.EXE|>%sys\ocxsetup.ws4 Error 42125 {installerarchive is corrupted.}

I don't know if these problems are related.

I have not had a virus in over 10 years so I'm a bit rattled. My wife wanted to watch an episode of Fringe online. I sent her to fox.com and she played a while and eventually said, "I need to download Xvid, is it OK?" I didn't realize she had navigated away from fox.com and I was watching something else on TV, so I didn't give her my full attention and just said sure...d'oh.

As far as my computer proficiency is concerned, I am a mostly self-taught programmer. I can do basic programming in Java, C++ and other languages, but I never bothered to learn much about other techie things except what I needed to complete current projects (kinda weird I know, but that's where I am...), so I have only a rudimentary understanding of Windows and networking. Let's just say I know enough to know that I don't know enough and need help in this area; that's why I am asking, but I will be able to understand and follow your instructions.

Here is the OTL log:

OTL logfile created on: 10/04/2011 2:12:46 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Jim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

238.00 Mb Total Physical Memory | 62.00 Mb Available Physical Memory | 26.00% Memory free
586.00 Mb Paging File | 304.00 Mb Available in Paging File | 52.00% Paging File free
Paging file location(s): C:\pagefile.sys 360 720 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 17.07 Gb Total Space | 4.16 Gb Free Space | 24.36% Space Free | Partition Type: FAT32
Drive D: | 17.24 Gb Total Space | 17.24 Gb Free Space | 99.98% Space Free | Partition Type: FAT32

Computer Name: ANDERSON1 | User Name: Jim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/10 14:12:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
PRC - [2011/02/23 10:04:20 | 003,451,496 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/02/23 10:04:20 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/04/13 20:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/16 15:17:20 | 001,287,168 | ---- | M] (OSA Technologies Inc.) -- C:\Acer\eManager\anbmServ.exe
PRC - [2004/07/30 11:30:06 | 000,319,488 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\QtZgAcer.EXE
PRC - [2004/07/14 14:19:00 | 000,151,552 | ---- | M] (Acer Value Labs, USA) -- C:\Acer\ePM\EPM-DM.exe
PRC - [2004/05/20 19:57:30 | 000,098,304 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe


========== Modules (SafeList) ==========

MOD - [2011/04/10 14:12:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2004/05/20 19:57:24 | 000,066,048 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/02/23 10:04:20 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2004/08/16 15:17:20 | 001,287,168 | ---- | M] (OSA Technologies Inc.) [Auto | Running] -- C:\Acer\eManager\anbmServ.exe -- (anbmService)
SRV - [2004/02/20 15:04:24 | 000,421,888 | ---- | M] (Lexmark International, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxbscoms.exe -- (lxbs_device)


========== Driver Services (SafeList) ==========

DRV - [2011/02/23 09:56:56 | 000,371,544 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/02/23 09:56:46 | 000,301,528 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/02/23 09:55:50 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/02/23 09:55:48 | 000,102,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/02/23 09:55:10 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/02/23 09:54:58 | 000,030,680 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/02/23 09:54:56 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2008/04/13 14:36:34 | 000,016,000 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smbbatt.sys -- (SMBBATT)
DRV - [2004/08/20 00:41:46 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/08/14 20:59:00 | 000,078,208 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-shd.sys -- (EpmShd)
DRV - [2004/07/19 13:10:00 | 000,004,096 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-psd.sys -- (EpmPsd)
DRV - [2004/06/01 11:50:50 | 000,004,054 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\osanbm.sys -- (osanbm)
DRV - [2004/05/26 10:07:30 | 000,067,584 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2004/05/15 22:41:40 | 000,745,984 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/04/30 05:10:06 | 000,274,688 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camchal.sys -- (CAMCHALA)
DRV - [2004/04/30 05:09:20 | 000,292,352 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camcaud.sys -- (CAMCAUD)
DRV - [2004/03/30 08:23:42 | 000,140,288 | ---- | M] (Inprocomm, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\i2220ntx.sys -- (IPN2220)
DRV - [2004/03/11 02:40:28 | 000,199,552 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/03/11 02:37:26 | 000,682,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/03/11 02:35:48 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/09/27 01:41:12 | 000,044,032 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/05/23 01:47:12 | 000,175,360 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2001/08/17 13:57:56 | 000,006,784 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\smbhc.sys -- (SMBHC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (CIEDownload Object) - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\Notebook Software\NotebookPlugin.dll (SMART Technologies ULC.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll ()
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll ()
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [EPM-DM] c:\Acer\ePM\EPM-DM.exe (Acer Value Labs, USA)
O4 - HKLM..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe (Acer Value Labs, Taiwan)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LaunchApp] C:\WINDOWS\Alaunch.exe (Acer Inc.)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE (Dritek System Inc.)
O4 - HKLM..\Run: [LXBSCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.DLL (Lexmark International, Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_24.dll (Sun Microsystems, Inc.)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} http://www.dcdsb.ca/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/30 13:39:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\Shell - "" = AutoRun
O33 - MountPoints2\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\Shell\AutoRun\command - "" = F:\LaunchU3.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/10 14:11:48 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
[2011/04/07 21:16:08 | 000,000,000 | -HSD | C] -- C:\FOUND.002
[2011/04/01 21:28:09 | 000,000,000 | ---D | C] -- C:\Program Files\ScanQuery
[2011/04/01 21:28:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ScanQuery
[2011/03/22 20:42:48 | 000,000,000 | -HSD | C] -- C:\FOUND.001
[2011/03/21 09:12:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/10 14:12:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
[2011/04/10 13:56:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/10 13:38:44 | 250,073,088 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/10 13:37:48 | 000,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2011/04/10 08:35:22 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{58DDF41F-4C1F-4A06-A597-86C0AF76D342}.job
[2011/04/06 08:38:34 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/23 21:33:28 | 000,032,376 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\wklnhst.dat
[2011/03/23 08:37:38 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\Microsoft Word.lnk
[2011/03/20 16:12:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/18 13:50:04 | 000,329,096 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/14 10:46:52 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/09 09:53:48 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\lxbsih.exe
[2010/09/09 09:53:48 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbsvs.dll
[2010/09/09 09:53:48 | 000,001,456 | ---- | C] () -- C:\WINDOWS\System32\lxbsprod.ini
[2009/09/30 10:25:35 | 000,000,317 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\turing_files.ini
[2009/09/21 21:29:38 | 000,000,051 | ---- | C] () -- C:\WINDOWS\rblky.sys
[2008/03/14 00:53:22 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\JPeg32.dll
[2007/10/11 11:22:58 | 000,003,501 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\evpro32.prf
[2007/10/11 10:36:05 | 000,001,020 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\evmanage.prf
[2007/09/19 12:36:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2007/09/14 13:47:08 | 000,037,027 | ---- | C] () -- C:\WINDOWS\atmoUn.exe
[2007/03/15 12:47:48 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\BuEResNT.dll
[2006/08/09 16:17:05 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
[2006/01/11 21:18:25 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2006/01/03 21:57:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/12/29 09:15:10 | 000,032,376 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\wklnhst.dat
[2004/12/29 08:52:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/30 14:03:14 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/30 13:57:35 | 000,000,012 | ---- | C] () -- C:\WINDOWS\bthservsdp.dat
[2004/08/30 13:55:50 | 000,000,033 | ---- | C] () -- C:\WINDOWS\Acer.ini
[2004/08/30 13:55:49 | 000,000,321 | ---- | C] () -- C:\WINDOWS\uninstall.ini
[2004/08/30 13:55:49 | 000,000,225 | ---- | C] () -- C:\WINDOWS\FlashSaver.dat
[2004/08/30 13:55:26 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\ntiembed.dll
[2004/08/30 13:54:11 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2004/08/30 13:54:11 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK32.dll
[2004/08/30 13:49:45 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2004/08/30 13:43:44 | 000,037,684 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/30 13:43:43 | 000,032,768 | ---- | C] () -- C:\WINDOWS\AMOVE.EXE
[2004/08/30 13:42:24 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/30 13:37:27 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/30 13:36:22 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/30 13:32:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/30 13:31:32 | 000,329,096 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2001/12/26 16:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/03 23:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 16:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 22:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[1998/10/11 00:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll
[1980/01/01 00:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[1980/01/01 00:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[1980/01/01 00:00:00 | 000,589,824 | ---- | C] () -- C:\WINDOWS\ANTIV.EXE
[1980/01/01 00:00:00 | 000,376,832 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[1980/01/01 00:00:00 | 000,313,514 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[1980/01/01 00:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[1980/01/01 00:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[1980/01/01 00:00:00 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[1980/01/01 00:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[1980/01/01 00:00:00 | 000,041,066 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[1980/01/01 00:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[1980/01/01 00:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[1980/01/01 00:00:00 | 000,004,524 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[1980/01/01 00:00:00 | 000,002,134 | ---- | C] () -- C:\WINDOWS\ANTIV.INI
[1980/01/01 00:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[1980/01/01 00:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1980/01/01 00:00:00 | 000,000,093 | ---- | C] () -- C:\WINDOWS\ALAUNCH.INI

========== LOP Check ==========

[2006/08/09 15:36:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
[2006/08/09 16:17:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
[2006/08/09 16:17:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
[2007/09/14 13:47:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/09/10 08:35:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SMART Technologies
[2010/09/14 10:47:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011/04/01 21:28:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanQuery
[2006/08/09 15:37:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Nikon
[2006/08/09 16:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\pictmotion Technologies
[2010/09/10 08:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\SMART Technologies Inc
[2011/04/10 08:35:22 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{58DDF41F-4C1F-4A06-A597-86C0AF76D342}.job

========== Purity Check ==========



< End of report >

Here is the OTL Extras if it helps:

OTL Extras logfile created on: 10/04/2011 2:12:46 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Jim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

238.00 Mb Total Physical Memory | 62.00 Mb Available Physical Memory | 26.00% Memory free
586.00 Mb Paging File | 304.00 Mb Available in Paging File | 52.00% Paging File free
Paging file location(s): C:\pagefile.sys 360 720 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 17.07 Gb Total Space | 4.16 Gb Free Space | 24.36% Space Free | Partition Type: FAT32
Drive D: | 17.24 Gb Total Space | 17.24 Gb Free Space | 99.98% Space Free | Partition Type: FAT32

Computer Name: ANDERSON1 | User Name: Jim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05410044-64A6-4248-A026-9745C1E9E159}" = Microsoft Encarta Encyclopedia Standard 2005
"{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD}" = QuickTime
"{1BF7D613-9EED-487C-AF57-3FA070D7BFC7}" = Turing
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{23C7348E-131C-4BFF-9763-2C804D6B87AE}" = TIxx21/x515
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 24
"{32A3A4F4-B792-11D6-A78A-00B0D0150040}" = J2SE Development Kit 5.0 Update 4
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}" = Macromedia Flash MX
"{3F262ADC-5AD2-48E5-A586-44315E04A9E2}" = Microsoft Picture It! Library 10
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{42756145-9997-4D28-809B-8756BFD00106}" = Microsoft Picture It! Premium 10
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D826618-59C6-11D4-976E-00C04F8EEB39}" = Macromedia FreeHand 10
"{4E68EAA3-775A-4542-A08A-47DB8E8E74A6}" = NTI Backup NOW! 3
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePowerManagement
"{67E4EE98-59F4-4210-89A6-A20AF5BEC689}" = Microsoft Streets and Trips 2005
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{754DFFFD-91E2-4983-AB99-7A4D85AA7921}" = MarkBook 2010 - DCDSB
"{827289F5-B44F-4E49-9993-840741585A62}" = Acer eManager for Notebook
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{930B2432-43D4-11D5-9871-00C04F8EEB39}" = Macromedia Fireworks MX
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A5F68DC8-0278-4AD8-B413-861509B5F25B}" = ArcSoft Panorama Maker 3
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.6
"{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778}" = NTI CD & DVD-Maker
"{CB54ABA8-D67F-47AD-A76C-2631BADA9FE5}" = Microsoft Works Suite Add-in for Microsoft Word
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{DE1AF137-C455-494A-A817-EFE44BCCFDEE}" = Works Upgrade
"{EECDDEA0-DB76-4488-8E52-0EF1DF63700A}" = Microsoft IntelliPoint 5.4
"{F581DF68-CAE9-4064-A6CD-705D95D1C756}" = Notebook Software
"{FF3999BE-1A7B-4738-88AA-97BF14094A4A}" = PictureProject
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"avast" = avast! Free Antivirus
"ClassicCard" = Parker Brothers Classic Card Games
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_00641025" = SoftV92 Data Fax Modem with SmartCP
"Conexant PCI Audio" = Conexant AC-Link Audio
"ExamView Pro" = ExamView Assessment Suite
"ie8" = Windows Internet Explorer 8
"InstallShield_{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD}" = QuickTime
"InstallShield_{23C7348E-131C-4BFF-9763-2C804D6B87AE}" = Texas Instruments PCIxx21/x515 drivers.
"InstallShield_{4E68EAA3-775A-4542-A08A-47DB8E8E74A6}" = NTI Backup NOW! 3
"InstallShield_{827289F5-B44F-4E49-9993-840741585A62}" = Acer eManager for Notebook
"InstallShield_{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778}" = NTI CD & DVD-Maker Gold
"InterActual Player" = InterActual Player
"jGRASP" = jGRASP
"Lexmark 810 Series" = Lexmark 810 Series
"LManager" = Launch Manager
"Money2005b" = Microsoft Money 2005
"PCFriendly" = PCFriendly
"PictureItPrem_v10" = Microsoft Picture It! Premium 10
"ScanQuery" = ScanQuery 1.0 build 115 powered by FIRST SEARCHBAR
"Shockwave" = Shockwave
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Windows XP Service Pack" = Windows XP Service Pack 3
"Works2005Setup" = Microsoft Works 2005 Setup Launcher

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 18/09/2009 5:27:21 PM | Computer Name = ANDERSON1 | Source = avast! | ID = 33554522
Description =

Error - 18/09/2009 5:27:21 PM | Computer Name = ANDERSON1 | Source = avast! | ID = 33554522
Description =

[ Application Events ]
Error - 17/04/2007 10:40:57 PM | Computer Name = ANDERSON1 | Source = Application Error | ID = 1000
Description = Faulting application freecell.exe, version 5.1.2600.0, faulting module
cards.dll, version 5.1.2600.0, fault address 0x00001294.

[ System Events ]
Error - 05/03/2011 4:03:12 PM | Computer Name = ANDERSON1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 05/03/2011 4:03:12 PM | Computer Name = ANDERSON1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 05/03/2011 4:03:12 PM | Computer Name = ANDERSON1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 05/03/2011 4:03:12 PM | Computer Name = ANDERSON1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 05/03/2011 4:03:12 PM | Computer Name = ANDERSON1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 05/03/2011 4:03:12 PM | Computer Name = ANDERSON1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 05/03/2011 4:03:12 PM | Computer Name = ANDERSON1 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 18/03/2011 2:21:43 PM | Computer Name = ANDERSON1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 18/03/2011 2:21:43 PM | Computer Name = ANDERSON1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 20/03/2011 12:01:43 PM | Computer Name = ANDERSON1 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.101 for the Network Card with network
address 000E9B595698 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >

Thanks in advance for your assistance,
Regards,
Milton Holmes
#2
SpySentinel (R.I.P., Retired Staff, 5,152 posts)
Hi Milton Holmes,

Welcome to Geeks to Go! My name is SpySentinel and I will be helping you fix your malware problem.
Sorry for the delay, we have been very busy lately, and I apologize for your wait.


Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O33 - MountPoints2\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\Shell - "" = AutoRun
    O33 - MountPoints2\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\Shell\AutoRun\command - "" = F:\LaunchU3.exe
    [2007/09/14 13:47:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done

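The OTL fix above removes the AutoRun policy values (the O6 and O7 lines) and a USB device's recorded MountPoints2 AutoRun command (the O33 lines). As an added example, not part of this thread or of OTL, here is a read-only PowerShell audit of those same registry locations; it assumes Windows PowerShell 2.0 or later and changes nothing.

```powershell
# Added example, not from the thread or from OTL: read-only audit of the AutoRun
# policy and the per-device MountPoints2 AutoRun commands that the O6/O7/O33 lines
# in the fix above refer to. Assumes Windows PowerShell 2.0 or later.

# Bit flags of NoDriveTypeAutoRun: a set bit disables AutoRun for that drive type.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown' },
    @{ Bit = 0x04; Name = 'Removable' },
    @{ Bit = 0x08; Name = 'Fixed' },
    @{ Bit = 0x10; Name = 'Network' },
    @{ Bit = 0x20; Name = 'CD-ROM' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Reserved' }
)

# Drive types on which AutoRun is still allowed for a given NoDriveTypeAutoRun value.
# 145 (0x91, the value in the O7 line above) leaves Removable, Fixed, CD-ROM and
# RAM disk enabled; 255 (0xFF) disables AutoRun on every drive type.
function Get-AutoRunEnabledTypes([int]$Value) {
    $DriveTypeBits | Where-Object { ($Value -band $_.Bit) -eq 0 } | ForEach-Object { $_.Name }
}

function Get-AutoRunPolicy {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
    )
    foreach ($path in $paths) {
        # -ErrorAction SilentlyContinue yields nothing when the key or value is absent.
        $nd = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $ho = Get-ItemProperty -Path $path -Name HonorAutoRunSetting -ErrorAction SilentlyContinue
        $value = $null
        if ($nd) { $value = [int]$nd.NoDriveTypeAutoRun }
        $honor = $null
        if ($ho) { $honor = [int]$ho.HonorAutoRunSetting }
        $enabled = 'policy not set'
        if ($value -ne $null) {
            $enabled = @(Get-AutoRunEnabledTypes $value)
            if ($enabled.Count -eq 0) { $enabled = 'none' }
        }
        New-Object PSObject -Property @{
            Hive                = $path.Substring(0, 4)
            NoDriveTypeAutoRun  = $value
            HonorAutoRunSetting = $honor
            AutoRunStillAllowed = ($enabled -join ', ')
        }
    }
}

# Each MountPoints2 subkey is a device Windows has mounted; a Shell\AutoRun\command
# value under it records what Explorer would launch for that device (the O33 lines
# above point at F:\LaunchU3.exe).
function Get-MountPointAutoRun {
    $base = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = Join-Path $base ($_.PSChildName + '\Shell\AutoRun\command')
        if (Test-Path $cmdKey) {
            New-Object PSObject -Property @{
                Device  = $_.PSChildName
                Command = (Get-ItemProperty -Path $cmdKey).'(default)'
            }
        }
    }
}

Get-AutoRunPolicy | Format-Table Hive, NoDriveTypeAutoRun, HonorAutoRunSetting, AutoRunStillAllowed -AutoSize
Get-MountPointAutoRun | Format-Table Device, Command -AutoSize
```

Any device row whose Command points at an executable on a removable drive is worth comparing against the O33 entries in the OTL log before deciding what to remove.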

#3
MiltonHolmes (Topic Starter)
Thank you very much SpySentinel. No worries about the time, I just appreciate the help. I did what you asked. Below is the result. Let me know what is next.

Thanks,
Milton

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\HonorAutoRunSetting deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48dffa71-eae4-11dc-93ea-ea4685ec2054}\ not found.
File F:\LaunchU3.exe not found.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\UserShell\AOL9 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\UserShell folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint folder moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 1397009 bytes

User: Jim
->Temp folder emptied: 130436729 bytes
->Temporary Internet Files folder emptied: 119504155 bytes
->Java cache emptied: 20866718 bytes
->Flash cache emptied: 2928693 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3485355 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 62464 bytes

Total Files Cleaned = 266.00 mb


[EMPTYFLASH]

User: Default User

User: All Users

User: NetworkService

User: LocalService

User: Jim
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.3 log created on 04192011_221005

Files\Folders moved on Reboot...
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\BOSIK8RJ\emily[1].html moved successfully.
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\2XWWIQA4\Mississauga,+ON[1].htm moved successfully.
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\2XWWIQA4\grab[1].cur moved successfully.
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\2XWWIQA4\xd_proxy[1].htm moved successfully.
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\034U8SPT\page__p__1994072__fromsearch__1[1].htm moved successfully.
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\BR1RP90P\widget_iframe_en_300x250_c411[1].htm moved successfully.
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\BR1RP90P\like[1].htm moved successfully.
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.
File\Folder C:\WINDOWS\temp\_avast_\Webshlock.txt not found!

Registry entries deleted on Reboot...

#4
SpySentinel
Hi Milton,

You're welcome :D


Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.





Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
You can refer to this animation by neomage if needed.

#5
MiltonHolmes (Topic Starter)
Hi again SpySentinel, I took care of those scans; here are the results:

First the Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6416

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

21/04/2011 9:00:37 PM
mbam-log-2011-04-21 (21-00-37).txt

Scan type: Quick scan
Objects scanned: 140699
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ScanQuery (Adware.ScanQuery) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScanQuery (Adware.ScanQuery) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCANQUERY_SERVICE (Adware.ScanQuery) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\scanquery (Adware.ScanQuery) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\scanquery (Adware.ScanQuery) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\scanquery\scanquery.exe (Adware.ScanQuery) -> Quarantined and deleted successfully.
c:\program files\scanquery\uninstall.exe (Adware.ScanQuery) -> Quarantined and deleted successfully.


And the ESET Online Scan:

C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP169\A0038830.exe a variant of Win32/Adware.OneStep.Y application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP169\A0038831.exe a variant of Win32/Adware.OneStep.Y application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP169\A0038864.dll a variant of Win32/Adware.OneStep.Z application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP169\A0038865.exe a variant of Win32/Adware.OneStep.Y application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP169\A0038866.dll a variant of Win32/Adware.OneStep.W application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP169\A0038867.exe a variant of Win32/Adware.OneStep.Y application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP169\A0038898.dll a variant of Win32/Adware.HotBar.J application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP169\A0038899.exe probably a variant of Win32/Adware.180Solutions application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP169\A0038900.dll probably a variant of Win32/Adware.HotBar.E application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP169\A0038902.exe probably a variant of Win32/Adware.HotBar.E application deleted - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP169\A0038913.exe a variant of Win32/Adware.OneStep.Y application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP174\A0041105.dll a variant of Win32/Adware.OneStep.Z application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP174\A0041107.dll a variant of Win32/Adware.Toolbar.Shopper.AB application cleaned by deleting - quarantined


Again, thanks. I await your further instructions.

Regards,
Milton Holmes

P.S. Once this issue is resolved I think I would like to apply for GeekU and see if I can help people out...I'll also pass this along to my programming students once (and if) I finish.

#6
SpySentinel
You're welcome! :D

P.S. Once this issue is resolved I think I would like to apply for GeekU and see if I can help people out...I'll also pass this along to my programming students once (and if) I finish.


GeekU is a great program and I encourage you to join after we are finished cleaning your system. I also went through the GeekU program quite some time ago, and enjoy helping members remove malware.



Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.



Please let me know how your system is running afterwards.

#7
MiltonHolmes (Topic Starter)
Hi SpySentinel, I didn't have much chance to work on my machine over the Easter weekend. So I ran TFC and also ran CCleaner to boot. Then I ran an Avast! boot scan and the news wasn't the best...

I still get:

File C:\WINDOWS\system\RCDSETUP.EXE|>%sys\ocxsetup.ws4 Error 42125 {installerarchive is corrupted.}

I also got a new one:

File C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP174\A0041106.exe|>$PLUGINSDIR\InstallerHelperPlugin.dll is infected by Win32:PUP-gen [PUP]

Avast could not fix these so I put them in what they call the Chest. So as far as I can tell they are contained but not removed. As for the installer archive corrupted...I don't know if that is something I need.
I'm not sure if I need to go further. I ideally would like them removed, but if we can't do that as long as they are contained I'm fine. What is your suggestion?


I've included two screenshots from Avast! so you can see what I'm talking about.

Thanks again,

I await your further ideas,
Milton
Attachments: Avast Report 2.JPG, Avast Report 1.JPG

#8
SpySentinel
When do you receive this error:

File C:\WINDOWS\system\RCDSETUP.EXE|>%sys\ocxsetup.ws4 Error 42125 {installerarchive is corrupted.}



#9
MiltonHolmes (Topic Starter)

When do you receive this error:

File C:\WINDOWS\system\RCDSETUP.EXE|>%sys\ocxsetup.ws4 Error 42125 {installerarchive is corrupted.}


I only receive this error when I do an Avast! boot-time scan.

#10
SpySentinel
Do you have the Windows XP CD by any chance?

#11
MiltonHolmes (Topic Starter)

Do you have the Windows XP CD by any chance?


No, sorry, I don't; the machine came from my father and was preloaded...

#12
SpySentinel
Click Start, then Run, type cmd in the Open box and click "Ok". At the command prompt, type the following, pressing "Enter" after each one: (Again, note the spaces in the commands.)

chkdsk /f /r c: (To manually run a full chkdsk operation)
Y (To accept having it run on the next boot)
exit (To close the command session)

#13
MiltonHolmes (Topic Starter)

Click Start, then Run, type cmd in the Open box and click "Ok". At the command prompt, type the following, pressing "Enter" after each one: (Again, note the spaces in the commands.)

chkdsk /f /r c: (To manually run a full chkdsk operation)
Y (To accept having it run on the next boot)
exit (To close the command session)


Hi Spy, I followed the instructions. I semi-watched it do its stuff, left for a bit, and when I returned Windows had booted and I was logged on... so I guess that means that there were no messages generated.

It may be coincidence, but I thought it worth mentioning: last night I was typing a document in Microsoft Word and it quit on me 3 times - I got an unexpected winword.exe error and it shut down. Word could not recover the document, so I retyped it, saving after every line or so...

Otherwise the machine seems to be running fine.

Do you have more ideas / suggestions?

Thanks,
Milton

#14
SpySentinel
Are you still having this issue?

#15
MiltonHolmes (Topic Starter)
No I only experienced it once. I tried to reproduce the error but couldn't. I really feel like I am monopolizing your time and attention.

I am concerned about the archive that Avast! tells me is corrupted and the now two viruses that are in Avast!'s Chest. Am I fine to leave them there?

When this started there was the corrupt archive and one virus; now I still have the corrupt archive but two viruses (bad timing I guess that you were involved, or maybe it came to light because you were involved; I don't know where the second one came from... I'm pretty sure I isolated where the first one was from, but afterwards we were surfing very safely). However, they seem to be contained, and this machine is rather old and a secondary machine; it is running as best it can. If you think I should just go merrily along status quo, that's fine. If you want to investigate further to 'beat' this, I'm good with that and will follow your instructions.

Let me know what you think.

Thanks,
Milton