Sponsored By

Kazzaa

Members
  • Content Count

    8
  • Joined

  • Last visited

About Kazzaa

  • Rank
    Member
  1. Kazzaa

    Help with HJT file?[RESOLVED]

    Hey, I followed all your last steps & had no problems. The pc is running fine now, no issues so whether it was malware or not it is sorted. Thanks so much for all your help I really appreciate it!! K-Dog
  2. Kazzaa

    Help with HJT file?[RESOLVED]

    Hey, Yes the netbook is running much smoother. No freezing problems for the last while anyhooo, it is starting up quicker & it actually accessed Windows Update today & downloaded & installed updates which it has been unable to do for months. I ran the last few scans you suggested & the results were as follows: Malwarebytes Anti-Malware Results: Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 5706 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 07/02/2011 22:40:32 mbam-log-2011-02-07 (22-40-32).txt Scan type: Quick scan Objects scanned: 146499 Time elapsed: 5 minute(s), 32 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ESET Online Scanner: [email protected] as CAB hook log: OnlineScanner.ocx - registred OK esets_scanner_update returned -1 esets_gle=53251 # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6419 # api_version=3.0.2 # EOSSerial=1f927064c5e65c40b6d422b018175e37 # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-02-08 12:01:37 # local_time=2011-02-08 12:01:37 (+0000, GMT Standard Time) # country="United Kingdom" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 818926 818926 0 0 # compatibility_mode=1797 16775125 100 93 3826 33653416 42712 0 # compatibility_mode=6143 16777215 0 0 0 0 0 0 # compatibility_mode=8192 67108863 100 0 5279 5279 0 0 # scanned=120688 # found=0 # cleaned=0 # scan_time=2832 OTL Log:OTL logfile created on: 08/02/2011 00:03:59 - Run 2 OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\miss madigan\Desktop\new Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1,015.00 Mb Total Physical Memory | 462.00 Mb Available Physical Memory | 46.00% Memory free 2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free Paging file location(s): C:\pagefile.sys 1524 3048 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files Drive C: | 149.04 Gb Total Space | 133.68 Gb Free Space | 89.70% Space Free | Partition Type: NTFS Computer Name: CLAIRE | User Name: miss madigan | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2011/01/30 18:44:56 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\miss madigan\desktop\new\OTL.exe PRC - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe PRC - [2010/12/13 08:39:54 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe PRC - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe PRC - [2009/03/30 20:47:00 | 000,254,042 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\WDM\stacsv.exe PRC - [2008/04/15 12:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe ========== Modules (SafeList) ========== MOD - [2011/01/30 18:44:56 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\miss madigan\desktop\new\OTL.exe MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll ========== Win32 Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- -- (HidServ) SRV - File not found [Auto | Stopped] -- -- (BOTService) SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt) SRV - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2009/03/30 20:47:00 | 000,254,042 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\WDM\stacsv.exe -- (STacSV) SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend) ========== Driver Services (SafeList) ========== DRV - [2010/12/13 08:40:21 | 000,135,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb) DRV - [2010/12/13 08:40:21 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt) DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio) DRV - [2009/06/05 12:18:50 | 001,735,040 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX) DRV - [2009/03/30 20:47:00 | 001,550,891 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) DRV - [2009/03/19 18:55:06 | 000,113,664 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud) DRV - [2009/03/02 21:03:48 | 000,038,912 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c) DRV - [2009/01/16 02:41:00 | 000,206,512 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP) DRV - [2008/11/22 01:36:46 | 000,160,256 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTS5121.sys -- (RSUSBSTOR) DRV - [2008/04/15 12:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus) DRV - [2008/04/14 23:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\amdagp.sys -- (amdagp) DRV - [2008/04/14 23:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sisagp.sys -- (sisagp) DRV - [2008/02/15 22:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm) DRV - [2001/08/18 13:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sparrow.sys -- (Sparrow) DRV - [2001/08/18 13:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sym_u3.sys -- (sym_u3) DRV - [2001/08/18 13:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sym_hi.sys -- (sym_hi) DRV - [2001/08/18 13:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\symc8xx.sys -- (symc8xx) DRV - [2001/08/18 13:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\symc810.sys -- (symc810) DRV - [2001/08/18 12:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ultra.sys -- (ultra) DRV - [2001/08/18 12:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ql12160.sys -- (ql12160) DRV - [2001/08/18 12:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ql1080.sys -- (ql1080) DRV - [2001/08/18 12:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ql1280.sys -- (ql1280) DRV - [2001/08/18 12:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\dac2w2k.sys -- (dac2w2k) DRV - [2001/08/18 12:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\mraid35x.sys -- (mraid35x) DRV - [2001/08/18 12:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\asc.sys -- (asc) DRV - [2001/08/18 12:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\asc3550.sys -- (asc3550) DRV - [2001/08/18 12:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\aliide.sys -- (AliIde) DRV - [2001/08/18 12:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\cmdide.sys -- (CmdIde) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7C 18 AE 8D B9 C6 CB 01 [binary data] IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 O1 HOSTS File: ([2011/02/04 15:06:04 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoControlPanel = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O15 - HKCU\..Trusted Domains: microsoft.com ([]http in Trusted sites) O15 - HKCU\..Trusted Domains: microsoft.com ([]https in Trusted sites) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool) O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab (Symantec AntiVirus scanner) O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab (Windows Live Safety Center Base Module) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289937724671 (WUWebControl Class) O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class) O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll (PCPitstop AntiVirus) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285972845937 (MUWebControl Class) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Reg Error: Key error.) O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\windows\System32\igfxdev.dll (Intel Corporation) O24 - Desktop WallPaper: C:\Documents and Settings\miss madigan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\miss madigan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2011/02/07 22:46:28 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2011/02/07 22:36:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\miss madigan\Desktop\mon+tues results [2011/02/07 22:32:38 | 000,000,000 | -HSD | C] -- C:\RECYCLER [2011/02/07 22:32:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys [2011/02/07 22:32:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware [2011/02/07 22:32:21 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys [2011/02/07 22:32:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2011/02/07 13:59:02 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight [2011/02/07 11:36:05 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\ndproxy.sys [2011/02/07 11:23:04 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\wab.exe [2011/02/04 15:12:07 | 000,000,000 | ---D | C] -- C:\windows\temp [2011/02/04 15:08:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\miss madigan\Desktop\new [2011/01/31 21:07:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\windows\SWXCACLS.exe [2011/01/31 21:07:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe [2011/01/31 21:07:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe [2011/01/31 21:07:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe [2011/01/31 20:56:26 | 000,000,000 | ---D | C] -- C:\windows\ERDNT [2011/01/31 20:42:16 | 000,000,000 | ---D | C] -- C:\Qoobox [2011/01/31 11:38:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Rootkit Unhooker LE [2011/01/30 17:56:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy [2011/01/30 17:56:04 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy [2011/01/30 15:29:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\miss madigan\Application Data\Avira [2011/01/30 15:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira [2011/01/30 15:27:27 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\ssmdrv.sys [2011/01/30 15:27:23 | 000,135,096 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avipbb.sys [2011/01/30 15:27:23 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntflt.sys [2011/01/30 15:27:23 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntdd.sys [2011/01/30 15:27:23 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\windows\System32\drivers\avgntmgr.sys [2011/01/30 15:27:21 | 000,000,000 | ---D | C] -- C:\Program Files\Avira [2011/01/30 15:27:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira [2011/01/30 14:24:56 | 000,000,000 | ---D | C] -- C:\Program Files\MSECACHE [2011/01/29 12:45:41 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro [2011/01/28 21:26:21 | 000,000,000 | ---D | C] -- C:\windows\setup.pss [2011/01/28 20:03:09 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\82495002.sys [2011/01/28 20:02:55 | 000,128,016 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\82495001.sys [2011/01/28 20:02:39 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\8249500.sys [2011/01/28 19:51:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AOL [2011/01/28 17:21:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCPitstop [2011/01/18 22:22:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\miss madigan\My Documents\Downloads [2010/12/18 22:17:15 | 000,004,224 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\beep.sys [2010/12/18 22:17:10 | 029,634,504 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\scan.exe [2010/12/18 22:17:10 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\tskill.exe ========== Files - Modified Within 30 Days ========== [2011/02/08 00:02:10 | 000,001,158 | ---- | M] () -- C:\windows\System32\wpa.dbl [2011/02/07 23:32:04 | 000,000,330 | -H-- | M] () -- C:\windows\tasks\MP Scheduled Scan.job [2011/02/07 23:16:29 | 000,442,334 | ---- | M] () -- C:\windows\System32\perfh009.dat [2011/02/07 23:16:29 | 000,071,912 | ---- | M] () -- C:\windows\System32\perfc009.dat [2011/02/07 23:11:41 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat [2011/02/07 23:11:40 | 1064,620,032 | -HS- | M] () -- C:\hiberfil.sys [2011/02/07 22:32:29 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2011/02/07 14:15:13 | 000,000,230 | ---- | M] () -- C:\windows\tasks\BackOnTrack Update.job [2011/02/07 14:15:06 | 000,247,904 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT [2011/02/07 14:11:55 | 000,001,355 | ---- | M] () -- C:\windows\imsins.BAK [2011/02/04 15:06:04 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts [2011/02/04 14:44:23 | 004,263,406 | R--- | M] () -- C:\Documents and Settings\miss madigan\Desktop\schrauber.exe [2011/02/02 17:11:20 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\MpSigStub.exe [2011/01/31 11:39:02 | 000,034,560 | ---- | M] () -- C:\windows\System32\drivers\Normandy.sys [2011/01/30 17:56:13 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\miss madigan\Desktop\Spybot - Search & Destroy.lnk [2011/01/30 15:28:18 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk [2011/01/28 22:19:09 | 000,000,254 | -HS- | M] () -- C:\BOOT.BAK ========== Files Created - No Company Name ========== [2011/02/07 22:32:29 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2011/02/04 14:40:18 | 1064,620,032 | -HS- | C] () -- C:\hiberfil.sys [2011/01/31 21:07:00 | 000,256,512 | ---- | C] () -- C:\windows\PEV.exe [2011/01/31 21:07:00 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe [2011/01/31 21:07:00 | 000,089,088 | ---- | C] () -- C:\windows\MBR.exe [2011/01/31 21:07:00 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe [2011/01/31 21:07:00 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe [2011/01/31 20:41:21 | 004,263,406 | R--- | C] () -- C:\Documents and Settings\miss madigan\Desktop\schrauber.exe [2011/01/30 19:13:41 | 000,034,560 | ---- | C] () -- C:\windows\System32\drivers\Normandy.sys [2011/01/30 17:56:13 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\miss madigan\Desktop\Spybot - Search & Destroy.lnk [2011/01/30 15:28:18 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk [2011/01/28 21:30:29 | 000,000,254 | -HS- | C] () -- C:\BOOT.BAK [2010/12/18 22:17:15 | 000,951,291 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\remregfix.reg [2010/12/18 22:17:15 | 000,610,455 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\HOSTS [2010/12/18 22:17:15 | 000,018,308 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\IEDef.reg [2010/12/18 22:17:15 | 000,005,228 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\nfig.reg [2010/12/18 22:17:15 | 000,004,994 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\s.reg [2010/12/18 22:17:15 | 000,004,512 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\hpregfix.reg [2010/12/18 22:17:15 | 000,003,008 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\bgregfix.reg [2010/12/18 22:17:15 | 000,002,600 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\exefix.reg [2010/12/18 22:17:15 | 000,001,754 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\regf.reg [2010/12/18 22:17:15 | 000,000,896 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\databasepath.reg [2010/12/18 22:17:15 | 000,000,890 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\Remove-itRestorePoint.vbs [2010/10/29 20:28:30 | 000,044,800 | ---- | C] () -- C:\windows\System32\drivers\imzbwcdrxu.sys [2010/10/20 20:18:53 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\housecall.guid.cache [2010/10/18 20:44:52 | 000,000,376 | ---- | C] () -- C:\windows\ODBC.INI [2010/10/01 19:16:14 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\77381BC7-E504-403C-B58D-E4A40A94395D.txt [2010/10/01 19:16:01 | 000,004,190 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\77381BC7-E504-403C-B58D-E4A40A94395D.txt [2010/06/29 22:11:48 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\KFr2df.dat [2010/05/24 17:07:30 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\miss madigan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/05/24 08:30:04 | 003,706,235 | ---- | C] () -- C:\Documents and Settings\miss madigan\Application Data\Katy Perry ft Snoop Dogg - California Girls.zip [2010/05/19 11:18:04 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\miss madigan\Application Data\Windowz.exe [2010/03/03 00:00:00 | 004,555,278 | ---- | C] () -- C:\windows\System32\libavcodec.dll [2010/03/03 00:00:00 | 001,449,935 | ---- | C] () -- C:\windows\System32\ffmpegmt.dll [2010/03/03 00:00:00 | 000,882,688 | ---- | C] () -- C:\windows\System32\xvidcore.dll [2010/03/03 00:00:00 | 000,877,385 | ---- | C] () -- C:\windows\System32\ff_x264.dll [2010/03/03 00:00:00 | 000,556,491 | ---- | C] () -- C:\windows\System32\libmplayer.dll [2010/03/03 00:00:00 | 000,336,384 | ---- | C] () -- C:\windows\System32\ff_libfaad2.dll [2010/03/03 00:00:00 | 000,324,096 | ---- | C] () -- C:\windows\System32\TomsMoComp_ff.dll [2010/03/03 00:00:00 | 000,248,320 | ---- | C] () -- C:\windows\System32\ff_kernelDeint.dll [2010/03/03 00:00:00 | 000,216,576 | ---- | C] () -- C:\windows\System32\ff_libdts.dll [2010/03/03 00:00:00 | 000,169,984 | ---- | C] () -- C:\windows\System32\ff_samplerate.dll [2010/03/03 00:00:00 | 000,151,552 | ---- | C] () -- C:\windows\System32\ff_libmad.dll [2010/03/03 00:00:00 | 000,145,408 | ---- | C] () -- C:\windows\System32\libmpeg2_ff.dll [2010/03/03 00:00:00 | 000,121,856 | ---- | C] () -- C:\windows\System32\ff_liba52.dll [2010/03/03 00:00:00 | 000,116,736 | ---- | C] () -- C:\windows\System32\ff_tremor.dll [2010/03/03 00:00:00 | 000,100,864 | ---- | C] () -- C:\windows\System32\ff_wmv9.dll [2010/03/03 00:00:00 | 000,097,792 | ---- | C] () -- C:\windows\System32\ff_unrar.dll [2010/03/03 00:00:00 | 000,085,504 | ---- | C] () -- C:\windows\System32\ff_vfw.dll [2009/11/14 18:37:08 | 000,154,112 | ---- | C] () -- C:\windows\System32\ts.dll [2009/11/14 18:33:38 | 000,249,856 | ---- | C] () -- C:\windows\System32\dxr.dll [2009/11/14 18:11:50 | 000,093,184 | ---- | C] () -- C:\windows\System32\avss.dll [2009/11/14 18:11:42 | 000,150,016 | ---- | C] () -- C:\windows\System32\mkx.dll [2009/11/14 18:11:42 | 000,141,824 | ---- | C] () -- C:\windows\System32\mp4.dll [2009/11/14 18:11:40 | 000,123,392 | ---- | C] () -- C:\windows\System32\ogm.dll [2009/11/14 18:11:40 | 000,109,568 | ---- | C] () -- C:\windows\System32\avi.dll [2009/11/14 18:11:38 | 000,097,792 | ---- | C] () -- C:\windows\System32\avs.dll [2009/11/14 18:11:32 | 000,080,384 | ---- | C] () -- C:\windows\System32\mkzlib.dll [2009/11/14 18:11:32 | 000,024,576 | ---- | C] () -- C:\windows\System32\mkunicode.dll [2009/06/07 16:24:04 | 000,180,224 | ---- | C] () -- C:\windows\System32\xvidvfw.dll [2009/06/05 12:35:30 | 000,028,510 | ---- | C] () -- C:\windows\System32\oeminfo.ini [2009/06/05 12:15:30 | 000,147,456 | ---- | C] () -- C:\windows\System32\igfxCoIn_v4926.dll [2009/01/10 22:15:44 | 000,159,744 | ---- | C] () -- C:\windows\System32\mmfinfo.dll [2008/11/06 16:37:32 | 003,596,288 | ---- | C] () -- C:\windows\System32\qt-dx331.dll [2008/06/25 01:48:20 | 000,000,061 | ---- | C] () -- C:\windows\smscfg.ini [2008/06/25 01:12:12 | 000,004,161 | ---- | C] () -- C:\windows\ODBCINST.INI [2007/10/13 09:30:20 | 000,000,137 | ---- | C] () -- C:\windows\System32\Registration.ini ========== Alternate Data Streams ========== @Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:DFC5A2B2 @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:0B4227B4 @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:430C6D84 @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:1CE11B51 < End of report > OTL Extras Results: OTL Extras logfile created on: 08/02/2011 00:03:59 - Run 2 OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\miss madigan\Desktop\new Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1,015.00 Mb Total Physical Memory | 462.00 Mb Available Physical Memory | 46.00% Memory free 2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free Paging file location(s): C:\pagefile.sys 1524 3048 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files Drive C: | 149.04 Gb Total Space | 133.68 Gb Free Space | 89.70% Space Free | Partition Type: NTFS Computer Name: CLAIRE | User Name: miss madigan | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* exefile [open] -- "%1" %* InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] ========== System Restore Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr] "Start" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService] "Start" = 2 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile] [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe" = C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe:*:Disabled:Java Platform SE binary -- (Sun Microsystems, Inc.) "C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam "{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{69DAC00A-7665-4E9B-B441-093D40736429}" = HP BatteryCheck 2.10 A2 "{6FABA483-0BAD-4EFA-9B1C-599CC4F6677D}" = HP User Guides 0139 "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{90120409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard "{909B62B0-8ACA-4061-A83B-09CAEF609619}" = MSXML 6.0 Parser "{918F4F34-2544-4519-9479-9239C8DD69DF}" = syncables desktop "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English) "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{96AE7E41-E34E-47D0-AC07-1091A8127911}" = USB2.0 Card Reader Software "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant "{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2 "{AE469025-08BA-4B2A-915D-CC7765132419}" = Default Manager "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp "{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729) "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01 "4F46AE07E545B0E89F0ECDA2928DE11652D170CF" = Windows Driver Package - MicroVision (Mvc25U870_VID_1262&PID_25FD) Image (01/14/2006 1.0.1.7) "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter "ESET Online Scanner" = ESET Online Scanner v3 "HDMI" = Intel® Graphics Media Accelerator Driver "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie7" = Windows Internet Explorer 7 "ie8" = Windows Internet Explorer 8 "InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Media Player - Codec Pack" = Media Player Codec Pack 3.9.5 "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "SynTPDeinstKey" = Synaptics Pointing Device Driver "uTorrent" = µTorrent "Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "WinRAR archiver" = WinRAR archiver ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 30/01/2011 10:47:13 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500 Description = Product: Windows Installer Clean Up -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one. Error - 30/01/2011 10:47:13 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500 Description = Product: Windows Installer Clean Up -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one. Error - 30/01/2011 11:51:44 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11704 Description = Product: HiJackThis -- Error 1704. An installation for Windows Installer Clean Up is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes? Error - 30/01/2011 11:55:08 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500 Description = Product: Windows Installer Clean Up -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one. Error - 30/01/2011 11:55:08 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500 Description = Product: Windows Installer Clean Up -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one. Error - 30/01/2011 11:55:09 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500 Description = Product: Windows Installer Clean Up -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one. Error - 31/01/2011 16:50:55 | Computer Name = CLAIRE | Source = MPSampleSubmission | ID = 5000 Description = EventType mptelemetry, P1 80080005, P2 updateservicemanager-_get_services, P3 fallbackcheck, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL, P10 NIL. Error - 03/02/2011 19:21:58 | Computer Name = CLAIRE | Source = WinDefendRtp | ID = 3003 Description = %%827 Real-Time Protection checkpoint has encountered an error and failed to start. User: CLAIRE\miss madigan Checkpoint ID: 1 Error Code: 0x80070005 Error description: Access is denied. Error - 03/02/2011 19:21:58 | Computer Name = CLAIRE | Source = WinDefendRtp | ID = 3003 Description = %%827 Real-Time Protection checkpoint has encountered an error and failed to start. User: CLAIRE\miss madigan Checkpoint ID: 1 Error Code: 0x8000ffff Error description: Catastrophic failure Error - 04/02/2011 18:01:47 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11706 Description = Product: Microsoft Office XP Standard -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP. [ System Events ] Error - 04/02/2011 10:42:27 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7022 Description = The Automatic Updates service hung on starting. Error - 04/02/2011 11:05:25 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000 Description = The BOTService service failed to start due to the following error: %%3 Error - 04/02/2011 11:14:22 | Computer Name = CLAIRE | Source = Dhcp | ID = 1002 Description = The IP address lease 192.168.1.35 for the Network Card with network address 00265E70524F has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message). Error - 04/02/2011 17:53:31 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000 Description = The BOTService service failed to start due to the following error: %%3 Error - 07/02/2011 07:19:16 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000 Description = The BOTService service failed to start due to the following error: %%3 Error - 07/02/2011 10:15:16 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000 Description = The BOTService service failed to start due to the following error: %%3 Error - 07/02/2011 17:08:30 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000 Description = The BOTService service failed to start due to the following error: %%3 Error - 07/02/2011 18:41:48 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000 Description = The BOTService service failed to start due to the following error: %%3 Error - 07/02/2011 19:11:48 | Computer Name = CLAIRE | Source = Service Control Manager | ID = 7000 Description = The BOTService service failed to start due to the following error: %%3 Error - 07/02/2011 19:13:07 | Computer Name = CLAIRE | Source = Dhcp | ID = 1002 Description = The IP address lease 192.168.1.33 for the Network Card with network address 00265E70524F has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message). [ Windows PowerShel Events ] Error - 30/01/2011 10:47:13 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500 Description = Error - 30/01/2011 10:47:13 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500 Description = Error - 30/01/2011 11:51:44 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11704 Description = Error - 30/01/2011 11:55:08 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500 Description = Error - 30/01/2011 11:55:08 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500 Description = Error - 30/01/2011 11:55:09 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11500 Description = Error - 31/01/2011 16:50:55 | Computer Name = CLAIRE | Source = MPSampleSubmission | ID = 5000 Description = Error - 03/02/2011 19:21:58 | Computer Name = CLAIRE | Source = WinDefendRtp | ID = 3003 Description = Error - 03/02/2011 19:21:58 | Computer Name = CLAIRE | Source = WinDefendRtp | ID = 3003 Description = Error - 04/02/2011 18:01:47 | Computer Name = CLAIRE | Source = MsiInstaller | ID = 11706 Description = < End of report >
  3. Kazzaa

    Help with HJT file?[RESOLVED]

    Hey, the results of the Jotti scan were as follows: For c:\windows\system32\drivers\82495002.sys Filename: 82495002.sys Status: Scan finished. 0 out of 19 scanners reported malware. Scan taken on: Mon 7 Feb 2011 15:31:02 Additional info File size: 37392 bytes Filetype: PE32 executable for MS Windows (DLL) (native) Intel 80386 32-bit MD5: a305fad3719c5db0c13d1c2bfd08a04d SHA1: cd7300ae608db1ca6583736b9648cf36b476f832 For: c:\windows\system32\drivers\82495001.sys Filename: 82495001.sys Status: Scan finished. 0 out of 19 scanners reported malware. Scan taken on: Mon 7 Feb 2011 15:33:13 Additional info File size: 128016 bytes Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit MD5: 7dd41b7ac1fbb1dbf20bb1f4e4fbe58c SHA1: c763c52f8b0dbb6594f1a81246ae2c27c6f74557 For: c:\windows\system32\drivers\8249500.sys Filename: 8249500.sys Status: Scan finished. 0 out of 19 scanners reported malware. Scan taken on: Mon 7 Feb 2011 15:36:05 Additional info File size: 315408 bytes Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit MD5: 66ef49622baa18e4d4f1fe4bae1d51b8 SHA1: 0c2651ff9f5661ae124408c457f6c8ac20f0c9cb Thanks!
  4. Kazzaa

    Help with HJT file?[RESOLVED]

    Hey, Thanks again for all your help so far. I followed your last instructions, (& searched unsuccessfully for AVG & tried to disbale it but i got nowhere again). Ran combofix as you said, after draging and dropping the text above into it. The log is as follows: ComboFix 11-01-31.02 - miss madigan 04/02/2011 14:51:20.2.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.588 [GMT 0:00] Running from: c:\documents and settings\miss madigan\Desktop\schrauber.exe Command switches used :: c:\documents and settings\miss madigan\Desktop\CFScript.txt AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: "c:\windows\system32\drivers\syscow32x.sys" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_SYSCOW -------\Service_SysCow ((((((((((((((((((((((((( Files Created from 2011-01-04 to 2011-02-04 ))))))))))))))))))))))))))))))) . 2011-01-30 19:13 . 2011-01-31 11:39 34560 ----a-w- c:\windows\system32\drivers\Normandy.sys 2011-01-30 17:56 . 2011-01-30 17:56 -------- d-----w- c:\program files\Spybot - Search & Destroy 2011-01-30 15:29 . 2011-01-30 15:29 -------- d-----w- c:\documents and settings\miss madigan\Application Data\Avira 2011-01-30 15:27 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-01-30 15:27 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-01-30 15:27 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2011-01-30 15:27 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2011-01-30 15:27 . 2011-01-30 15:27 -------- d-----w- c:\program files\Avira 2011-01-30 15:27 . 2011-01-30 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2011-01-30 14:24 . 2011-01-30 17:42 -------- d-----w- c:\program files\MSECACHE 2011-01-29 12:45 . 2011-01-29 12:45 388096 ----a-r- c:\documents and settings\miss madigan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-01-29 12:45 . 2011-01-29 12:45 -------- d-----w- c:\program files\Trend Micro 2011-01-28 20:03 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\82495002.sys 2011-01-28 20:02 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\82495001.sys 2011-01-28 20:02 . 2009-10-09 22:31 315408 ----a-w- c:\windows\system32\drivers\8249500.sys 2011-01-28 19:51 . 2011-01-28 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL 2011-01-28 17:21 . 2011-01-28 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-12-18 22:17 . 2010-12-18 22:17 951291 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\remregfix.reg 2010-12-18 22:17 . 2010-12-18 22:17 896 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\databasepath.reg 2010-12-18 22:17 . 2010-12-18 22:17 890 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\Remove-itRestorePoint.vbs 2010-12-18 22:17 . 2010-12-18 22:17 5228 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\nfig.reg 2010-12-18 22:17 . 2010-12-18 22:17 4994 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\s.reg 2010-12-18 22:17 . 2010-12-18 22:17 4512 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\hpregfix.reg 2010-12-18 22:17 . 2010-12-18 22:17 4224 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\beep.sys 2010-12-18 22:17 . 2010-12-18 22:17 3008 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\bgregfix.reg 2010-12-18 22:17 . 2010-12-18 22:17 2600 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\exefix.reg 2010-12-18 22:17 . 2010-12-18 22:17 18308 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\IEDef.reg 2010-12-18 22:17 . 2010-12-18 22:17 1754 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\regf.reg 2010-12-18 22:17 . 2010-12-18 22:17 29634504 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\scan.exe 2010-12-18 22:17 . 2008-04-15 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys 2010-12-18 22:17 . 2010-12-18 22:17 16384 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\tskill.exe 2010-11-16 19:30 . 2010-10-10 16:02 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys . ((((((((((((((((((((((((((((( [email protected]_21.25.05 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-25 01:26 . 2011-01-31 20:31 71912 c:\windows\system32\perfc009.dat + 2008-06-25 01:26 . 2011-02-04 14:44 71912 c:\windows\system32\perfc009.dat + 2008-06-25 01:26 . 2011-02-04 14:44 442334 c:\windows\system32\perfh009.dat - 2008-06-25 01:26 . 2011-01-31 20:31 442334 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^miss madigan^Start Menu^Programs^Startup^_uninst_setup_9.0.0.722_19.11.2010_22-12.exe.lnk] backup=c:\windows\pss\_uninst_setup_9.0.0.722_19.11.2010_22-12.exe.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] c:\windows\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr] 2009-02-18 21:41 737280 ----a-w- c:\windows\system32\AESTFltr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-15 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2008-02-15 21:46 159744 ----a-w- c:\windows\system32\hkcmd.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\syncables\\syncables desktop\\jre\\bin\\javaw.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/01/2011 15:27 135336] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592] R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [05/06/2009 12:16 113664] R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [02/03/2009 21:03 38912] S2 BOTService;BOTService;"c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe" --> c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [?] S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [05/06/2009 12:17 160256] S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?] S3 utexntcx;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utexntcx.sys --> c:\windows\system32\Drivers\utexntcx.sys [?] . Contents of the 'Scheduled Tasks' folder 2011-01-27 c:\windows\Tasks\BackOnTrack Update.job - c:\windows\BotInvokeUpdate.exe [2009-07-23 05:41] 2011-02-04 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20] . . ------- Supplementary Scan ------- . IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 Trusted Zone: microsoft.com . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-02-04 15:06 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3188) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\idt\wdm\STacSV.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\windows\system32\igfxsrvc.exe . ************************************************************************** . Completion time: 2011-02-04 15:12:04 - machine was rebooted ComboFix-quarantined-files.txt 2011-02-04 15:12 ComboFix2.txt 2011-01-31 21:31 Pre-Run: 140,894,076,928 bytes free Post-Run: 144,615,481,344 bytes free - - End Of File - - 6839704EEB39D24F558FAD6A41AF8269
  5. Kazzaa

    Help with HJT file?[RESOLVED]

    Hi, I have followed these steps... firstly I disabled Avira (not a problem), then ComboFix said that AVG Free was running, which I thought it wasn't. I couldn't find a running AVG program, so I ran AVG removal tool, & ComboFix still said AVG was running. I assumed it was a glitch so I ran ComboFix (you will see from the report that it DOES say AVG is running, I just couldn't find the location). First few steps went fine, the Windows Recovery Console was not installed so it connected with the Microsoft site & downlaoded 100% but then didn't install the console. I don't know why this is?? ComboFix ran fine after that & I enclose the log report. So just remember when viewing it: 1 - AVG was running but I couldn't find it 2 - the recovery console was not & is not now installed. Just in case these facts affect how we proceed from here. Thanks, K-Dog ComboFix 11-01-31.01 - miss madigan 31/01/2011 21:10:28.1.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.589 [GMT 0:00] Running from: c:\documents and settings\miss madigan\Desktop\schrauber.exe AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_RKHIT -------\Service_RkHit ((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-31 ))))))))))))))))))))))))))))))) . 2011-01-30 19:13 . 2011-01-31 11:39 34560 ----a-w- c:\windows\system32\drivers\Normandy.sys 2011-01-30 17:56 . 2011-01-30 17:56 -------- d-----w- c:\program files\Spybot - Search & Destroy 2011-01-30 15:29 . 2011-01-30 15:29 -------- d-----w- c:\documents and settings\miss madigan\Application Data\Avira 2011-01-30 15:27 . 2010-12-13 08:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-01-30 15:27 . 2010-12-13 08:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-01-30 15:27 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2011-01-30 15:27 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2011-01-30 15:27 . 2011-01-30 15:27 -------- d-----w- c:\program files\Avira 2011-01-30 15:27 . 2011-01-30 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2011-01-30 14:24 . 2011-01-30 17:42 -------- d-----w- c:\program files\MSECACHE 2011-01-29 12:45 . 2011-01-29 12:45 388096 ----a-r- c:\documents and settings\miss madigan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-01-29 12:45 . 2011-01-29 12:45 -------- d-----w- c:\program files\Trend Micro 2011-01-28 20:03 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\82495002.sys 2011-01-28 20:02 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\82495001.sys 2011-01-28 20:02 . 2009-10-09 22:31 315408 ----a-w- c:\windows\system32\drivers\8249500.sys 2011-01-28 19:51 . 2011-01-28 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL 2011-01-28 17:21 . 2011-01-28 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-12-18 22:17 . 2010-12-18 22:17 951291 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\remregfix.reg 2010-12-18 22:17 . 2010-12-18 22:17 896 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\databasepath.reg 2010-12-18 22:17 . 2010-12-18 22:17 890 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\Remove-itRestorePoint.vbs 2010-12-18 22:17 . 2010-12-18 22:17 5228 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\nfig.reg 2010-12-18 22:17 . 2010-12-18 22:17 4994 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\s.reg 2010-12-18 22:17 . 2010-12-18 22:17 4512 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\hpregfix.reg 2010-12-18 22:17 . 2010-12-18 22:17 4224 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\beep.sys 2010-12-18 22:17 . 2010-12-18 22:17 3008 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\bgregfix.reg 2010-12-18 22:17 . 2010-12-18 22:17 2600 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\exefix.reg 2010-12-18 22:17 . 2010-12-18 22:17 18308 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\IEDef.reg 2010-12-18 22:17 . 2010-12-18 22:17 1754 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\regf.reg 2010-12-18 22:17 . 2010-12-18 22:17 29634504 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\scan.exe 2010-12-18 22:17 . 2008-04-15 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys 2010-12-18 22:17 . 2010-12-18 22:17 16384 ----a-w- c:\documents and settings\miss madigan\Local Settings\Application Data\tskill.exe 2010-11-16 19:30 . 2010-10-10 16:02 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys . <pre> c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe c:\program files\Common Files\Java\Java Update\jusched .exe c:\program files\CyberLink\YouCam\YouCamTray .exe c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu .exe c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain .exe c:\program files\HP\HPBTWD .exe c:\program files\IDT\WDM\sttray .exe c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr .exe c:\program files\Synaptics\SynTP\SynTPEnh .exe c:\program files\syncables\syncables desktop\Syncables .exe c:\program files\uTorrent\uTorrent .exe </pre> ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^miss madigan^Start Menu^Programs^Startup^_uninst_setup_9.0.0.722_19.11.2010_22-12.exe.lnk] backup=c:\windows\pss\_uninst_setup_9.0.0.722_19.11.2010_22-12.exe.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] c:\windows\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AESTFltr] 2009-02-18 21:41 737280 ----a-w- c:\windows\system32\AESTFltr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-15 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2008-02-15 21:46 159744 ----a-w- c:\windows\system32\hkcmd.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\syncables\\syncables desktop\\jre\\bin\\javaw.exe"= "c:\\Program Files\\uTorrent\\uTorrent .exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [24/09/2008 21:09 103792] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/01/2011 15:27 135336] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592] R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [05/06/2009 12:16 113664] R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [02/03/2009 21:03 38912] S2 BOTService;BOTService;"c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe" --> c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [?] S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [05/06/2009 12:17 160256] S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?] S3 utexntcx;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utexntcx.sys --> c:\windows\system32\Drivers\utexntcx.sys [?] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs sepmfxtv . Contents of the 'Scheduled Tasks' folder 2011-01-27 c:\windows\Tasks\BackOnTrack Update.job - c:\windows\BotInvokeUpdate.exe [2009-07-23 05:41] 2011-01-31 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20] . . ------- Supplementary Scan ------- . uStart Page = www.google.ie mStart Page = www.google.ie IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 Trusted Zone: microsoft.com . - - - - ORPHANS REMOVED - - - - SafeBoot-klmdb.sys ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-01-31 21:26 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(1460) c:\windows\system32\WININET.dll c:\windows\system32\msi.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\idt\wdm\STacSV.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\windows\system32\igfxsrvc.exe . ************************************************************************** . Completion time: 2011-01-31 21:31:37 - machine was rebooted ComboFix-quarantined-files.txt 2011-01-31 21:31 Pre-Run: 140,954,198,016 bytes free Post-Run: 140,876,398,592 bytes free - - End Of File - - 280CB042CF25FCBF6B4F4689E5B78EAD
  6. Kazzaa

    Help with HJT file?[RESOLVED]

    Hi again Tom, I got nowhere with the Rootkit Unhooker, basically i spent all night trying to get it going to no avail. It downloads fine, installed fine but when i clcik it to open a small box saying " Please wait a few seconds.... Initialising" appears & then nothing more happens. The computer totally freezes on that screen, cannot open anything else, the clock doesn't even change & i have to hold the power button to shut the pc down. I removed the program & installed another version but same thing happened. SO no results there for ya...
  7. Kazzaa

    Help with HJT file?[RESOLVED]

    Hey Tom, Thanks for your response. Prior to your post I had run a spybot search & destroy scan but I won't run anything else until i have completed your instructions. The results of the OTL scan are as follows: OTL.Txt Extras.Txt
  8. i have a netbook with Windows XP which has had some problems for a while. Freezing, slow to run, windows explorer takes approx. 5 mins to open when computer has started. Windows installer keeps popping up when random buttons are clicked. I cannot acces Windows update or manually install any updates. I cannot install AVG or another anti-virus as it always fails due to "another installation already in progress". I have managed to install tune up programs to no avail, & windows defender or one care scanner are not finding any viruses. Hijack this is my last resort. Hopefully someone can spot what the problem is??? Thanks in advance for any help you can offer?? I include the log file here as it would not attach! Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 12:58:16 PM, on 29/01/2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe c:\program files\idt\wdm\STacSV.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=91&bd=Pavilion&pf=cnnb R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ie R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ie R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289937724671 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285972845937 O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file) O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O23 - Service: BOTService - Sonic Solutions - C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\wdm\STacSV.exe -- End of file - 4397 bytes