My home PC has been hijacked by "undetected" virus!

  #1 tluxon (Junior Member)

    I've followed Carrie2525's thread with great interest and it gives me a sliver of hope that I won't have to take the approach of putting in a brand new boot drive to reinstall everything from scratch. I really don't want to do that as this is a very involved setup and I hadn't yet made an image of the drive since going through all that just a few months ago.

    Late last night when I had just completed transferring a program from one of our TiVoHDs to the PC, I navigated (Firefox 3.6) to Buy.com to look at their NAS offerings and then to an infomercial website that I was interested in. Shortly after (maybe after some 10-15 minutes of the browser being opened), a maroon Avast! warning (I use Avast! Pro 5.0 on my work and home PCs) popped up out of the system tray (Windows XP Pro SP3), saying a trojan had tried to do something and it had been "Moved to the Chest". I clicked on the "X" in the upper right corner of the window to send it back down to the tray. Within seconds, a "Security Alert" window popped up from the tray warning that my PC was infected and that something was trying to access the internet. This window asked me if I wanted the program to continue blocking it, with a "Yes" and a "No" button, but with no "X" to close the window. Being late and having just been reassured that Avast! was protecting me, I clicked on "Yes" (keep blocking the rogue attempt to the internet). I know better than to click anything, but it was already too late - I had almost inadvertently clicked on it.

    Right away I knew this wasn't good. I looked at the system tray and noticed a new icon sitting in there - the dreaded new "anti-spyware" icon. I quickly opened up Avast!, configured it for a boot-time scan, and restarted my PC.

    When I got up this morning, I went straight to the PC to see what Avast! had come up with. All it found was some file in Temporary Internet Files that it had moved to the chest. Nothing else. I wasn't very hopeful, but let the PC continue starting and logged in. The first thing I did was start MalwareBytes Anti-Malware to run a scan (I wanted to hit this thing from another angle). Meanwhile, I attempted to open Task Manager to observe for any processes that looked unusual. Unfortunately, Task Manager wouldn't stay open for more than about 1 second before shutting back down. I found that I could keep the Task Manager window open by holding down CTRL-ALT-DEL, and I could even click on the Processes tab. When I did, I saw a process name that matched what I recognized as the name of the file Avast! had intercepted last night, but I was unable to stop the process. I opened Control Panel and tried to open Add/Remove Programs, and I was told the file that does that was infected and couldn't run. I tried to open "System" and confronted the same roadblock. Within a couple of minutes of starting, Internet Explorer opened up to some page with the word "PORN" prominent at the top. I clicked on the Home button to go to my home page and was given a blank page with some gibberish about that page being infected or something. I then tried a search for a random term and a blank page appeared saying that Google was infected or something.

    I'm not sure what steps to take next. In the past I would've tried a number of antivirus programs (like Spybot's Search and Destroy) and never had success. At this time I'm pretty sure I wouldn't even be able to install such a program, so my thinking was to take the boot drive out and hook it up via a USB enclosure to my wife's PC and scan it that way, but I'm pretty sure this virus has cloned its name and file attributes after the name and file attributes of a known good file, so it will never be found if it's not caught executing something. That makes me think the fast route is to put in a brand new drive and reinstall everything from scratch, but when I did this a few months ago it still took over 24 hours of task time!

    At this point I'm not even sure I can install anything or even be able to read a peripheral device (like a CD or USB drive) short of booting to it.

    Is there any hope of getting this PC cleaned up? If so, how should I start?

  #2 broni (Senior Member)
    Let's see if we can look at your computer by booting from an external source.

    Please download OTLPE (filesize 120.9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have an internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.

  #3 tluxon (Junior Member)
    I always wanted to use PE Builder to make my own bootCD for just this kind of diagnosis. Great tool!

    First, while I awaited a reply to my original post, I was able to run a safe-mode scan with MalwareBytes Anti-Malware and it found an infection that I had it delete. Next, I ran a time-consuming Avast! boot scan and it found 3 infections that I had it delete. When I rebooted, I played around a bit and the PC was acting completely normal (opening various programs in Control Panel, opening Explorer and browsing across the network, and running Firefox to run a search and browse to a couple places). I figured it still needed some registry cleanup (CCleaner?), but before getting to that I found your reply and decided to go ahead and follow your instructions regardless.

    Here's the long log file:

    OTL logfile created on: 6/5/2010 2:20:34 AM - Run
    OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 31.25 Gb Total Space | 14.31 Gb Free Space | 45.80% Space Free | Partition Type: NTFS
    Drive D: | 31.25 Gb Total Space | 3.56 Gb Free Space | 11.39% Space Free | Partition Type: NTFS
    Drive E: | 63.47 Gb Total Space | 2.98 Gb Free Space | 4.69% Space Free | Partition Type: NTFS
    Drive F: | 31.25 Gb Total Space | 2.20 Gb Free Space | 7.04% Space Free | Partition Type: NTFS
    Drive G: | 117.80 Gb Total Space | 7.81 Gb Free Space | 6.63% Space Free | Partition Type: NTFS
    Drive H: | 202.51 Gb Total Space | 4.24 Gb Free Space | 2.09% Space Free | Partition Type: NTFS
    Drive I: | 62.46 Mb Total Space | 62.46 Mb Free Space | 99.99% Space Free | Partition Type: FAT
    Drive J: | 867.98 Gb Total Space | 10.74 Gb Free Space | 1.24% Space Free | Partition Type: NTFS
    Drive K: | 900.26 Gb Total Space | 5.02 Gb Free Space | 0.56% Space Free | Partition Type: NTFS
    Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO
    Current User Name: SYSTEM
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: All users
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Standard
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [Auto] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/03/19 13:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2010/02/12 01:52:38 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2009/11/02 17:17:00 | 001,098,968 | ---- | M] (TiVo Inc.) [Disabled] -- C:\Program Files\TiVo\Desktop\TiVoBeacon.exe -- (TivoBeacon2)
    SRV - [2008/12/29 14:43:48 | 000,827,392 | ---- | M] (Hauppauge Computer Works) [On_Demand] -- C:\Program Files\WinTV\HCWTVServer.exe -- (HauppaugeTVServer)
    SRV - [2008/05/02 19:51:52 | 000,077,824 | ---- | M] () [Auto] -- C:\Program Files\pyTivo\pyTivoService.exe -- (pyTivo)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (NHCIENUM)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - [2010/05/06 16:41:12 | 000,307,280 | ---- | M] (ALWIL Software) [File_System | System] -- C:\WINDOWS\system32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2010/05/06 16:39:23 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2010/05/06 16:39:00 | 000,164,048 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
    DRV - [2010/05/06 16:34:27 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2010/05/06 16:33:59 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2010/05/06 16:33:47 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/05/06 16:33:29 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2009/09/30 00:18:22 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2009/06/17 08:20:34 | 000,012,648 | ---- | M] (Secunia) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
    DRV - [2008/04/14 04:16:24 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
    DRV - [2008/04/14 04:16:22 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
    DRV - [2008/04/14 04:16:22 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
    DRV - [2008/04/14 04:16:08 | 000,013,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\avcstrm.sys -- (AVCSTRM)
    DRV - [2008/01/28 21:44:04 | 000,384,896 | ---- | M] (Hauppauge Computer Works, Inc) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hcw18bda.sys -- (hcw18bda)
    DRV - [2007/12/06 13:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
    DRV - [2007/06/04 14:58:08 | 000,054,016 | ---- | M] (Keyspan) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nhcimono.sys -- (NHCIMONO)
    DRV - [2004/02/26 12:50:38 | 000,611,820 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
    DRV - [2004/02/23 23:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
    DRV - [2003/11/11 11:34:00 | 000,022,891 | ---- | M] (Matsushita Electric Industorial Co.,Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\meistb.sys -- (MEITUNER)
    DRV - [2003/11/11 11:33:54 | 000,013,195 | ---- | M] (Matsushita Electric Industorial Co.,Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\meistrm.sys -- (MEISTRM)
    DRV - [2003/08/05 22:43:04 | 000,159,744 | R--- | M] (Promise Technology, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\Fasttx2k.sys -- (fasttx2k)
    DRV - [1997/04/22 14:16:00 | 000,006,272 | ---- | M] () [Kernel | Auto] -- C:\WINDOWS\system32\drivers\ASLM75.SYS -- (aslm75)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Tim_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
    IE - HKU\Tim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\Tim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\Tim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

    FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/04/02 22:05:57 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/24 04:41:22 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/20 00:44:56 | 000,000,000 | ---D | M]

    [2010/06/04 02:16:16 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/04/20 00:44:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/04/12 20:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2010/01/13 18:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

    O1 HOSTS File: ([2008/04/14 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll (LastPass)
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll (LastPass)
    O3 - HKU\Tim_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
    O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
    O4 - HKLM..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [EPSON Stylus Photo RX620 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [Ptipbmf] C:\WINDOWS\System32\ptipbmf.dll (Promise Technology, Inc.)
    O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
    O4 - HKU\Tim_ON_C..\Run: [eFax 4.4] C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe (j2 Global Communications, Inc.)
    O4 - HKU\Tim_ON_C..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe (TiVo Inc.)
    O4 - HKU\Tim_ON_C..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe (TiVo Inc.)
    O4 - HKU\Tim_ON_C..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe (TiVo Inc.)
    O4 - HKU\Tim_ON_C..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe ()
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe (Hauppauge Computer Works)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Keyspan USB Server Task.lnk = C:\Program Files\Keyspan\USB Server\nhciTask.exe (Keyspan)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Tim_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O9 - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPBar.dll (LastPass)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop BackupWallPaper:
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/02/11 04:15:06 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/06/04 22:28:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    [2010/06/04 22:28:30 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
    [2010/06/04 22:27:54 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
    [2010/06/04 22:27:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
    [2010/06/04 22:27:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
    [2010/06/04 22:27:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
    [2010/06/04 22:27:54 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
    [2010/06/04 22:27:54 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
    [2010/06/04 22:27:54 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Recent
    [2010/06/04 22:27:54 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
    [2010/06/04 22:27:54 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
    [2010/06/04 22:27:54 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
    [2010/06/04 22:27:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents
    [2010/06/04 22:27:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
    [2010/06/04 22:27:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Favorites
    [2010/06/04 22:27:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
    [2010/06/04 04:01:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Local Settings\Application Data\jqrcfrgaj
    [2010/06/02 00:54:19 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
    [2010/05/29 04:27:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Application Data\vlc
    [2010/05/16 20:30:10 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrent
    [2010/05/16 20:27:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Application Data\uTorrent
    [2010/05/09 14:02:22 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
    [2010/05/09 14:02:20 | 000,000,000 | ---D | C] -- C:\Program Files\Garmin
    [2010/05/06 03:58:03 | 000,000,000 | ---D | C] -- C:\HEALING_CANCER
    [2010/05/06 0338 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Application Data\RipIt4Me
    [2010/05/06 0301 | 000,000,000 | ---D | C] -- C:\Program Files\DVD Decrypter
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2010/06/05 04:13:40 | 000,241,664 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
    [2010/06/05 04:13:40 | 000,241,664 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
    [2010/06/05 04:13:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/06/05 04:13:30 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/06/05 04:11:03 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\Tim\NTUSER.DAT
    [2010/06/05 04:11:03 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Tim\ntuser.ini
    [2010/06/05 04:08:19 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Dr. Brownstein's Natural Way to Health.URL
    [2010/06/05 03:57:39 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-299502267-1935655697-1644491937-1003.job
    [2010/06/05 03:57:29 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/06/05 00:27:05 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
    [2010/06/05 00:27:05 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
    [2010/06/05 00:27:02 | 003,850,000 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
    [2010/06/04 03:51:02 | 000,000,175 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\CompUSA.com DNS-321 D-Link DNS-321 Network Attached Storage Enclosure.URL
    [2010/06/04 03:42:24 | 000,000,155 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Netgear ReadyNAS Duo 2TB NAS - dealnews.com.URL
    [2010/06/04 03:36:05 | 000,000,113 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\CompUSA.com DNS-343 D-Link DNS-343 NAS Enclosure.URL
    [2010/06/03 11:02:15 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-299502267-1935655697-1644491937-1003.job
    [2010/06/01 10:54:03 | 000,000,119 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\AbbySunderland.com - 16-year old girl sailing around the world.url
    [2010/05/30 04:19:50 | 000,000,158 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Live video link from the ROV monitoring the damaged riser.URL
    [2010/05/29 15:47:47 | 000,000,068 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\YouTube - OLS - Global Catastrophe - Trail Of Tears - 2010.wmv.URL
    [2010/05/29 15:47:24 | 000,000,084 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\YouTube - OIL RIG DISASTER - HALIBURTON SABOTAGED THE RIG !.URL
    [2010/05/29 14:47:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2010/05/29 04:30:18 | 000,000,439 | ---- | M] () -- C:\WINDOWS\Ulead32.ini
    [2010/05/29 04:30:18 | 000,000,052 | ---- | M] () -- C:\WINDOWS\Pex.INI
    [2010/05/27 07:48:25 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/05/20 04:08:51 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/05/16 12:42:16 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/05/16 04:11:47 | 000,000,100 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\The Tale of Apple's Next iPhone - Iphone 4 - Gizmodo.URL
    [2010/05/14 04:20:40 | 000,000,068 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\YouTube - Talk - Naomi Wolf - The End of America.URL
    [2010/05/12 03:00:05 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/05/11 04:53:56 | 000,000,144 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\FOXNews.com - EXCLUSIVE Elvis Presley's Doctor Claims He Died of an 'Embarrassing' Case of Chronic Constipation.URL
    [2010/05/10 03:43:21 | 000,000,067 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\Market Morning May 7, 2010 Dr. Doom on the Economy Part One [05-07-10 1030 AM].URL
    [2010/05/06 22:06:48 | 000,001,409 | ---- | M] () -- C:\Documents and Settings\Tim\Desktop\DivX Movies.lnk
    [2010/05/06 16:59:36 | 000,165,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2010/05/06 16:41:12 | 000,307,280 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
    [2010/05/06 16:39:23 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2010/05/06 16:39:00 | 000,164,048 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2010/05/06 16:34:27 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2010/05/06 16:33:59 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2010/05/06 16:33:55 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2010/05/06 16:33:47 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2010/05/06 16:33:29 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/06/05 04:08:19 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Dr. Brownstein's Natural Way to Health.URL
    [2010/06/04 22:27:56 | 000,069,632 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
    [2010/06/04 22:27:56 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
    [2010/06/04 22:27:54 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
    [2010/06/04 03:51:02 | 000,000,175 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\CompUSA.com DNS-321 D-Link DNS-321 Network Attached Storage Enclosure.URL
    [2010/06/04 03:42:24 | 000,000,155 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Netgear ReadyNAS Duo 2TB NAS - dealnews.com.URL
    [2010/06/04 03:36:05 | 000,000,113 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\CompUSA.com DNS-343 D-Link DNS-343 NAS Enclosure.URL
    [2010/06/01 10:53:31 | 000,000,119 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\AbbySunderland.com - 16-year old girl sailing around the world.url
    [2010/05/30 04:19:50 | 000,000,158 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Live video link from the ROV monitoring the damaged riser.URL
    [2010/05/29 15:47:47 | 000,000,068 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\YouTube - OLS - Global Catastrophe - Trail Of Tears - 2010.wmv.URL
    [2010/05/29 15:47:24 | 000,000,084 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\YouTube - OIL RIG DISASTER - HALIBURTON SABOTAGED THE RIG !.URL
    [2010/05/16 04:11:47 | 000,000,100 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\The Tale of Apple's Next iPhone - Iphone 4 - Gizmodo.URL
    [2010/05/14 04:20:40 | 000,000,068 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\YouTube - Talk - Naomi Wolf - The End of America.URL
    [2010/05/11 04:53:56 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\FOXNews.com - EXCLUSIVE Elvis Presley's Doctor Claims He Died of an 'Embarrassing' Case of Chronic Constipation.URL
    [2010/05/10 03:43:21 | 000,000,067 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\Market Morning May 7, 2010 Dr. Doom on the Economy Part One [05-07-10 1030 AM].URL
    [2010/05/07 0424 | 000,000,003 | ---- | C] () -- C:\Documents and Settings\Tim\dxva_sig.txt
    [2010/05/06 22:06:48 | 000,001,409 | ---- | C] () -- C:\Documents and Settings\Tim\Desktop\DivX Movies.lnk
    [2010/05/02 17:28:23 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\nhciClassInstall.dll
    [2010/05/02 16:25:12 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
    [2010/05/02 16:23:23 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
    [2010/05/02 16:23:23 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
    [2010/05/02 16:18:59 | 000,000,193 | ---- | C] () -- C:\WINDOWS\EPSON RX620 Installer.ini
    [2010/04/18 15:45:38 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
    [2010/04/07 0318 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
    [2010/04/07 0317 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2010/03/23 03:52:37 | 000,000,052 | ---- | C] () -- C:\WINDOWS\Pex.INI
    [2010/03/23 03:50:10 | 000,000,439 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
    [2010/02/18 06:03:28 | 000,299,454 | ---- | C] () -- C:\WINDOWS\Allsim.ini
    [2010/02/18 06:03:28 | 000,061,268 | ---- | C] () -- C:\WINDOWS\Biutilsm.ini
    [2010/02/18 06:03:28 | 000,057,969 | ---- | C] () -- C:\WINDOWS\Simsim.ini
    [2010/02/18 06:03:28 | 000,000,580 | ---- | C] () -- C:\WINDOWS\Common.ini
    [2010/02/18 06:03:25 | 000,055,808 | ---- | C] () -- C:\WINDOWS\System32\Prtserv.dll
    [2010/02/15 22:32:25 | 000,000,248 | ---- | C] () -- C:\WINDOWS\HCWBlast.ini
    [2010/02/15 22:31:37 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dmcrypto.dll
    [2010/02/15 22:31:04 | 000,217,149 | ---- | C] () -- C:\WINDOWS\System32\hcwChDB.dll
    [2010/02/15 22:30:58 | 000,000,053 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.INI
    [2010/02/13 05:58:10 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/02/11 09:02:55 | 000,033,117 | ---- | C] () -- C:\WINDOWS\Irremote.ini
    [2010/02/11 09:02:04 | 000,002,763 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI
    [2010/02/11 05:31:11 | 000,000,483 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2010/02/11 05:06:05 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
    [2010/02/11 04:57:08 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
    [2010/02/11 04:42:02 | 000,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS
    [2010/02/11 04:37:57 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
    [2010/02/11 04:37:54 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
    [2010/02/11 04:29:50 | 000,003,753 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
    [2010/02/11 04:29:49 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
    [2010/02/11 04:19:13 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\Tim\ntuser.dat.LOG
    [2010/02/11 04:19:13 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Tim\ntuser.ini
    [2010/02/11 04:19:12 | 005,767,168 | -H-- | C] () -- C:\Documents and Settings\Tim\NTUSER.DAT
    [2010/02/11 04:18:23 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini
    [2010/02/11 04:18:22 | 000,241,664 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
    [2010/02/11 04:18:22 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
    [2010/02/11 04:18:10 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
    [2010/02/11 04:18:09 | 000,241,664 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
    [2010/02/11 04:18:09 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
    [2006/07/21 19:50:34 | 000,066,048 | ---- | C] () -- C:\WINDOWS\System32\hcwxds.dll
    [2003/01/07 19:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2010/02/27 14:40:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Easy Duplicate Finder
    [2010/03/03 02:54:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\eFax Messenger
    [2010/05/02 17:39:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\EPSON
    [2010/03/03 02:54:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\j2 Global
    [2010/05/02 16:25:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Leadertech
    [2010/02/12 04:55:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\LEAPS
    [2010/02/12 04:54:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Pegasys Inc
    [2010/05/06 0347 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\RipIt4Me
    [2010/05/17 11:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\uTorrent
    [2010/06/03 03:06:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\VideoReDoPlus
    [2010/03/25 02:40:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\VitySoft

    ========== Purity Check ==========


    < End of report >

  4. #4
    broni is offline Senior Member
    Yeah, this is a great tool when you deal with a non-bootable computer.


    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    IE - HKU\Tim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O4 - HKLM..\Run: [] File not found
    O16 - DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jin...ndows-i586.cab  (Reg Error: Key error.)
    [2010/06/04 04:01:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Local Settings\Application Data\jqrcfrgaj
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer, do the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.

      • (The content of Fix.txt should appear in the box)

    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into windows.
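    As an added, defender-side example (not a tool from this thread, nor part of OTL or OTLPE), the following Python triage pass reads OTL-style log lines and flags the three kinds of entries the fix above targets: an IE proxy pointing at loopback, a Run entry with an empty name and missing target, and a random-looking folder under the user's profile data directories. The sample lines are constructed from entries quoted in this thread; the name-length and vowel-ratio thresholds are assumptions.

```python
import re

# Constructed sample modelled on the OTL log and fix posted in this thread.
SAMPLE_LINES = r"""
IE - HKU\Tim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O4 - HKLM..\Run: [] File not found
[2010/06/04 04:01:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Local Settings\Application Data\jqrcfrgaj
[2010/05/02 17:39:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\EPSON
[2010/05/17 11:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\uTorrent
[2010/05/02 17:28:23 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\nhciClassInstall.dll
""".strip().splitlines()

# OTL "Files/Folders Created or Modified" entry: [date time | size | attrs | C or M] (owner) -- path
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\] (?:\(\) )?-- (?P<path>.+)$"
)
# IE proxy as OTL prints it; a loopback proxy is how the browser traffic was being hijacked here
LOOPBACK_PROXY = re.compile(r'"ProxyServer" = \S*?(127\.0\.0\.1|localhost):\d+', re.I)
# Autorun entry with an empty name whose target file no longer exists
EMPTY_RUN = re.compile(r"^O4 - .*Run: \[\] File not found$")
USER_DATA_DIRS = ("\\local settings\\application data\\", "\\application data\\")


def looks_random(name: str, min_len: int = 7, max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic (thresholds assumed): long, all-lowercase, extension-less, few vowels."""
    if len(name) < min_len or "." in name or not name.isalpha() or not name.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) <= max_vowel_ratio


def triage(lines):
    """Return (line_no, reason) pairs for entries a first-pass reviewer should look at."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if LOOPBACK_PROXY.search(line):
            findings.append((n, "IE ProxyServer points at loopback (browser traffic hijack)"))
            continue
        if EMPTY_RUN.match(line):
            findings.append((n, "Run entry with empty name and missing target"))
            continue
        m = OTL_ENTRY.match(line)
        if not m:
            continue
        path = m.group("path")
        leaf = path.rsplit("\\", 1)[-1]
        if any(d in path.lower() for d in USER_DATA_DIRS) and looks_random(leaf):
            findings.append((n, f"random-looking name in user data dir: {leaf}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in triage(SAMPLE_LINES):
        print(f"line {line_no}: {reason}")
```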

  5. #5
    tluxon is offline Junior Member
    Everything went well, but I did have to hunt the log down before finding it in the "C:/_OTL/Moved Files" folder.

    Here's the log:

    ========== OTL ==========
    HKU\Tim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    Starting removal of ActiveX control {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\Administrator_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\Tim_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\ not found.
    C:\Documents and Settings\Tim\Local Settings\Application Data\jqrcfrgaj folder moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 112234362 bytes

    User: Tim
    ->Temp folder emptied: 637873608 bytes
    ->Temporary Internet Files folder emptied: 674755999 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 120095304 bytes
    ->Flash cache emptied: 41694 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2402044 bytes
    %systemroot%\System32 .tmp files removed: 6673 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 25489679 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10932794 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

    Total Files Cleaned = 1,511.00 mb


    OTLPE by OldTimer - Version 3.1.39.0 log created on 06052010_120326

    ------------------
    I booted the PC normally and did a few things without any signs of malicious activity. Browsing the internet in Firefox was normal. I took a look at the processes running in Task Manager and all of them appear to be legitimate - I'd still like to look at all the svchost entries in greater detail, but would need to install a program to do that and I wanted to avoid that until getting the All Clear from you.

    Thank you for your prompt responses!

  6. #6
    broni is offline Senior Member
    I wanted to avoid that until getting the All Clear from you
    Good thinking

    Now, I want you to update Malwarebytes, run a quick scan (in normal mode) and post a fresh log back here.

  7. #7
    tluxon is offline Junior Member
    I started MalwareBytes and clicked on "Check for Updates" in the Update tab. It responded,

    "An error occurred. Please report the following error code to MalwareByte's Anti-Malware support team. Error code: 732 (12029, 0)".

    I would download the latest release of MBAM from their website, uninstall my copy, and then install the latest release before running the scan, but I want to make sure that's your recommendation before continuing.

  8. #8
    broni is offline Senior Member
    Hold on with MBAM for now.

    Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
    Alternative downloads:
    - |MG| GMER 1.0.15.15281 Download
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    ============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  9. #9
    tluxon is offline Junior Member
    I'm concerned that I may have a problem or two.

    First, when I double-clicked on GMER I noticed that Avast! wasn't disabled and that I still had Task Manager minimized to the tray. Being certain that it was important not to have those programs active, I tried to shut down Taskman and disable Avast! until the system was restarted. Apparently not such a good idea, as GMER shut down and the PC completely locked up. I cycled the power with the reset button in order to continue.

    Now, I've had GMER scanning for over 3 hours and I got curious how long I should expect it to take. I saw references to as long as 24 hours and even longer, depending on the setting of the IAT/EAT option (checked by default, which is how I ran the scan). The problem as I see it is that I've got 4 HDD's (160GB with boot partition and data partition; 250GB with 2 data partitions; and two 1TB drives for audio/photo/video multimedia) in this system - and if GMER is going to scan all of them it may take weeks.

    Do you have any advice regarding these two concerns?

    EDIT: Never mind on the second concern. I see that only Drive C is checked in the drive list window on the right.
    Last edited by tluxon; 06-06-2010 at 12:03 AM.

  10. #10
    tluxon is offline Junior Member
    I just came in from washing the car (I'm trying to make it rain, LOL!) and was greeted with the Windows login screen. When I logged in, I got the Windows notice saying that Windows had just recovered from a serious error. I'm sure that the scan was nearly complete when this happened because I had been taking note of the folders that were being scanned and virtually all of them had.

    I don't believe I should anticipate any different results if I do exactly the same thing again. I'm going to attempt the next scan in safe mode provided it will let me.

    By the way, I'm having a heckuva time trying to get my PC to start in safe mode. The first time it took me about 10 tries and I've already tried 6 or 7 times for this already. I suspect some serious kind of rootkit is getting hold of my PC really early in the process.

    EDIT: My mistake. Every time I used F8 during the boot I was getting a menu of devices to boot from that I hadn't seen before (I've usually gone into the BIOS Setup for that), so I was hitting the F7 key for the safe mode (oops!). I found that if I get that menu, I just have to keep hitting the F8 key after selecting the boot device. Now I'm okay.
    Last edited by tluxon; 06-06-2010 at 01:00 AM.
