Posts posted by Kazzaa
Hey,
Yes, the netbook is running much smoother. No freezing problems for the last while anyhooo; it is starting up quicker, & it actually accessed Windows Update today & downloaded & installed updates, which it has been unable to do for months. I ran the last few scans you suggested & the results were as follows:
Malwarebytes Anti-Malware Results:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5706
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
07/02/2011 22:40:32
mbam-log-2011-02-07 (22-40-32).txt
Scan type: Quick scan
Objects scanned: 146499
Time elapsed: 5 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ESET Online Scanner:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=1f927064c5e65c40b6d422b018175e37
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-08 12:01:37
# local_time=2011-02-08 12:01:37 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 818926 818926 0 0
# compatibility_mode=1797 16775125 100 93 3826 33653416 42712 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 5279 5279 0 0
# scanned=120688
# found=0
# cleaned=0
# scan_time=2832
OTL Log:
OTL logfile created on: 08/02/2011 00:03:59 - Run 2
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\miss madigan\Desktop\new
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
1,015.00 Mb Total Physical Memory | 462.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 133.68 Gb Free Space | 89.70% Space Free | Partition Type: NTFS
Computer Name: CLAIRE | User Name: miss madigan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2011/01/30 18:44:56 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\miss madigan\desktop\new\OTL.exe
PRC - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/12/13 08:39:54 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/03/30 20:47:00 | 000,254,042 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\WDM\stacsv.exe
PRC - [2008/04/15 12:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
========== Modules (SafeList) ==========
MOD - [2011/01/30 18:44:56 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\miss madigan\desktop\new\OTL.exe
MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
========== Win32 Services (SafeList) ==========
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (BOTService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/03/30 20:47:00 | 000,254,042 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
========== Driver Services (SafeList) ==========
DRV - [2010/12/13 08:40:21 | 000,135,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/12/13 08:40:21 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/06/05 12:18:50 | 001,735,040 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2009/03/30 20:47:00 | 001,550,891 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2009/03/19 18:55:06 | 000,113,664 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2009/03/02 21:03:48 | 000,038,912 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c)
DRV - [2009/01/16 02:41:00 | 000,206,512 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/11/22 01:36:46 | 000,160,256 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTS5121.sys -- (RSUSBSTOR)
DRV - [2008/04/15 12:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 23:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 23:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/02/15 22:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2001/08/18 13:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 13:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 13:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 13:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 13:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/18 12:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/18 12:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/18 12:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/18 12:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/18 12:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/18 12:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/18 12:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/18 12:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/18 12:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/18 12:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\cmdide.sys -- (CmdIde)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7C 18 AE 8D B9 C6 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2011/02/04 15:06:04 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoControlPanel = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: microsoft.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([]https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289937724671 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll (PCPitstop AntiVirus)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285972845937 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Reg Error: Key error.)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\miss madigan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\miss madigan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/02/07 22:46:28 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/02/07 22:36:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\miss madigan\Desktop\mon+tues results
[2011/02/07 22:32:38 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/02/07 22:32:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2011/02/07 22:32:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/02/07 22:32:21 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2011/02/07 22:32:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/02/07 13:59:02 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2011/02/07 11:36:05 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\ndproxy.sys
[2011/02/07 11:23:04 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\wab.exe
[2011/02/04 15:12:07 | 000,000,000 | ---D | C] -- C:\windows\temp
[2011/02/04 15:08:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\miss madigan\Desktop\new
[2011/01/31 21:07:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\windows\SWXCACLS.exe
[2011/01/31 21:07:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2011/01/31 21:07:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2011/01/31 21:07:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2011/01/31 20:56:26 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2011/01/31 20:42:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/31 11:38:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Rootkit Unhooker LE
[2011/01/30 17:56:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/01/30 17:56:04 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/01/30 15:29:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\miss madigan\Application Data\Avira
[2011/01/30 15:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2011/01/30 15:27:27 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\ssmdrv.sys
[2011/01/30 15:27:23 | 000,135,096 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avipbb.sys
[2011/01/30 15:27:23 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntflt.sys
[2011/01/30 15:27:23 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntdd.sys
[2011/01/30 15:27:23 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntmgr.sys
[2011/01/30 15:27:21 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/01/30 15:27:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2011/01/30 14:24:56 | 000,000,000 | ---D | C] -- C:\Program Files\MSECACHE
[2011/01/29 12:45:41 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/01/28 21:26:21 | 000,000,000 | ---D | C] -- C:\windows\setup.pss
[2011/01/28 20:03:09 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\82495002.sys
[2011/01/28 20:02:55 | 000,128,016 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\82495001.sys
[2011/01/28 20:02:39 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\8249500.sys
[2011/01/28 19:51:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AOL
[2011/01/28 17:21:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2011/01/18 22:22:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\miss madigan\My Documents\Downloads
[2010/12/18 22:17:15 | 000,004,224 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\beep.sys
[2010/12/18 22:17:10 | 029,634,504 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\scan.exe
[2010/12/18 22:17:10 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\tskill.exe
========== Files - Modified Within 30 Days ==========
[2011/02/08 00:02:10 | 000,001,158 | ---- | M] () -- C:\windows\System32\wpa.dbl
[2011/02/07 23:32:04 | 000,000,330 | -H-- | M] () -- C:\windows\tasks\MP Scheduled Scan.job
[2011/02/07 23:16:29 | 000,442,334 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2011/02/07 23:16:29 | 000,071,912 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2011/02/07 23:11:41 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2011/02/07 23:11:40 | 1064,620,032 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/07 22:32:29 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/07 14:15:13 | 000,000,230 | ---- | M] () -- C:\windows\tasks\BackOnTrack Update.job
[2011/02/07 14:15:06 | 000,247,904 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2011/02/07 14:11:55 | 000,001,355 | ---- | M] () -- C:\windows\imsins.BAK
[2011/02/04 15:06:04 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts
[2011/02/04 14:44:23 | 004,263,406 | R--- | M] () -- C:\Documents and Settings\miss madigan\Desktop\schrauber.exe
[2011/02/02 17:11:20 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\MpSigStub.exe
[2011/01/31 11:39:02 | 000,034,560 | ---- | M] () -- C:\windows\System32\drivers\Normandy.sys
[2011/01/30 17:56:13 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\miss madigan\Desktop\Spybot - Search & Destroy.lnk
[2011/01/30 15:28:18 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/01/28 22:19:09 | 000,000,254 | -HS- | M] () -- C:\BOOT.BAK
========== Files Created - No Company Name ==========
[2011/02/07 22:32:29 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/04 14:40:18 | 1064,620,032 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/31 21:07:00 | 000,256,512 | ---- | C] () -- C:\windows\PEV.exe
[2011/01/31 21:07:00 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2011/01/31 21:07:00 | 000,089,088 | ---- | C] () -- C:\windows\MBR.exe
[2011/01/31 21:07:00 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2011/01/31 21:07:00 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2011/01/31 20:41:21 | 004,263,406 | R--- | C] () -- C:\Documents and Settings\miss madigan\Desktop\schrauber.exe
[2011/01/30 19:13:41 | 000,034,560 | ---- | C] () -- C:\windows\System32\drivers\Normandy.sys
[2011/01/30 17:56:13 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\miss madigan\Desktop\Spybot - Search & Destroy.lnk
[2011/01/30 15:28:18 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/01/28 21:30:29 | 000,000,254 | -HS- | C] () -- C:\BOOT.BAK
[2010/12/18 22:17:15 | 000,951,291 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\remregfix.reg
[2010/12/18 22:17:15 | 000,610,455 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\HOSTS
[2010/12/18 22:17:15 | 000,018,308 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\IEDef.reg
[2010/12/18 22:17:15 | 000,005,228 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\nfig.reg
[2010/12/18 22:17:15 | 000,004,994 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\s.reg
[2010/12/18 22:17:15 | 000,004,512 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\hpregfix.reg
[2010/12/18 22:17:15 | 000,003,008 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\bgregfix.reg
[2010/12/18 22:17:15 | 000,002,600 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\exefix.reg
[2010/12/18 22:17:15 | 000,001,754 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\regf.reg
[2010/12/18 22:17:15 | 000,000,896 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\databasepath.reg
[2010/12/18 22:17:15 | 000,000,890 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\Remove-itRestorePoint.vbs
[2010/10/29 20:28:30 | 000,044,800 | ---- | C] () -- C:\windows\System32\drivers\imzbwcdrxu.sys
[2010/10/20 20:18:53 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\housecall.guid.cache
[2010/10/18 20:44:52 | 000,000,376 | ---- | C] () -- C:\windows\ODBC.INI
[2010/10/01 19:16:14 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\77381BC7-E504-403C-B58D-E4A40A94395D.txt
[2010/10/01 19:16:01 | 000,004,190 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\77381BC7-E504-403C-B58D-E4A40A94395D.txt
[2010/06/29 22:11:48 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\KFr2df.dat
[2010/05/24 17:07:30 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/24 08:30:04 | 003,706,235 | ---- | C] () -- C:\Documents and Settings\miss madigan\Application Data\Katy Perry ft Snoop Dogg - California Girls.zip
[2010/05/19 11:18:04 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\miss madigan\Application Data\Windowz.exe
[2010/03/03 00:00:00 | 004,555,278 | ---- | C] () -- C:\windows\System32\libavcodec.dll
[2010/03/03 00:00:00 | 001,449,935 | ---- | C] () -- C:\windows\System32\ffmpegmt.dll
[2010/03/03 00:00:00 | 000,882,688 | ---- | C] () -- C:\windows\System32\xvidcore.dll
[2010/03/03 00:00:00 | 000,877,385 | ---- | C] () -- C:\windows\System32\ff_x264.dll
[2010/03/03 00:00:00 | 000,556,491 | ---- | C] () -- C:\windows\System32\libmplayer.dll
[2010/03/03 00:00:00 | 000,336,384 | ---- | C] () -- C:\windows\System32\ff_libfaad2.dll
[2010/03/03 00:00:00 | 000,324,096 | ---- | C] () -- C:\windows\System32\TomsMoComp_ff.dll
[2010/03/03 00:00:00 | 000,248,320 | ---- | C] () -- C:\windows\System32\ff_kernelDeint.dll
[2010/03/03 00:00:00 | 000,216,576 | ---- | C] () -- C:\windows\System32\ff_libdts.dll
[2010/03/03 00:00:00 | 000,169,984 | ---- | C] () -- C:\windows\System32\ff_samplerate.dll
[2010/03/03 00:00:00 | 000,151,552 | ---- | C] () -- C:\windows\System32\ff_libmad.dll
[2010/03/03 00:00:00 | 000,145,408 | ---- | C] () -- C:\windows\System32\libmpeg2_ff.dll
[2010/03/03 00:00:00 | 000,121,856 | ---- | C] () -- C:\windows\System32\ff_liba52.dll
[2010/03/03 00:00:00 | 000,116,736 | ---- | C] () -- C:\windows\System32\ff_tremor.dll
[2010/03/03 00:00:00 | 000,100,864 | ---- | C] () -- C:\windows\System32\ff_wmv9.dll
[2010/03/03 00:00:00 | 000,097,792 | ---- | C] () -- C:\windows\System32\ff_unrar.dll
[2010/03/03 00:00:00 | 000,085,504 | ---- | C] () -- C:\windows\System32\ff_vfw.dll
[2009/11/14 18:37:08 | 000,154,112 | ---- | C] () -- C:\windows\System32\ts.dll
[2009/11/14 18:33:38 | 000,249,856 | ---- | C] () -- C:\windows\System32\dxr.dll
[2009/11/14 18:11:50 | 000,093,184 | ---- | C] () -- C:\windows\System32\avss.dll
[2009/11/14 18:11:42 | 000,150,016 | ---- | C] () -- C:\windows\System32\mkx.dll
[2009/11/14 18:11:42 | 000,141,824 | ---- | C] () -- C:\windows\System32\mp4.dll
[2009/11/14 18:11:40 | 000,123,392 | ---- | C] () -- C:\windows\System32\ogm.dll
[2009/11/14 18:11:40 | 000,109,568 | ---- | C] () -- C:\windows\System32\avi.dll
[2009/11/14 18:11:38 | 000,097,792 | ---- | C] () -- C:\windows\System32\avs.dll
[2009/11/14 18:11:32 | 000,080,384 | ---- | C] () -- C:\windows\System32\mkzlib.dll
[2009/11/14 18:11:32 | 000,024,576 | ---- | C] () -- C:\windows\System32\mkunicode.dll
[2009/06/07 16:24:04 | 000,180,224 | ---- | C] () -- C:\windows\System32\xvidvfw.dll
[2009/06/05 12:35:30 | 000,028,510 | ---- | C] () -- C:\windows\System32\oeminfo.ini
[2009/06/05 12:15:30 | 000,147,456 | ---- | C] () -- C:\windows\System32\igfxCoIn_v4926.dll
[2009/01/10 22:15:44 | 000,159,744 | ---- | C] () -- C:\windows\System32\mmfinfo.dll
[2008/11/06 16:37:32 | 003,596,288 | ---- | C] () -- C:\windows\System32\qt-dx331.dll
[2008/06/25 01:48:20 | 000,000,061 | ---- | C] () -- C:\windows\smscfg.ini
[2008/06/25 01:12:12 | 000,004,161 | ---- | C] () -- C:\windows\ODBCINST.INI
[2007/10/13 09:30:20 | 000,000,137 | ---- | C] () -- C:\windows\System32\Registration.ini
========== Alternate Data Streams ==========
@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:DFC5A2B2
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:0B4227B4
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:430C6D84
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:1CE11B51
< End of report >
OTL Extras Results:
OTL Extras logfile created on: 08/02/2011 00:03:59 - Run 2
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\miss madigan\Desktop\new
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
1,015.00 Mb Total Physical Memory | 462.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 133.68 Gb Free Space | 89.70% Space Free | Partition Type: NTFS
Computer Name: CLAIRE | User Name: miss madigan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe" = C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe:*:Disabled:Java Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{69DAC00A-7665-4E9B-B441-093D40736429}" = HP BatteryCheck 2.10 A2
"{6FABA483-0BAD-4EFA-9B1C-599CC4F6677D}" = HP User Guides 0139
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard
"{909B62B0-8ACA-4061-A83B-09CAEF609619}" = MSXML 6.0 Parser
"{918F4F34-2544-4519-9479-9239C8DD69DF}" = syncables desktop
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = USB2.0 Card Reader Software
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AE469025-08BA-4B2A-915D-CC7765132419}" = Default Manager
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"4F46AE07E545B0E89F0ECDA2928DE11652D170CF" = Windows Driver Package - MicroVision (Mvc25U870_VID_1262&PID_25FD) Image (01/14/2006 1.0.1.7)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"ESET Online Scanner" = ESET Online Scanner v3
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Media Player - Codec Pack" = Media Player Codec Pack 3.9.5
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"uTorrent" = µTorrent
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 30/01/2011 10:47:13 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500
Description = Product: Windows Installer Clean Up -- Error 1500. Another installation
is in progress. You must complete that installation before continuing this one.
Error - 30/01/2011 10:47:13 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500
Description = Product: Windows Installer Clean Up -- Error 1500. Another installation
is in progress. You must complete that installation before continuing this one.
Error - 30/01/2011 11:51:44 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11704
Description = Product: HiJackThis -- Error 1704. An installation for Windows Installer
Clean Up is currently suspended. You must undo the changes made by that installation
to continue. Do you want to undo those changes?
Error - 30/01/2011 11:55:08 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500
Description = Product: Windows Installer Clean Up -- Error 1500. Another installation
is in progress. You must complete that installation before continuing this one.
Error - 30/01/2011 11:55:08 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500
Description = Product: Windows Installer Clean Up -- Error 1500. Another installation
is in progress. You must complete that installation before continuing this one.
Error - 30/01/2011 11:55:09 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500
Description = Product: Windows Installer Clean Up -- Error 1500. Another installation
is in progress. You must complete that installation before continuing this one.
Error - 31/01/2011 16:50:55 | Computer Name = CLAIRE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80080005, P2 updateservicemanager-_get_services,
P3 fallbackcheck, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender,
P8 NIL, P9 NIL, P10 NIL.
Error - 03/02/2011 19:21:58 | Computer Name = CLAIRE | Source = WinDefendRtp | ID = 3003
Description = %%827 Real-Time Protection checkpoint has encountered an error and
failed to start. User: CLAIRE\miss madigan Checkpoint ID: 1 Error Code: 0x80070005
Error
description: Access is denied.
Error - 03/02/2011 19:21:58 | Computer Name = CLAIRE | Source = WinDefendRtp | ID = 3003
Description = %%827 Real-Time Protection checkpoint has encountered an error and
failed to start. User: CLAIRE\miss madigan Checkpoint ID: 1 Error Code: 0x8000ffff
Error
description: Catastrophic failure
Error - 04/02/2011 18:01:47 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office XP Standard -- Error 1706. Setup cannot
find the required files. Check your connection to the network, or CD-ROM drive.
For other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.
[ System Events ]
Error - 04/02/2011 10:42:27 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7022
Description = The Automatic Updates service hung on starting.
Error - 04/02/2011 11:05:25 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000
Description = The BOTService service failed to start due to the following error:
%%3
Error - 04/02/2011 11:14:22 | Computer Name = CLAIRE | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.35 for the Network Card with network
address 00265E70524F has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).
Error - 04/02/2011 17:53:31 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000
Description = The BOTService service failed to start due to the following error:
%%3
Error - 07/02/2011 07:19:16 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000
Description = The BOTService service failed to start due to the following error:
%%3
Error - 07/02/2011 10:15:16 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000
Description = The BOTService service failed to start due to the following error:
%%3
Error - 07/02/2011 17:08:30 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000
Description = The BOTService service failed to start due to the following error:
%%3
Error - 07/02/2011 18:41:48 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000
Description = The BOTService service failed to start due to the following error:
%%3
Error - 07/02/2011 19:11:48 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000
Description = The BOTService service failed to start due to the following error:
%%3
Error - 07/02/2011 19:13:07 | Computer Name = CLAIRE | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.33 for the Network Card with network
address 00265E70524F has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).
[ Windows PowerShel Events ]
Error - 30/01/2011 10:47:13 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500
Description =
Error - 30/01/2011 10:47:13 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500
Description =
Error - 30/01/2011 11:51:44 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11704
Description =
Error - 30/01/2011 11:55:08 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500
Description =
Error - 30/01/2011 11:55:08 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500
Description =
Error - 30/01/2011 11:55:09 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500
Description =
Error - 31/01/2011 16:50:55 | Computer Name = CLAIRE | Source = MPSampleSubmission | ID = 5000
Description =
Error - 03/02/2011 19:21:58 | Computer Name = CLAIRE | Source = WinDefendRtp | ID = 3003
Description =
Error - 03/02/2011 19:21:58 | Computer Name = CLAIRE | Source = WinDefendRtp | ID = 3003
Description =
Error - 04/02/2011 18:01:47 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11706
Description =
< End of report >
-
Hey,
The results of the Jotti scan were as follows:
For c:\windows\system32\drivers\82495002.sys
Filename: 82495002.sys
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Mon 7 Feb 2011 15:31:02
Additional info
File size: 37392 bytes
Filetype: PE32 executable for MS Windows (DLL) (native) Intel 80386 32-bit
MD5: a305fad3719c5db0c13d1c2bfd08a04d
SHA1: cd7300ae608db1ca6583736b9648cf36b476f832
For: c:\windows\system32\drivers\82495001.sys
Filename: 82495001.sys
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Mon 7 Feb 2011 15:33:13
Additional info
File size: 128016 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 7dd41b7ac1fbb1dbf20bb1f4e4fbe58c
SHA1: c763c52f8b0dbb6594f1a81246ae2c27c6f74557
For: c:\windows\system32\drivers\8249500.sys
Filename: 8249500.sys
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Mon 7 Feb 2011 15:36:05
Additional info
File size: 315408 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 66ef49622baa18e4d4f1fe4bae1d51b8
SHA1: 0c2651ff9f5661ae124408c457f6c8ac20f0c9cb
Thanks!
-
Hey,
Thanks again for all your help so far. I followed your last instructions (& searched unsuccessfully for AVG & tried to disable it, but I got nowhere again). Ran ComboFix as you said, after dragging and dropping the text above into it. The log is as follows:
ComboFix 11-01-31.02 - miss madigan 04/02/2011 14:51:20.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.588 [GMT 0:00]
Running from: c:\documents and settings\miss madigan\Desktop\schrauber.exe
Command switches used :: c:\documents and settings\miss madigan\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
"c:\windows\system32\drivers\syscow32x.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SYSCOW
-------\Service_SysCow
((((((((((((((((((((((((( Files Created from 2011-01-04 to 2011-02-04 )))))))))))))))))))))))))))))))
.
2011-01-30 19:13 . 2011-01-31 11:39 34560 ----a-w- c:\windows\system32\drivers\Normandy.sys
2011-01-30 17:56 . 2011-01-30 17:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-30 15:29 . 2011-01-30 15:29 -------- d-----w- c:\documents and settings\miss madigan\Application Data\Avira
2011-01-30 15:27 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-30 15:27 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-30 15:27 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-01-30 15:27 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-01-30 15:27 . 2011-01-30 15:27 -------- d-----w- c:\program files\Avira
2011-01-30 15:27 . 2011-01-30 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-01-30 14:24 . 2011-01-30 17:42 -------- d-----w- c:\program files\MSECACHE
2011-01-29 12:45 . 2011-01-29 12:45 388096 ----a-r- c:\documents and settings\miss madigan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-29 12:45 . 2011-01-29 12:45 -------- d-----w- c:\program files\Trend Micro
2011-01-28 20:03 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\82495002.sys
2011-01-28 20:02 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\82495001.sys
2011-01-28 20:02 . 2009-10-09 22:31 315408 ----a-w- c:\windows\system32\drivers\8249500.sys
2011-01-28 19:51 . 2011-01-28 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2011-01-28 17:21 . 2011-01-28 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-18 22:17 . 2010-12-18 22:17 951291 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\remregfix.reg
2010-12-18 22:17 . 2010-12-18 22:17 896 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\databasepath.reg
2010-12-18 22:17 . 2010-12-18 22:17 890 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\Remove-itRestorePoint.vbs
2010-12-18 22:17 . 2010-12-18 22:17 5228 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\nfig.reg
2010-12-18 22:17 . 2010-12-18 22:17 4994 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\s.reg
2010-12-18 22:17 . 2010-12-18 22:17 4512 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\hpregfix.reg
2010-12-18 22:17 . 2010-12-18 22:17 4224 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\beep.sys
2010-12-18 22:17 . 2010-12-18 22:17 3008 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\bgregfix.reg
2010-12-18 22:17 . 2010-12-18 22:17 2600 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\exefix.reg
2010-12-18 22:17 . 2010-12-18 22:17 18308 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\IEDef.reg
2010-12-18 22:17 . 2010-12-18 22:17 1754 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\regf.reg
2010-12-18 22:17 . 2010-12-18 22:17 29634504 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\scan.exe
2010-12-18 22:17 . 2008-04-15 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2010-12-18 22:17 . 2010-12-18 22:17 16384 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\tskill.exe
2010-11-16 19:30 . 2010-10-10 16:02 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
.
((((((((((((((((((((((((((((( SnapShot@2011-01-31_21.25.05 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 01:26 . 2011-01-31 20:31 71912 c:\windows\system32\perfc009.dat
+ 2008-06-25 01:26 . 2011-02-04 14:44 71912 c:\windows\system32\perfc009.dat
+ 2008-06-25 01:26 . 2011-02-04 14:44 442334 c:\windows\system32\perfh009.dat
- 2008-06-25 01:26 . 2011-01-31 20:31 442334 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^miss madigan^Start Menu^Programs^Startup^_uninst_setup_9.0.0.722_19.11.2010_22-12.exe.lnk]
backup=c:\windows\pss\_uninst_setup_9.0.0.722_19.11.2010_22-12.exe.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr]
2009-02-18 21:41 737280 ----a-w- c:\windows\system32\AESTFltr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-15 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-15 21:46 159744 ----a-w- c:\windows\system32\hkcmd.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\syncables\\syncables desktop\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/01/2011 15:27 135336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [05/06/2009 12:16 113664]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [02/03/2009 21:03 38912]
S2 BOTService;BOTService;"c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe" --> c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [?]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [05/06/2009 12:17 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 utexntcx;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utexntcx.sys --> c:\windows\system32\Drivers\utexntcx.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2011-01-27 c:\windows\Tasks\BackOnTrack Update.job
- c:\windows\BotInvokeUpdate.exe [2009-07-23 05:41]
2011-02-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: microsoft.com
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-04 15:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3188)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\idt\wdm\STacSV.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2011-02-04 15:12:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-04 15:12
ComboFix2.txt 2011-01-31 21:31
Pre-Run: 140,894,076,928 bytes free
Post-Run: 144,615,481,344 bytes free
- - End Of File - - 6839704EEB39D24F558FAD6A41AF8269
-
Hi,
I have followed these steps... firstly I disabled Avira (not a problem), then ComboFix said that AVG Free was running, which I thought it wasn't. I couldn't find a running AVG program, so I ran AVG removal tool, & ComboFix still said AVG was running. I assumed it was a glitch so I ran ComboFix (you will see from the report that it DOES say AVG is running, I just couldn't find the location).
First few steps went fine, the Windows Recovery Console was not installed so it connected with the Microsoft site & downloaded 100% but then didn't install the console. I don't know why this is?? ComboFix ran fine after that & I enclose the log report.
So just remember when viewing it:
1 - AVG was running but I couldn't find it
2 - the recovery console was not & is not now installed.
Just in case these facts affect how we proceed from here.
Thanks,
K-Dog
ComboFix 11-01-31.01 - miss madigan 31/01/2011 21:10:28.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.589 [GMT 0:00]
Running from: c:\documents and settings\miss madigan\Desktop\schrauber.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_RKHIT
-------\Service_RkHit
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-31 )))))))))))))))))))))))))))))))
.
2011-01-30 19:13 . 2011-01-31 11:39 34560 ----a-w- c:\windows\system32\drivers\Normandy.sys
2011-01-30 17:56 . 2011-01-30 17:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-30 15:29 . 2011-01-30 15:29 -------- d-----w- c:\documents and settings\miss madigan\Application Data\Avira
2011-01-30 15:27 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-30 15:27 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-30 15:27 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-01-30 15:27 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-01-30 15:27 . 2011-01-30 15:27 -------- d-----w- c:\program files\Avira
2011-01-30 15:27 . 2011-01-30 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-01-30 14:24 . 2011-01-30 17:42 -------- d-----w- c:\program files\MSECACHE
2011-01-29 12:45 . 2011-01-29 12:45 388096 ----a-r- c:\documents and settings\miss madigan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-29 12:45 . 2011-01-29 12:45 -------- d-----w- c:\program files\Trend Micro
2011-01-28 20:03 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\82495002.sys
2011-01-28 20:02 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\82495001.sys
2011-01-28 20:02 . 2009-10-09 22:31 315408 ----a-w- c:\windows\system32\drivers\8249500.sys
2011-01-28 19:51 . 2011-01-28 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2011-01-28 17:21 . 2011-01-28 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-18 22:17 . 2010-12-18 22:17 951291 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\remregfix.reg
2010-12-18 22:17 . 2010-12-18 22:17 896 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\databasepath.reg
2010-12-18 22:17 . 2010-12-18 22:17 890 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\Remove-itRestorePoint.vbs
2010-12-18 22:17 . 2010-12-18 22:17 5228 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\nfig.reg
2010-12-18 22:17 . 2010-12-18 22:17 4994 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\s.reg
2010-12-18 22:17 . 2010-12-18 22:17 4512 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\hpregfix.reg
2010-12-18 22:17 . 2010-12-18 22:17 4224 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\beep.sys
2010-12-18 22:17 . 2010-12-18 22:17 3008 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\bgregfix.reg
2010-12-18 22:17 . 2010-12-18 22:17 2600 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\exefix.reg
2010-12-18 22:17 . 2010-12-18 22:17 18308 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\IEDef.reg
2010-12-18 22:17 . 2010-12-18 22:17 1754 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\regf.reg
2010-12-18 22:17 . 2010-12-18 22:17 29634504 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\scan.exe
2010-12-18 22:17 . 2008-04-15 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2010-12-18 22:17 . 2010-12-18 22:17 16384 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\tskill.exe
2010-11-16 19:30 . 2010-10-10 16:02 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\CyberLink\YouCam\YouCamTray .exe
c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu .exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain .exe
c:\program files\HP\HPBTWD .exe
c:\program files\IDT\WDM\sttray .exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\syncables\syncables desktop\Syncables .exe
c:\program files\uTorrent\uTorrent .exe
</pre>((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^miss madigan^Start Menu^Programs^Startup^_uninst_setup_9.0.0.722_19.11.2010_22-12.exe.lnk]
backup=c:\windows\pss\_uninst_setup_9.0.0.722_19.11.2010_22-12.exe.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr]
2009-02-18 21:41 737280 ----a-w- c:\windows\system32\AESTFltr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-15 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-15 21:46 159744 ----a-w- c:\windows\system32\hkcmd.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\syncables\\syncables desktop\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent .exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [24/09/2008 21:09 103792]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/01/2011 15:27 135336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [05/06/2009 12:16 113664]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [02/03/2009 21:03 38912]
S2 BOTService;BOTService;"c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe" --> c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [?]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [05/06/2009 12:17 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 utexntcx;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utexntcx.sys --> c:\windows\system32\Drivers\utexntcx.sys [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sepmfxtv
.
Contents of the 'Scheduled Tasks' folder
2011-01-27 c:\windows\Tasks\BackOnTrack Update.job
- c:\windows\BotInvokeUpdate.exe [2009-07-23 05:41]
2011-01-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.ie
mStart Page = www.google.ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: microsoft.com
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-klmdb.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-31 21:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1460)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\idt\wdm\STacSV.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2011-01-31 21:31:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-31 21:31
Pre-Run: 140,954,198,016 bytes free
Post-Run: 140,876,398,592 bytes free
- - End Of File - - 280CB042CF25FCBF6B4F4689E5B78EAD
-
Hi again Tom,
I got nowhere with the Rootkit Unhooker; basically I spent all night trying to get it going to no avail. It downloads fine and installs fine, but when I click it to open, a small box saying "Please wait a few seconds.... Initialising" appears and then nothing more happens. The computer totally freezes on that screen, I cannot open anything else, the clock doesn't even change, and I have to hold the power button to shut the PC down. I removed the program and installed another version, but the same thing happened. So no results there for ya...
-
Hey Tom,
Thanks for your response. Prior to your post I had run a Spybot Search & Destroy scan, but I won't run anything else until I have completed your instructions.
The results of the OTL scan are as follows:
-
I have a netbook with Windows XP which has had some problems for a while: freezing, slow to run, and Windows Explorer takes approx. 5 mins to open when the computer has started. Windows Installer keeps popping up when random buttons are clicked. I cannot access Windows Update or manually install any updates. I cannot install AVG or another anti-virus as it always fails due to "another installation already in progress". I have managed to install tune-up programs to no avail, and Windows Defender or the OneCare scanner are not finding any viruses. HijackThis is my last resort. Hopefully someone can spot what the problem is?
Thanks in advance for any help you can offer.
I include the log file here as it would not attach!
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:58:16 PM, on 29/01/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=91&bd=Pavilion&pf=cnnb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289937724671
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285972845937
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BOTService - Sonic Solutions - C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\wdm\STacSV.exe
--
End of file - 4397 bytes
Help with HJT file?[RESOLVED]
in Malware Removal
Posted
Hey,
I followed all your last steps and had no problems.
The PC is running fine now, no issues, so whether it was malware or not it is sorted.
Thanks so much for all your help I really appreciate it!!
K-Dog