I have read every forum on every website i can find and still have no clue why it won’t go away. Avast finds it in C:\Windows\System32\otmspr.exe. I have moved to chest, deleted and deleted manually. I have HijackThis, Malwarebytes, Combofix, Spybot, and of course avast and none of them can fix it. Malware bytes finds it and says it deletes it just as Avast does but on rescan it is back again.
Also my Regedit.exe will not work anymore. I tried searching for the app and using “run” but to no avail. Pleas help me!

HijackThis Report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:43 AM, on 2/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Intel Audio Studio\INTELAUDIOSTUDIO.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\jwtch32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime -Delay
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM..\Run: [IntelAudioStudio] “C:\Program Files\Intel Audio Studio\INTELAUDIOSTUDIO.EXE” TRAY
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [LogitechCommunicationsManager] “C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe”
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [Microsoft netswitch] C:\WINDOWS\system32\jwtch32.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\Wcescomm.exe”
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212970239343
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

–
End of file - 8485 bytes

I would post my Combo fix report but it wont allow that many characters on my post.

I have Zonealarm as my firewall if that makes any difference.
Thank you in advance for your help!

C:\Windows\System32\otmspr.exe
C:\WINDOWS\system32\jwtch32.exe

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the above files to VirusTotal for analysis if found.

Otmspr.exe results were already posted from previous scans. The other file came up negative.

File 988db663bb61c964ba7a4c1a78aa8660. received on 02.16.2009 20:02:02 (CET)
Current status: finished
Result: 20/39 (51.28%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared - - Trojan.Win32.Agent!IK
AhnLab-V3 - - -
AntiVir - - TR/Agent.bprl
Authentium - - W32/Threat-HLLSI-based!Maximus
Avast - - Win32:Trojan-gen {Other}
AVG - - -
BitDefender - - Generic.Malware.SYd!.D75B86A7
CAT-QuickHeal - - -
ClamAV - - -
Comodo - - -
DrWeb - - -
eSafe - - Win32.Malware
eTrust-Vet - - -
F-Prot - - W32/Threat-HLLSI-based!Maximus
F-Secure - - Trojan.Win32.Agent.bprl
Fortinet - - PossibleThreat
GData - - Generic.Malware.SYd!.D75B86A7
Ikarus - - Trojan.Win32.Agent
K7AntiVirus - - Trojan.Win32.Agent.bprl
Kaspersky - - Trojan.Win32.Agent.bprl
McAfee - - -
McAfee+Artemis - - Generic!Artemis
Microsoft - - -
NOD32 - - -
Norman - - W32/Agent.LMJU
nProtect - - Generic.Malware.SYd!.D75B86A7
Panda - - Trj/Downloader.MDW
PCTools - - -
Prevx1 - - -
Rising - - -
SecureWeb-Gateway - - Trojan.Agent.bprl
Sophos - - -
Sunbelt - - -
Symantec - - Backdoor.Trojan
TheHacker - - Trojan/Agent.bprl
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Additional information
MD5: 988db663bb61c964ba7a4c1a78aa8660
SHA1: 15b2fd9f68a9d66f7db64d92961c528bc1e7ce54
SHA256: 9248dc6f03af1aa5a872f62c2f06aec28e97f0a8b5f73d2817a24599c34a550a
SHA512: dc95baf920b205558cc7c7873150d419e9b2fc695e115c73ca6cc56446af969436e28a68706a52d2533d2cc4d57456cbc65adf686f9f5d4db90cbe40a6a8c5f0

Please advise the next step. I am desperate to get rid of this thing.

If…

C:\WINDOWS\system32\jwtch32.exe

…is not malware, then I’m a female ardvark!

Did it really come back 100% negative? No “suspicious” warnings?

Please resubmit the file and if you are told that the file has already been analysed, do not click the “view previous analysis” button- click the other button that runs a new analysis.

Please post the exact results here.

Looks like it’s Vundo and MalwareBytes will clean it:

http://www.forospyware.com/t229300.html

Malwarebytes’ Anti-Malware

Here are the newest results of the scan. It still comes back negative. Also i have fun Malwarebytes and it finds it but after deletion it comes right back upon rescan. It’s recreating itself somehow. I dont get it.

File jwtch32.exe received on 02.19.2009 06:50:16 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED
Result: 0/39 (0%)
Loading server information…
Your file is queued in position: 1.
Estimated start time is between 42 and 60 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they’re generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click “request” so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.19 -
AhnLab-V3 2009.2.19.0 2009.02.18 -
AntiVir 7.9.0.83 2009.02.18 -
Authentium 5.1.0.4 2009.02.18 -
Avast 4.8.1335.0 2009.02.18 -
AVG 8.0.0.237 2009.02.19 -
BitDefender 7.2 2009.02.19 -
CAT-QuickHeal 10.00 2009.02.19 -
ClamAV 0.94.1 2009.02.18 -
Comodo 983 2009.02.18 -
DrWeb 4.44.0.09170 2009.02.19 -
eSafe 7.0.17.0 2009.02.18 -
eTrust-Vet 31.6.6365 2009.02.19 -
F-Prot 4.4.4.56 2009.02.18 -
F-Secure 8.0.14470.0 2009.02.19 -
Fortinet 3.117.0.0 2009.02.18 -
GData 19 2009.02.19 -
Ikarus T3.1.1.45.0 2009.02.19 -
K7AntiVirus 7.10.630 2009.02.18 -
Kaspersky 7.0.0.125 2009.02.19 -
McAfee 5529 2009.02.17 -
McAfee+Artemis 5529 2009.02.17 -
Microsoft 1.4306 2009.02.18 -
NOD32 3866 2009.02.18 -
Norman 6.00.06 2009.02.18 -
nProtect 2009.1.8.0 2009.02.19 -
Panda 9.4.3.20 2009.02.18 -
PCTools 4.4.2.0 2009.02.18 -
Prevx1 V2 2009.02.19 -
Rising 21.17.30.00 2009.02.19 -
SecureWeb-Gateway 6.7.6 2009.02.18 -
Sophos 4.38.0 2009.02.19 -
Sunbelt 3.2.1855.2 2009.02.17 -
Symantec 10 2009.02.19 -
TheHacker 6.3.2.2.259 2009.02.18 -
TrendMicro 8.700.0.1004 2009.02.19 -
VBA32 3.12.10.0 2009.02.18 -
ViRobot 2009.2.19.1614 2009.02.19 -
VirusBuster 4.5.11.0 2009.02.18 -
Additional information
File size: 15524064 bytes
MD5…: 157d0c0c8a1fec25cfb48833561db360
SHA1…: e910f22dfdd7c666e572f10c9ee2e3728458eed4
SHA256: c173a566165e467943984746ee01b0ac04207559e3b20cd664338fcf58a14222
SHA512: 68fc88a56989bff4c31d7ba01ad01a533c7a76155b51484e3ab43c82b4c9fce8
dc8ae6900e2b061ec2385fcdc53f5e0e8eea2ff4a96aa27dfcc638dafc231c51
ssdeep: 384:u5dwSgCZsS8un0E3IHFsfcbKm6MYZwptAM:UHsSP0E3i9em6RZG
PEiD…: -
TrID…: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp…: 0x49900e7a (Mon Feb 09 11:07:38 2009)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x16ba 0x1800 6.98 4ecae3973fbead3c854b30d1c167239a
.data 0x3000 0x4084 0x4200 4.53 621e6cf5ffd8a87fb371eafeea6ec736
.rsrc 0x8000 0x120 0x200 1.87 f6e133e44cf15f48bcff965b7e8315eb

( 3 imports )

kernel32.dll: CreateMutexA, GetLastError, GetModuleHandleA, LoadLibraryA, GetProcAddress, Sleep, FreeLibrary, ExitProcess, RtlZeroMemory, RtlMoveMemory, CreateFileA, WriteFile, CloseHandle, TerminateThread, TerminateProcess, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GlobalHandle, GlobalUnlock, GlobalFree, FlushFileBuffers
user32.dll: DialogBoxParamA, LoadIconA, SendMessageA, SetDlgItemTextA, EndDialog, GetClassNameA, GetWindowThreadProcessId, ShowWindowAsync
comctl32.dll: InitCommonControls

( 0 exports )

It looks to me like the file is not uploading properly because I’ve noticed it detected as malware elsewhere.

I think it should go. First disable Spybot’s “Teatimer” function:

http://forums.spybot.info/showthread.php?t=2827

Then run HijackThis! again, tick this entry, close all other windows including this one if open and click ‘Fix’.

O4 - HKLM..\Run: [Microsoft netswitch] C:\WINDOWS\system32\jwtch32.exe

Reboot into Safe Mode and delete the above file and otmspr.exe if found.

Reboot and run Malwarebytes again.

Then if necessary try these free virus scanners:

DrWeb CureIT!
Kaspersky Virus removal Tool

Try this free adware/spyware scanners. Download, install and update.

SUPERAntiSpyware Free

You are amazing. I did exactly what you said and voila, it is no more. Upon boot up it did not detect it and after running Malwarebytes it found on thing, I removed it and did another full scan which came back negative. Avast did detect something different in the System restore folder but after turning off system restore it found nothing.

Thank you so much for your help! I hope to not have to bother you again.

Thanx again

No problem. I’m glad it was that easy to fix in the end! I’d still recommend running Malwarebytes one more time. And also, check for out-of-date and insecure software and update- this will reduce the risk of similar infections.

Secunia Online Software Inspector (OSI)
Secunia Personal Software Inspector (PSI)