
Windows security center



I have a bunch of fake "windows security center" popups that won't go away, and I can't run mbam or any antivirus. Hope you guys can help!

I followed the instructions for what to do when mbam can't run, and it didn't work (including using rootrepeal). I was able to run all the tools recommended, and have pasted their logs below. Please advise.

The rogue process is called av.exe

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/02/27 18:02

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP2

==================================================

==EOF==

Gmer logs:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-02-28 15:58:22

Windows 5.1.2600 Service Pack 2

Running: assneck_6mhfuqmy.exe; Driver: D:\DOCUME~1\Rob\LOCALS~1\Temp\uxriqpob.sys

---- User code sections - GMER 1.0.15 ----

.text D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1836] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

Device \FileSystem\Fastfat \Fat A684EC8A

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.15 ----

OTL Logs:

OTL logfile created on: 2/27/2010 7:41:56 PM - Run 1

OTL by OldTimer - Version 3.1.30.3 Folder = D:\

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 86.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 95.00% Paging File free

Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files

Drive C: | 27.07 Gb Total Space | 2.41 Gb Free Space | 8.90% Space Free | Partition Type: NTFS

Drive D: | 264.08 Gb Total Space | 5.65 Gb Free Space | 2.14% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ACER-LAPTOP-XP

Current User Name: Rob

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/27 19:24:55 | 000,549,888 | ---- | M] (OldTimer Tools) -- D:\OTL.exe

PRC - [2010/02/26 01:32:38 | 000,199,680 | -HS- | M] () -- D:\Documents and Settings\Rob\Local Settings\Application Data\av.exe

PRC - [2009/09/21 15:36:12 | 000,305,440 | ---- | M] (Apple Inc.) -- D:\Program Files\iTunes\iTunesHelper.exe

PRC - [2009/09/21 15:36:02 | 000,545,568 | ---- | M] (Apple Inc.) -- D:\Program Files\iPod\bin\iPodService.exe

PRC - [2009/08/28 18:42:54 | 000,144,672 | ---- | M] (Apple Inc.) -- D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PRC - [2009/02/10 09:43:42 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\Java\jre6\bin\jqs.exe

PRC - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- D:\Program Files\Bonjour\mDNSResponder.exe

PRC - [2008/07/01 09:02:28 | 000,468,224 | ---- | M] (ESET) -- D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

PRC - [2008/07/01 09:01:04 | 001,447,168 | ---- | M] (ESET) -- D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

PRC - [2008/04/09 21:42:00 | 000,492,896 | ---- | M] () -- D:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

PRC - [2008/04/09 20:14:18 | 000,431,384 | ---- | M] (Acronis) -- D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

PRC - [2007/12/07 16:42:02 | 000,376,832 | ---- | M] (The Eraser Project) -- D:\Program Files\Eraser\Eraser.exe

PRC - [2007/06/13 02:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/02/27 19:24:55 | 000,549,888 | ---- | M] (OldTimer Tools) -- D:\OTL.exe

MOD - [2006/08/25 07:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2009/09/21 15:36:02 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- D:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - [2009/08/28 18:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2009/05/22 15:34:34 | 000,851,968 | ---- | M] () [On_Demand | Stopped] -- D:\Program Files\TVersity\Media Server\MediaServer.exe -- (TVersityMediaServer)

SRV - [2009/02/10 09:43:42 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- D:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)

SRV - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- D:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)

SRV - [2008/07/01 09:08:00 | 000,019,200 | ---- | M] (ESET) [On_Demand | Stopped] -- D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)

SRV - [2008/07/01 09:02:28 | 000,468,224 | ---- | M] (ESET) [Auto | Running] -- D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)

SRV - [2008/04/09 21:42:00 | 000,492,896 | ---- | M] () [Auto | Running] -- D:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)

SRV - [2008/04/09 20:14:18 | 000,431,384 | ---- | M] (Acronis) [Auto | Running] -- D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)

SRV - [2004/08/03 23:56:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- D:\WINDOWS\system32\irmon.dll -- (Irmon)

SRV - [2001/08/23 04:00:00 | 000,003,584 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- D:\WINDOWS\System32\regedt32.exe -- (NOD32FiXTemDono)

========== Driver Services (SafeList) ==========

DRV - [2009/11/26 16:08:46 | 000,399,424 | ---- | M] (TASCAM) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\tascusb2.sys -- (TASCAM_US122144)

DRV - [2009/11/26 16:08:42 | 000,039,488 | ---- | M] (TASCAM) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\tscusb2a.sys -- (TASCAM_US122L_WDM)

DRV - [2009/11/26 16:08:40 | 000,026,688 | ---- | M] (TASCAM) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\tscusb2m.sys -- (TASCAM_US122L_MIDI)

DRV - [2009/08/28 18:42:52 | 000,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)

DRV - [2009/05/18 13:17:00 | 000,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)

DRV - [2009/01/04 22:14:55 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- D:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)

DRV - [2009/01/04 22:14:55 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- D:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)

DRV - [2009/01/04 22:14:50 | 000,132,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- D:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)

DRV - [2009/01/04 22:14:44 | 000,368,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- D:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)

DRV - [2008/11/17 18:26:51 | 000,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)

DRV - [2008/07/02 03:06:03 | 002,530,176 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®

DRV - [2008/07/01 09:04:40 | 000,034,312 | ---- | M] () [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)

DRV - [2008/07/01 08:57:14 | 000,053,256 | ---- | M] (ESET) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv)

DRV - [2008/07/01 08:56:22 | 000,039,944 | ---- | M] (ESET) [Kernel | Auto | Running] -- D:\WINDOWS\system32\drivers\eamon.sys -- (eamon)

DRV - [2008/05/27 11:11:54 | 000,096,896 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)

DRV - [2008/05/20 18:33:50 | 000,022,784 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\RimUsb.sys -- (RimUsb)

DRV - [2008/05/07 18:21:40 | 004,739,072 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2008/04/02 07:15:26 | 006,008,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)

DRV - [2007/11/13 02:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)

DRV - [2007/10/24 10:47:26 | 000,023,288 | ---- | M] (SIA Syncrosoft) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\synasUSB.sys -- (SynasUSB)

DRV - [2007/02/16 14:46:00 | 000,160,256 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)

DRV - [2007/01/18 09:24:58 | 000,026,496 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\RimSerial.sys -- (RimVSerPort)

DRV - [2005/01/07 16:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)

DRV - [2004/08/03 23:10:12 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\61883.sys -- (61883)

DRV - [2004/08/03 23:10:12 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\avc.sys -- (Avc)

DRV - [2004/08/03 23:10:00 | 000,051,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)

DRV - [2004/08/03 22:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2004/08/03 22:00:52 | 000,028,672 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\nscirda.sys -- (NSCIRDA)

DRV - [2001/08/23 04:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)

DRV - [2001/08/23 04:00:00 | 000,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-73586283-1275210071-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-73586283-1275210071-725345543-1003\S-1-5-21-73586283-1275210071-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: orbit_ffext@orbitdownloader:2.02

FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Components: D:\Program Files\eMusic Download Manager\xulrunner\components [2009/07/05 18:29:11 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Plugins: D:\Program Files\eMusic Download Manager\xulrunner\plugins [2009/10/14 01:29:05 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2009/12/27 14:59:27 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2009/12/27 14:59:27 | 000,000,000 | ---D | M]

[2008/07/02 22:20:26 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Rob\Application Data\Mozilla\Extensions

[2009/12/19 22:47:29 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\iatxpb4n.default\extensions

[2009/12/27 15:10:20 | 000,000,000 | ---D | M] -- D:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2001/08/23 04:00:00 | 000,000,734 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - D:\Program Files\Orbitdownloader\GrabPro.dll ()

O3 - HKU\S-1-5-21-73586283-1275210071-725345543-1003\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.

O3 - HKU\S-1-5-21-73586283-1275210071-725345543-1003\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - D:\Program Files\Orbitdownloader\GrabPro.dll ()

O4 - HKLM..\Run: [egui] D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)

O4 - HKLM..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [KernelFaultCheck] File not found

O4 - HKLM..\Run: [QuickTime Task] D:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKU\S-1-5-21-73586283-1275210071-725345543-1003..\Run: [Eraser] D:\Program Files\Eraser\eraser.exe (The Eraser Project)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-73586283-1275210071-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-73586283-1275210071-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O8 - Extra context menu item: &Download by Orbit - D:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)

O8 - Extra context menu item: &Grab video by Orbit - D:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)

O8 - Extra context menu item: Do&wnload selected by Orbit - D:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)

O8 - Extra context menu item: Down&load all by Orbit - D:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - D:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} http://bartelldrugs.lifepics.com/net/Uploa...PUploader45.cab (Image Uploader Control)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)

O16 - DPF: {8646A6AF-0AE4-4BF8-B716-DB1513803972} http://riteaid.storefront.com/images/globa...geUpload1_8.CAB (SFImageUpload1_8.ImageUpload)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab (Java Plug-in 1.6.0_12)

O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} http://bartelldrugs.lifepics.com/net/Uploa...PUploader57.cab (Image Uploader Control)

O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - D:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O24 - Desktop WallPaper: D:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: D:\WINDOWS\Web\Wallpaper\Bliss.bmp

O30 - LSA: Authentication Packages - (relog_ap) - D:\WINDOWS\System32\relog_ap.dll (Acronis)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 13:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O33 - MountPoints2\{22070ba2-48b1-11dd-9693-001cbfb0b685}\Shell\AutoRun\command - "" = H:\wdsync.exe -- File not found

O33 - MountPoints2\{b5d031d5-0bb5-11de-96e2-001cbfb0b685}\Shell\AutoRun\command - "" = I:\WDSetup.exe -- File not found

O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\wdsync.exe -- File not found

O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\WDSetup.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/27 19:24:46 | 000,549,888 | ---- | C] (OldTimer Tools) -- D:\OTL.exe

[2010/02/27 18:32:08 | 000,000,000 | ---D | C] -- D:\processexplorer

[2010/02/26 23:52:10 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- D:\Documents and Settings\Rob\Desktop\mbam-setup-renamed.exe

[2010/02/24 18:22:52 | 000,000,000 | ---D | C] -- D:\Program Files\Microsoft Silverlight

[2010/02/09 22:38:06 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Rob\My Documents\imule Downloads

[2010/02/09 22:35:22 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Rob\Application Data\I2P

[2010/02/09 22:34:20 | 000,000,000 | ---D | C] -- D:\Program Files\i2p

[2010/02/09 22:32:49 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Rob\Desktop\imule install

[2009/03/05 19:53:19 | 000,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Local Settings\Application Data\ESET

[2009/01/04 22:42:48 | 000,000,000 | ---D | M] -- D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2009/01/04 22:41:50 | 000,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2009/01/04 22:41:49 | 000,000,000 | --SD | M] -- D:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/01/04 22:41:49 | 000,000,000 | --SD | M] -- D:\Documents and Settings\LocalService\Application Data\Microsoft

[2009/01/04 22:38:56 | 000,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Application Data\Acronis

[2008/11/17 18:26:51 | 000,047,360 | ---- | C] (VSO Software) -- D:\Documents and Settings\Rob\Application Data\pcouffin.sys

[3 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

[3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/27 19:43:01 | 000,508,956 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI

[2010/02/27 19:43:01 | 000,432,924 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat

[2010/02/27 19:43:01 | 000,067,714 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat

[2010/02/27 19:40:57 | 000,014,056 | -HS- | M] () -- D:\Documents and Settings\Rob\Local Settings\Application Data\rQVN4I4g

[2010/02/27 19:40:54 | 000,013,646 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl

[2010/02/27 19:38:22 | 000,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT

[2010/02/27 19:38:20 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat

[2010/02/27 19:27:33 | 000,293,376 | ---- | M] () -- D:\assneck_6mhfuqmy.exe

[2010/02/27 19:24:55 | 000,549,888 | ---- | M] (OldTimer Tools) -- D:\OTL.exe

[2010/02/27 19:05:26 | 010,747,904 | -H-- | M] () -- D:\Documents and Settings\Rob\NTUSER.DAT

[2010/02/27 19:05:26 | 000,000,178 | -HS- | M] () -- D:\Documents and Settings\Rob\ntuser.ini

[2010/02/27 19:05:21 | 005,408,388 | -H-- | M] () -- D:\Documents and Settings\Rob\Local Settings\Application Data\IconCache.db

[2010/02/27 18:52:00 | 000,000,970 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1275210071-725345543-1003UA.job

[2010/02/27 18:26:56 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- D:\RootRepeal.exe

[2010/02/27 15:52:00 | 000,000,918 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1275210071-725345543-1003Core.job

[2010/02/27 14:53:32 | 000,000,000 | ---- | M] () -- D:\settings.dat

[2010/02/27 14:50:03 | 000,472,064 | ---- | M] ( ) -- D:\RootRepeal_realdeal.exe

[2010/02/26 23:52:15 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- D:\Documents and Settings\Rob\Desktop\mbam-setup-renamed.exe

[2010/02/26 01:32:38 | 000,199,680 | -HS- | M] () -- D:\Documents and Settings\Rob\Local Settings\Application Data\av.exe

[2010/02/25 01:22:52 | 000,000,112 | ---- | M] () -- D:\WINDOWS\System32\w3data.vss

[2010/02/25 01:22:52 | 000,000,112 | ---- | M] () -- D:\WINDOWS\System32\msvcsv60.dll

[2010/02/25 01:22:52 | 000,000,112 | ---- | M] () -- D:\WINDOWS\msocreg32.dat

[2010/02/24 03:00:28 | 000,001,374 | ---- | M] () -- D:\WINDOWS\imsins.BAK

[2010/02/23 14:55:35 | 000,239,104 | ---- | M] () -- D:\Documents and Settings\Rob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/02/23 14:52:56 | 000,020,750 | ---- | M] () -- D:\Documents and Settings\Rob\Desktop\wilco i'll fight lyrics (partial).gif

[2010/02/13 20:16:34 | 000,000,038 | ---- | M] () -- D:\WINDOWS\AviSplitter.INI

[2010/02/09 23:21:44 | 000,000,566 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Anonine.lnk

[3 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

[3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/27 19:27:24 | 000,293,376 | ---- | C] () -- D:\assneck_6mhfuqmy.exe

[2010/02/27 14:53:32 | 000,000,000 | ---- | C] () -- D:\settings.dat

[2010/02/26 01:32:39 | 000,014,056 | -HS- | C] () -- D:\Documents and Settings\Rob\Local Settings\Application Data\rQVN4I4g

[2010/02/26 01:32:38 | 000,199,680 | -HS- | C] () -- D:\Documents and Settings\Rob\Local Settings\Application Data\av.exe

[2010/02/23 14:52:56 | 000,020,750 | ---- | C] () -- D:\Documents and Settings\Rob\Desktop\wilco i'll fight lyrics (partial).gif

[2010/02/09 23:21:44 | 000,000,566 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Anonine.lnk

[2009/07/13 00:10:25 | 000,000,466 | ---- | C] () -- D:\WINDOWS\ULEAD32.INI

[2009/06/22 22:01:26 | 000,000,702 | ---- | C] () -- D:\WINDOWS\NewsRover.INI

[2009/03/14 19:05:32 | 000,007,680 | ---- | C] () -- D:\WINDOWS\System32\ff_vfw.dll

[2009/03/14 19:05:32 | 000,000,547 | ---- | C] () -- D:\WINDOWS\System32\ff_vfw.dll.manifest

[2009/02/01 01:20:22 | 000,000,112 | ---- | C] () -- D:\WINDOWS\System32\msvcsv60.dll

[2009/01/25 13:10:48 | 000,179,200 | ---- | C] () -- D:\WINDOWS\System32\xvidvfw.dll

[2009/01/08 15:01:22 | 000,629,760 | ---- | C] () -- D:\WINDOWS\System32\xvidcore.dll

[2008/11/17 18:26:59 | 000,000,034 | ---- | C] () -- D:\Documents and Settings\Rob\Application Data\pcouffin.log

[2008/11/17 18:26:51 | 000,087,608 | ---- | C] () -- D:\Documents and Settings\Rob\Application Data\inst.exe

[2008/11/17 18:26:51 | 000,007,887 | ---- | C] () -- D:\Documents and Settings\Rob\Application Data\pcouffin.cat

[2008/11/17 18:26:51 | 000,001,144 | ---- | C] () -- D:\Documents and Settings\Rob\Application Data\pcouffin.inf

[2008/11/15 22:50:56 | 000,000,038 | ---- | C] () -- D:\WINDOWS\AviSplitter.INI

[2008/10/10 23:22:44 | 000,000,754 | ---- | C] () -- D:\WINDOWS\WORDPAD.INI

[2008/07/06 11:02:34 | 000,239,104 | ---- | C] () -- D:\Documents and Settings\Rob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/07/02 15:44:23 | 000,002,892 | ---- | C] () -- D:\WINDOWS\System32\audcon.sys

[2008/07/02 13:32:13 | 000,147,456 | ---- | C] () -- D:\WINDOWS\System32\igfxCoIn_v4943.dll

[2008/07/01 11:14:05 | 000,000,008 | RHS- | C] () -- D:\WINDOWS\System32\Desktop_.ini

[2008/07/01 09:04:40 | 000,034,312 | ---- | C] () -- D:\WINDOWS\System32\drivers\epfwtdir.sys

[2008/05/30 09:22:22 | 003,596,288 | ---- | C] () -- D:\WINDOWS\System32\qt-dx331.dll

[2008/05/30 09:18:56 | 000,000,416 | ---- | C] () -- D:\WINDOWS\System32\dtu100.dll.manifest

[2008/05/30 09:18:56 | 000,000,416 | ---- | C] () -- D:\WINDOWS\System32\dpl100.dll.manifest

[2008/05/30 09:18:00 | 000,012,288 | ---- | C] () -- D:\WINDOWS\System32\DivXWMPExtType.dll

[2002/10/15 14:54:04 | 000,153,088 | ---- | C] () -- D:\WINDOWS\System32\unrar.dll

< End of report >

OTL extras log:

OTL Extras logfile created on: 2/27/2010 7:41:56 PM - Run 1

OTL by OldTimer - Version 3.1.30.3 Folder = D:\

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 86.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 95.00% Paging File free

Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files

Drive C: | 27.07 Gb Total Space | 2.41 Gb Free Space | 8.90% Space Free | Partition Type: NTFS

Drive D: | 264.08 Gb Total Space | 5.65 Gb Free Space | 2.14% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ACER-LAPTOP-XP

Current User Name: Rob

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- D:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-73586283-1275210071-725345543-1003\SOFTWARE\Classes\<extension>]

.exe [@ = secfile] -- D:\Documents and Settings\Rob\Local Settings\Application Data\av.exe ()

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

htmlfile [open] -- "D:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "D:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

http [open] -- "D:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -- "D:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [TVersity] -- "D:\Program Files\TVersity\Media Server\GUILaunch.exe" -type "folder" -url "%1" -title "" -tags "" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "D:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "D:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"UpdatesDisableNotify" = 1

"AntiVirusOverride" = 1

"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"D:\Program Files\uTorrent\uTorrent.exe" = D:\Program Files\uTorrent\uTorrent.exe:*:Enabled:

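Added note (not part of the original posts or of OTL): the "Security Center Settings" block in the log above is the part a helper reads first, because a rogue "security center" program turns off exactly the notifications that would warn the user (the three DisableNotify values), sets the Override values so Security Center stops checking, and switches off the Windows Firewall in both profiles. The script below is an example, written for this note, that parses that section of an OTL log and lists every value that differs from the Windows default. The sample input is constructed to mirror the values posted above; the Override and EnableFirewall checks are reported as "review" rather than "high" because a third-party security suite can legitimately set them, and a value that is absent from the dump is treated as the default.

```python
import re

# Constructed sample in the shape OTL uses for its "Security Center Settings"
# section. The values mirror the ones posted in this thread.
SAMPLE_OTL_SECTION = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]\s*$")          # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')  # "Name" = value


def parse_otl_registry(text):
    """Return {key_path: {value_name: raw_value}} from an OTL registry dump."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


SC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
FW_BASE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
           r"\Parameters\FirewallPolicy")

# (key, value name, Windows default, severity when the value differs)
EXPECTED = [
    (SC_KEY, "AntiVirusDisableNotify", "0", "high"),
    (SC_KEY, "FirewallDisableNotify", "0", "high"),
    (SC_KEY, "UpdatesDisableNotify", "0", "high"),
    (SC_KEY, "AntiVirusOverride", "0", "review"),   # third-party suites may set this
    (SC_KEY, "FirewallOverride", "0", "review"),
] + [
    (FW_BASE + "\\" + profile, name, default, severity)
    for profile in ("DomainProfile", "StandardProfile")
    for name, default, severity in (("EnableFirewall", "1", "review"),
                                    ("DisableNotifications", "0", "high"))
]


def audit_security_center(keys):
    """List (severity, full value path, actual, expected) for non-default values."""
    findings = []
    for key, name, expected, severity in EXPECTED:
        actual = keys.get(key, {}).get(name)
        if actual is None:          # not present in the dump: Windows default applies
            continue
        if actual != expected:
            findings.append((severity, key + "\\" + name, actual, expected))
    return findings


if __name__ == "__main__":
    for severity, path, actual, expected in audit_security_center(
            parse_otl_registry(SAMPLE_OTL_SECTION)):
        print(f"[{severity:6}] {path} = {actual} (default {expected})")
```

On the log above this reports nine deviations, five of them "high"; the MBAM log posted later in the thread flags the same three DisableNotify values as Disabled.SecurityCenter.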

Hello,

I hope this doesn't come off as too bold. I count 18 people whose first post came after mine that have been helped, and I'm afraid that my issue has slipped between the cracks. I realize that the forum is very busy, and I'm so very appreciative of the help that's given here. I'm humbly bumping my post in case it was simply missed, and am more than happy to wait my turn.

Cheers, and thanks.


Hello and welcome to Malwarebytes forums,

You may have been overlooked for any number of reasons. Posting a reply to your post before a helper answered just pushed your thread out of range. Most of our helpers work the oldest ones first.

Do as much as you can of the following tasks. If you run into a hitch, proceed to the next task.

If you have questions, post to this thread and state the issue.

I'll be helping you. Please follow my guidance.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not thespeedbag and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder; if you like, you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer. From the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :files
    D:\Documents and Settings\Rob\Local Settings\Application Data\rQVN4I4g
    D:\Documents and Settings\Rob\Local Settings\Application Data\av.exe
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 4

Start MBAM (Malwarebytes' Anti-Malware).

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 5

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

Reply with a copy of:

  • the OTL MovedFiles log
  • the latest MBAM scan log
  • the Sysclean log


This is strange - I haven't touched my infected system since I gathered all the logs for my initial post. I was careful not to modify anything. I am now unable to run any executable, so I couldn't install ERUNT per your instructions.

The problem is that the file "av.exe" is now GONE. I didn't intentionally remove it, but perhaps one of the scanning tools I used to get those first logs did remove it?

Now when I try to run any exe (including the ERUNT setup file, or Internet Explorer), I'm asked what program I'd like to use to run the app, similar to what Windows asks you when you try to open a file with an unknown extension.

There's a registry entry in my first post that looks like it associates all ".exe" with av.exe:

[HKEY_USERS\S-1-5-21-73586283-1275210071-725345543-1003\SOFTWARE\Classes\<extension>]

.exe [@ = secfile] -- D:\Documents and Settings\Rob\Local Settings\Application Data\av.exe ()

But I'm not familiar with the syntax to fix and will wait for further instruction.

I should add that I have a dual-boot system here (vista/XP, where the XP side is the infected one). Just thought I'd throw that out there if it makes anything easier (it certainly makes it easy to download things on the vista side & save them for use once back in the XP side).

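Added note (not part of the original posts or of OTL): the registry line quoted above is the whole explanation of the symptom. Windows decides how to launch a file by looking up its extension under the Classes keys; the default ProgID for `.exe` is `exefile`, whose open command simply runs the file itself. Here the per-user `.exe` class had been pointed at a ProgID named `secfile` whose handler was av.exe, so every program launch went through the rogue first, and once av.exe was gone there was no handler left and Windows fell back to the "Open With" prompt. The script below is an example written for this note that parses OTL's extension lines and flags two things a helper looks for: a ProgID for an executable type that is not the Windows default, and a handler that runs from a per-user writable location. The sample lines are constructed (the first reproduces the line posted above); the helper's reg file restores the default association, which is the remediation, and the script only detects.

```python
import re

# Windows defaults for the file classes most often hijacked by rogue
# "security" programs: extension -> default ProgID (the "@" value of HKCR\<ext>).
DEFAULT_PROGID = {
    ".exe": "exefile",
    ".com": "comfile",
    ".bat": "batfile",
    ".cmd": "cmdfile",
    ".scr": "scrfile",
    ".reg": "regfile",
}

# Handlers for executable types normally resolve to the file itself ("%1" %*)
# or to something under %SystemRoot% / Program Files. A handler living in a
# per-user writable folder is what av.exe looked like in this thread.
SUSPICIOUS_PATH_RE = re.compile(
    r"\\Local Settings\\(Application Data|Temp)\\|\\AppData\\|\\Temp\\|\\RECYCLER\\",
    re.IGNORECASE,
)

# OTL extension line:  .ext [@ = ProgID] -- <handler command> (<company>)
ASSOC_RE = re.compile(r"^(\.\w+)\s+\[@ = ([^\]]*)\]\s+--\s+(.*?)\s+\(([^)]*)\)\s*$")

# Constructed sample: first line is the one posted above, the others are clean.
SAMPLE_ASSOCIATIONS = r"""
.exe [@ = secfile] -- D:\Documents and Settings\Rob\Local Settings\Application Data\av.exe ()
.bat [@ = batfile] -- "%1" %* ()
.txt [@ = txtfile] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
"""


def parse_associations(text):
    """Return a list of {ext, progid, command, company} dicts from OTL extension lines."""
    rows = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line.strip())
        if m:
            ext, progid, command, company = m.groups()
            rows.append({"ext": ext.lower(), "progid": progid,
                         "command": command, "company": company})
    return rows


def audit_associations(rows):
    """Return (ext, handler command, [reasons]) for every association that looks hijacked."""
    findings = []
    for r in rows:
        reasons = []
        expected = DEFAULT_PROGID.get(r["ext"])
        if expected and r["progid"].lower() != expected:
            reasons.append(f"ProgID is {r['progid']!r}, Windows default is {expected!r}")
        if SUSPICIOUS_PATH_RE.search(r["command"]):
            reasons.append("handler runs from a per-user writable location")
        if reasons:
            findings.append((r["ext"], r["command"], reasons))
    return findings


if __name__ == "__main__":
    for ext, command, reasons in audit_associations(parse_associations(SAMPLE_ASSOCIATIONS)):
        print(f"{ext}: {command}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the sample the only hit is the `.exe` line, for both reasons; a clean `.exe [@ = exefile] -- "%1" %* ()` line produces no finding.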

Good sleuthing!

Get this next reg-fix and then apply in an active XP session.

For Windows XP systems only:

Download >> this reg file << from Kelly's Korner

and save it to your system. Right-click on it and then select Merge

Now, you will be able once more to run exe programs normally.

Next, Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Next, Proceed with the steps I had outlined before.


Whew, that took a long time :-). Here are the three logs you instructed me to post.

*************** OTL MovedFiles log *****************

All processes killed

========== FILES ==========

D:\Documents and Settings\Rob\Local Settings\Application Data\rQVN4I4g moved successfully.

File\Folder D:\Documents and Settings\Rob\Local Settings\Application Data\av.exe not found.

C:\RECYCLER\S-1-5-21-73586283-1275210071-725345543-1004 folder moved successfully.

C:\RECYCLER\S-1-5-21-73586283-1275210071-725345543-1003 folder moved successfully.

C:\RECYCLER folder moved successfully.

D:\RECYCLER\S-1-5-21-73586283-1275210071-725345543-1006 folder moved successfully.

D:\RECYCLER\S-1-5-21-73586283-1275210071-725345543-1005 folder moved successfully.

D:\RECYCLER\S-1-5-21-73586283-1275210071-725345543-1004\Dd5 folder moved successfully.

D:\RECYCLER\S-1-5-21-73586283-1275210071-725345543-1004 folder moved successfully.

D:\RECYCLER\S-1-5-21-73586283-1275210071-725345543-1003 folder moved successfully.

D:\RECYCLER folder moved successfully.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: jake

->Temp folder emptied: 1116436 bytes

->Temporary Internet Files folder emptied: 112094 bytes

User: Kitty

->Temp folder emptied: 4104925 bytes

->Temporary Internet Files folder emptied: 8792350 bytes

->Java cache emptied: 1949580 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 3738477192 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33237 bytes

User: Rob

->Temp folder emptied: 1648516 bytes

->Temporary Internet Files folder emptied: 96067119 bytes

->Java cache emptied: 8193538 bytes

->FireFox cache emptied: 55689961 bytes

User: Sweet Janice

->Temp folder emptied: 107857099 bytes

->Temporary Internet Files folder emptied: 7226583 bytes

->Java cache emptied: 21486474 bytes

->FireFox cache emptied: 15232496 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 1119049 bytes

%systemroot%\System32 .tmp files removed: 398353 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 18480588 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23942636 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 3,922.00 mb

Restore point Set: OTL Restore Point (64424509440)

OTL by OldTimer - Version 3.1.30.3 log created on 03052010_092201

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

*********** latest MBAM scan log *******************

Malwarebytes' Anti-Malware 1.44

Database version: 3830

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

3/6/2010 7:59:11 PM

mbam-log-2010-03-06 (19-59-10).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|Z:\|)

Objects scanned: 479812

Time elapsed: 5 hour(s), 54 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*********** Sysclean log ***************************

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2010-03-06, 20:02:59, Auto-clean mode specified.

2010-03-06, 20:03:00, Initialized Rootkit Driver version 2.2.0.1004.

2010-03-06, 20:03:00, Running scanner "D:\DCE\TSC.BIN"...

2010-03-06, 20:03:09, Scanner "D:\DCE\TSC.BIN" has finished running.

2010-03-06, 20:03:09, TSC Log:


This system had a rogue "security center" trojan, now gone.

The last MBAM run cleared out the last "crud" done by the rogue.

The Sysclean run only found ad-ware cookies.

The OTL fix did what we need for it to do, plus it freed up an awesome 3922 MB by cleaning out temp folders!

You are good to go after the cleanups below. And I highly suggest you get XP Service Pack 3 {note at bottom}.

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

  • Please double-click OTL.exe to run it.
  • Click on the CleanUp! button at the upper right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet, you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

You need to plan, prepare and apply XP Service Pack 3.

Use this as a guide: Windows XP Service Pack 3 (SP3): Installation Guide

Read and digest all of it.

Special focus on how to disable your antivirus (NOD32 in your case) plus any other real-time anti-malware that auto-starts with Windows. Those need to be disabled just before & during the setup of the service pack.

Also see "How to obtain the latest Windows XP service pack"

http://support.microsoft.com/kb/322389

Microsoft Support for Windows XP service pack 2 will cease after July 13, 2010.

Source http://blogs.technet.com/msrc/default.aspx

Windows XP Service Pack 2 will no longer be supported after July 13, 2010. Many customers are still on this version, so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.

On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:

Kaspersky Webscan Online Virus Scanner

ESET Online Scanner

Panda ActiveScan

Trend Micro Housecall

F-Secure Online Scanner

We are finished here. Best regards. :P
