Solved Please help remove a virus

arvnranger · Apr 4, 2012

OTL Extras logfile created on: 5/04/2012 10:38:45 a.m. - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\ivan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001409 | Country: New Zealand | Language: ENZ | Date Format: d/MM/yyyy

1.99 Gb Total Physical Memory | 1.37 Gb Available Physical Memory | 69.02% Memory free
2.58 Gb Paging File | 2.08 Gb Available in Paging File | 80.63% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 11.21 Gb Free Space | 30.09% Space Free | Partition Type: NTFS
Drive H: | 67.83 Gb Total Space | 29.41 Gb Free Space | 43.37% Space Free | Partition Type: NTFS
Drive O: | 67.83 Gb Total Space | 29.41 Gb Free Space | 43.37% Space Free | Partition Type: NTFS
Drive P: | 67.83 Gb Total Space | 29.41 Gb Free Space | 43.37% Space Free | Partition Type: NTFS
Drive X: | 67.83 Gb Total Space | 29.41 Gb Free Space | 43.37% Space Free | Partition Type: NTFS
Drive Z: | 67.83 Gb Total Space | 29.41 Gb Free Space | 43.37% Space Free | Partition Type: NTFS

Computer Name: IVAN2_PC | User Name: ivan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-217054336-590899114-1854122260-1119\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled

xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled

xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\SQLANY70\dbeng7.exe" = C:\SQLANY70\dbeng7.exe:*:Enabled:Adaptive Server Anywhere Database Engine -- (Sybase, Inc.)
"C:\Documents and Settings\ivan\Desktop\utorrent.exe" = C:\Documents and Settings\ivan\Desktop\utorrent.exe:*:Enabled:µTorrent
"C:\WT_DESKB\DeskBank.exe" = C:\WT_DESKB\DeskBank.exe:*:Enabled:Main DeskBank Program -- (Westpac)
"\\pcrak\premier\MYOBPremNew\Myobp.exe" = \\pcrak\premier\MYOBPremNew\Myobp.exe:*:Enabled:Myobp.exe
"\\PCRAK\engineering\drivers\printer drivers\hp colourlaserjet 3800\original disk\Temp\InstEng\Setup.exe" = \\PCRAK\engineering\drivers\printer drivers\hp colourlaserjet 3800\original disk\Temp\InstEng\Setup.exe:*:Enabled:Hewlett-Packard Installer
"\\PCRAK\engineering\drivers\printer drivers\hp P3005N\Temp\InstEng\Setup.exe" = \\PCRAK\engineering\drivers\printer drivers\hp P3005N\Temp\InstEng\Setup.exe:*:Enabled:Hewlett-Packard Installer
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\WINDOWS\system32\msnneb32.exe" = C:\WINDOWS\system32\msnneb32.exe:*:Enabled:MsnUpdate
"C:\WINDOWS\system32\dllhost32.exe" = C:\WINDOWS\system32\dllhost32.exe:*:Enabled:schost
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer
"C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe" = C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server -- (PeeringPortal)
"C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe" = C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server -- (PeeringPortal)
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\SQLANY70\dbeng7.exe" = C:\SQLANY70\dbeng7.exe:*:Enabled:Adaptive Server Anywhere Database Engine -- (Sybase, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2411" = CanoScan LiDE 70
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{29D851C2-048C-4B5E-8D1F-25D473342BB5}" = ScanSoft OmniPage SE 4.0
"{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Management Programs
"{307B9D04-A1F4-48EA-809C-DF7FA9C4BB6D}" = Presto! PageManager 7.15.13
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D122AF9-1E02-4035-8003-334D378C1B62}_is1" = PDF OCR 3.0
"{403BC48C-BCAA-47EA-9841-F26599A81E48}" = HP LaserJet P3005 Install Notes
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D5795B4-76AC-473B-82DA-0AE6CBB4BD8C}" = HP Color LaserJet 3800
"{526E8C7A-8709-49E8-8D6D-58A90CE37AB3}" = MYOB Premier v12
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{748B1880-9025-439D-B5D1-E078F2329993}" = HP LaserJet P3005
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{875C8982-4147-423D-9A81-4346DAD25ACA}" = MYOB ODBC Direct v8 NZ
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{AC76BA86-7AD7-5760-0000-800000000003}" = Japanese Fonts Support For Adobe Reader 8
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B6F7DBE7-2FE2-458F-A738-B10832746036}" = Microsoft Reader
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240C1}" = WinZip 15.0
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CEF89BE7-8948-478A-A452-3F0E9F69233D}" = HP LaserJet P3005 User Guide
"{CF097717-F174-4144-954A-FBC4BF301033}" = Nero 7 Ultra Edition
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"CanoScan Toolbox 5.0" = Canon CanoScan Toolbox 5.0
"CCleaner" = CCleaner
"CutePDF Writer Installation" = CutePDF Writer 2.5
"DeskBank" = DeskBank
"DivX Setup.divx.com" = DivX Setup
"HP Color LaserJet 3800" = HP Color LaserJet 3800
"HP LaserJet P3005" = HP LaserJet P3005
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Management Programs
"InstallShield_{526E8C7A-8709-49E8-8D6D-58A90CE37AB3}" = MYOB Premier v12
"InstallShield_{875C8982-4147-423D-9A81-4346DAD25ACA}" = MYOB ODBC Direct v8 NZ
"InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mp3tag" = Mp3tag v2.48
"MusicBrainz Picard" = MusicBrainz Picard
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Ogg Codecs" = Ogg Codecs 0.81.15562
"Software Setup" = Software Setup
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/04/2012 10:43:16 p.m. | Computer Name = IVAN2_PC | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module medialibrarynse.dll, version 2.0.16.0, fault address 0x00002736.

Error - 3/04/2012 11:40:04 p.m. | Computer Name = IVAN2_PC | Source = Application Error | ID = 1000
Description = Faulting application pev.3xe, version 0.0.0.0, faulting module pev.3xe,
version 0.0.0.0, fault address 0x0008d1c0.

[ System Events ]
Error - 4/04/2012 6:37:22 p.m. | Computer Name = IVAN2_PC | Source = Service Control Manager | ID = 7023
Description = The Nnsvc service terminated with the following error: %%126

Error - 4/04/2012 6:37:22 p.m. | Computer Name = IVAN2_PC | Source = Service Control Manager | ID = 7023
Description = The LRMINIPORT service terminated with the following error: %%126

Error - 4/04/2012 6:37:22 p.m. | Computer Name = IVAN2_PC | Source = Service Control Manager | ID = 7023
Description = The Ntsvcmgr service terminated with the following error: %%126

Error - 4/04/2012 6:37:22 p.m. | Computer Name = IVAN2_PC | Source = Service Control Manager | ID = 7023
Description = The W550mdfl service terminated with the following error: %%126

Error - 4/04/2012 6:37:22 p.m. | Computer Name = IVAN2_PC | Source = Service Control Manager | ID = 7023
Description = The Vrfwsvc service terminated with the following error: %%126

Error - 4/04/2012 6:37:22 p.m. | Computer Name = IVAN2_PC | Source = Service Control Manager | ID = 7023
Description = The Ha20x2k service terminated with the following error: %%126

Error - 4/04/2012 6:37:22 p.m. | Computer Name = IVAN2_PC | Source = Service Control Manager | ID = 7023
Description = The Portio service terminated with the following error: %%126

Error - 4/04/2012 6:37:22 p.m. | Computer Name = IVAN2_PC | Source = Service Control Manager | ID = 7023
Description = The KMW_USB service terminated with the following error: %%126

Error - 4/04/2012 6:37:22 p.m. | Computer Name = IVAN2_PC | Source = Service Control Manager | ID = 7023
Description = The Naiavfilter1 service terminated with the following error: %%126

Error - 4/04/2012 6:37:22 p.m. | Computer Name = IVAN2_PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

< End of report >

Broni · Apr 4, 2012

At this point your computer should be fairly clean so I want you to use it more and report on any issues.

You're not running any AV program, so AFTER you run OTL fix listed below...
Install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
- free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
Update, run full scan, report on any findings.

==================================================================

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

:Commands
[purity]
[emptytemp]
[emptyjava]
[emptyflash]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
You will get a log that shows the results of the fix. Please post it.

=================================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.

Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Do NOT post JavaRa log.

==================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.

Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

3. Download Temp File Cleaner (TFC)

Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

4. Please run a free online scan with the ESET Online Scanner

Disable your antivirus program
Tick the box next to YES, I accept the Terms of Use
Click Start
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click on List of found threats
Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
NOTE. If Eset won't find any threats, it won't produce any log.

arvnranger · Apr 4, 2012

OTL.RunFix has been sitting (idle?) for about an hour. I've just realised I negelected to halt Malwarebytes and SuperAntiSpyware before pasting the parameters you gave me and clicking Run Fix. Is it ok for me to reboot and start over? The system's currently not accepting any input.

Broni · Apr 4, 2012

Reboot manually to safe mode and run OTL fix from there.

arvnranger · Apr 4, 2012

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google Sidewiki...\ deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Flash cache emptied: 405 bytes

User: Administrator.PCRENTALSAUCKLA
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56502 bytes

User: ivan
->Temp folder emptied: 1430089 bytes
->Temporary Internet Files folder emptied: 6003036 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1879 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 9438 bytes

User: __0X00AC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: __0X00D0
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: __0X00F4
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 7.00 mb

[EMPTYJAVA]

User: Administrator

User: Administrator.PCRENTALSAUCKLA

User: All Users

User: Default User

User: ivan
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: __0X00AC

User: __0X00D0

User: __0X00F4

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: Administrator.PCRENTALSAUCKLA

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: ivan
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: __0X00AC

User: __0X00D0

User: __0X00F4

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.39.2 log created on 04052012_150240

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

arvnranger · Apr 4, 2012

Could I possibly further impose upon you to suspend our work for the next little while? It's Easter here and I've taken next week off work to head away with my kids. I can't adequately express how grateful I am for your calm, patient and effective assistance and I feel a little remiss to baulk you now we appear to be in the home stretch. perhaps I could catch up with you again on April 16?

Broni · Apr 4, 2012

No problem

Possibly your topic will get closed by then.
Simply PM me and I'll reopen it.

Broni · Apr 10, 2012

Let me know when you're back...

Broni · Apr 15, 2012

Still with me?

arvnranger · Apr 16, 2012

Back on deck today. Currently downloading and installing various av and test software per your last instructions.

arvnranger · Apr 16, 2012

CHECKUP.TXT
===================================================
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
avast! Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
SUPERAntiSpyware
CCleaner
Java(TM) 6 Update 31
Java 2 Runtime Environment, SE v1.4.2_03
````````````````````````````````
Process Check:
objlist.exe by Laurent
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
``````````End of Log````````````

======================================
FSS.txt

Farbar Service Scanner Version: 16-04-2012
Ran by ivan (administrator) on 17-04-2012 at 14:50:03
Running from "C:\Documents and Settings\ivan\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
aswTdi(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
IpSec Tag value is correct.
**** End of log ****

arvnranger · Apr 17, 2012

ESET.txt
==========================================================================
C:\Documents and Settings\ivan\My Documents\SoftonicDownloader_for_cricket-scorer.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\J3d8QFa3.exe.vir Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104350.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104418.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104419.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104420.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104421.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104422.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104423.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104424.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104425.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104426.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104427.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104428.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104429.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104430.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104431.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104432.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104433.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104434.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104435.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104436.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104437.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104438.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP891\A0104440.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP894\A0109429.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP894\A0112691.exe Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP894\A0115090.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP894\A0116237.exe Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined

Broni · Apr 17, 2012

Uninstall Java 2 Runtime Environment, SE v1.4.2_03.

You have one registry key missing which affects Security Center.

Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Registry Editor will open.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.
Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip downloaded file.
You'll find several files inside.
Double-click legacy_wscsvc.reg and confirm the prompt.
Please go back to the the Root key again while Everyone is selected remove check mark in the box under Allow next to Full Control and close the registry.
Restart computer.
Post new FSS log.

arvnranger · Apr 17, 2012

Farbar Service Scanner Version: 16-04-2012
Ran by ivan (administrator) on 18-04-2012 at 09:35:30
Running from "C:\Documents and Settings\ivan\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
aswTdi(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
IpSec Tag value is correct.
**** End of log ****

Broni · Apr 17, 2012

Good job

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

Double-click OTL.exe to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.

arvnranger · Apr 17, 2012

I've run OTL twice using the parameters given but I can't locate the log file. OTL is gone now; should I download and run OTL again to get this info to you?

Broni · Apr 17, 2012

Run the fix from safe mode.

arvnranger · Apr 17, 2012

Roger that (I have found I had to boot the machine in safe mode to get OTL to run on each occasion). The absence of, or my inability to locate, the log file(s) for the recent OTL operations is causing concern. The file on the desktop titled OTL.txt appeared to be that written 5 April when we started this process.

Everything on the cleaned machine seems to be running aok (and I have downloaded and installed the ancillary software mentioned in your last substantive post). Should I download OTL over again and execute your last instructions once more (deleting old restore points et al)?

Broni · Apr 17, 2012

No, just run the fix from safe mode.

arvnranger · Apr 18, 2012

Sorry I wasn't making myself clear - I could not locate the OTL application (having inadvertantly deleted it suspecting that the OTL.Clean-up procedure had deleted itself).

I've since downloaded and rerun (in Safe mode) OTL with your custom fix parameters:

User: ivan
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: __0X00AC

User: __0X00D0

User: __0X00F4

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: Administrator

User: Administrator.PCRENTALSAUCKLA

User: All Users

User: Default User

User: ivan
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: __0X00AC

User: __0X00D0

User: __0X00F4

Total Java Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.40.0 log created on 04182012_160623
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...

Broni · Apr 18, 2012

Very well.
Go on with other steps from my reply #40.

arvnranger · Apr 18, 2012

All done. Avast AV and malwarebytes are running, TFC will be run weekly, PSI has updated Adobe Reader and Flashplayer and WinAmp.

Broni · Apr 18, 2012

Way to go!!

Good luck and stay safe

arvnranger · Apr 18, 2012

Thank you again for your invaluable assistance. I thought you managed the intricacies of the process in an efficient and abiding manner with evident skill and clarity. Your help really made a difference to me.

Cheers,
Ivan.

Broni · Apr 18, 2012

You're very welcome

Solved Please help remove a virus

Posts: 28 +0

Posts: 56,041 +516

Posts: 28 +0

Posts: 56,041 +516

Posts: 28 +0

Posts: 28 +0

Posts: 56,041 +516

Posts: 56,041 +516

Posts: 56,041 +516

Posts: 28 +0

Posts: 28 +0

Posts: 28 +0

Posts: 56,041 +516

Posts: 28 +0

Posts: 56,041 +516

Posts: 28 +0

Posts: 56,041 +516

Posts: 28 +0

Posts: 56,041 +516

Posts: 28 +0

Posts: 56,041 +516

Posts: 28 +0

Posts: 56,041 +516

Posts: 28 +0

Posts: 56,041 +516

Similar threads