Need help with: Trash.gen Trojan.Dropper.BCM [Solved]


  • This topic is locked This topic is locked

#1
Txman700

Txman700

    Member

  • Member
  • PipPip
  • 10 posts
Avira keeps finding Trash.gen and Malwarebytes keeps finding Trojan.Dropper.BCM...

Need some help for a super noob at computers, please...

Thank you.

Here is the OTL report:


OTL logfile created on: 12/12/2011 09:08:09 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = D:\Documents and Settings\winslow\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

3.00 Gb Total Physical Memory | 2.30 Gb Available Physical Memory | 76.78% Memory free
7.34 Gb Paging File | 6.67 Gb Available in Paging File | 90.82% Paging File free
Paging file location(s): D:\pagefile.sys 4605 4605 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 78.13 Gb Total Space | 78.05 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
Drive D: | 107.42 Gb Total Space | 80.28 Gb Free Space | 74.73% Space Free | Partition Type: NTFS

Computer Name: MAIN | User Name: winslow | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/12 21:07:36 | 000,584,192 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\winslow\desktop\OTL.exe
PRC - [2011/11/20 22:04:51 | 000,924,632 | ---- | M] (Mozilla Corporation) -- D:\Program Files\Mozilla Firefoxx\firefox.exe
PRC - [2011/11/20 22:04:51 | 000,016,856 | ---- | M] (Mozilla Corporation) -- D:\Program Files\Mozilla Firefoxx\plugin-container.exe
PRC - [2011/10/19 15:56:50 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- D:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/10/19 15:56:36 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- D:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/10/19 15:56:24 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2011/10/19 15:56:24 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- D:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/08/10 19:55:22 | 000,302,184 | ---- | M] () -- D:\Program Files\EVGA Precision\EVGAPrecision.exe
PRC - [2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/20 22:04:51 | 001,989,592 | ---- | M] () -- D:\Program Files\Mozilla Firefoxx\mozjs.dll
MOD - [2011/11/11 21:07:04 | 008,527,008 | ---- | M] () -- D:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/10/19 15:56:38 | 000,398,288 | ---- | M] () -- D:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2010/08/10 19:55:22 | 000,302,184 | ---- | M] () -- D:\Program Files\EVGA Precision\EVGAPrecision.exe
MOD - [2010/08/09 11:52:06 | 000,258,048 | ---- | M] () -- D:\Program Files\EVGA Precision\RTHAL.dll
MOD - [2010/08/09 11:51:58 | 000,229,376 | ---- | M] () -- D:\Program Files\EVGA Precision\RTCore.dll
MOD - [2010/08/09 11:51:54 | 000,139,264 | ---- | M] () -- D:\Program Files\EVGA Precision\RTUI.dll
MOD - [2010/08/09 11:51:50 | 000,061,440 | ---- | M] () -- D:\Program Files\EVGA Precision\RTFC.dll
MOD - [2009/11/14 12:11:32 | 000,024,576 | ---- | M] () -- D:\WINDOWS\system32\mkunicode.dll
MOD - [2009/01/10 16:15:44 | 000,159,744 | ---- | M] () -- D:\WINDOWS\system32\mmfinfo.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (RoxLiveShare9)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/10/19 15:56:36 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- D:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/10/19 15:56:24 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- D:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/09/02 03:09:59 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [On_Demand | Stopped] -- D:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/08/31 16:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/06/13 22:09:22 | 000,267,568 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Program Files\Microsoft Fix it Center\Matsvc.exe -- (MatSvc)
SRV - [2010/01/15 06:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- D:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)


========== Driver Services (SafeList) ==========

DRV - [2011/12/12 16:29:19 | 000,138,520 | ---- | M] () [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK)
DRV - [2011/12/08 15:29:18 | 000,134,856 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/10/19 15:56:50 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- D:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/10/19 15:56:50 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011/08/31 16:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- D:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/08/16 19:20:26 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/08/16 19:20:26 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/06/17 14:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/02/20 15:22:20 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- D:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/02/11 06:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/10/30 11:11:00 | 000,233,136 | ---- | M] (PC Tools) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\pctgntdi.sys -- (pctgntdi)
DRV - [2008/04/14 06:00:00 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- D:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/14 06:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- D:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2008/04/14 06:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- D:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2008/04/14 06:00:00 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/03/26 12:37:26 | 004,713,472 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/02/02 09:54:00 | 000,036,864 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2007/12/17 16:14:06 | 000,012,400 | R--- | M] () [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2005/10/20 14:00:04 | 000,243,328 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\RT2500.sys -- (RT2500)
DRV - [2005/05/25 13:39:06 | 000,004,608 | ---- | M] () [Kernel | On_Demand | Running] -- D:\Program Files\EVGA Precision\RTCore32.sys -- (RTCore32)
DRV - [2004/08/13 04:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 08 52 7A 84 BF AF CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: D:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: D:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: d:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: D:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: D:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: D:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: D:\Program Files\Mozilla Firefoxx\components [2011/12/12 15:48:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: D:\Program Files\Mozilla Firefoxx\plugins [2011/09/14 08:39:45 | 000,000,000 | ---D | M]

[2009/10/09 23:16:29 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\winslow\Application Data\Mozilla\Extensions
[2011/07/16 01:13:26 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\winslow\Application Data\Mozilla\Firefox\Profiles\cvqql2a2.default\extensions
[2010/05/06 05:46:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- D:\Documents and Settings\winslow\Application Data\Mozilla\Firefox\Profiles\cvqql2a2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

O1 HOSTS File: ([2011/09/20 21:49:59 | 000,437,605 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 15053 more lines...
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] D:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] D:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [EVGAPrecision] D:\Program Files\EVGA Precision\EVGAPrecision.exe ()
O4 - HKLM..\Run: [NvCplDaemon] D:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - D:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - D:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.updat...b?1314343435796 (MUCatalogWebControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1255153682171 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1256032599424 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadbl...ivex/sabspx.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.180.83.133 208.180.42.68
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{45F14FCD-A638-4FE6-AF97-FED8C08C4D5F}: DhcpNameServer = 208.180.83.133 208.180.42.68
O20 - HKLM Winlogon: Shell - (Explorer.exe) -D:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (D:\WINDOWS\system32\userinit.exe) -D:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
O20 - Winlogon\Notify\crypt32chain: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
O20 - Winlogon\Notify\cryptnet: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
O20 - Winlogon\Notify\cscdll: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
O20 - Winlogon\Notify\dimsntfy: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
O20 - Winlogon\Notify\ScCertProp: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
O20 - Winlogon\Notify\Schedule: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
O20 - Winlogon\Notify\sclgntfy: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
O20 - Winlogon\Notify\SensLogn: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
O20 - Winlogon\Notify\termsrv: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
O20 - Winlogon\Notify\wlballoon: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
O24 - Desktop WallPaper: D:\Documents and Settings\winslow\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: D:\Documents and Settings\winslow\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - D:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/09 22:01:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{b04bfd26-d24b-11de-a7ea-002215202f7d}\Shell - "" = AutoRun
O33 - MountPoints2\{b04bfd26-d24b-11de-a7ea-002215202f7d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b04bfd26-d24b-11de-a7ea-002215202f7d}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/12 21:10:21 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/12/12 21:07:35 | 000,584,192 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\winslow\Desktop\OTL.exe
[2011/12/12 16:24:59 | 000,000,000 | RH-D | C] -- D:\Documents and Settings\winslow\Recent
[2011/12/05 20:42:14 | 000,000,000 | ---D | C] -- D:\Program Files\Microsoft Calculator Plus
[2011/12/05 20:42:14 | 000,000,000 | ---D | C] -- D:\Documents and Settings\winslow\Start Menu\Programs\Microsoft Calculator Plus
[2011/11/30 18:28:47 | 000,000,000 | ---D | C] -- D:\Documents and Settings\winslow\Local Settings\Application Data\FixItCenter
[2011/11/30 18:26:00 | 000,000,000 | ---D | C] -- D:\Program Files\Microsoft Fix it Center
[2011/11/30 18:26:00 | 000,000,000 | ---D | C] -- D:\WINDOWS\MATS
[2011/11/30 18:23:01 | 000,000,000 | ---D | C] -- D:\Documents and Settings\winslow\Application Data\ElevatedDiagnostics
[2011/11/30 18:22:31 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell 1.0
[2011/11/30 18:22:25 | 000,000,000 | ---D | C] -- D:\WINDOWS\System32\windowspowershell
[2011/11/30 17:52:00 | 000,000,000 | -H-D | C] -- D:\WINDOWS\ie8
[3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2049/12/31 15:00:00 | 000,038,827 | R--- | M] () -- D:\Documents and Settings\winslow\My Documents\image004.jpg
[2011/12/12 21:07:36 | 000,584,192 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\winslow\Desktop\OTL.exe
[2011/12/12 16:29:19 | 000,138,520 | ---- | M] () -- D:\WINDOWS\System32\drivers\PnkBstrK.sys
[2011/12/12 16:28:55 | 000,234,536 | ---- | M] () -- D:\WINDOWS\System32\PnkBstrB.xtr
[2011/12/12 15:48:21 | 000,000,749 | ---- | M] () -- D:\Documents and Settings\winslow\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/12/12 15:48:21 | 000,000,731 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/12/12 15:28:54 | 000,436,026 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2011/12/12 15:28:54 | 000,068,796 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2011/12/12 15:24:09 | 000,013,646 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2011/12/12 15:24:05 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2011/12/10 17:05:01 | 000,000,284 | ---- | M] () -- D:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/12/09 19:54:19 | 000,002,571 | ---- | M] () -- D:\Documents and Settings\winslow\Desktop\Microsoft Calculator Plus.lnk
[2011/12/08 15:29:18 | 000,134,856 | ---- | M] (Avira GmbH) -- D:\WINDOWS\System32\drivers\avipbb.sys
[2011/12/03 22:32:20 | 000,002,497 | ---- | M] () -- D:\Documents and Settings\winslow\Desktop\Microsoft Office Word 2003.lnk
[2011/12/01 18:53:02 | 000,000,682 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/12/01 17:24:20 | 000,000,202 | ---- | M] () -- D:\WINDOWS\wininit.ini
[2011/11/30 18:26:02 | 000,000,720 | ---- | M] () -- D:\Documents and Settings\winslow\My Documents\Microsoft Fix it Center.lnk
[2011/11/30 17:56:15 | 000,000,815 | ---- | M] () -- D:\Documents and Settings\winslow\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/11/13 04:34:47 | 000,084,888 | ---- | M] () -- D:\Documents and Settings\winslow\My Documents\us with Ruthie.jpg
[3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/05 20:42:14 | 000,002,571 | ---- | C] () -- D:\Documents and Settings\winslow\Desktop\Microsoft Calculator Plus.lnk
[2011/11/30 18:26:02 | 000,000,726 | ---- | C] () -- D:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Fix it Center.lnk
[2011/11/30 18:26:02 | 000,000,720 | ---- | C] () -- D:\Documents and Settings\winslow\My Documents\Microsoft Fix it Center.lnk
[2011/11/13 04:34:47 | 000,084,888 | ---- | C] () -- D:\Documents and Settings\winslow\My Documents\us with Ruthie.jpg
[2011/08/06 00:56:17 | 000,024,576 | R--- | C] () -- D:\WINDOWS\System32\AsIO.dll
[2011/08/06 00:56:17 | 000,012,400 | R--- | C] () -- D:\WINDOWS\System32\drivers\AsIO.sys
[2010/10/04 12:28:53 | 000,000,097 | ---- | C] () -- D:\WINDOWS\System32\PICSDK.ini
[2010/10/04 12:28:52 | 000,073,220 | ---- | C] () -- D:\WINDOWS\System32\EPPICPrinterDB.dat
[2010/10/04 12:28:52 | 000,031,053 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern131.dat
[2010/10/04 12:28:52 | 000,029,114 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern1.dat
[2010/10/04 12:28:52 | 000,027,417 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern121.dat
[2010/10/04 12:28:52 | 000,021,021 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern3.dat
[2010/10/04 12:28:52 | 000,015,670 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern5.dat
[2010/10/04 12:28:52 | 000,013,280 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern2.dat
[2010/10/04 12:28:52 | 000,010,673 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern4.dat
[2010/10/04 12:28:52 | 000,004,943 | ---- | C] () -- D:\WINDOWS\System32\EPPICPattern6.dat
[2010/10/04 12:28:52 | 000,001,140 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_PT.dat
[2010/10/04 12:28:52 | 000,001,140 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_BP.dat
[2010/10/04 12:28:52 | 000,001,137 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_ES.dat
[2010/10/04 12:28:52 | 000,001,130 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_FR.dat
[2010/10/04 12:28:52 | 000,001,130 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_CF.dat
[2010/10/04 12:28:52 | 000,001,104 | ---- | C] () -- D:\WINDOWS\System32\EPPICPresetData_EN.dat
[2010/10/03 00:45:06 | 000,180,992 | ---- | C] () -- D:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/10/02 22:02:13 | 000,094,208 | ---- | C] () -- D:\WINDOWS\System32\GTW32N50.dll
[2010/08/25 23:43:09 | 000,233,952 | ---- | C] () -- D:\WINDOWS\System32\nvdrsdb0.bin
[2010/08/25 23:43:07 | 000,233,948 | ---- | C] () -- D:\WINDOWS\System32\nvdrsdb1.bin
[2010/08/25 23:43:07 | 000,000,001 | ---- | C] () -- D:\WINDOWS\System32\nvdrssel.bin
[2010/06/15 16:26:45 | 000,000,376 | ---- | C] () -- D:\WINDOWS\ODBC.INI
[2010/05/08 14:07:02 | 000,067,276 | -H-- | C] () -- D:\WINDOWS\System32\mlfcache.dat
[2010/05/05 23:19:24 | 002,195,030 | ---- | C] () -- D:\WINDOWS\System32\nvdata.bin
[2010/04/29 01:41:31 | 000,013,824 | ---- | C] () -- D:\Documents and Settings\winslow\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/04 11:48:45 | 002,434,856 | ---- | C] () -- D:\WINDOWS\System32\pbsvc_bc2.exe
[2010/04/03 02:09:57 | 000,000,202 | ---- | C] () -- D:\WINDOWS\wininit.ini
[2010/03/20 15:01:18 | 000,138,056 | ---- | C] () -- D:\Documents and Settings\winslow\Application Data\PnkBstrK.sys
[2010/03/20 15:00:49 | 000,000,319 | ---- | C] () -- D:\WINDOWS\game.ini
[2010/03/02 18:00:00 | 004,555,278 | ---- | C] () -- D:\WINDOWS\System32\libavcodec.dll
[2010/03/02 18:00:00 | 001,449,935 | ---- | C] () -- D:\WINDOWS\System32\ffmpegmt.dll
[2010/03/02 18:00:00 | 000,882,688 | ---- | C] () -- D:\WINDOWS\System32\xvidcore.dll
[2010/03/02 18:00:00 | 000,877,385 | ---- | C] () -- D:\WINDOWS\System32\ff_x264.dll
[2010/03/02 18:00:00 | 000,556,491 | ---- | C] () -- D:\WINDOWS\System32\libmplayer.dll
[2010/03/02 18:00:00 | 000,336,384 | ---- | C] () -- D:\WINDOWS\System32\ff_libfaad2.dll
[2010/03/02 18:00:00 | 000,324,096 | ---- | C] () -- D:\WINDOWS\System32\TomsMoComp_ff.dll
[2010/03/02 18:00:00 | 000,248,320 | ---- | C] () -- D:\WINDOWS\System32\ff_kernelDeint.dll
[2010/03/02 18:00:00 | 000,216,576 | ---- | C] () -- D:\WINDOWS\System32\ff_libdts.dll
[2010/03/02 18:00:00 | 000,169,984 | ---- | C] () -- D:\WINDOWS\System32\ff_samplerate.dll
[2010/03/02 18:00:00 | 000,151,552 | ---- | C] () -- D:\WINDOWS\System32\ff_libmad.dll
[2010/03/02 18:00:00 | 000,145,408 | ---- | C] () -- D:\WINDOWS\System32\libmpeg2_ff.dll
[2010/03/02 18:00:00 | 000,121,856 | ---- | C] () -- D:\WINDOWS\System32\ff_liba52.dll
[2010/03/02 18:00:00 | 000,116,736 | ---- | C] () -- D:\WINDOWS\System32\ff_tremor.dll
[2010/03/02 18:00:00 | 000,100,864 | ---- | C] () -- D:\WINDOWS\System32\ff_wmv9.dll
[2010/03/02 18:00:00 | 000,097,792 | ---- | C] () -- D:\WINDOWS\System32\ff_unrar.dll
[2010/03/02 18:00:00 | 000,085,504 | ---- | C] () -- D:\WINDOWS\System32\ff_vfw.dll
[2010/01/09 11:31:30 | 008,892,928 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\atscie.msi
[2009/11/30 21:06:18 | 000,767,952 | ---- | C] () -- D:\WINDOWS\BDTSupport.dll.old
[2009/11/28 09:35:20 | 000,000,256 | ---- | C] () -- D:\WINDOWS\System32\pool.bin
[2009/11/24 15:34:47 | 000,040,960 | ---- | C] () -- D:\WINDOWS\System32\IPPCPUID.DLL
[2009/11/24 15:34:34 | 000,011,776 | ---- | C] () -- D:\WINDOWS\System32\pmsbfn32.dll
[2009/11/14 12:37:08 | 000,154,112 | ---- | C] () -- D:\WINDOWS\System32\ts.dll
[2009/11/14 12:33:40 | 000,357,888 | ---- | C] () -- D:\WINDOWS\System32\gdsmux.exe
[2009/11/14 12:33:38 | 000,249,856 | ---- | C] () -- D:\WINDOWS\System32\dxr.dll
[2009/11/14 12:11:50 | 000,093,184 | ---- | C] () -- D:\WINDOWS\System32\avss.dll
[2009/11/14 12:11:42 | 000,150,016 | ---- | C] () -- D:\WINDOWS\System32\mkx.dll
[2009/11/14 12:11:42 | 000,141,824 | ---- | C] () -- D:\WINDOWS\System32\mp4.dll
[2009/11/14 12:11:40 | 000,123,392 | ---- | C] () -- D:\WINDOWS\System32\ogm.dll
[2009/11/14 12:11:40 | 000,109,568 | ---- | C] () -- D:\WINDOWS\System32\avi.dll
[2009/11/14 12:11:38 | 000,097,792 | ---- | C] () -- D:\WINDOWS\System32\avs.dll
[2009/11/14 12:11:36 | 000,136,704 | ---- | C] () -- D:\WINDOWS\System32\mkv2vfr.exe
[2009/11/14 12:11:36 | 000,113,152 | ---- | C] () -- D:\WINDOWS\System32\dsmux.exe
[2009/11/14 12:11:32 | 000,080,384 | ---- | C] () -- D:\WINDOWS\System32\mkzlib.dll
[2009/11/14 12:11:32 | 000,024,576 | ---- | C] () -- D:\WINDOWS\System32\mkunicode.dll
[2009/11/05 10:07:31 | 000,000,754 | ---- | C] () -- D:\WINDOWS\WORDPAD.INI
[2009/10/10 01:16:21 | 000,138,520 | ---- | C] () -- D:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009/10/10 01:16:12 | 000,234,536 | ---- | C] () -- D:\WINDOWS\System32\PnkBstrB.exe
[2009/10/10 01:15:23 | 000,075,064 | ---- | C] () -- D:\WINDOWS\System32\PnkBstrA.exe
[2009/10/09 23:16:25 | 000,000,000 | ---- | C] () -- D:\WINDOWS\nsreg.dat
[2009/10/09 22:09:30 | 000,049,152 | R--- | C] () -- D:\WINDOWS\System32\ChCfg.exe
[2009/10/09 22:07:02 | 000,005,810 | R--- | C] () -- D:\WINDOWS\System32\drivers\ASACPI.sys
[2009/10/09 22:06:53 | 000,032,391 | ---- | C] () -- D:\WINDOWS\Ascd_tmp.ini
[2009/10/09 22:06:53 | 000,010,296 | ---- | C] () -- D:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/10/09 22:05:09 | 000,000,552 | ---- | C] () -- D:\WINDOWS\System32\d3d8caps.dat
[2009/10/09 22:02:09 | 000,002,048 | --S- | C] () -- D:\WINDOWS\bootstat.dat
[2009/10/09 21:58:56 | 000,021,640 | ---- | C] () -- D:\WINDOWS\System32\emptyregdb.dat
[2009/10/09 15:50:48 | 000,004,161 | ---- | C] () -- D:\WINDOWS\ODBCINST.INI
[2009/08/11 15:21:26 | 000,087,552 | ---- | C] () -- D:\WINDOWS\System32\ac3config.exe
[2009/06/07 10:24:04 | 000,180,224 | ---- | C] () -- D:\WINDOWS\System32\xvidvfw.dll
[2009/01/10 16:15:44 | 000,159,744 | ---- | C] () -- D:\WINDOWS\System32\mmfinfo.dll
[2008/11/06 10:37:32 | 003,596,288 | ---- | C] () -- D:\WINDOWS\System32\qt-dx331.dll
[2008/04/14 06:00:00 | 013,107,200 | ---- | C] () -- D:\WINDOWS\System32\oembios.bin
[2008/04/14 06:00:00 | 000,673,088 | ---- | C] () -- D:\WINDOWS\System32\mlang.dat
[2008/04/14 06:00:00 | 000,436,026 | ---- | C] () -- D:\WINDOWS\System32\perfh009.dat
[2008/04/14 06:00:00 | 000,272,128 | ---- | C] () -- D:\WINDOWS\System32\perfi009.dat
[2008/04/14 06:00:00 | 000,218,003 | ---- | C] () -- D:\WINDOWS\System32\dssec.dat
[2008/04/14 06:00:00 | 000,068,796 | ---- | C] () -- D:\WINDOWS\System32\perfc009.dat
[2008/04/14 06:00:00 | 000,046,258 | ---- | C] () -- D:\WINDOWS\System32\mib.bin
[2008/04/14 06:00:00 | 000,028,626 | ---- | C] () -- D:\WINDOWS\System32\perfd009.dat
[2008/04/14 06:00:00 | 000,004,569 | ---- | C] () -- D:\WINDOWS\System32\secupd.dat
[2008/04/14 06:00:00 | 000,004,461 | ---- | C] () -- D:\WINDOWS\System32\oembios.dat
[2008/04/14 06:00:00 | 000,001,804 | ---- | C] () -- D:\WINDOWS\System32\Dcache.bin
[2008/04/14 06:00:00 | 000,000,741 | ---- | C] () -- D:\WINDOWS\System32\noise.dat
[2008/01/03 16:26:00 | 000,286,720 | ---- | C] () -- D:\WINDOWS\System32\nvnt4cpl.dll
[2007/10/13 03:30:20 | 000,000,137 | ---- | C] () -- D:\WINDOWS\System32\Registration.ini
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- D:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/08/06 00:48:35 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\AVG10
[2009/11/11 13:11:05 | 000,000,000 | -H-D | M] -- D:\Documents and Settings\All Users\Application Data\CanonBJ
[2011/07/18 01:06:07 | 000,000,000 | -H-D | M] -- D:\Documents and Settings\All Users\Application Data\Common Files
[2010/04/04 13:44:22 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\EA Logs
[2010/02/17 16:26:25 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\LightScribe
[2011/08/05 17:38:18 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\MFAData
[2011/01/08 19:44:46 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Napster
[2011/04/25 23:02:34 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Research In Motion
[2011/12/05 22:28:43 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\TEMP
[2011/09/20 23:19:33 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\YouTube Downloader
[2010/05/08 14:06:31 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/03/13 16:34:01 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2011/07/19 03:12:55 | 000,000,000 | ---D | M] -- D:\Documents and Settings\winslow\Application Data\AVG
[2011/07/18 01:10:48 | 000,000,000 | ---D | M] -- D:\Documents and Settings\winslow\Application Data\AVG10
[2011/09/20 21:02:24 | 000,000,000 | ---D | M] -- D:\Documents and Settings\winslow\Application Data\Canon
[2011/04/16 15:55:19 | 000,000,000 | ---D | M] -- D:\Documents and Settings\winslow\Application Data\DVDVideoSoftIEHelpers
[2011/11/30 18:23:01 | 000,000,000 | ---D | M] -- D:\Documents and Settings\winslow\Application Data\ElevatedDiagnostics
[2010/10/06 14:31:50 | 000,000,000 | ---D | M] -- D:\Documents and Settings\winslow\Application Data\EPSON
[2010/03/03 18:20:58 | 000,000,000 | ---D | M] -- D:\Documents and Settings\winslow\Application Data\GetRightToGo
[2010/01/20 12:35:29 | 000,000,000 | ---D | M] -- D:\Documents and Settings\winslow\Application Data\NewSoft
[2009/11/12 19:05:41 | 000,000,000 | ---D | M] -- D:\Documents and Settings\winslow\Application Data\PCToolsFirewallPlus
[2011/04/25 23:05:50 | 000,000,000 | ---D | M] -- D:\Documents and Settings\winslow\Application Data\Research In Motion
[2009/11/12 19:05:18 | 000,000,000 | ---D | M] -- D:\Documents and Settings\winslow\Application Data\Spam Monitor

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\walt.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\Resume.rtf:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\resignation.txt:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\parade of lights.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\Mikk.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\me.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\Justin, Amy, and, me.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\image004.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\Getting ready for the rodeo1.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\Getting ready for the rodeo.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\Coby and Ali @ Ali's 10th b-day party.JPG:Roxio EMC Stream
@Alternate Data Stream - 137 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
@Alternate Data Stream - 123 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:5160F090
@Alternate Data Stream - 105 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
@Alternate Data Stream - 103 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 103 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >
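The OTL report above ends with a list of alternate data streams (ADS). An NTFS file or folder can carry extra named streams that a normal directory listing never shows, which is why removal tools enumerate them; here most streams are named "Roxio EMC Stream" (a name that points at Roxio's media software) while the ones attached to the TEMP folder have opaque eight-character hex names. The Python script below is an added example, not part of the original post and not OTL's own code: it parses the "@Alternate Data Stream" lines of an OTL report and sorts them into streams from a known application, streams with opaque hex names, and everything else. The set of familiar stream names (Zone.Identifier, which Windows writes on downloaded files, and Roxio EMC Stream) is an assumption made for the example, and the sample lines are copied from the report above.

```python
import re

# Stream names treated as familiar for this example (an assumption, not an
# OTL list): Windows writes "Zone.Identifier" on downloaded files, and the
# "Roxio EMC Stream" name points at Roxio's media software, as in the report.
KNOWN_STREAMS = {"Zone.Identifier", "Roxio EMC Stream"}

# One OTL line looks like:
#   @Alternate Data Stream - 76 bytes -> D:\path\file.jpg:Roxio EMC Stream
# The host path contains no ':' after the drive letter, so the last ':'
# separates it from the stream name.
ADS_LINE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> "
    r"(?P<host>[A-Za-z]:\\[^:]*):(?P<stream>[^:]+)$"
)
HEX_NAME = re.compile(r"[0-9A-Fa-f]{8}")


def parse_ads_line(line):
    """Return (size_in_bytes, host_path, stream_name), or None for any other line."""
    m = ADS_LINE.match(line.strip())
    if m is None:
        return None
    return int(m.group("size")), m.group("host"), m.group("stream")


def classify(stream_name):
    """Bucket a stream by its name alone; the content still has to be inspected."""
    if stream_name in KNOWN_STREAMS:
        return "known-application"
    if HEX_NAME.fullmatch(stream_name):
        return "opaque-hex-name"
    return "unknown"


def triage(report_lines):
    """Parse every ADS line of an OTL report and group the entries by bucket."""
    buckets = {"known-application": [], "opaque-hex-name": [], "unknown": []}
    for line in report_lines:
        parsed = parse_ads_line(line)
        if parsed is None:
            continue  # section headers, blank lines, other OTL output
        size, host, stream = parsed
        buckets[classify(stream)].append(
            {"size": size, "host": host, "stream": stream}
        )
    return buckets


# Lines copied from the OTL report above (a subset of its ADS section).
SAMPLE = r"""
========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\walt.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> D:\Documents and Settings\winslow\My Documents\Resume.rtf:Roxio EMC Stream
@Alternate Data Stream - 137 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
""".splitlines()


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE).items():
        print(f"{bucket}: {len(entries)}")
        for e in entries:
            print(f"  {e['size']:>4} bytes  {e['host']}:{e['stream']}")
```

Run it with no arguments to triage the embedded sample; for a real report, pass the file's lines to triage(). The "opaque-hex-name" bucket is only a prioritisation hint: a stream gets that label because nothing in its name says which program wrote it, not because the name proves anything, so the stream contents (and the host file or folder) have to be looked at before drawing a conclusion.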

#2 maliprog (Trusted Helper, Malware Removal)
Hello Txman700 and welcome to G2G! :)

My nick is maliprog and I will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.

Step 1

Can you write the locations where Avira and Malwarebytes find this infection?

Step 2

Download Virus Removal Tool from Here to your desktop.

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.

Click the cog in the upper right.

Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.

Allow Virus Removal Tool to delete all infections found.
Once it has finished, select the Report tab (last tab).
Select Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.

Step 3

Please don't forget to include these items in your reply:

  • VRT log
It would be helpful if you could post each log in a separate post.

#3 Txman700 (Topic Starter)
Softomat.an and Trash.gen from Avira are in:

A0117737.exe
A0117568.cpl

The dropper, according to Malwarebytes, is in:

d:\WINDOWS\system32\fsquirt.exe

I will download the virus removal tool and update...

#4 maliprog (Trusted Helper, Malware Removal)
OK. Continue with the VRT scan and post the log.

#5 Txman700 (Topic Starter)
It will not let me attach or copy and paste the log file, but no items were detected. The file is too big to attach and for some reason it will not paste.

#6 maliprog (Trusted Helper, Malware Removal)
OK. Leave it for now.

Step 1

Please go to: VirusTotal
  • Click the Browse button and search for the following file:

    D:\WINDOWS\system32\fsquirt.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

NOTE: If it says already scanned, click the Reanalyze now button.

Step 2

Please update Malwarebytes and do a Quick Scan. This time don't remove anything (skip all findings) and post the log for me.

Step 3

Open the Avira interface and click on Reports under Overview on the left. Double-click the last scan report and post it here for me.

Step 4

Please don't forget to include these items in your reply:

  • VirusTotal log
  • Malwarebytes log
  • Avira report
It would be helpful if you could post each log in a separate post.

#7 Txman700 (Topic Starter)
Can't connect to virustotal.com; it says the server is taking too long to respond. I'll keep trying.

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8365

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/13/2011 07:14:07 AM
mbam-log-2011-12-13 (07-14-07).txt

Scan type: Quick scan
Objects scanned: 156445
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Txman700 (Topic Starter)
And here is the Avira log:

Avira Free Antivirus
Report file date: December 12, 2011 20:46

Scanning for 3560421 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MAIN

Version information:
BUILD.DAT : 12.0.0.870 41827 Bytes 12/09/2011 15:01:00
AVSCAN.EXE : 12.1.0.18 490448 Bytes 10/19/2011 21:56:25
AVSCAN.DLL : 12.1.0.17 54224 Bytes 10/19/2011 21:56:46
LUKE.DLL : 12.1.0.17 68304 Bytes 10/19/2011 21:56:34
AVSCPLR.DLL : 12.1.0.21 99536 Bytes 12/08/2011 21:29:20
AVREG.DLL : 12.1.0.27 227536 Bytes 12/09/2011 21:29:00
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/06/2009 23:52:06
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 23:52:06
VBASE002.VDF : 7.11.3.0 1950720 Bytes 02/09/2011 23:52:06
VBASE003.VDF : 7.11.5.225 1980416 Bytes 04/07/2011 23:52:08
VBASE004.VDF : 7.11.8.178 2354176 Bytes 05/31/2011 23:52:08
VBASE005.VDF : 7.11.10.251 1788416 Bytes 07/07/2011 23:52:08
VBASE006.VDF : 7.11.13.60 6411776 Bytes 08/16/2011 23:52:08
VBASE007.VDF : 7.11.15.106 2389504 Bytes 10/05/2011 23:52:08
VBASE008.VDF : 7.11.18.32 2132992 Bytes 11/24/2011 23:52:08
VBASE009.VDF : 7.11.18.33 2048 Bytes 11/24/2011 23:52:08
VBASE010.VDF : 7.11.18.34 2048 Bytes 11/24/2011 23:52:08
VBASE011.VDF : 7.11.18.35 2048 Bytes 11/24/2011 23:52:08
VBASE012.VDF : 7.11.18.36 2048 Bytes 11/24/2011 23:52:08
VBASE013.VDF : 7.11.18.89 204800 Bytes 11/28/2011 23:52:08
VBASE014.VDF : 7.11.18.145 143872 Bytes 12/01/2011 23:52:08
VBASE015.VDF : 7.11.18.180 173056 Bytes 12/02/2011 21:28:50
VBASE016.VDF : 7.11.18.208 164864 Bytes 12/05/2011 21:28:52
VBASE017.VDF : 7.11.18.239 177152 Bytes 12/06/2011 21:28:52
VBASE018.VDF : 7.11.19.36 171520 Bytes 12/09/2011 21:28:54
VBASE019.VDF : 7.11.19.37 2048 Bytes 12/09/2011 21:28:55
VBASE020.VDF : 7.11.19.38 2048 Bytes 12/09/2011 21:28:55
VBASE021.VDF : 7.11.19.39 2048 Bytes 12/09/2011 21:28:55
VBASE022.VDF : 7.11.19.40 2048 Bytes 12/09/2011 21:28:56
VBASE023.VDF : 7.11.19.41 2048 Bytes 12/09/2011 21:28:56
VBASE024.VDF : 7.11.19.42 2048 Bytes 12/09/2011 21:28:56
VBASE025.VDF : 7.11.19.43 2048 Bytes 12/09/2011 21:28:57
VBASE026.VDF : 7.11.19.44 2048 Bytes 12/09/2011 21:28:57
VBASE027.VDF : 7.11.19.45 2048 Bytes 12/09/2011 21:28:57
VBASE028.VDF : 7.11.19.46 2048 Bytes 12/09/2011 21:28:57
VBASE029.VDF : 7.11.19.47 2048 Bytes 12/09/2011 21:28:58
VBASE030.VDF : 7.11.19.48 2048 Bytes 12/09/2011 21:28:58
VBASE031.VDF : 7.11.19.72 136192 Bytes 12/12/2011 21:29:13
Engineversion : 8.2.6.134
AEVDF.DLL : 8.1.2.2 106868 Bytes 12/01/2011 23:52:04
AESCRIPT.DLL : 8.1.3.90 491899 Bytes 12/08/2011 21:29:04
AESCN.DLL : 8.1.7.2 127349 Bytes 12/01/2011 23:52:04
AESBX.DLL : 8.2.4.5 434549 Bytes 12/01/2011 23:52:04
AERDL.DLL : 8.1.9.15 639348 Bytes 12/01/2011 23:52:04
AEPACK.DLL : 8.2.14.5 741751 Bytes 12/08/2011 21:29:02
AEOFFICE.DLL : 8.1.2.21 201084 Bytes 12/01/2011 23:52:04
AEHEUR.DLL : 8.1.3.6 3895670 Bytes 12/08/2011 21:29:00
AEHELP.DLL : 8.1.18.0 254327 Bytes 12/01/2011 23:52:04
AEGEN.DLL : 8.1.5.17 405877 Bytes 12/08/2011 21:28:55
AEEMU.DLL : 8.1.3.0 393589 Bytes 12/01/2011 23:52:04
AECORE.DLL : 8.1.24.0 196983 Bytes 12/01/2011 23:52:04
AEBB.DLL : 8.1.1.0 53618 Bytes 12/01/2011 23:52:04
AVWINLL.DLL : 12.1.0.17 27344 Bytes 10/19/2011 21:56:27
AVPREF.DLL : 12.1.0.17 51920 Bytes 10/19/2011 21:56:24
AVREP.DLL : 12.1.0.17 172136 Bytes 12/02/2011 21:28:57
AVARKT.DLL : 12.1.0.19 208848 Bytes 12/08/2011 21:29:05
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 10/19/2011 21:56:23
SQLITE3.DLL : 3.7.0.0 398288 Bytes 10/19/2011 21:56:38
AVSMTP.DLL : 12.1.0.17 62928 Bytes 10/19/2011 21:56:25
NETNT.DLL : 12.1.0.17 17104 Bytes 10/19/2011 21:56:34
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 10/19/2011 21:56:49
RCTEXT.DLL : 12.1.0.16 96208 Bytes 10/19/2011 21:56:49

Configuration settings for the scan:
Jobname.............................: AVGuardAsyncScan
Configuration file..................: D:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4ee67107\guard_slideup.avp
Logging.............................: default
Primary action......................: interactive
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: on
Integrity checking of system files..: off
Optimised scan......................: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Deviating archive types.............: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, +ISO 9660,
Macro heuristic.....................: on
File heuristic......................: Complete
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: December 12, 2011 20:46

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'vssvc.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrB.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'EVGAPrecision.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'D:\System Volume Information\_restore{4D36AA51-B434-49D8-9134-D7F575E765AD}\RP592\A0117737.exe'
D:\System Volume Information\_restore{4D36AA51-B434-49D8-9134-D7F575E765AD}\RP592\A0117737.exe
[DETECTION] Is the TR/Trash.Gen Trojan

Beginning disinfection:
D:\System Volume Information\_restore{4D36AA51-B434-49D8-9134-D7F575E765AD}\RP592\A0117737.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4c941941.qua'.


End of the scan: December 12, 2011 20:48
Used time: 00:49 Minute(s)

The scan has been done completely.

0 Scanned directories
29 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
28 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes
35051 Objects were scanned with rootkit scan
0 Hidden objects were found


The scan results will be transferred to the Guard.

#9 Txman700 (Topic Starter)
Still can't connect to virustotal.com, but the internet is working fine and I tried it in two different browsers.

#10 maliprog (Trusted Helper, Malware Removal)
The good news is that Avira finds this infection in System Restore. We will clean System Restore later, so that's not a problem any more.

Malwarebytes is clean, but let's check this file on another site.

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    D:\WINDOWS\system32\fsquirt.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

#11 Txman700 (Topic Starter)
VirusTotal says file not found; check the file path to make sure it is correct.

And virscan.org says forbidden error 403.

#12 Txman700 (Topic Starter)
I did a search for the file and found fsquirt.exe in system32 dllcache, and this is what VirusTotal said:

2 VT Community user(s) with a total of 2 reputation credit(s) say(s) this sample is goodware. 1 VT Community user(s) with a total of 1 reputation credit(s) say(s) this sample is malware.
File name:
fsquirt.exe
Submission date:
2011-12-13 23:18:48 (UTC)
Current status:
finished
Result:
0/ 43 (0.0%)

VT Community

controversial
Safety score: 66.7%
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.12.12.00 2011.12.12 -
AntiVir 7.11.19.98 2011.12.13 -
Antiy-AVL 2.0.3.7 2011.12.13 -
Avast 6.0.1289.0 2011.12.13 -
AVG 10.0.0.1190 2011.12.13 -
BitDefender 7.2 2011.12.14 -
ByteHero 1.0.0.1 2011.12.07 -
CAT-QuickHeal 12.00 2011.12.13 -
ClamAV 0.97.3.0 2011.12.13 -
Commtouch 5.3.2.6 2011.12.13 -
Comodo 10940 2011.12.13 -
DrWeb 5.0.2.03300 2011.12.13 -
Emsisoft 5.1.0.11 2011.12.13 -
eSafe 7.0.17.0 2011.12.13 -
eTrust-Vet 37.0.9622 2011.12.13 -
F-Prot 4.6.5.141 2011.12.13 -
F-Secure 9.0.16440.0 2011.12.13 -
Fortinet 4.3.388.0 2011.12.13 -
GData 22.306/22.574 2011.12.13 -
Ikarus T3.1.1.109.0 2011.12.13 -
Jiangmin 13.0.900 2011.12.13 -
K7AntiVirus 9.119.5671 2011.12.13 -
Kaspersky 9.0.0.837 2011.12.13 -
McAfee 5.400.0.1158 2011.12.13 -
McAfee-GW-Edition 2010.1E 2011.12.13 -
Microsoft 1.7903 2011.12.13 -
NOD32 6709 2011.12.13 -
Norman 6.07.13 2011.12.13 -
nProtect 2011-12-13.01 2011.12.13 -
Panda 10.0.3.5 2011.12.13 -
PCTools 8.0.0.5 2011.12.14 -
Prevx 3.0 2011.12.14 -
Rising 23.88.01.02 2011.12.13 -
Sophos 4.72.0 2011.12.13 -
SUPERAntiSpyware 4.40.0.1006 2011.12.13 -
Symantec 20111.2.0.82 2011.12.14 -
TheHacker 6.7.0.1.356 2011.12.11 -
TrendMicro 9.500.0.1008 2011.12.13 -
TrendMicro-HouseCall 9.500.0.1008 2011.12.14 -
VBA32 3.12.16.4 2011.12.13 -
VIPRE 11249 2011.12.14 -
ViRobot 2011.12.13.4823 2011.12.13 -
VirusBuster 14.1.114.0 2011.12.13 -
Additional information
MD5 : 11b050d9474681405b07a6f47681590f
SHA1 : 73c7217d336faa50ae1cf6447ed57e40206bf904
SHA256: 8f7e68ae96c36c434e8c6290e55c79c51d7032bcbebab742cf1013be8db54ba2

VT Community

User:
Anonymous
Reputation:
1 credits
Comment date:
2011-12-12 15:28:05 (UTC)
MBAM 1.50 version: 5230 reports Trojan.Dropper.BCM as a trojan
Tags: Malware,

Was this comment helpful? Yes (1) | No (0) | Report abuse

User:
Anonymous
Reputation:
1 credits
Comment date:
2011-12-12 16:41:25 (UTC)
MBAM false-positive. Not malware. Part of Windows OS.
Tags: Goodware,

Was this comment helpful? Yes (0) | No (0) | Report abuse

User:
Anonymous
Reputation:
1 credits
Comment date:
2011-12-12 20:45:57 (UTC)
file size 188 KB (193,024 bytes)
Version 5.1.2600.5512
MBAM ver 1.51.2.1300 reports this as a trojan
Tags: Goodware,

Was this comment helpful? Yes (1) | No (0) | Report abuse
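The VirusTotal result above is for a copy of fsquirt.exe found in dllcache, because the system32 path the helper asked for came back "file not found" (post #11). Whether that 0/43 verdict carries over to the file Malwarebytes flagged depends on the two copies being the same bytes, and the three digests VirusTotal printed (MD5, SHA1, SHA256) are what settles that without uploading anything: hash the local file and compare. The Python below is an added example, not code from this thread or from VirusTotal; it hashes a file or byte string with all three algorithms and compares the result with a reported set of digests, treating a SHA256 match as conclusive and a match on MD5 or SHA1 alone as weaker, since collisions can be constructed for both. The REPORTED digests are copied from the VirusTotal output above; the small file the demo writes is constructed for the example and is obviously not fsquirt.exe.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("sha256", "sha1", "md5")

# Digests VirusTotal reported for the uploaded fsquirt.exe, copied from the
# thread above. They identify the exact bytes the 43 engines scanned.
REPORTED = {
    "md5": "11b050d9474681405b07a6f47681590f",
    "sha1": "73c7217d336faa50ae1cf6447ed57e40206bf904",
    "sha256": "8f7e68ae96c36c434e8c6290e55c79c51d7032bcbebab742cf1013be8db54ba2",
}


def hash_bytes(data):
    """Return {algorithm: hex digest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Hash a file on disk in chunks so a large binary is never read in one go."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(local, reported):
    """Decide whether the local file is the same bytes as the reported one.

    Returns {"verdict": ..., "basis": [algorithms compared]}. A SHA256 match is
    conclusive; a match on MD5/SHA1 only is 'probably-same-file' because
    collisions can be constructed for both of those algorithms.
    """
    shared = [a for a in ALGORITHMS if a in local and a in reported]
    if not shared:
        return {"verdict": "inconclusive", "basis": []}
    if any(local[a].lower() != reported[a].lower() for a in shared):
        return {"verdict": "different-file", "basis": shared}
    if "sha256" in shared:
        return {"verdict": "same-file", "basis": shared}
    return {"verdict": "probably-same-file", "basis": shared}


def demo():
    """Write a constructed file, hash it from disk and compare with REPORTED."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")  # constructed content for the example
        path = tmp.name
    try:
        local = hash_file(path)
    finally:
        os.unlink(path)
    return {"digests": local, "against_reported": compare(local, REPORTED)}


if __name__ == "__main__":
    # On the affected machine the call would be:
    #   hash_file(r"D:\WINDOWS\system32\fsquirt.exe")
    out = demo()
    for name in ALGORITHMS:
        print(f"{name:7} {out['digests'][name]}")
    print(out["against_reported"])
```

On the machine in question, hashing D:\WINDOWS\system32\fsquirt.exe and the dllcache copy and comparing both against REPORTED tells you in one step whether the engines' clean verdict applies to the flagged file; a "different-file" result means the system32 copy itself still has to be submitted, which is exactly what the helper's VirSCAN step was trying to achieve.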

#13 Txman700 (Topic Starter)
Also found it in driver cache\i386\sp3.cab and here is what VirusTotal said about it:

Well, the page timed out, but it returned one hit on it.... I will try to copy and paste it again. Sorry! And thank you VERY much for all your help thus far!

#14 maliprog (Trusted Helper, Malware Removal)
Hi Txman700,

This file is a Windows system file and it's not malware. This is a false positive for Malwarebytes.

Your logs and system are clean now. We need to remove the programs we used from your PC and we need to delete the Restore points.

Step 1

NOTE: This fix is custom made for this system only and for current system state! Don't try to run it on another system!

Please close all running programs and run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Commands
    [purity]
    [emptytemp]
    [clearallrestorepoints]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered; reboot the PC when it is done
  • Post the fix log it produces in your next reply, or you can find it in C:\_OTL\MovedFiles

Step 2

Please start OTL one more time and click the CleanUp button. OTL will restart your system at the end. Remove all other applications we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then select one of the following options. We recommend that you select the Automatic (recommended) option: Automatically download recommended updates for my computer and install them.
  • Click OK button

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor's patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.

#15 Txman700 (Topic Starter)
Thanks maliprog!

Here is the log you requested, and I have updated everything as outlined. Thank you for all your help! I'm sure this is a thankless job at times, especially for volunteers! Please know you are appreciated!


All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41044 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->Flash cache emptied: 456 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: winslow
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 524820 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 32298804 bytes
->Flash cache emptied: 487 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 79104786 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 15616112 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 124.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.31.0 log created on 12142011_012336

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...