
JigDog need help removing malware a2hooks32.dll


  • This topic is locked
56 replies to this topic

#1 JigDog

    Member

  • Members
  • 30 posts
  • OS: Windows XP
  • AV: Emsisoft Anti-Malware, Eset Nod32, Trojan Hunter
  • HIPS: Emsisoft Online Armor
  • Other: Keyscrambler, SecurityTaskManager, Ghostery, NoScript, AdblockPlus, BetterPrivacy

Posted 29 June 2012 - 02:29 AM

I downloaded a program called ERUNT, which is a registry backup program, and it contained malware (a2hooks32.dll) that caused my system to increase the virtual memory because it was running low and to also lock up the system. Upon reboot Online Armor blocked the program a2hooks32.dll and I have not had any problems since... I just want to get it off the system before I do a backup. The scan shows the 2 traces that have not caused any problems that I know of. I do not think you will see a2hooks32.dll because OA has it blocked. The scan did not show how to save the scan log?

OTL logfile created on: 6/28/2012 7:16:17 PM - Run 1
OTL by OldTimer - Version 3.2.53.0 Folder = C:\Documents and Settings\JAMES\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.35 Gb Available Physical Memory | 67.35% Memory free
3.85 Gb Paging File | 2.74 Gb Available in Paging File | 71.22% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 67.94 Gb Free Space | 45.58% Space Free | Partition Type: NTFS
Drive J: | 465.76 Gb Total Space | 389.18 Gb Free Space | 83.56% Space Free | Partition Type: NTFS

Computer Name: JAMES-7AE16D29A | User Name: JAMES | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\JAMES\Desktop\EmsisoftEmergencyKit\Run\a2emergencykit.exe (Emsisoft GmbH)
PRC - C:\Documents and Settings\JAMES\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Emsisoft Anti-Malware\a2service.exe (Emsisoft GmbH)
PRC - C:\Program Files\Emsisoft Anti-Malware\a2guard.exe (Emsisoft GmbH)
PRC - C:\Program Files\KeyScrambler\KeyScrambler.exe (QFX Software Corporation)
PRC - C:\Program Files\Tall Emu\Online Armor\oaui.exe (Emsi Software GmbH)
PRC - C:\Program Files\Tall Emu\Online Armor\OAsrv.exe (Emsi Software GmbH)
PRC - C:\Program Files\Tall Emu\Online Armor\oahlp.exe (Emsi Software GmbH)
PRC - C:\Program Files\Tall Emu\Online Armor\oacat.exe (Emsi Software GmbH)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe (Webroot Software, Inc. )
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe (Webroot Software, Inc. (www.webroot.com))
PRC - C:\Program Files\TrojanHunter 5.3\THGuard.exe (Mischel Internet Security)
PRC - C:\Program Files\CMS Products\BounceBack Ultimate\CMSITLauncher.exe (CMS)
PRC - C:\Program Files\CMS Products\BounceBack Ultimate\BBLauncher.exe ()
PRC - C:\Program Files\CMS Products\BounceBack Ultimate\CMSITService.exe ()
PRC - C:\Program Files\CMS Products\BounceBack Ultimate\BBWatcherService.exe (CMS Products, Inc.)
PRC - C:\WINDOWS\system32\regsvr32.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
PRC - C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
PRC - C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE (Logitech Inc.)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\01abbadafaf265d9f4ac9bbb247acb98\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d86f2038209a4cf0d0f5b30f6375c9b2\System.Drawing.ni.dll ()
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll ()
MOD - C:\Program Files\NVIDIA Corporation\nView\nvShell.dll ()
MOD - C:\Program Files\CMS Products\BounceBack Ultimate\BBLauncher.exe ()
MOD - C:\Program Files\CMS Products\BounceBack Ultimate\CMSITService.exe ()
MOD - C:\Program Files\CMS Products\BounceBack Ultimate\DMO.dll ()
MOD - C:\Program Files\Common Files\Acronis\Common\rpc_client.dll ()


========== Win32 Services (SafeList) ==========

SRV - (XXKCUNK) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\XXKCUNK.exe File not found
SRV - (SAIYI) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\SAIYI.exe File not found
SRV - (QVEK) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\QVEK.exe File not found
SRV - (KU) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\KU.exe File not found
SRV - (K) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\K.exe File not found
SRV - (EAPFWJ) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\EAPFWJ.exe File not found
SRV - (CXNVOEH) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\CXNVOEH.exe File not found
SRV - (a2AntiMalware) -- C:\Program Files\Emsisoft Anti-Malware\a2service.exe (Emsisoft GmbH)
SRV - (SvcOnlineArmor) -- C:\Program Files\Tall Emu\Online Armor\OAsrv.exe (Emsi Software GmbH)
SRV - (OAcat) -- C:\Program Files\Tall Emu\Online Armor\oacat.exe (Emsi Software GmbH)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (WRConsumerService) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe (Webroot Software, Inc. )
SRV - (ekrn) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (WebrootSpySweeperService) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe (Webroot Software, Inc. (www.webroot.com))
SRV - (CMSITService) -- C:\Program Files\CMS Products\BounceBack Ultimate\CMSITService.exe ()
SRV - (BBWatcherService) -- C:\Program Files\CMS Products\BounceBack Ultimate\BBWatcherService.exe (CMS Products, Inc.)
SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (a2acc) -- C:\Program Files\Emsisoft Anti-Malware\a2accx86.sys (Emsisoft GmbH)
DRV - (a2injectiondriver) -- C:\Program Files\Emsisoft Anti-Malware\a2dix86.sys (Emsisoft GmbH)
DRV - (OAnet) -- C:\WINDOWS\system32\drivers\OAnet.sys (Emsisoft)
DRV - (OAmon) -- C:\WINDOWS\system32\drivers\OAmon.sys (Emsisoft)
DRV - (oahlpXX) -- C:\WINDOWS\system32\drivers\oahlp32.sys ()
DRV - (OADevice) -- C:\WINDOWS\system32\drivers\OADriver.sys ()
DRV - (KeyScrambler) -- C:\WINDOWS\system32\drivers\keyscrambler.sys (QFX Software Corporation)
DRV - (eamon) -- C:\WINDOWS\system32\drivers\eamon.sys (ESET)
DRV - (epfwtdir) -- C:\WINDOWS\system32\drivers\epfwtdir.sys (ESET)
DRV - (ehdrv) -- C:\WINDOWS\system32\drivers\ehdrv.sys (ESET)
DRV - (A2DDA) -- C:\Program Files\Emsisoft Anti-Malware\a2ddax86.sys (Emsi Software GmbH)
DRV - (ssidrv) -- C:\WINDOWS\system32\drivers\ssidrv.sys (Webroot Software, Inc. (www.webroot.com))
DRV - (ssfs0bbc) -- C:\WINDOWS\system32\drivers\ssfs0bbc.sys (Webroot Software, Inc. (www.webroot.com))
DRV - (sshrmd) -- C:\WINDOWS\system32\drivers\sshrmd.sys (Webroot Software, Inc. (www.webroot.com))
DRV - (a2util) -- C:\Program Files\Emsisoft Anti-Malware\a2util32.sys (Emsi Software GmbH)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (SSKBFD) -- C:\WINDOWS\system32\drivers\sskbfd.sys (Webroot Software Inc (www.webroot.com))
DRV - (timounter) -- C:\WINDOWS\system32\drivers\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\WINDOWS\system32\drivers\tifsfilt.sys (Acronis)
DRV - (snapman) -- C:\WINDOWS\system32\drivers\snapman.sys (Acronis)
DRV - (iComp) -- C:\WINDOWS\system32\drivers\HCWUSB2.sys (Hauppauge Computer Works, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (ip100xp) -- C:\WINDOWS\system32\drivers\ipfnd51.sys (ENCORE ELECTRONICS, INC. )
DRV - (LMouFlt2) -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys (Logitech, Inc.)
DRV - (LHidUsb) -- C:\WINDOWS\system32\drivers\LHidUsb.sys (Logitech, Inc.)
DRV - (LHidFlt2) -- C:\WINDOWS\system32\drivers\LHidFlt2.Sys (Logitech, Inc.)
DRV - (cdudf_xp) -- C:\WINDOWS\System32\drivers\Cdudf_xp.sys (Roxio)
DRV - (UdfReadr_xp) -- C:\WINDOWS\System32\drivers\UdfReadr_xp.sys (Roxio)
DRV - (pwd_2k) -- C:\WINDOWS\System32\drivers\pwd_2K.sys (Roxio)
DRV - (Cdr4_xp) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Roxio)
DRV - (Cdralw2k) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Roxio)
DRV - (mmc_2K) -- C:\WINDOWS\System32\drivers\Mmc_2k.sys (Roxio)
DRV - (dvd_2K) -- C:\WINDOWS\System32\drivers\Dvd_2k.sys (Roxio)
DRV - (BANTExt) -- C:\WINDOWS\system32\drivers\BANTExt.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask...6-82D9CA3B54EC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Google"
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 48
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071101000055
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/28 21:28:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/14 15:31:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2012/02/04 16:07:24 | 000,000,000 | ---D | M]

[2009/01/13 11:40:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JAMES\Application Data\Mozilla\Extensions
[2012/06/28 14:46:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JAMES\Application Data\Mozilla\Firefox\Profiles\c7zto7ez.default\extensions
[2010/04/29 16:41:18 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\JAMES\Application Data\Mozilla\Firefox\Profiles\c7zto7ez.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/10/21 15:53:15 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\JAMES\Application Data\Mozilla\Firefox\Profiles\c7zto7ez.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2012/03/19 13:03:55 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\JAMES\Application Data\Mozilla\Firefox\Profiles\c7zto7ez.default\extensions\firefox@ghostery.com
[2009/01/11 15:59:20 | 000,000,000 | ---D | M] (Move Media Player) -- C:\Documents and Settings\JAMES\Application Data\Mozilla\Firefox\Profiles\c7zto7ez.default\extensions\moveplayer@movenetworks.com
[2012/06/28 14:46:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JAMES\Application Data\Mozilla\Firefox\Profiles\c7zto7ez.default\extensions\staged
[2011/11/17 20:25:44 | 000,002,333 | ---- | M] () -- C:\Documents and Settings\JAMES\Application Data\Mozilla\Firefox\Profiles\c7zto7ez.default\searchplugins\askcom.xml
[2012/06/12 20:22:29 | 000,525,301 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\JAMES\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\C7ZTO7EZ.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
[2012/01/06 19:27:14 | 000,634,964 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\JAMES\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\C7ZTO7EZ.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/03/12 21:52:29 | 000,138,614 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\JAMES\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\C7ZTO7EZ.DEFAULT\EXTENSIONS\{D40F5E7B-D2CF-4856-B441-CC613EEFFBE3}.XPI
[2012/05/28 21:28:00 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2002/11/21 15:10:52 | 000,774,144 | ---- | M] (Belarc, Inc.) -- C:\Program Files\mozilla firefox\plugins\NPBelv32.dll

O1 HOSTS File: ([2012/03/17 16:46:14 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [@OnlineArmor GUI] C:\Program Files\Tall Emu\Online Armor\oaui.exe (Emsi Software GmbH)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [emsisoft anti-malware] c:\program files\emsisoft anti-malware\a2guard.exe (Emsisoft GmbH)
O4 - HKLM..\Run: [KeyScrambler] C:\Program Files\KeyScrambler\keyscrambler.exe (QFX Software Corporation)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [RoxioEngineUtility] C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe (Roxio)
O4 - HKLM..\Run: [THGuard] C:\Program Files\TrojanHunter 5.3\THGuard.exe (Mischel Internet Security)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] UnHackMe Rootkit Check File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BounceBack Launcher.lnk = C:\Program Files\CMS Products\BounceBack Ultimate\BBStartup.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe (Logitech)
O4 - Startup: C:\Documents and Settings\JAMES\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O12 - Plugin for: .bcf - C:\Program Files\Internet Explorer\PLUGINS\NPBelv32.dll (Belarc, Inc.)
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://codecs.micros...cs/i386/fhg.CAB (Reg Error: Key error.)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.micr...veX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6D39D1D3-39EF-44EF-AE08-9EB8CF5D5929}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6D39D1D3-39EF-44EF-AE08-9EB8CF5D5929}: NameServer = 65.40.202.102,76.7.255.188
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Prairie Wind.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Prairie Wind.bmp
O28 - HKLM ShellExecuteHooks: {4F07DA45-8170-4859-9B5F-037EF2970034} - C:\Program Files\Tall Emu\Online Armor\oaevent.dll (Emsi Software GmbH)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/12/08 03:00:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/12/08 03:00:42 | 000,000,000 | ---- | M] () - J:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/02/27 12:35:28 | 000,000,031 | ---- | M] () - J:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/28 16:20:58 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\JAMES\Desktop\OTL.exe
[2012/06/28 16:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JAMES\Desktop\EmsisoftEmergencyKit
[2012/06/26 12:48:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/06/26 12:48:13 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/06/25 14:53:06 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\JAMES\Desktop\erunt-setup.exe
[2012/06/13 12:07:37 | 000,521,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsdbgui.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/28 16:21:05 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JAMES\Desktop\OTL.exe
[2012/06/27 12:18:34 | 000,005,754 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/27 12:14:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/27 05:00:18 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2012/06/26 12:48:48 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\JAMES\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/06/26 12:48:20 | 000,000,629 | ---- | M] () -- C:\Documents and Settings\JAMES\Application Data\Microsoft\Internet Explorer\Quick Launch\NTREGOPT.lnk
[2012/06/26 12:48:20 | 000,000,610 | ---- | M] () -- C:\Documents and Settings\JAMES\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2012/06/25 21:11:40 | 000,002,994 | ---- | M] () -- C:\Documents and Settings\JAMES\Desktop\Acronis2012 INFO.rtf
[2012/06/25 17:28:26 | 068,072,688 | ---- | M] () -- C:\Documents and Settings\JAMES\Desktop\ATIH2012PP_6131_en-US.exe
[2012/06/25 17:19:24 | 223,761,912 | ---- | M] () -- C:\Documents and Settings\JAMES\Desktop\ATIH2012_6131_en-US.exe
[2012/06/25 14:53:12 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\JAMES\Desktop\erunt-setup.exe
[2012/06/22 12:30:00 | 000,000,462 | ---- | M] () -- C:\WINDOWS\tasks\CMS Application Updater.job
[2012/06/22 01:00:00 | 000,001,656 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_L9312DB2A71514C6AB5054961A8D7BA77.job
[2012/06/18 20:09:07 | 000,000,766 | ---- | M] () -- C:\Documents and Settings\JAMES\Desktop\cc_20120618_2009.reg
[2012/06/13 13:05:33 | 000,134,072 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/06/13 12:56:29 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/06/13 12:44:03 | 000,426,812 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/13 12:44:03 | 000,065,630 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/09 23:58:49 | 000,000,417 | -HS- | M] () -- C:\boot.ini
[2012/06/04 02:00:38 | 010,889,034 | ---- | M] () -- C:\Documents and Settings\JAMES\Desktop\New Bitmap Image (4).bmp
[2012/06/02 15:19:44 | 000,022,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll.mui
[2012/06/02 15:19:38 | 000,329,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll
[2012/06/02 15:19:38 | 000,329,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wucltui.dll
[2012/06/02 15:19:38 | 000,219,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuaucpl.cpl
[2012/06/02 15:19:38 | 000,210,968 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuweb.dll
[2012/06/02 15:19:34 | 000,097,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdm.dll
[2012/06/02 15:19:34 | 000,097,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cdm.dll
[2012/06/02 15:19:34 | 000,053,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuauclt.exe
[2012/06/02 15:19:34 | 000,045,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wups2.dll
[2012/06/02 15:19:34 | 000,035,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wups.dll
[2012/06/02 15:19:34 | 000,035,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wups.dll
[2012/06/02 15:19:34 | 000,015,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2012/06/02 15:19:24 | 000,577,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll
[2012/06/02 15:19:24 | 000,577,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuapi.dll
[2012/06/02 15:19:18 | 001,933,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuaueng.dll
[2012/05/31 08:22:09 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2012/05/30 22:01:48 | 000,031,912 | ---- | M] (Emsisoft) -- C:\WINDOWS\System32\drivers\OAnet.sys
[2012/05/30 21:58:22 | 000,027,632 | ---- | M] (Emsisoft) -- C:\WINDOWS\System32\drivers\OAmon.sys
[2012/05/30 21:57:29 | 000,044,592 | ---- | M] () -- C:\WINDOWS\System32\drivers\oahlp32.sys
[2012/05/30 21:54:12 | 000,208,312 | ---- | M] () -- C:\WINDOWS\System32\drivers\OADriver.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/26 12:48:48 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\JAMES\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/06/26 12:48:20 | 000,000,629 | ---- | C] () -- C:\Documents and Settings\JAMES\Application Data\Microsoft\Internet Explorer\Quick Launch\NTREGOPT.lnk
[2012/06/26 12:48:20 | 000,000,610 | ---- | C] () -- C:\Documents and Settings\JAMES\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2012/06/25 21:10:04 | 000,002,994 | ---- | C] () -- C:\Documents and Settings\JAMES\Desktop\Acronis2012 INFO.rtf
[2012/06/25 17:25:38 | 068,072,688 | ---- | C] () -- C:\Documents and Settings\JAMES\Desktop\ATIH2012PP_6131_en-US.exe
[2012/06/25 17:08:14 | 223,761,912 | ---- | C] () -- C:\Documents and Settings\JAMES\Desktop\ATIH2012_6131_en-US.exe
[2012/06/18 20:09:03 | 000,000,766 | ---- | C] () -- C:\Documents and Settings\JAMES\Desktop\cc_20120618_2009.reg
[2012/06/04 02:00:20 | 010,889,034 | ---- | C] () -- C:\Documents and Settings\JAMES\Desktop\New Bitmap Image (4).bmp
[2012/03/13 13:41:19 | 000,292,700 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2012/03/13 13:41:19 | 000,292,700 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2012/03/13 13:41:19 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2012/02/14 15:57:06 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/26 00:10:41 | 000,081,920 | R--- | C] () -- C:\WINDOWS\bwUnin-6.1.4.61-8876480L.exe
[2011/05/21 06:01:00 | 002,783,770 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/03/22 11:14:16 | 000,031,104 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2011/03/22 11:14:10 | 000,016,256 | ---- | C] () -- C:\WINDOWS\System32\SsiEfr.exe
[2010/12/03 18:30:46 | 000,000,069 | ---- | C] () -- C:\WINDOWS\minipdf2word.INI
[2010/12/01 12:11:55 | 000,001,029 | ---- | C] () -- C:\WINDOWS\docimg.INI
[2010/09/10 08:53:22 | 000,042,176 | ---- | C] () -- C:\WINDOWS\System32\BBUninstall.exe
[2010/08/31 22:05:11 | 000,044,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\oahlp32.sys
[2008/03/24 09:47:02 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\JAMES\Application Data\userdic.tlx
[2006/12/15 02:11:33 | 000,000,538 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2006/12/15 01:59:31 | 000,000,538 | RHS- | C] () -- C:\Documents and Settings\JAMES\ntuser.pol
[2006/12/11 20:48:44 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\JAMES\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2006/12/28 04:43:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2007/11/07 02:31:04 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\ActiveSMART
[2010/10/14 12:44:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2012/02/04 16:07:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2007/09/20 00:26:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2010/04/23 07:49:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OnlineArmor
[2012/02/27 20:03:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QFX Software
[2012/06/26 19:29:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2011/07/16 11:59:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TrojanHunter
[2011/12/23 12:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JAMES\Application Data\Internet Password Manager
[2006/12/11 04:35:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JAMES\Application Data\Jasc
[2006/12/11 18:29:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JAMES\Application Data\Leadertech
[2010/12/01 11:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JAMES\Application Data\miniPDF
[2009/10/30 15:05:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JAMES\Application Data\OnlineArmor
[2012/02/27 20:03:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JAMES\Application Data\QFX Software
[2009/10/26 15:33:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JAMES\Application Data\Quicken WillMaker
[2007/11/29 09:02:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JAMES\Application Data\Smart Panel
[2008/01/29 08:24:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JAMES\Application Data\SoundSpectrum
[2006/12/08 19:50:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JAMES\Application Data\TrojanHunter
[2012/06/22 12:30:00 | 000,000,462 | ---- | M] () -- C:\WINDOWS\Tasks\CMS Application Updater.job
[2012/06/22 01:00:00 | 000,001,656 | ---- | M] () -- C:\WINDOWS\Tasks\wrSpySweeper_L9312DB2A71514C6AB5054961A8D7BA77.job

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2008/01/27 00:30:55 | 000,000,000 | ---D | M](C:\Documents an? Settings) -- C:\Documents anࡤ Settings
[2008/01/27 00:30:55 | 000,000,000 | ---D | C](C:\Documents an? Settings) -- C:\Documents anࡤ Settings

< End of report >
OTL Extras logfile created on: 6/28/2012 7:16:17 PM - Run 1
OTL by OldTimer - Version 3.2.53.0 Folder = C:\Documents and Settings\JAMES\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.35 Gb Available Physical Memory | 67.35% Memory free
3.85 Gb Paging File | 2.74 Gb Available in Paging File | 71.22% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 67.94 Gb Free Space | 45.58% Space Free | Partition Type: NTFS
Drive J: | 465.76 Gb Total Space | 389.18 Gb Free Space | 83.56% Space Free | Partition Type: NTFS

Computer Name: JAMES-7AE16D29A | User Name: JAMES | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe" = C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe:*:Enabled:Daemonu.exe -- (NVIDIA Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E0131B2-CF18-40D9-A331-60A3746C1204}" = EPSON Scan
"{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1" = Spy Sweeper
"{2227E1FA-01F5-483C-AB0E-2A308E900B3D}" = InterVideo FilterSDK for Hauppauge
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79
"{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}" = Easy CD & DVD Creator 6
"{6C11D561-620B-47DA-A693-4C597F3CDF40}" = EPSON Smart Panel
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8537ABE9-DCE4-4149-A0B4-9926E449AD01}" = ESET NOD32 Antivirus
"{86439DA4-3FA0-491C-8FC4-8E9C3F0C469B}" = BounceBack Ultimate
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
"{9F9F3775-7E5B-4028-B5E5-DA1C042517A8}" = EPSON Photo Print
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A83000000003}" = Adobe Reader 8.3.1
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{B1914265-0D07-48E0-A937-F20A76D0032D}" = Acronis True Image Home
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView" = NVIDIA nView 135.85
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.5
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B69CC1A5-0404-11D6-ABCB-005004C21D30}" = EPSON Copy Utility
"{B79FBFDD-8B0C-4B8E-B70E-499E39978281}" = Windows Vista Upgrade Advisor
"{BC30E5E7-047D-4232-A7E8-F2CB7CC7B2E0}_is1" = Emsisoft Anti-Malware
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 Anniversary Edition
"{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}" = ScanToWeb
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Acez Mp3 Wav Converter v3.0_is1" = Acez Mp3 Wav Converter v3.0
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Belarc Advisor 2.0" = Belarc Advisor 5.1
"CCleaner" = CCleaner (remove only)
"DCMillenniumUnInstall" = DCart32 Millennium
"DiamondCS Port Explorer_is1" = DiamondCS Port Explorer v2.000
"ERUNT_is1" = ERUNT 1.1j
"EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v4.20
"G-Force" = G-Force
"Hauppauge WinTV Radio" = Hauppauge WinTV Radio
"Hauppauge WinTV2000" = Hauppauge WinTV2000
"Hauppauge WinTV-PVR2 USB2 Drivers" = Hauppauge WinTV-PVR2 USB2 Drivers
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Internet Password Manager_is1" = Internet Password Manager 1.0
"KeyScrambler" = KeyScrambler
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 12.0 (x86 en-US)" = Mozilla Firefox 12.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"OnlineArmor_is1" = Online Armor 3.5
"Quicken WillMaker Plus 2009" = Quicken WillMaker Plus 2009
"Security Task Manager" = Security Task Manager 1.7
"Silent Package Run-Time Sample" = EPSON PERF 3170Guide
"SyncBack_is1" = SyncBack
"TrojanHunter_is1" = TrojanHunter 5.3
"Uninstall Presto! BizCard 4.1 Eng" = Presto! BizCard 4.1 Eng
"Winamp" = Winamp
"Window Washer 5" = Window Washer 5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 6/18/2012 8:25:35 PM | Computer Name = JAMES-7AE16D29A | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070005 from line 62 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 6/18/2012 8:25:47 PM | Computer Name = JAMES-7AE16D29A | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070005 from line 62 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 6/19/2012 4:37:30 AM | Computer Name = JAMES-7AE16D29A | Source = Application Hang | ID = 1002
Description = Hanging application mspaint.exe, version 5.1.2600.5918, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/19/2012 4:37:30 AM | Computer Name = JAMES-7AE16D29A | Source = Application Hang | ID = 1002
Description = Hanging application mspaint.exe, version 5.1.2600.5918, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/19/2012 1:36:03 PM | Computer Name = JAMES-7AE16D29A | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 80070005: InitEventCollector fail

Error - 6/20/2012 7:08:54 AM | Computer Name = JAMES-7AE16D29A | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 80070005: InitEventCollector fail

Error - 6/21/2012 6:33:14 AM | Computer Name = JAMES-7AE16D29A | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 80070005: InitEventCollector fail

Error - 6/21/2012 1:36:20 PM | Computer Name = JAMES-7AE16D29A | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 80070005: InitEventCollector fail

Error - 6/21/2012 5:10:11 PM | Computer Name = JAMES-7AE16D29A | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 80070005: InitEventCollector fail

Error - 6/27/2012 1:18:30 PM | Computer Name = JAMES-7AE16D29A | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 80070005: InitEventCollector fail

[ System Events ]
Error - 6/27/2012 2:12:02 AM | Computer Name = JAMES-7AE16D29A | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.

Error - 6/27/2012 2:12:08 AM | Computer Name = JAMES-7AE16D29A | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%2147943860

Error - 6/27/2012 1:18:21 PM | Computer Name = JAMES-7AE16D29A | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%2147943860

Error - 6/27/2012 1:18:29 PM | Computer Name = JAMES-7AE16D29A | Source = Service Control Manager | ID = 7000
Description = The COM+ System Application service failed to start due to the following
error: %%5

Error - 6/27/2012 1:18:30 PM | Computer Name = JAMES-7AE16D29A | Source = DCOM | ID = 10005
Description = DCOM got error "%5" attempting to start the service COMSysApp with
arguments "" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}

Error - 6/27/2012 1:18:33 PM | Computer Name = JAMES-7AE16D29A | Source = Service Control Manager | ID = 7034
Description = The MS Software Shadow Copy Provider service terminated unexpectedly.
It has done this 1 time(s).

Error - 6/27/2012 1:22:19 PM | Computer Name = JAMES-7AE16D29A | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.

Error - 6/27/2012 1:22:20 PM | Computer Name = JAMES-7AE16D29A | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%2147943860

Error - 6/28/2012 1:25:33 PM | Computer Name = JAMES-7AE16D29A | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.

Error - 6/28/2012 1:25:34 PM | Computer Name = JAMES-7AE16D29A | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%2147943860


< End of report >
[attachment=12311:Extras.Txt][attachment=12312:OTL.Txt]

#2 Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 12591 posts
  • Location: Depauville, NY, USA
  • OS:Windows Vista
  • AV:Emsisoft Anti-Malware
  • HIPS:Online Armor
  • Other:WinPatrol Plus

Posted 29 June 2012 - 04:28 AM

ERUNT is not malware nor does it contain malware. a2hooks32.dll is a component of Emsisoft Anti-malware.

The installed version of Adobe Reader on this computer is outdated. Install the latest version of Adobe Reader available from Adobe.

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    SRV - (XXKCUNK) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\XXKCUNK.exe File not found
    SRV - (SAIYI) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\SAIYI.exe File not found
    SRV - (QVEK) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\QVEK.exe File not found
    SRV - (KU) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\KU.exe File not found
    SRV - (K) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\K.exe File not found
    SRV - (EAPFWJ) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\EAPFWJ.exe File not found
    SRV - (CXNVOEH) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\CXNVOEH.exe File not found
    O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
    O4 - HKLM..\RunOnceEx: [Title] UnHackMe Rootkit Check File not found
    O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/fhg.CAB (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    
    [2008/01/27 00:30:55 | 000,000,000 | ---D | M](C:\Documents an? Settings) -- C:\Documents anࡤ Settings
    [2008/01/27 00:30:55 | 000,000,000 | ---D | C](C:\Documents an? Settings) -- C:\Documents anࡤ Settings
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Kevin Zoll [Malware Removal Support]
Emsisoft Team - www.emsisoft.com

I am online Monday - Friday each week from 1900-2100 Central European Time/1300-1500 Eastern Time (US).
 
If you are seeking Malware Removal support keep it in the forums.  It is not permissible to contact support staff by Private Message (PM), IM (Skype, MSN, AOL, Yahoo, etc.) or Email.

Purchase Emsisoft Anti-Malware and Online Armor Firewall

#3 JigDog

Posted 29 June 2012 - 07:02 AM

I can copy your scan, but OTL will not accept the paste into the box. The cursor blinks with a blank box. What should I do??

#4 Kevin Zoll

Posted 29 June 2012 - 03:28 PM

Boot the system to Safe Mode with Networking and run the fix.

#5 JigDog

Posted 29 June 2012 - 10:24 PM

If I send you a message by clicking your Icon at the right of the post page you do not seem to get it???

I have tried the safe boot with networking twice or more and the browser message I get is no server access.

In the OTL box, it will let me type into it but not paste??

Why did Online Armor automatically block program a2hooks32.dll since it is part of the OA program??

What should I do next? Thanks for your help.

#6 Kevin Zoll

Posted 30 June 2012 - 12:30 AM

Do not send PM's, keep all communication in your thread. PM's will not be answered.

a2hooks is part of Emsisoft Anti-Malware, not Online Armor. I'm not sure why OA blocked a2hooks; you will need to unblock a2hooks in OA.

Since you can't copy & paste to OTL, do the following:

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1
Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#7 JigDog

Posted 30 June 2012 - 03:36 AM

If ComboFix needs to download the Recovery Console, will I be able to enable my virus and firewall software for the download and then disable it for ComboFix to continue, or will the ComboFix message want a reply before I can do that?

#8 Kevin Zoll

Posted 30 June 2012 - 04:25 AM

The instructions do not say you can turn your protection software back on at any point while ComboFix is running. So, no. Don't turn them back on, for any reason, while ComboFix is running.

#9 JigDog

Posted 01 July 2012 - 05:49 PM

If, after running ComboFix, I cannot reboot the computer, how can I contact you for instructions?

#10 Kevin Zoll

Posted 01 July 2012 - 08:46 PM

Run ComboFix. The longer you take to follow the instructions I am giving you to clean your system, the longer you are using an infected system.

#11 JigDog

Posted 01 July 2012 - 10:03 PM

If, after running ComboFix, I cannot reboot the computer, how can I contact you for instructions?

Can you please answer the question... I need to know, while I still have access to you, what to do if I cannot boot up. What good is the Recovery Console if you cannot tell me what to enter into it?

#12 Kevin Zoll

Posted 01 July 2012 - 10:23 PM

Quit stalling and run ComboFix. If I thought ComboFix would render your system inoperable I wouldn't have told you to run it.

#13 JigDog

Posted 02 July 2012 - 10:32 AM

Here is the ComboFix log... it deleted a lot of my stuff that could not all have been malware and inserted folders called found+ #, of which a lot are empty. One download folder had programs I recently bought and had not installed yet because I wanted to get this problem fixed first; that folder had all the executables and zip files of all the software on my system.[attachment=12357:ComboFix.txt]

#14 JigDog

Posted 02 July 2012 - 10:55 AM

Disregard the last post about the missing folder, I was looking in the wrong place... sorry. But I do have two problems with the system, for when you advise me you are ready for them... Thanks

#15 Kevin Zoll

Posted 02 July 2012 - 03:38 PM

Now we need to use ComboFix to remove some stuff.
  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it
(make sure you scroll all the way down in the code box to get all lines selected ):
KillAll::

Driver::
CXNVOEH
EAPFWJ
K
KU
QVEK
SAIYI
XXKCUNK

File::
c:\docume~1\JAMES\LOCALS~1\Temp\CXNVOEH.exe
c:\docume~1\JAMES\LOCALS~1\Temp\EAPFWJ.exe
c:\docume~1\JAMES\LOCALS~1\Temp\K.exe
c:\docume~1\JAMES\LOCALS~1\Temp\KU.exe
c:\docume~1\JAMES\LOCALS~1\Temp\QVEK.exe
c:\docume~1\JAMES\LOCALS~1\Temp\SAIYI.exe
c:\docume~1\JAMES\LOCALS~1\Temp\XXKCUNK.exe
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
    Posted Image
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.
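
As an added example (not code from OTL, ComboFix or Emsisoft), this script automates the check the fix scripts in posts #2 and #15 do by hand: it parses OTL `SRV` lines, flags service entries whose binary was registered under a user Temp directory and no longer exists, and renders the hits in the same KillAll::/Driver::/File:: layout as the CFScript above. The sample log text is constructed from the service names quoted in the thread; the two benign service lines and their publisher names are placeholders.

```python
"""Audit OTL 'SRV' lines for orphaned services living in Temp directories and
turn the hits into a ComboFix CFScript (added example for this thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line shapes seen in this thread:
#   SRV - (QVEK) -- C:\DOCUME~1\JAMES\LOCALS~1\Temp\QVEK.exe File not found
#   SRV - (Name) -- C:\Program Files\Vendor\svc.exe (Vendor Inc)
SRV_RE = re.compile(r"^SRV\s+-\s+\((?P<name>[^)]*)\)\s+--\s+(?P<rest>.+)$")
COMPANY_RE = re.compile(r"^(?P<path>.+?)\s+\((?P<company>[^()]*)\)$")
MISSING = "File not found"

# A legitimately installed Windows service binary should not live here.
TEMP_MARKERS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\windows\\temp\\")

# Constructed sample: the three Temp services echo names from the fix script;
# the ExampleUpdater and Spooler lines stand in for benign, present services.
SAMPLE_OTL = """\
========== Services (SafeList) ==========
SRV - (XXKCUNK) -- C:\\DOCUME~1\\JAMES\\LOCALS~1\\Temp\\XXKCUNK.exe File not found
SRV - (QVEK) -- C:\\DOCUME~1\\JAMES\\LOCALS~1\\Temp\\QVEK.exe File not found
SRV - (K) -- C:\\DOCUME~1\\JAMES\\LOCALS~1\\Temp\\K.exe File not found
SRV - (ExampleUpdater) -- C:\\Program Files\\Example\\updater.exe (Example Corp)
SRV - (Spooler) -- C:\\WINDOWS\\system32\\spoolsv.exe (Microsoft Corporation)
O4 - HKLM..\\RunOnceEx: [Title] UnHackMe Rootkit Check File not found
"""


@dataclass(frozen=True)
class Service:
    name: str
    path: str
    company: Optional[str]
    missing: bool


@dataclass(frozen=True)
class Finding:
    service: Service
    reasons: Tuple[str, ...]


def parse_srv(line: str) -> Optional[Service]:
    """Parse one OTL SRV line; return None for any other line type."""
    m = SRV_RE.match(line.strip())
    if not m:
        return None
    name, rest = m.group("name"), m.group("rest").strip()
    if rest.endswith(MISSING):  # OTL could not find the image on disk
        return Service(name, rest[: -len(MISSING)].strip(), None, True)
    cm = COMPANY_RE.match(rest)  # trailing "(Company)" from version info
    if cm:
        return Service(name, cm.group("path"), cm.group("company"), False)
    return Service(name, rest, None, False)


def assess(svc: Service) -> Tuple[str, ...]:
    """Reasons a service entry deserves a second look (empty tuple = clean)."""
    reasons = []
    if any(marker in svc.path.lower() for marker in TEMP_MARKERS):
        reasons.append("service binary registered under a Temp directory")
    if svc.missing:
        reasons.append("binary no longer exists (orphaned service entry)")
    stem = svc.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if svc.name.isalpha() and svc.name.isupper() and svc.name == stem:
        reasons.append("all-caps service name identical to the file name")
    return tuple(reasons)


def audit(otl_text: str) -> List[Finding]:
    """Run assess() over every SRV line and keep only entries with reasons."""
    findings = []
    for line in otl_text.splitlines():
        svc = parse_srv(line)
        if svc is not None:
            reasons = assess(svc)
            if reasons:
                findings.append(Finding(svc, reasons))
    return findings


def cfscript(findings: List[Finding]) -> str:
    """Render findings in the CFScript layout used in post #15."""
    names = sorted({f.service.name for f in findings})
    paths = sorted({f.service.path for f in findings})
    return "\n".join(["KillAll::", "", "Driver::", *names, "", "File::", *paths]) + "\n"


if __name__ == "__main__":
    hits = audit(SAMPLE_OTL)
    for f in hits:
        print(f"{f.service.name}: {f.service.path}")
        for r in f.reasons:
            print(f"    - {r}")
    print(cfscript(hits))
```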

#16 JigDog

Posted 02 July 2012 - 06:13 PM

Questions:
ComboFix.exe was renamed Combo-Fix.exe in the last set of instructions. Should I leave it at that or rename it back to ComboFix.exe? At this time there is no folder named ComboFix. Will this operation generate one? The instructions say not to rename the ComboFix folder.

#17 Kevin Zoll

Posted 02 July 2012 - 07:41 PM

Don't overthink the instructions. The instructions for running CFscript have absolutely nothing to do with the initial set of instructions for downloading and running ComboFix.

Do NOT rename ComboFix, which means do NOT change its name again. Otherwise things will not work as expected.

Follow the instructions as written and don't overthink things.

#18 JigDog

Posted 02 July 2012 - 08:34 PM

The name of the program right now on my desktop is not combofix, it is combo-fix. I do not want any more problems than I already have. Just want to make sure we are on the same page before I execute something. All you have to tell me is which name should it be.

#19 Kevin Zoll

Posted 02 July 2012 - 09:43 PM

The name of the program right now on my desktop is not combofix, it is combo-fix. I do not want any more problems than I already have. Just want to make sure we are on the same page before I execute something. All you have to tell me is which name should it be.

IT DOESN'T MATTER. The second set of instructions for running CFScript have ABSOLUTELY NOTHING to do with the first set of instructions for downloading and running ComboFix.

Quit over analyzing what the instructions are telling you to do, just do them.

#20 JigDog

Posted 02 July 2012 - 10:42 PM

Why can't you answer a simple question. You have not answered one of the many questions I have asked without pissing and moaning....I worked in IT for 30 years continuous and probably forgot more than a dip like you will ever know! I will inform the company hierarchy why I will not renew my License...because of a dip like you...

#21 Kevin Zoll

Posted 02 July 2012 - 11:01 PM

Your question has been answered more than once. The first set of instructions has ABSOLUTELY NOTHING TO DO WITH THE SECOND SET OF INSTRUCTIONS. Leave ComboFix as named and execute the instructions I posted 7 posts ago. More than 2000 people have been able to follow the instructions as written without any difficulty.

Stop reading into what I post.

#22 JigDog

Posted 03 July 2012 - 01:07 AM

Here is the log

#23 Kevin Zoll

Posted 03 July 2012 - 01:25 AM

OK, that appears to have removed the suspicious services and related files.

Run a fresh scan with OTL, attach the new OTL log to your next reply.

Be sure to tell me how things are running.

#24 JigDog

Posted 03 July 2012 - 02:14 AM

Log

#25 Kevin Zoll

Posted 03 July 2012 - 03:58 AM

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    DRV - (WDICA) --  File not found
    DRV - (PDRFRAME) --  File not found
    DRV - (PDRELI) --  File not found
    DRV - (PDFRAME) --  File not found
    DRV - (PDCOMP) --  File not found
    DRV - (PCIDump) --  File not found
    DRV - (lbrtfdc) --  File not found
    DRV - (i2omgmt) --  File not found
    DRV - (Changer) --  File not found
    DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/fhg.CAB (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#26 JigDog

Posted 03 July 2012 - 07:45 AM

Log

#27 Kevin Zoll

Posted 03 July 2012 - 04:05 PM

How are things running?

#28 JigDog

Posted 03 July 2012 - 07:51 PM

It looks like you have cleaned it up.....After the cleaning I looked at Online Armor and it has blocked swxcacls.3XE, which Emsisoft says is malware.

Freeware implementation of XCACLS, 1.0.1.1, (1.0.1.1)
C:\32788R22FWJFW\swxcacls.3XE
Hash(MD5): B1A9CF0B6F80611D31987C247EC630B4
Blocked in Programs

and this one, which is the ERUNT exe I downloaded and then started having a problem, although it may have been a coincidence??
Created: 7/3/2012 1:24:47 PM
Summary: Program Guard: AUTOBACK.EXE
Description: C:\WINDOWS\explorer.exe -> C:\Program Files\ERUNT\AUTOBACK.EXE
Event type: Program Guard(9)
Event action: Blocked(3)

Can you check them out, maybe unblock them and run another scan....what do you think??

#29 Kevin Zoll

Posted 03 July 2012 - 08:09 PM

Freeware implementation of XCACLS, 1.0.1.1, (1.0.1.1)
C:\32788R22FWJFW\swxcacls.3XE
Hash(MD5): B1A9CF0B6F80611D31987C247EC630B4
Blocked in Programs

swxcacls is legitimate; normally it would have an exe extension. sUBs, the author of ComboFix, changes the extension to 3xe and loads it from within ComboFix when it needs to be run. This is an execution "trick" to avoid detection by malware. You don't need to unblock that, as it will be removed with the final set of instructions.

Created: 7/3/2012 1:24:47 PM
Summary: Program Guard: AUTOBACK.EXE
Description: C:\WINDOWS\explorer.exe -> C:\Program Files\ERUNT\AUTOBACK.EXE
Event type: Program Guard(9)
Event action: Blocked(3)

Autoback.exe is part of ERUNT. You can unblock autoback.exe.

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
Delete the following from your Desktop (If they exist)
CFscript.txt
TDSSKiller.exe
Anything else I had you use

Delete the following files: (If they exist)
C:\ComboFix.txt

Delete the following folders: (If they exist)
C:\ComboFix
C:\Qoobox

Empty the Recycle Bin

Download to your Desktop:
- CCleaner Portable
  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner
Run CCleaner
  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • The following should be selected by default, if not, please select:
    [screenshot]
  • Click [screenshot] and choose [screenshot]
  • Uncheck [screenshot]
  • Then go back to [screenshot] and click [screenshot] to run it.
  • Exit CCleaner.

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out of date.

Articles to read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

#30 JigDog

Posted 03 July 2012 - 08:38 PM

I appreciated your help and wish you the best. Thank you...I will begin the clean up ASAP...neighbors need some help at the moment......Later

#31 JigDog

Posted 04 July 2012 - 06:53 PM

Following the instruction list, I have finished with CCleaner, but have left 2 issues at this point.

Erunt is blocked at reboot, although it and AUTOback.exe show as Allowed in the Online Armor Programs tab. The History tab in OA shows it blocked by Program Guard. I cleared the History page before reboot, so it is not an old entry.

The second issue is I cannot delete the C:\Qoobox folder because its subfolder named BackEnv gives the error Access Denied.
How can I stop Erunt from being blocked and delete the Qoobox folder??
See attachments for the error shots.

Attach says the file was too big, so I will try to slim it down and try again.

#32 Kevin Zoll

Posted 04 July 2012 - 07:59 PM

Erunt is blocked at reboot, although it and AUTOback.exe show as Allowed in the Online Armor Programs tab. The History tab in OA shows it blocked by Program Guard. I cleared the History page before reboot, so it is not an old entry.

Most likely it is EAM that is blocking autoback.exe. In EAM, click on "Guard", in the "Application Rules" tab, make sure autoback.exe is not blocked; if it is, edit the rule and change it to "Always allow this application". Otherwise, click "Add new rule", add autoback.exe and set it to "Always allow this application".

The second issue is I cannot delete the C:\Qoobox folder because its subfolder named BackEnv gives the error Access Denied.
How can I stop Erunt from being blocked and delete the Qoobox folder??

You will need to take ownership of the folder and its contents.

Windows XP Home Edition: boot to Safe Mode.
Windows XP Professional: disable Simple File Sharing as follows.
  • Click Start, and then click My Computer.
  • On the Tools menu, click Folder Options.
  • Click the View tab.
  • In the Advanced Settings section, click to clear the Use simple file sharing (Recommended) check box.
  • Click OK.
To take ownership of a file or a folder

How to take ownership of a file
You must have ownership of a protected file in order to access it. If another user has restricted access and you are the computer administrator, you can access the file by taking ownership.

To take ownership of a file, follow these steps:
  • Right-click the file that you want to take ownership of, and then click Properties.
  • Click the Security tab, and then click OK on the Security message (if one appears).
  • Click Advanced, and then click the Owner tab.
  • In the Name list, click Administrator, or click the Administrators group, and then click OK.

    The administrator or the administrators group now owns the file.
To change the permissions on the file that you now own, follow these steps:
  • Click Add.
  • In the Enter the object names to select (examples) list, type the user or group account that you want to have access to the file. For example, type Administrator.
  • Click OK.
  • In the Group or user names list, click the account that you want, and then select the check boxes of the permissions that you want to assign that user.
  • When you are finished assigning permissions, click OK.
  • You can now access the file.
How to take ownership of a folder
You must have ownership of a protected folder in order to access it. If another user has restricted access and you are the computer administrator, you can access the folder by taking ownership.

To take ownership of a folder, follow these steps:
  • Right-click the folder that you want to take ownership of, and then click Properties.
  • Click the Security tab, and then click OK on the Security message (if one appears).
  • Click Advanced, and then click the Owner tab.
  • In the Name list, click your user name, or click Administrator if you are logged in as Administrator, or click the Administrators group. If you want to take ownership of the contents of the folder, select the Replace owner on subcontainers and objects check box.
  • Click OK, and then click Yes when you receive the following message:

    You do not have permission to read the contents of directory folder name. Do you want to replace the directory permissions with permissions granting you Full Control?

    All permissions will be replaced if you click Yes.

    Note folder name is the name of the folder that you want to take ownership of.
  • Click OK, and then reapply the permissions and security settings that you want for the folder and its contents.

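The take-ownership steps above, scripted, as an added example that is not from the thread or from Emsisoft. It assumes an elevated PowerShell prompt and the built-in takeown.exe and icacls.exe (present on Windows Vista and later; XP Professional ships cacls.exe only, so there the GUI steps above remain the way to do it); the folder names are the leftover tool folders named in this thread.

```powershell
# Added example, not code from the thread: scripted equivalent of
# "take ownership of the folder and its contents, then delete it".
# Assumes an elevated prompt and takeown.exe/icacls.exe on PATH.
param(
    [string]$Path = 'C:\Qoobox',   # leftover ComboFix quarantine folder from the thread
    [switch]$Delete                # only remove the tree when explicitly asked
)

# Safety check: only the cleanup-tool folders named in the thread are
# accepted, so a typo cannot point this at Windows or Program Files.
$allowed = @('C:\Qoobox', 'C:\ComboFix', 'C:\_OTL')
if ($allowed -notcontains $Path) {
    throw "Refusing to take ownership of '$Path'; expected one of: $($allowed -join ', ')"
}
if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Host "Nothing to do, '$Path' does not exist."
    return
}

# 1. Give ownership of the folder and everything below it to the
#    Administrators group (/A), recursively (/R), answering Yes to
#    any "no read permission" prompt (/D Y). This is the Owner tab step.
& takeown.exe /F $Path /R /A /D Y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# 2. Now that we own it, grant Administrators Full Control, inherited by
#    subfolders (CI) and files (OI), across the whole tree (/T); /C keeps
#    going past individual errors instead of stopping at the first one.
& icacls.exe $Path /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 3. Verify the owner really changed before doing anything destructive.
#    The name 'BUILTIN\Administrators' assumes an English-language Windows.
$owner = (Get-Acl -LiteralPath $Path).Owner
if ($owner -ne 'BUILTIN\Administrators') {
    throw "Owner is '$owner', expected BUILTIN\Administrators; not deleting."
}
Write-Host "Owner of '$Path' is now $owner"

# 4. Optionally remove the folder, the step that failed with Access Denied
#    on C:\Qoobox\BackEnv in the thread.
if ($Delete) {
    Remove-Item -LiteralPath $Path -Recurse -Force
    Write-Host "Deleted '$Path'"
}
```

Run it once without -Delete to confirm the owner change, then again with -Delete to remove the folder.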

#33 JigDog

Posted 05 July 2012 - 12:38 AM

We are rid of the Qoobox folder and contents.....In EAM Guard I excluded Autoback.exe using the path that OA had for it. I still get the same message "LAUNCH ERUNT FAILED", so I tried to change the path to what Windows has it as, but now I have lost some permissions....EAM will not let me change the rule or edit it, but I can delete it, and Wordpad is not saving some things but saving others??

#34 Kevin Zoll

Posted 05 July 2012 - 01:14 AM

Download Windows Repair by Tweaking.com to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com

  • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
  • Now open this folder and double-click Repair_Windows.exe.
  • Click the Start Repairs tab on the far right.
  • Click the Start button (bottom right)
    Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
  • Click Unselect All
  • Put a checkmark in the following items:
    • Reset Registry Permissions
    • Reset File Permissions
    • Remove Policies Set By Infections
    • Repair Winsock & DNS Cache
    • Repair Proxy Settings
    • Repair Windows Updates
    • Repair Volume Shadow Copy Service
    • Set Windows Services To Default Startup
    Note: Leave everything else unchecked
  • Put a checkmark in Restart System When Finished
  • Now click the Start button (bottom right)
Any change?

#35 JigDog

Posted 05 July 2012 - 04:24 PM

I have been doing some tests and when I deleted the files and pics I created associated with ERUNT, I was able to work with Wordpad OK now? It seems like all my problems have been due to ERUNT in some way. So rather than run the repair at this time I would like you to help me get ERUNT off my system and go from there. I think you are correct in that EAM has it blocked but I do not know where, so I don't know if (Windows Remove Program) will work. The only problem I am having now is EAM will not let me edit or add a rule and I get the msg "ERROR launch ERUNT failed" on the desktop on bootup. Your opinion.

#36 Kevin Zoll

Posted 05 July 2012 - 05:08 PM

Uninstall Erunt 1.1j via Add/Remove Programs in the Control Panel.

Run Windows Repair by Tweaking.com with the settings I specified in my previous post.

#37 JigDog

Posted 05 July 2012 - 08:16 PM

Does Repair Windows.exe require internet connection to run?

#38 Kevin Zoll

Posted 05 July 2012 - 08:30 PM

Only to check that the latest version is being run.

#39 JigDog

Posted 05 July 2012 - 08:55 PM

So I have to leave my anti malware programs running...correct?

#40 Kevin Zoll

Posted 05 July 2012 - 09:59 PM

Yes, leave them running.

#41 JigDog

Posted 05 July 2012 - 11:56 PM

Windows can't access it, OA has it blocked, and the Tweaking folder has ERUNT in it. Pics attached.

#42 Kevin Zoll

Posted 06 July 2012 - 01:21 AM

OK, disable both EAM and OA and then run Windows Repair by Tweaking.com.

#43 JigDog

Posted 06 July 2012 - 02:29 AM

Windows Repair has finished. It seems like it booted faster; it was taking over 6 minutes to boot, and that has been going on for a long time. EAM still will not let me add a rule, maybe I won't need to. I will try to install the software from ACRONIS and see if EAM blocks it.

#44 Kevin Zoll

Posted 06 July 2012 - 03:21 PM

Disable NOD 32. Make any difference?

#45 JigDog

Posted 06 July 2012 - 10:09 PM

Disable NOD 32. Make any difference?
You talking about boot time, rule change, or installing software???
Sorry for the long delay times, trying to save my dog....very ill!!

#46 Kevin Zoll

Posted 06 July 2012 - 10:22 PM

Both boot time and rule edit.

#47 JigDog

Posted 07 July 2012 - 05:46 PM

In trying to disable NOD32, it said to disable it in the advanced section; there the only thing I could find was tabs to disable file protection and HIPS, so I disabled both. I had tried to disable it in msconfig startup, but it must start with a registry key? Anyway, boot time is the same and I could not edit the EAM rule. The long boot happens when it gets to the startup programs, as you probably already knew..

#48 Kevin Zoll

Posted 07 July 2012 - 06:02 PM

Long load times are caused by applications competing for resources and by how many applications are loading at Windows startup.

Let's see if we can figure out what is causing the issue.

Download Runscanner to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
  • Call the .run file "Select a name" and save it to your desktop. You will see the .run file on your desktop. Zip the .run and attach the zip-file to your next reply.


#49 JigDog

Posted 07 July 2012 - 07:36 PM

WinZip did not recognize the .run file as a zip file and it was only 221kb, so I just attached it.

Too big did not work. The only option to unzip when I right-click on the file was to zip and email, so that is what I did to get it zipped. I emailed it to myself and then saved it to the desktop. I am not familiar with WinZip so there may be a different way, but the WinZip wizard did not show one that I could determine.

#50 JigDog

Posted 07 July 2012 - 07:38 PM

I will try to attach it again??