WiredWX Hobby Weather Tools


OTL and Extra - pasted and attached


Re: OTL and Extra - pasted and attached
Also, should we save or delete the mbam logs that accumulate?

Re: OTL and Extra - pasted and attached
Nothing bad. Just looks like it detected ComboFix that we used. No biggie.

Re: OTL and Extra - pasted and attached
Thank you, looks good. I deleted the download and reran MBAM and no issues were found.

Now that the Acer is clear, I will start a new topic for my desktop PC. It has ZeroAccess quarantined by MBAM at the moment, along with several other trojan files.

Thank You! Dave

Re: OTL and Extra - pasted and attached
Post the log from this MBAM scan then, please.

MBAM scan log

Had a serious error recovery message prior to doing this scan today.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.09.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
David :: DUCKEL [administrator]

9/9/2012 9:47:22 AM
mbam-log-2012-09-09 (09-47-22).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 274416
Time elapsed: 1 hour(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

MBAM log was from Netbook
I just realized that you meant for me to post the desktop machine's infected mbam log.

Before I do that, I wanted to ask if you could check my logs and give me a link for the HOST files I need for this machine, or, just tell me which of the many downloads on that page are the right ones. Thanks!

Infected Desktop Machine MBAM log
My Desktop pc's MBAM log will be posted next, along with the quarantine list from AVG.
MBAM has zeroaccess quarantined, and AVG has
Agent_r.BMS and Backdoor.Generic15.BIXF quarantined.

Please advise. Thanks.

Desktop MBAM / AVG / RK
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4051

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

4/29/2010 8:29:14 AM
mbam-log-2010-04-29 (08-29-14).txt

Scan type: Full scan (A:\|C:\|)
Objects scanned: 207385
Time elapsed: 23 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbcamiyd (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lbcamiyd (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\xrovqpfof\eeenncntssd.exe (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\RaaH.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\yCVO.exe (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CEZD4KV5\n002102304801r0409J11000601R83a99fdaW046d99ddX9c4de30dYd79ec259Z03009f350[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WK60Y5LU\n002102304801r0409J11000601R83a99fdaW046d99ddX9430cb2fYdfe815a9Z03009f350[1] (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Here are quarantine notes in AVG:
Malware Win32/Adware.Toolbar.Dealio C:\PROGRAMFILES\PDFFORGETOOLBAR\IE\4.5\PDFFORGETOOLBARIE.DLL
Malware Win32/Adware.Toolbar.Dealio C:\PROGRAMFILES\COMMONFILES\SPIGOT\SEARCH SETTINGS\SEARCHSETTINGS.EXE
Malware UNKNOWN C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\F4D55F3B0001836367169D4ED151FC84\F4D55F3B0001836367169D4ED151FC84.EXE
Corrupted executable file C:\Documents and Settings\Owner\Local Settings\Temp\SkypeSetup.exe
Infection Trojan horse Agent_r.BMS C:\Documents and Settings\Administrator\Desktop\RK_Quarantine\80000032.@.vir
Infection Trojan horse Backdoor.Generic15.BIXF C:\Documents and Settings\Administrator\Desktop\RK_Quarantine\000000cb.@.vir

And a Quarantine Report:


Time : 01/09/2012 19:43:26
--------------------------
[LaunchPad.exe.vir] -> C:\Documents and Settings\Owner\Application Data\U3\000015EBBA6133D1\LaunchPad.exe
ERROR [n..vir] -> C:\RECYCLER\S-1-5-21-1614895754-861567501-682003330-1003\$4da03db75501abe897a6efc6a820fe37\n.


Time : 01/09/2012 19:48:38
--------------------------
[LaunchPad.exe.vir] -> C:\Documents and Settings\Owner\Application Data\U3\000015EBBA6133D1\LaunchPad.exe
ERROR [n..vir] -> C:\RECYCLER\S-1-5-21-1614895754-861567501-682003330-1003\$4da03db75501abe897a6efc6a820fe37\n.
ERROR [n..vir] -> C:\RECYCLER\S-1-5-21-1614895754-861567501-682003330-1003\$4da03db75501abe897a6efc6a820fe37\n.


Time : 01/09/2012 19:49:12
--------------------------
[LaunchPad.exe.vir] -> C:\Documents and Settings\Owner\Application Data\U3\000015EBBA6133D1\LaunchPad.exe
ERROR [n..vir] -> C:\RECYCLER\S-1-5-21-1614895754-861567501-682003330-1003\$4da03db75501abe897a6efc6a820fe37\n.
ERROR [n..vir] -> C:\RECYCLER\S-1-5-21-1614895754-861567501-682003330-1003\$4da03db75501abe897a6efc6a820fe37\n.


Time : 01/09/2012 19:57:51
--------------------------
[LaunchPad.exe.vir] -> C:\Documents and Settings\Owner\Application Data\U3\000015EBBA6133D1\LaunchPad.exe
ERROR [n..vir] -> C:\RECYCLER\S-1-5-21-1614895754-861567501-682003330-1003\$4da03db75501abe897a6efc6a820fe37\n.
ERROR [n..vir] -> C:\RECYCLER\S-1-5-21-1614895754-861567501-682003330-1003\$4da03db75501abe897a6efc6a820fe37\n.


Time : 01/09/2012 21:16:58
--------------------------


Time : 01/09/2012 21:25:50
--------------------------


Time : 05/09/2012 00:22:53
--------------------------

Re: OTL and Extra - pasted and attached
RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 09/01/2012 19:43:27

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] LaunchPad.exe -- C:\Documents and Settings\Owner\Application Data\U3\000015EBBA6133D1\LaunchPad.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-1614895754-861567501-682003330-1003\$4da03db75501abe897a6efc6a820fe37\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500AAKS-22VSA0 +++++
--- User ---
[MBR] d1dd1b46542915a868a86177a5d1c98b
[BSP] dc1586e26c5e2a65ee56087b0c6cae52 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt



Re: OTL and Extra - pasted and attached
RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 09/05/2012 00:22:53

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500AAKS-22VSA0 +++++
--- User ---
[MBR] d1dd1b46542915a868a86177a5d1c98b
[BSP] dc1586e26c5e2a65ee56087b0c6cae52 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[7].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt ; RKreport[7].txt

System is currently not connected to the internet.
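An added example, not part of the thread and not code from RogueKiller's author: a short Python script that parses the two RogueKiller reports above (the 09/01/2012 scan that flagged ZeroAccess and the 09/05/2012 scan after cleanup), pulls out the things a helper checks by eye in these reports (the [HJ INPROC] InprocServer32 entry pointing into C:\RECYCLER\<SID>\$<32 hex>\, the HOSTS file lines, the [MBR] and [BSP] hashes) and confirms that the second scan shows the infection cleared with the MBR hashes unchanged. The sample reports are constructed, abridged copies of the logs in this thread; the section names and the RECYCLER path shape come from them, and the hosts whitelist is an assumption.

```python
import re
from typing import Dict, List

# Constructed samples, abridged from the two RogueKiller V8.0.2 reports in the thread.
RK_BEFORE = r"""
RogueKiller V8.0.2 [08/31/2012] by Tigzy
Mode : Scan -- Date : 09/01/2012 19:43:27

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] LaunchPad.exe -- C:\Documents and Settings\Owner\Application Data\U3\000015EBBA6133D1\LaunchPad.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-1614895754-861567501-682003330-1003\$4da03db75501abe897a6efc6a820fe37\n.) -> FOUND

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD2500AAKS-22VSA0 +++++
--- User ---
[MBR] d1dd1b46542915a868a86177a5d1c98b
[BSP] dc1586e26c5e2a65ee56087b0c6cae52 : Windows XP MBR Code
"""

RK_AFTER = r"""
RogueKiller V8.0.2 [08/31/2012] by Tigzy
Mode : Scan -- Date : 09/05/2012 00:22:53
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 0 ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
[MBR] d1dd1b46542915a868a86177a5d1c98b
[BSP] dc1586e26c5e2a65ee56087b0c6cae52 : Windows XP MBR Code
"""

SECTION_RE = re.compile(r"^¤¤¤\s*(.*?)\s*¤¤¤$")
DATE_RE = re.compile(r"Date : (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")
HASH_RE = re.compile(r"^\[(MBR|BSP)\]\s+([0-9a-f]{32})")
# Shape of the path RogueKiller reported for the hijacked InprocServer32 above:
# \RECYCLER\<user SID>\$<32 hex chars>\  (the "n." payload file sits inside it).
ZA_PATH_RE = re.compile(r"\\RECYCLER\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32}\\", re.IGNORECASE)
BENIGN_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}  # assumption: anything else gets flagged


def parse_report(text: str) -> Dict[str, object]:
    """Split a RogueKiller report into the fields a reviewer compares between scans."""
    rep = {"date": None, "infection": None, "processes": [], "registry": [],
           "hosts": [], "mbr": None, "bsp": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DATE_RE.search(line)
        if m:
            rep["date"] = m.group(1)
            continue
        m = SECTION_RE.match(line)
        if m:  # "Bad processes : 1", "Infection : ZeroAccess", "HOSTS File:", ...
            name, _, value = m.group(1).partition(":")
            section = name.strip().lower()
            if section == "infection":
                rep["infection"] = value.strip() or None
            continue
        if section == "bad processes":
            rep["processes"].append(line)
        elif section == "registry entries":
            rep["registry"].append(line)
        elif section == "hosts file" and not line.startswith("-->"):
            rep["hosts"].append(" ".join(line.split()))
        elif section == "mbr check":
            m = HASH_RE.match(line)
            if m:
                rep[m.group(1).lower()] = m.group(2)
    return rep


def zeroaccess_indicators(rep) -> List[str]:
    """Registry entries that hijack a CLSID's InprocServer32 into a RECYCLER\\$<hex> folder."""
    return [e for e in rep["registry"] if "InprocServer32" in e and ZA_PATH_RE.search(e)]


def suspicious_hosts(rep) -> List[str]:
    return [h for h in rep["hosts"] if h not in BENIGN_HOSTS and not h.startswith("#")]


def compare(before, after) -> Dict[str, object]:
    """What changed between two scans of the same machine."""
    return {
        "infection_cleared": before["infection"] is not None and after["infection"] is None,
        "indicators_remaining": len(zeroaccess_indicators(after)),
        "registry_remaining": len(after["registry"]),
        "processes_remaining": len(after["processes"]),
        # same MBR and boot-sector hashes: nothing rewrote the MBR between the scans
        "mbr_unchanged": (before["mbr"], before["bsp"]) == (after["mbr"], after["bsp"]),
        "hosts_suspicious": suspicious_hosts(after),
    }


if __name__ == "__main__":
    b, a = parse_report(RK_BEFORE), parse_report(RK_AFTER)
    print("before:", b["date"], b["infection"], zeroaccess_indicators(b))
    print("after: ", a["date"], compare(b, a))
```

The MBR/BSP comparison is the same thing a helper does when two RogueKiller reports a few days apart are posted: matching hashes mean the boot code was not rewritten between scans, while a hash that changed with nothing installed in between is worth a closer look with a dedicated MBR scanner.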

Re: OTL and Extra - pasted and attached

Why is this last MBAM log posted, when it's from 4/29/2010 8:29:14 AM?

Most recent MBAM log
I posted the old one because it showed what was shown as infected. I have not updated MBAM in 5 days as I have disconnected pc from the internet. AVG is showing something that appears to be reinstallers.
MBAM is below:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.05.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: OWNER-1EFEC9199 [administrator]

9/9/2012 10:11:28 PM
mbam-log-2012-09-09 (22-11-28).txt

Scan type: Full scan (A:\|C:\|E:\|F:\|G:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 376969
Time elapsed: 1 hour(s), 20 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Administrator\Desktop\RK_Quarantine\00000008.@.vir (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\RK_Quarantine\80000000.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)
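An added example, not from the thread and not code from Malwarebytes: a Python parser for the two MBAM log formats posted in this thread (1.45 with "... Infected:" sections, where the counts are listed first and the items follow under repeated headings, and 1.62 with "... Detected:" sections, where the items follow the count directly). It reports the scan date, flags a log older than a week against a reference date (the point behind the question about the 4/29/2010 log), checks that the per-section counts add up to the listed items, and lists the threat names and any item whose action is not a successful quarantine. The samples are constructed, abridged copies of the logs above; the seven-day staleness threshold and the reference date are assumptions.

```python
import re
from datetime import datetime
from typing import Dict, Optional

# Constructed samples, abridged from the two MBAM logs in the thread.
MBAM_2010 = r"""
Malwarebytes' Anti-Malware 1.45
Database version: 4051
Windows 5.1.2600 Service Pack 3 (Safe Mode)

4/29/2010 8:29:14 AM
mbam-log-2010-04-29 (08-29-14).txt

Scan type: Full scan (A:\|C:\|)

Registry Keys Infected: 2
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\RaaH.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

MBAM_2012 = r"""
Malwarebytes Anti-Malware 1.62.0.1300
Database version: v2012.09.05.02

9/9/2012 10:11:28 PM
mbam-log-2012-09-09 (22-11-28).txt

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Administrator\Desktop\RK_Quarantine\00000008.@.vir (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\RK_Quarantine\80000000.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)
"""

VERSION_RE = re.compile(r"^Malwarebytes'? Anti-Malware (\S+)")
DB_RE = re.compile(r"^Database version: (\S+)")
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?$")
# "Registry Keys Infected: 4" (count), "Registry Keys Infected:" (item list), "Files Detected: 2"
SECTION_RE = re.compile(r"^([A-Za-z ]+?) (?:Infected|Detected):(?: (\d+))?$")
# "<path> (<threat name>) -> <action>."
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")
STALE_AFTER_DAYS = 7  # assumption: a week-old scan says little about the machine today


def parse_date(s: str) -> Optional[datetime]:
    for fmt in ("%m/%d/%Y %I:%M:%S %p", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(s, fmt)
        except ValueError:
            pass
    return None


def parse_mbam_log(text: str) -> Dict[str, object]:
    log = {"version": None, "database": None, "scanned_at": None, "counts": {}, "items": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := VERSION_RE.match(line):
            log["version"] = m.group(1)
        elif m := DB_RE.match(line):
            log["database"] = m.group(1)
        elif DATE_RE.match(line):
            log["scanned_at"] = parse_date(line)
        elif m := SECTION_RE.match(line):
            section = m.group(1)
            if m.group(2) is not None:
                log["counts"][section] = int(m.group(2))
        elif section and (m := ITEM_RE.match(line)):
            log["items"].append({"category": section, "path": m.group(1),
                                 "threat": m.group(2), "action": m.group(3)})
    return log


def summarize(log: Dict[str, object], reference: datetime) -> Dict[str, object]:
    """Triage view of one log: how old it is, whether it is internally consistent, what it found."""
    scanned = log["scanned_at"]
    age = (reference - scanned).days if scanned else None
    items = log["items"]
    return {
        "version": log["version"],
        "scanned_at": scanned,
        "age_days": age,
        "stale": age is None or age > STALE_AFTER_DAYS,
        "counts_consistent": sum(log["counts"].values()) == len(items),
        "total_detected": len(items),
        "threats": sorted({i["threat"] for i in items}),
        "not_quarantined": [i["path"] for i in items if not i["action"].startswith("Quarantined")],
    }


if __name__ == "__main__":
    ref = datetime(2012, 9, 10)  # assumed reference date: the day after the thread's latest scan
    for text in (MBAM_2010, MBAM_2012):
        print(summarize(parse_mbam_log(text), ref))
```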

Re: OTL and Extra - pasted and attached
Let's look over a couple more things, then honestly I believe this PC is very clean!

AdwCleaner Scan
Please download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.



Please download aswMBR from here


  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below


[screenshot: AswMBR_Scan]

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives


  • Once the scan finishes click Save log to save the log to your Desktop
[screenshot: AswMBR_SaveLog]

  • Copy and paste the contents of aswMBR.txt back here for review

Shall I reconnect my pc to internet?

I am currently disconnected. I ran the first program from the desktop.
Report is below. I put aswMBR on a stick and copied it to desktop.
When I clicked on it, it says "This application can use the Avast Free Antivirus for scanning. It is recommended to download it for better detection results. Would you like to download latest Avast virus definitions?"

This will require reconnecting, unless I just click NO.

Please advise if it is safe for me to reconnect pc to internet.

# AdwCleaner v2.000 - Logfile created 09/02/2012 at 14:40:28
# Updated 30/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - OWNER-1EFEC9199
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Owner\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****

Found : Application Updater

***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\extensions\pdfforge@mybrowserbar.com
File Found : C:\Program Files\Mozilla Firefox\extensions\wtxpcom@mybrowserbar.com
Folder Found : C:\Documents and Settings\Owner\Application Data\pdfforge

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\pdfforge
Key Found : HKCU\Software\AppDataLow\Software\Search Settings
Key Found : HKCU\Software\pdfforge
Key Found : HKCU\Software\Search Settings
Key Found : HKLM\Software\pdfforge
Key Found : HKLM\Software\Search Settings

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\18uaxcra.default\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\duw4v4k6.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1447 octets] - [02/09/2012 14:40:28]

########## EOF - C:\AdwCleaner[R1].txt - [1507 octets] ##########

Re: OTL and Extra - pasted and attached

I ran the aswMBR that I had saved to the desktop from my stick/not as downloaded with updates. Here are the results.
I am still waiting to hear if it is ok to reconnect the LAN cable to my pc.
Let me know if you'd like me to reconnect the LAN cable and then to download aswMBR directly to the desktop, then to click on the YES button to update definitions and run it again.


Results follow:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-11 07:00:54
-----------------------------
07:00:54.906 OS Version: Windows 5.1.2600 Service Pack 3
07:00:54.906 Number of processors: 2 586 0x170A
07:00:54.906 ComputerName: OWNER-1EFEC9199 UserName: Owner
07:00:55.421 Initialize success
07:01:02.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
07:01:02.656 Disk 0 Vendor: WDC_WD2500AAKS-22VSA0 01.01B01 Size: 238475MB BusType: 3
07:01:02.687 Disk 0 MBR read successfully
07:01:02.687 Disk 0 MBR scan
07:01:02.687 Disk 0 Windows XP default MBR code
07:01:02.687 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
07:01:02.687 Disk 0 scanning sectors +488376000
07:01:02.734 Disk 0 scanning C:\WINDOWS\system32\drivers
07:01:07.343 Service scanning
07:01:16.593 Modules scanning
07:01:18.906 Disk 0 trace - called modules:
07:01:18.921 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
07:01:18.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b3abab8]
07:01:18.921 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000066[0x8b3b2f18]
07:01:18.921 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8b3add98]
07:01:18.921 Scan finished successfully
07:04:19.250 Disk 0 MBR has been saved successfully to "J:\Reports from Desktop Computer September 2012\New Folder\MBR.dat"
07:04:19.250 The log file has been saved successfully to "J:\Reports from Desktop Computer September 2012\New Folder\aswMBR.txt"

