
Problems purging "Crypt.EPACK.Gen2" from my PC



Hi

I got some problems with an infection (which I don't understand how I got...) of Crypt.EPACK.Gen2 [this is at least what AntiVir calls it], every now and then AntiVir alerts me of a file "Gg[].exe" where [] is a letter, so far I had Ggz, Ggx, Ggv and Ggy... I delete this file from my system, check my system with MBAM, AntiVir and Spybot S&D and they say I am clean, about a week later I have this infection again... I am guessing the root of the problem is still hiding somewhere in my system invisible to MBAM, AntiVir and Spybot S&D

Any help to get rid of this would be greatly appreciated. I really don't feel like formatting my hard drive and re-installing right now.

Thanks a lot.

//Warepire


Hello, and :)

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop.

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.
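The first pass over the OTL reports requested above is the same every time: pick out the entries with no company name, hidden/system file attributes, a file OTL could not find, or a path under the user's profile data folders. The parser and triage pass below is an added example, not OTL's code or anything posted in this thread; it runs over constructed lines modelled on the OTL log posted later in the thread, and the Ggz.exe autorun entry in the sample is hypothetical (the thread never shows where those files were started from).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines modelled on the OTL report posted in this thread (paths
# shortened). The last O4 line is hypothetical: the thread names Gg?.exe files but
# never shows the autorun entry that started them.
SAMPLE_LOG = r"""
PRC - [2010-10-21 20:34:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2010-07-01 22:24:44 | 000,785,503 | ---- | M] ( ) -- C:\Applications\Internet\Miranda-IM\miranda32.exe
PRC - [2009-03-05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Applications\Security\TeaTimer.exe
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\services.exe -- (Eventlog)
SRV - [2010-04-01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Applications\Security\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
O4 - HKLM..\Run: [avgnt] C:\Applications\Security\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\SysNative\NvCpl.DLL File not found
O4 - HKU\S-1-5-21-0000..\Run: [Updater] C:\Documents and Settings\User\Application Data\Ggz.exe ( )
"""

# "[date time | size | attrs | M] (company)" block printed for a file OTL could read
FILE_INFO_RE = re.compile(
    r"^\[[\d-]+ [\d:]+ \| [\d,]+ \| (?P<attrs>[A-Z-]{4}) \| [MC]\] \((?P<company>[^)]*)\)$"
)
# PRC/MOD/SRV/DRV: kind, optional :64bit:, file info or "File not found",
# optional [start | state] block, path, optional "-- (service or driver name)"
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV)(?P<x64>:64bit:)? - "
    r"(?:(?P<missing>File not found)|(?P<info>\[[^\]]*\] \([^)]*\)))"
    r"(?: \[(?P<state>[^\]]*)\])? -- (?P<path>.+?)(?: -- \((?P<name>[^)]*)\).*)?$"
)
# O4 autoruns: hive..\Run*: [value name] path (company)  or  path File not found
O4_RE = re.compile(
    r"^O4(?P<x64>:64bit:)? - .+?\.\.\\Run\w*: \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?)(?: \((?P<company>[^)]*)\)| (?P<missing>File not found))$"
)
USER_DATA_RE = re.compile(r"\\(Application Data|Local Settings\\Temp)\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str            # PRC, MOD, SRV, DRV or O4
    x64: bool            # line carried the :64bit: tag
    path: str
    found: bool          # False when OTL printed "File not found"
    company: str = ""    # "" when the field was empty or the file was missing
    attrs: str = "----"  # R/H/S/D flags from the file-info block
    state: str = ""      # "Auto | Running" style block on SRV/DRV lines
    name: str = ""       # service/driver name or Run value name


def parse_otl(text: str) -> List[Entry]:
    """Parse the PRC/MOD/SRV/DRV and O4 lines of an OTL report into Entry records."""
    entries: List[Entry] = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ENTRY_RE.match(line)
        if m:
            e = Entry(m.group("kind"), bool(m.group("x64")), m.group("path"),
                      found=not m.group("missing"), state=m.group("state") or "",
                      name=m.group("name") or "")
            fi = FILE_INFO_RE.match(m.group("info") or "")
            if fi:
                e.company, e.attrs = fi.group("company").strip(), fi.group("attrs")
            entries.append(e)
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", bool(m.group("x64")), m.group("path"),
                                 found=not m.group("missing"), name=m.group("name"),
                                 company=(m.group("company") or "").strip()))
    return entries


def sysnative_artifact(entries: List[Entry]) -> bool:
    """True when every SysNative path is 'not found' yet some are running services.
    On XP x64 / Server 2003 x64 the Sysnative alias is not available to a 32-bit
    scanner by default, so this pattern is a scanner artifact, not missing files."""
    native = [e for e in entries if "\\sysnative\\" in e.path.lower()]
    return (bool(native) and all(not e.found for e in native)
            and any("Running" in e.state for e in native))


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each path worth a second look to the reasons a log reader checks first."""
    artifact = sysnative_artifact(entries)
    report: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        if not e.found:
            native = artifact and "\\sysnative\\" in e.path.lower()
            reasons.append("not found (SysNative: likely scanner artifact, verify on disk)"
                           if native else "file not found")
        elif not e.company:
            reasons.append("no company name")
        if "H" in e.attrs or "S" in e.attrs:
            reasons.append("hidden/system attributes")
        if USER_DATA_RE.search(e.path):
            reasons.append("runs from user profile data dir")
        if reasons:
            report.setdefault(e.path, []).extend(reasons)
    return report
```

The artifact check matters on this thread's kind of machine: a 32-bit scanner on XP x64 reports every SysNative system file as missing, even services that are plainly running, and without it those lines drown out the handful of entries actually worth checking.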


Hi Elise.

Thank you for taking time for my problem.

The problem in detail is a bit difficult to give you because I don't know myself how I got this infection (I only use the infected computer to code, browse programming forums and read the news). But when the infection takes hold of the computer I have Google redirects and random Internet Explorer popups (I am browsing the internet with Opera, I mostly use their beta builds because I hobby-test those for the Opera team). If the infection has taken hold of the computer only MBAM can stop it... but it seems more to cripple it, because it returns about 5-7 days later, and always at the exact moment that I shut down my browser. The files found and neutralized by MBAM are the Gg*.exe file I described in the opening post and a .job file which doesn't really have a name, it's more like an ID that is never the same, example from the last "disinfection": {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job.

And before you ask, the disabled Security Center is my own doing, not the infection. The little red balloon telling me Windows Update is not configured properly drives me mad (I have it to install updates at shutdown instead of immediately after download).

I was unable to make a Rootkit Unhooker log; the program crashed with the following error (I tried to rename it to explorer.exe and svchost.exe but there was no difference):

[screenshot: Rootkit Unhooker error dialog]

Do note that I have Windows XP Professional 64-bit and not Windows Server 2003 as reported.

The OTL scan went better and it produced these logs:

From OTL.txt:

OTL logfile created on: 2010-10-21 20:54:05 - Run 1

OTL by OldTimer - Version 3.2.16.0 Folder = C:\Documents and Settings\Warepire\Desktop

64bit-Windows Server 2003 Service Pack 2 (Version = 5.2.3790) - Type = NTWorkstation

Internet Explorer (Version = 6.0.3790.1830)

Locale: 0000041D | Country: Sweden | Language: SVE | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 72,00% Memory free

4,00 Gb Paging File | 3,00 Gb Available in Paging File | 85,00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 74,52 Gb Total Space | 65,77 Gb Free Space | 88,26% Space Free | Partition Type: NTFS

Drive D: | 465,76 Gb Total Space | 382,59 Gb Free Space | 82,14% Space Free | Partition Type: NTFS

Computer Name: MINION | User Name: Warepire | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 90 Days

========== Processes (SafeList) ==========

PRC - [2010-10-21 20:34:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Warepire\Desktop\OTL.exe

PRC - [2010-09-16 17:37:30 | 000,824,176 | ---- | M] (Opera Software) -- C:\Program Files (x86)\Opera\opera.exe

PRC - [2010-07-01 22:24:44 | 000,785,503 | ---- | M] ( ) -- C:\Applications\Internet\Miranda-IM\miranda32.exe

PRC - [2010-04-01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Applications\Security\Avira\AntiVir Desktop\avguard.exe

PRC - [2010-04-01 11:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Applications\CD & ISO\DAEMON Tools Lite\DTLite.exe

PRC - [2010-03-02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Applications\Security\Avira\AntiVir Desktop\avgnt.exe

PRC - [2010-02-24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Applications\Security\Avira\AntiVir Desktop\sched.exe

PRC - [2010-01-14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Applications\Security\Avira\AntiVir Desktop\avshadow.exe

PRC - [2009-12-31 01:24:34 | 000,703,488 | ---- | M] (FileZilla Project) -- C:\Applications\Internet\FileZilla Server\FileZilla server.exe

PRC - [2009-06-04 00:55:16 | 000,025,600 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\SysWOW64\Ctxfihlp.exe

PRC - [2009-06-04 00:49:56 | 001,213,440 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\SysWOW64\CTxfispi.exe

PRC - [2009-03-05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Applications\Security\Spybot - Search & Destroy\TeaTimer.exe

PRC - [2009-02-23 11:43:54 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

PRC - [2008-10-14 19:33:56 | 000,061,952 | ---- | M] (NeoSmart Technologies) -- C:\Program Files (x86)\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe

========== Modules (SafeList) ==========

MOD - [2010-10-21 20:34:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Warepire\Desktop\OTL.exe

MOD - [2010-09-07 18:04:52 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\wow64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_8D2E3180\comctl32.dll

MOD - [2007-02-18 11:05:38 | 000,177,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\MSCTFIME.IME

MOD - [2007-02-18 11:05:22 | 000,797,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\comres.dll

MOD - [2005-03-25 14:00:00 | 000,178,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\wbem\framedyn.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\xmlprov.dll -- (xmlprov)

SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\wzcsvc.dll -- (WZCSVC)

SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\wuauserv.dll -- (wuauserv)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\advapi32.dll -- (Wmi)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\ups.exe -- (UPS)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\wdfmgr.exe -- (UMWdf)

SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\tlntsvr.exe -- (TlntSvr)

SRV:64bit: - File not found [Auto | Stopped] -- C:\WINDOWS\SysNative\smlogsvc.exe -- (SysmonLog)

SRV:64bit: - File not found [Auto | Stopped] -- C:\WINDOWS\SysNative\srsvc.dll -- (srservice)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\SCardSvr.exe -- (SCardSvr)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\sessmgr.exe -- (RDSessMgr)

SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\services.exe -- (PlugPlay)

SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\nvsvc64.exe -- (nvsvc)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\ntmssvc.dll -- (NtmsSvc)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\netdde.exe -- (NetDDEdsdm)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\netdde.exe -- (NetDDE)

SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\mnmsrvc.exe -- (mnmsrvc)

SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\msgsvc.dll -- (Messenger)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\imapi.exe -- (ImapiService)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\w3ssl.dll -- (HTTPFilter)

SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\services.exe -- (Eventlog)

SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\ersvc.dll -- (ERSvc)

SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\dmserver.dll -- (dmserver)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\dmadmin.exe -- (dmadmin)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\clipsrv.exe -- (ClipSrv)

SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\cisvc.exe -- (CiSvc)

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\appmgmts.dll -- (AppMgmt)

SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\alrsvc.dll -- (Alerter)

SRV - [2010-07-07 20:24:25 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)

SRV - [2010-06-17 09:06:38 | 000,144,712 | ---- | M] (H+H Software GmbH) [Disabled | Stopped] -- C:\Applications\CD & ISO\Virtual CD v10\System\VC10SecS.exe -- (VC10SecS)

SRV - [2010-04-01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Applications\Security\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2010-02-24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Applications\Security\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2009-12-31 01:24:34 | 000,703,488 | ---- | M] (FileZilla Project) [Auto | Running] -- C:\Applications\Internet\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)

SRV - [2009-02-23 11:43:54 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)

SRV - [2008-10-14 19:33:56 | 000,061,952 | ---- | M] (NeoSmart Technologies) [Auto | Running] -- C:\Program Files (x86)\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe -- (ToolTipFixer)

SRV - [2008-07-25 11:17:02 | 000,069,632 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

SRV - [2007-02-17 00:44:20 | 000,077,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc)

SRV - [2005-03-25 14:00:00 | 000,039,424 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SysWOW64\wdfmgr.exe -- (UMWdf)

========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | System | Running] -- C:\WINDOWS\SysNative\DRIVERS\vdrv1000.sys -- (vdrv1000)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\wdmaud.sys -- (wdmaud)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\vcd9bus.sys -- (vcd9bus)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\vcd10bus.sys -- (vcd10bus)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\update.sys -- (Update)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\sysaudio.sys -- (sysaudio)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\swmidi.sys -- (swmidi)

DRV:64bit: - File not found [File_System | Boot | Running] -- C:\WINDOWS\SysNative\DRIVERS\sr.sys -- (Sr)

DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\Drivers\sptd.sys -- (sptd)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\splitter.sys -- (splitter)

DRV:64bit: - File not found [Kernel | System | Running] -- C:\WINDOWS\SysNative\DRIVERS\redbook.sys -- (redbook)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\raspti.sys -- (Raspti)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\ptilink.sys -- (Ptilink)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\psched.sys -- (PSched)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ctoss2k.sys -- (ossrv)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\nvnetbus.sys -- (nvnetbus)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\NVENETFD.sys -- (NVENETFD)

DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\DRIVERS\nvata64.sys -- (nvata64)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\nv4_mini.sys -- (nv)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\kmixer.sys -- (kmixer)

DRV:64bit: - File not found [Kernel | System | Running] -- C:\WINDOWS\SysNative\DRIVERS\ipsec.sys -- (IPSec)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\ipinip.sys -- (IpInIp)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\Ip6Fw.sys -- (Ip6Fw)

DRV:64bit: - File not found [Kernel | System | Running] -- C:\WINDOWS\SysNative\DRIVERS\imapi.sys -- (imapi)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\HH10Help.sys -- (HH10Help.sys)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ha20x2k.sys -- (ha20x2k)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\msgpc.sys -- (Gpc)

DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\DRIVERS\ftdisk.sys -- (Ftdisk)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\emupia2k.sys -- (emupia)

DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\drivers\dmload.sys -- (dmload)

DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\drivers\dmio.sys -- (dmio)

DRV:64bit: - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\SysNative\drivers\dmboot.sys -- (dmboot)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ctsfm2k.sys -- (ctsfm2k)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ctprxy2k.sys -- (ctprxy2k)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\CTHWIUT.SYS -- (CTHWIUT.SYS)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\CTHWIUT.SYS -- (CTHWIUT)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\CTEXFIFX.SYS -- (CTEXFIFX.SYS)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\CTEXFIFX.SYS -- (CTEXFIFX)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\ctac32k.sys -- (ctac32k)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\CT20XUT.SYS -- (CT20XUT.SYS)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\CT20XUT.SYS -- (CT20XUT)

DRV:64bit: - File not found [Kernel | Auto | Running] -- C:\WINDOWS\SysNative\DRIVERS\CdaD10BA.sys -- (CdaD10BA)

DRV:64bit: - File not found [Kernel | Auto | Running] -- C:\WINDOWS\SysNative\DRIVERS\CdaC15BA.sys -- (CdaC15BA)

DRV:64bit: - File not found [File_System | Auto | Running] -- C:\WINDOWS\SysNative\DRIVERS\avgntflt.sys -- (avgntflt)

DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\audstub.sys -- (audstub)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\atmarpc.sys -- (Atmarpc)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\aec.sys -- (aec)

DRV - [2009-05-11 12:49:19 | 000,013,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Applications\Security\Avira\AntiVir Desktop\avgio64.sys -- (avgio)

DRV - [2006-12-04 11:09:04 | 000,084,480 | ---- | M] (Arc <arc.sourceforge.net>) [Kernel | Disabled | Stopped] -- C:\Applications\Archives\Universal Extractor\bin\arc.exe -- (arc)

DRV - [2005-03-25 14:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\SysWow64\mnmdd.dll -- (mnmdd)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

Hosts file not found

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applications\Security\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Applications\Internet\MegaManager\MegaIEMn.dll (Megaupload Limited)

O2 - BHO: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\..\Toolbar\WebBrowser: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

O4:64bit: - HKLM..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\IMKR6_1\imekrmig.exe (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\SysNative\NvCpl.DLL File not found

O4:64bit: - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe File not found

O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\SysNative\NvMcTray.DLL File not found

O4:64bit: - HKLM..\Run: [PHIME2002A] C:\WINDOWS\SysNative\IME\TINTLGNT\TINTSETP.EXE File not found

O4:64bit: - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\SysNative\IME\TINTLGNT\TINTSETP.EXE File not found

O4 - HKLM..\Run: [avgnt] C:\Applications\Security\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\SysWow64\Ctxfihlp.exe (Creative Technology Ltd)

O4 - HKLM..\Run: [FileZilla Server Interface] C:\Applications\Internet\FileZilla Server\FileZilla Server Interface.exe (FileZilla Project)

O4 - HKLM..\Run: [iMJPMIG8.1] C:\WINDOWS\IME (x86)\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)

O4 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002..\Run: [DAEMON Tools Lite] C:\Applications\CD & ISO\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)

O4 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002..\Run: [spybotSD TeaTimer] C:\Applications\Security\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - HKU\.DEFAULT..\RunOnce: [_nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)

O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found

O4 - HKU\S-1-5-18..\RunOnce: [_nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found

O4 - HKU\S-1-5-19..\RunOnce: [_nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)

O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found

O4 - HKU\S-1-5-20..\RunOnce: [_nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)

O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 177

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = FF 00 00 00 [binary data]

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = FF 00 00 00 [binary data]

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1

O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 1

O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-1463431551-875748573-3134554072-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0

O9:64bit: - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9:64bit: - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Applications\Security\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\SysNative\wiascr.dll File not found

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found

O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found

O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found

O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UIHost - (%SystemRoot%\system32\logonui.exe) - C:\WINDOWS\SysNative\logonui.exe File not found

O20:64bit: - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: System - (lsass.exe) - File not found

O20:64bit: - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - File not found

O20:64bit: - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - File not found

O20:64bit: - Winlogon\Notify\cscdll: DllName - cscdll.dll - File not found

O20:64bit: - Winlogon\Notify\dimsntfy: DllName - dimsntfy.dll - File not found

O20:64bit: - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found

O20:64bit: - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found

O20:64bit: - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - File not found

O20:64bit: - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found

O20:64bit: - Winlogon\Notify\termsrv: DllName - Reg Error: Key error. - File not found

O20:64bit: - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found

O21:64bit: - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\SysNative\stobject.dll File not found

O24 - Desktop WallPaper: C:\Documents and Settings\Warepire\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Warepire\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28:64bit: - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - File not found

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010-07-07 20:17:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010-10-21 20:33:57 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Warepire\Desktop\OTL.exe

[2010-10-14 23:20:15 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\SysWow64\drivers\mbamswissarmy.sys

[2010-09-30 12:43:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Local Settings\Application Data\Apple Computer

[2010-09-28 02:37:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\Malwarebytes

[2010-09-28 02:37:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010-09-28 02:28:40 | 000,000,000 | ---D | C] -- C:\Program Files\Prevx

[2010-09-28 00:54:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI

[2010-09-26 00:39:17 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Warepire\UserData

[2010-09-19 18:54:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss

[2010-09-19 18:16:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Virtual CDs

[2010-09-19 18:13:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\DAEMON Tools Lite

[2010-09-19 18:13:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite

[2010-09-19 16:05:48 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Warepire\Application Data\Virtual CD v10

[2010-09-19 16:05:48 | 000,000,000 | --SD | C] -- C:\Documents and Settings\All Users\Documents\Virtual CD v10

[2010-09-19 02:36:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\ScummVM

[2010-09-17 23:24:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype

[2010-09-17 20:28:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Local Settings\Application Data\AskToolbar

[2010-09-16 13:43:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Warepire\My Documents\My Videos

[2010-09-16 13:43:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos

[2010-09-06 16:43:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\ImgBurn

[2010-09-03 00:01:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump

[2010-08-29 16:07:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Local Settings\Application Data\Canneverbe_Limited

[2010-08-28 14:50:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\My Documents\CDBurnerXP Projects

[2010-08-28 14:50:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\Canneverbe_Limited

[2010-08-28 13:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\My Documents\My Received Files

[2010-08-25 16:13:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\Real

[2010-08-25 15:35:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\OpenOffice.org

[2010-08-25 13:43:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\Canneverbe Limited

[2010-08-25 13:43:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited

[2010-08-24 13:57:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun

[2010-08-21 22:40:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\VBA-M

[2010-08-21 22:39:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs

[2010-08-21 22:13:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\Media Player Classic

[2010-08-21 14:45:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Warepire\Application Data\skypePM

[2010-08-21 13:58:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Intel

[2009-06-04 00:57:38 | 000,060,928 | ---- | C] ( ) -- C:\WINDOWS\SysWow64\a3d.dll

[3 C:\WINDOWS\SysWow64\*.tmp files -> C:\WINDOWS\SysWow64\*.tmp -> ]

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010-10-21 20:34:07 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Warepire\Desktop\RKUnhookerLE.EXE

[2010-10-21 20:34:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Warepire\Desktop\OTL.exe

[2010-10-21 20:01:00 | 000,000,252 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

[2010-10-21 14:15:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010-10-17 02:55:36 | 000,000,984 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010-10-17 02:54:45 | 000,541,770 | ---- | M] () -- C:\WINDOWS\SysWow64\PerfStringBackup.INI

[2010-09-28 02:28:34 | 000,000,111 | ---- | M] () -- C:\WINDOWS\wininit.ini

[2010-09-25 23:28:36 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Intel SSD Toolbox.lnk

[2010-09-19 18:14:07 | 000,001,721 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DAEMON Tools Lite.lnk

[2010-09-17 20:32:55 | 000,000,646 | ---- | M] () -- C:\Documents and Settings\Warepire\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk

[2010-08-21 14:45:02 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\SysWow64\ezsidmv.dat

[3 C:\WINDOWS\SysWow64\*.tmp files -> C:\WINDOWS\SysWow64\*.tmp -> ]

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-10-21 20:34:07 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Warepire\Desktop\RKUnhookerLE.EXE

[2010-10-14 22:56:39 | 000,011,899 | ---- | C] () -- C:\Documents and Settings\Warepire\hs_err_pid2224.log

[2010-09-27 19:42:40 | 000,000,111 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2010-09-25 22:44:25 | 000,011,998 | ---- | C] () -- C:\Documents and Settings\Warepire\hs_err_pid4328.log

[2010-09-19 18:14:07 | 000,001,721 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DAEMON Tools Lite.lnk

[2010-08-21 14:45:02 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\SysWow64\ezsidmv.dat

[2010-08-21 13:58:08 | 000,002,533 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Intel SSD Toolbox.lnk

[2010-07-07 23:16:27 | 000,056,320 | ---- | C] () -- C:\WINDOWS\SysWow64\iyvu9_32.dll

[2010-07-07 23:13:39 | 000,085,504 | ---- | C] () -- C:\WINDOWS\SysWow64\ff_vfw.dll

[2010-07-07 22:08:31 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2010-07-07 20:30:19 | 000,541,770 | ---- | C] () -- C:\WINDOWS\SysWow64\PerfStringBackup.INI

[2009-08-03 00:21:54 | 000,197,912 | ---- | C] () -- C:\WINDOWS\SysWow64\physxcudart_20.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelTraditionalChinese.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelSwedish.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelSpanish.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelSimplifiedChinese.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelPortugese.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelKorean.dll

[2009-08-03 00:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelJapanese.dll

[2009-08-03 00:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelGerman.dll

[2009-08-03 00:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AgCPanelFrench.dll

[2009-06-04 01:37:08 | 000,021,093 | ---- | C] () -- C:\WINDOWS\SysWow64\instwdm.ini

[2009-06-04 01:37:06 | 000,000,054 | ---- | C] () -- C:\WINDOWS\SysWow64\ctzapxx.ini

[2009-06-04 00:55:20 | 000,002,560 | ---- | C] () -- C:\WINDOWS\SysWow64\CtxfiRes.dll

[2009-05-27 09:49:00 | 000,000,285 | ---- | C] () -- C:\WINDOWS\SysWow64\kill.ini

[2009-01-25 23:10:48 | 000,179,200 | ---- | C] () -- C:\WINDOWS\SysWow64\xvidvfw.dll

[2009-01-09 01:01:22 | 000,629,760 | ---- | C] () -- C:\WINDOWS\SysWow64\xvidcore.dll

[2007-02-18 11:05:48 | 000,276,992 | ---- | C] () -- C:\WINDOWS\SysWow64\sbe.dll

[2007-02-18 11:05:46 | 001,278,464 | ---- | C] () -- C:\WINDOWS\SysWow64\quartz.dll

[2007-02-18 11:05:46 | 000,512,512 | ---- | C] () -- C:\WINDOWS\SysWow64\qedit.dll

[2007-02-18 11:05:46 | 000,385,536 | ---- | C] () -- C:\WINDOWS\SysWow64\qdvd.dll

[2007-02-18 11:05:46 | 000,279,040 | ---- | C] () -- C:\WINDOWS\SysWow64\qdv.dll

[2007-02-18 11:05:46 | 000,192,512 | ---- | C] () -- C:\WINDOWS\SysWow64\qcap.dll

[2007-02-18 11:05:40 | 000,355,112 | ---- | C] () -- C:\WINDOWS\SysWow64\msjetoledb40.dll

[2007-02-18 11:05:34 | 000,062,464 | ---- | C] () -- C:\WINDOWS\SysWow64\mciqtz32.dll

[2007-02-18 11:05:28 | 000,396,288 | ---- | C] () -- C:\WINDOWS\SysWow64\encdec.dll

[2007-02-18 11:05:24 | 000,061,440 | ---- | C] () -- C:\WINDOWS\SysWow64\devenum.dll

[2007-02-18 11:05:20 | 000,072,704 | ---- | C] () -- C:\WINDOWS\SysWow64\amstream.dll

[2005-03-25 14:00:00 | 000,733,696 | ---- | C] () -- C:\WINDOWS\SysWow64\qedwipes.dll

[2005-03-25 14:00:00 | 000,498,742 | ---- | C] () -- C:\WINDOWS\SysWow64\dxmasf.dll

[2005-03-25 14:00:00 | 000,114,688 | ---- | C] () -- C:\WINDOWS\SysWow64\msencode.dll

[2005-03-25 14:00:00 | 000,016,896 | ---- | C] () -- C:\WINDOWS\SysWow64\tsd32.dll

[2005-03-25 14:00:00 | 000,014,336 | ---- | C] () -- C:\WINDOWS\SysWow64\msdmo.dll

[2005-03-25 14:00:00 | 000,004,126 | ---- | C] () -- C:\WINDOWS\SysWow64\msdxmlc.dll

========== LOP Check ==========

[2010-08-25 13:43:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited

[2010-09-19 18:13:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite

[2010-09-28 11:40:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI

[2010-08-25 13:43:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\Canneverbe Limited

[2010-08-29 16:06:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\Canneverbe_Limited

[2010-09-19 18:17:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\DAEMON Tools Lite

[2010-10-20 22:14:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\foobar2000

[2010-09-07 15:10:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\ImgBurn

[2010-08-21 16:04:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\Miranda

[2010-07-07 21:19:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\Mp3tag

[2010-08-25 15:35:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\OpenOffice.org

[2010-09-27 15:46:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\Opera

[2010-09-19 02:36:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\ScummVM

[2010-08-21 22:40:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Warepire\Application Data\VBA-M

[2010-09-19 17:45:18 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Warepire\Application Data\Virtual CD v10

[2010-10-21 02:47:37 | 000,032,430 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt

[2010-10-21 20:01:00 | 000,000,252 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========

< End of report >

From Extras.txt:

OTL Extras logfile created on: 2010-10-21 20:54:05 - Run 1

OTL by OldTimer - Version 3.2.16.0 Folder = C:\Documents and Settings\Warepire\Desktop

64bit-Windows Server 2003 Service Pack 2 (Version = 5.2.3790) - Type = NTWorkstation

Internet Explorer (Version = 6.0.3790.1830)

Locale: 0000041D | Country: Sweden | Language: SVE | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 72,00% Memory free

4,00 Gb Paging File | 3,00 Gb Available in Paging File | 85,00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 74,52 Gb Total Space | 65,77 Gb Free Space | 88,26% Space Free | Partition Type: NTFS

Drive D: | 465,76 Gb Total Space | 382,59 Gb Free Space | 82,14% Space Free | Partition Type: NTFS

Computer Name: MINION | User Name: Warepire | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 90 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.html[@ = Opera.HTML] -- C:\Program Files (x86)\Opera\opera.exe (Opera Software)

.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = Opera.HTML] -- C:\Program Files (x86)\Opera\opera.exe (Opera Software)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %* File not found

cmdfile [open] -- "%1" %* File not found

comfile [open] -- "%1" %* File not found

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* File not found

exefile [open] -- "%1" %* File not found

htmlfile [edit] -- Reg Error: Key error.

http [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software)

https [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software)

inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 File not found

InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l File not found

piffile [open] -- "%1" %* File not found

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

http [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software)

https [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"UpdatesDisableNotify" = 1

"AntiVirusOverride" = 0

"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

========== System Restore Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found

"C:\Program Files (x86)\Opera\opera.exe" = C:\Program Files (x86)\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)

"C:\Applications\Internet\Miranda-IM\miranda32.exe" = C:\Applications\Internet\Miranda-IM\miranda32.exe:*:Enabled:Miranda IM -- ( )

"C:\Program Files (x86)\Java\jre6\bin\javaw.exe" = C:\Program Files (x86)\Java\jre6\bin\javaw.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.)

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found

"C:\Program Files (x86)\Opera\opera.exe" = C:\Program Files (x86)\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)

"C:\Applications\Internet\Miranda-IM\miranda32.exe" = C:\Applications\Internet\Miranda-IM\miranda32.exe:*:Enabled:Miranda IM -- ( )

"C:\Program Files (x86)\Java\jre6\bin\javaw.exe" = C:\Program Files (x86)\Java\jre6\bin\javaw.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1" = Media Player Classic - Home Cinema v1.3.2002.0 x64

"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"NVIDIA Drivers" = NVIDIA Drivers

"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager

"WIC" = Windows Imaging Component

"WinRAR archiver" = WinRAR archiver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{10C51313-A308-4B40-90E3-B368D5882660}" = Virtual CD v10

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java 6 Update 16

"{2E72DCF0-8F35-4B94-91FA-8AE38D8B7534}" = Opera 10.70

"{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}" = Mega Manager

"{41BB38A4-ED84-4682-8329-042FEBD8C30B}" = Mega Manager

"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411

"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar

"{957E1902-30C7-4A35-890B-90EB94B956D6}" = Intel

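The Extras.txt above records several settings that matter when an infection keeps returning: "EnableFirewall" = 0 on the StandardProfile, "DisableSR" = 1 (no restore points), and the three Security Center *DisableNotify values set to 1 so nothing warns when protection lapses. As an added example (not OTL's own code, and not posted in this thread), the Python below parses those three sections of an OTL Extras report and flags such values. The rule list is the author's judgement, not anything OTL itself emits, and the sample text is a constructed excerpt in the posted format.

```python
"""Flag defence-weakening settings in an OTL Extras.txt report.

Added example, not OTL's own code. Parses the 'Security Center Settings',
'System Restore Settings' and 'Firewall Settings' blocks (section banner,
registry key in brackets, then "Name" = value lines) and reports values
that leave the machine exposed. RISKY_SETTINGS is the author's list.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^(64bit: )?\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.+)$')

# (value name, value that weakens defences, why it matters)
RISKY_SETTINGS: List[Tuple[str, str, str]] = [
    ("EnableFirewall", "0", "Windows Firewall is off for this profile"),
    ("DisableSR", "1", "System Restore is disabled; no restore points are kept"),
    ("AntiVirusDisableNotify", "1", "Security Center will not warn about missing or stale antivirus"),
    ("FirewallDisableNotify", "1", "Security Center will not warn that the firewall is off"),
    ("UpdatesDisableNotify", "1", "Security Center will not warn that Automatic Updates is off"),
    ("AntiVirusOverride", "1", "antivirus state is overridden, which can mask a disabled scanner"),
    ("FirewallOverride", "1", "firewall state is overridden, which can mask a disabled firewall"),
]

# Constructed excerpt in the format of the Extras.txt posted above.
SAMPLE_EXTRAS = r"""
========== Security Center Settings ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
========== System Restore Settings ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
========== Authorized Applications List ==========
"""


def parse_extras(text: str) -> Dict[Tuple[str, str, str], str]:
    """Return {(section, registry key, value name): value} for every
    "Name" = value line that sits under a section banner and a key."""
    settings: Dict[Tuple[str, str, str], str] = {}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None          # a new section resets the key
        elif m := KEY_RE.match(line):
            key = (m.group(1) or "") + m.group(2)    # keep the "64bit: " marker
        elif (m := VALUE_RE.match(line)) and section and key:
            settings[(section, key, m.group(1))] = m.group(2).strip()
    return settings


def audit(settings: Dict[Tuple[str, str, str], str]) -> List[str]:
    """One finding per setting whose value matches a RISKY_SETTINGS entry."""
    findings = []
    for (_section, key, name), value in settings.items():
        for rule_name, bad_value, why in RISKY_SETTINGS:
            if name == rule_name and value == bad_value:
                findings.append(f"{key}\\{name} = {value}: {why}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_extras(SAMPLE_EXTRAS)):
        print(finding)
```

Note that "Start" = 0 for the Sr filter driver is a boot-start value, not a disabled one, so it is deliberately not flagged; the System Restore problem is the "DisableSR" = 1 policy value.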

Hello again,

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen OTL (the OTL icon on your desktop).
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    :otl
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

    :commands
    [emptytemp]


  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Ran that OTL fix and here is the log produced:

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 413308 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 402 bytes

User: Warepire

->Temp folder emptied: 23547240 bytes

->Temporary Internet Files folder emptied: 82042250 bytes

->Java cache emptied: 10793872 bytes

->Opera cache emptied: 12932 bytes

->Flash cache emptied: 120265 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2168024 bytes

%systemroot%\System32 .tmp files removed: 202409 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 31629108 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 144,00 mb

OTL by OldTimer - Version 3.2.16.0 log created on 10212010_230235

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

The system, however, felt compelled to blue screen after the reboot, and I noticed I had forgotten to set the "don't reboot on blue screen" flag, so I was unable to catch the error... I hope, however, that this screenshot of the "Windows recovered from a problem" dialog contains useful information:

[screenshot: bsod.png]

The blue screen happened only once... but I believe it was not supposed to happen under "normal" conditions.

(Installing jre-6u22 as I type this)


It's a little hard to tell because the infection goes unnoticed after MBAM and AntiVir "remove" it... then it comes back out of nowhere after a while (about a week). But I am crossing my fingers that it has been taken care of.

Thanks for the help (so far), it's deeply appreciated :D


In that case, please run the following scan and we'll keep this open for a few more days, so you can report any issues.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.

    3. Check the box to accept the Terms of Use.
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Check "Scan archives".
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push "List of found threats".
    10. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the Back button.
    12. Push Finish.


The scanning completed and reported that I am clean... just like AntiVir and MBAM do between re-appearances of this thing.

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=ebaf210aeab307489f58406392b5c1a3

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-10-22 05:10:00

# local_time=2010-10-22 07:10:00 (+0100, W. Europe Daylight Time)

# country="Sweden"

# lang=1033

# osver=5.2.3790 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=1797 16775125 100 93 149625 46859589 146212 0

# compatibility_mode=8192 67108863 100 0 622 622 0 0

# scanned=40538

# found=0

# cleaned=0

# scan_time=904


Alright, I did however just realize I still have the files in MBAM's quarantine from the last infection... Let me know if you wish to take a look at them (in case that would be of any help).

Otherwise please keep the thread open, it may be up to a week before the infection returns.


The last infection was immediately stopped by AntiVir (I had increased the process security for the program to Resistant; before that, the infection stopped AntiVir)... so I don't have a log from the last infection (which was on the 20th).

But here is the log from the infection prior to the final one (on the 14th):

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4825

Windows 5.2.3790 Service Pack 2

Internet Explorer 6.0.3790.1830

2010-10-14 23:32:47

mbam-log-2010-10-14 (23-32-47).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 165041

Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 5

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

C:\Documents and Settings\Warepire\Local Settings\Temp\Ggy.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\KOO9RV9K4Z (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koo9rv9k4z (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Warepire\Local Settings\Temp\Ggy.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Warepire\Local Settings\Temp\Ggv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Warepire\Local Settings\Temp\renmsxwaoc.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\SysWOW64\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Warepire\Local Settings\Temp\Ggx.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


Sorry for the double posting... here is the AntiVir report from the most recent return of the malware, forgot to post it before I pressed Add Reply:

Avira AntiVir Personal

Report file date: den 20 oktober 2010 02:19

Scanning for 2944784 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP x64 Edition

Windows version : (Service Pack 2) [5.2.3790]

Boot mode : Normally booted

Username : SYSTEM

Computer name : MINION

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 11:37:38

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 11:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 17:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 22:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 08:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 18:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 16:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 15:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 10:29:03

VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 20:00:59

VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 20:01:03

VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 10:43:04

VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 20:14:07

VBASE009.VDF : 7.10.11.134 2048 Bytes 9/13/2010 20:14:07

VBASE010.VDF : 7.10.11.135 2048 Bytes 9/13/2010 20:14:07

VBASE011.VDF : 7.10.11.136 2048 Bytes 9/13/2010 20:14:07

VBASE012.VDF : 7.10.11.137 2048 Bytes 9/13/2010 20:14:07

VBASE013.VDF : 7.10.11.165 172032 Bytes 9/15/2010 09:24:56

VBASE014.VDF : 7.10.11.202 144384 Bytes 9/18/2010 09:52:32

VBASE015.VDF : 7.10.11.231 129024 Bytes 9/21/2010 09:52:33

VBASE016.VDF : 7.10.12.4 126464 Bytes 9/23/2010 14:00:05

VBASE017.VDF : 7.10.12.38 146944 Bytes 9/27/2010 17:00:56

VBASE018.VDF : 7.10.12.64 133120 Bytes 9/29/2010 09:51:07

VBASE019.VDF : 7.10.12.99 134144 Bytes 10/1/2010 13:14:27

VBASE020.VDF : 7.10.12.122 131584 Bytes 10/5/2010 11:45:29

VBASE021.VDF : 7.10.12.148 119296 Bytes 10/7/2010 11:44:46

VBASE022.VDF : 7.10.12.175 142848 Bytes 10/11/2010 16:20:40

VBASE023.VDF : 7.10.12.198 131584 Bytes 10/13/2010 12:07:00

VBASE024.VDF : 7.10.12.216 133120 Bytes 10/14/2010 16:21:40

VBASE025.VDF : 7.10.12.238 137728 Bytes 10/18/2010 14:49:06

VBASE026.VDF : 7.10.12.239 2048 Bytes 10/18/2010 14:49:06

VBASE027.VDF : 7.10.12.240 2048 Bytes 10/18/2010 14:49:06

VBASE028.VDF : 7.10.12.241 2048 Bytes 10/18/2010 14:49:06

VBASE029.VDF : 7.10.12.242 2048 Bytes 10/18/2010 14:49:06

VBASE030.VDF : 7.10.12.243 2048 Bytes 10/18/2010 14:49:06

VBASE031.VDF : 7.10.12.244 2048 Bytes 10/18/2010 14:49:06

Engineversion : 8.2.4.82

AEVDF.DLL : 8.1.2.1 106868 Bytes 8/19/2010 13:23:04

AESCRIPT.DLL : 8.1.3.45 1368443 Bytes 9/18/2010 09:46:47

AESCN.DLL : 8.1.6.1 127347 Bytes 7/8/2010 20:01:15

AESBX.DLL : 8.1.3.1 254324 Bytes 7/8/2010 20:01:16

AERDL.DLL : 8.1.9.2 635252 Bytes 9/24/2010 14:00:07

AEPACK.DLL : 8.2.3.11 471416 Bytes 10/12/2010 16:20:45

AEOFFICE.DLL : 8.1.1.8 201081 Bytes 7/22/2010 11:58:47

AEHEUR.DLL : 8.1.2.35 2961784 Bytes 10/16/2010 16:21:43

AEHELP.DLL : 8.1.14.0 246134 Bytes 10/12/2010 16:20:42

AEGEN.DLL : 8.1.3.23 401779 Bytes 10/2/2010 13:14:31

AEEMU.DLL : 8.1.2.0 393588 Bytes 7/8/2010 20:01:10

AECORE.DLL : 8.1.17.0 196982 Bytes 9/25/2010 21:44:58

AEBB.DLL : 8.1.1.0 53618 Bytes 7/8/2010 20:01:09

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 11:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 11:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 15:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 11:35:46

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 11:39:51

AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 11:22:13

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 08:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 11:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 14:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 13:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 12:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 13:14:29

Configuration settings for the scan:

Jobname.............................: avguard_async_scan

Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_d6831b51\guard_slideup.avp

Logging.............................: low

Primary action......................: repair

Secondary action....................: quarantine

Scan master boot sector.............: on

Scan boot sector....................: off

Process scan........................: on

Scan registry.......................: off

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: high

Start of the scan: den 20 oktober 2010 02:19

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'SpybotSD.exe' - '1' Module(s) have been scanned

Scan process 'foobar2000.exe' - '1' Module(s) have been scanned

Scan process 'miranda32.exe' - '1' Module(s) have been scanned

Scan process 'CTXFISPI.EXE' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'CTXFIHLP.EXE' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'DTLite.exe' - '1' Module(s) have been scanned

Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned

Scan process 'avshadow.exe' - '1' Module(s) have been scanned

Scan process 'ToolTipFixer.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'FileZilla Server.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'CTAudSvc.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Warepire\Local Settings\Temp\Ggw.exe'

C:\Documents and Settings\Warepire\Local Settings\Temp\Ggw.exe

[DETECTION] Is the TR/Crypt.EPACK.Gen2 Trojan

[NOTE] The file was moved to the quarantine directory under the name '491b976b.qua'.

End of the scan: den 20 oktober 2010 02:19

Used time: 00:07 Minute(s)

The scan has been done completely.

0 Scanned directories

18 Files were scanned

1 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

1 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

17 Files not concerned

0 Archives were scanned

0 Warnings

1 Notes

The scan results will be transferred to the Guard.


It is possible you got reinfected, for example by visiting a site that installs this infection automatically multiple times. Do you recall any similarities between the times you got this infection (things you tried to access, for example)?

Please access this folder and list its contents: C:\WINDOWS\Tasks


I have been trying to find a pattern but there is none. The only site I had visited at all 4 times that this has come back is www.thelocal.se... but I go there ~2 times a day, so in my logic I would get infected a lot more often if that site was the cause... IF I am getting re-infected the most logical reason in my book is that an infected advertisement that is used by several sites is causing this problem.

Here is the listing for C:\WINDOWS\Tasks:

C:\WINDOWS\Tasks>dir

Volume in drive C is System

Volume Serial Number is EC43-8855

Directory of C:\WINDOWS\Tasks

2010-10-23 02:45 32

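The MBAM log earlier in the thread shows the three persistence points this infection used: GUID-named .job files in C:\WINDOWS\Tasks, a value under the HKCU Run key, and a droppper relaunched from the user's Temp folder. The following PowerShell script is an added example (not something posted in the thread or part of any tool used here) that checks the first two of those for entries launching from a Temp folder; it assumes PowerShell 2.0 or later is installed on the machine.

```powershell
# Added example: list scheduled-task files and HKCU Run entries and flag
# anything that launches from a user's Temp directory, the pattern seen
# in the MBAM log above. Assumes PowerShell 2.0+.

$tasksDir    = Join-Path $env:windir 'Tasks'
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# XP-style and Vista+ style per-user Temp paths
$tempPattern = '\\Local Settings\\Temp\\|\\AppData\\Local\\Temp\\'

Write-Host "== Scheduled task files in $tasksDir =="
Get-ChildItem -Path $tasksDir -Filter '*.job' -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    # Hand-made tasks normally carry a readable name; {GUID}.job names
    # like the two quarantined above deserve a closer look.
    $guidName = $_.Name -match '^\{[0-9A-Fa-f-]{36}\}\.job$'

    # .job is a binary format, but the application path and arguments are
    # stored as UTF-16LE strings after an even-length header, so decoding
    # the whole file as Unicode is enough to search for a Temp path.
    $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
    $text  = [System.Text.Encoding]::Unicode.GetString($bytes)

    New-Object PSObject -Property @{
        Name         = $_.Name
        Modified     = $_.LastWriteTime
        GuidName     = $guidName
        RunsFromTemp = ($text -match $tempPattern)
    }
} | Format-Table Name, Modified, GuidName, RunsFromTemp -AutoSize

Write-Host "== Values under $runKey =="
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |      # skip PowerShell's own metadata
    ForEach-Object {
        New-Object PSObject -Property @{
            Name         = $_.Name
            Command      = $_.Value
            RunsFromTemp = ([string]$_.Value -match $tempPattern)
        }
    } | Format-Table Name, Command, RunsFromTemp -AutoSize
}
```

Any row with RunsFromTemp set to True, or a GUID-named .job file you did not create, is worth posting for review before deleting, since the scan logs above show the task was what kept bringing the Gg?.exe downloader back.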

Hi, I'm glad to hear that! :D Here are some final steps and information.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :D

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Rerun OTL and click the Cleanup button. Allow a reboot. This will remove all logs and tools we used.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

