Freezing ... BSOD ... Heck of a mess ... jumping computers ... jumping


This topic is locked

#1 winst0n (Member, 42 posts)
I've run a heck of a lot of stuff to try to get rid of these critters. Safe mode is about all I can do without fear of freezing up.

Here are the requested logs:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/29 16:58
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: c:\documents and settings\administrator\local settings\temp\~dfa556.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\~dfb8a1.tmp
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\~dfe65c.tmp
Status: Allocation size mismatch (API: 163840, Raw: 0)

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\frameiconcache.dat
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8ASAYW0Q\trans_pixel[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EA6DG7QK\ADSAdClient31[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EA6DG7QK\default[3].htm
Status: Invisible to the Windows API!

Path: c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\ea6dg7qk\errorinformation[1].htm
Status: Allocation size mismatch (API: 12288, Raw: 16384)

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NTVPWDIJ\mstoolbar[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NTVPWDIJ\footer[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NTVPWDIJ\toc[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NTVPWDIJ\trans_pixel[1].gif
Status: Invisible to the Windows API!

Path: c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\ntvpwdij\welcome[1].htm
Status: Allocation size mismatch (API: 118784, Raw: 262144)



OTL logfile created on: 7/29/2009 5:01:21 PM - Run 1
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.53 Mb Total Physical Memory | 808.64 Mb Available Physical Memory | 79.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.54 Gb Total Space | 94.52 Gb Free Space | 53.24% Space Free | Partition Type: NTFS
Drive D: | 37.26 Gb Total Space | 12.21 Gb Free Space | 32.77% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EVEREST
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2008/07/02 19:38:24 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/07/29 16:59:38 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/04/13 20:00:00 | 00,100,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\6to4svc.dll -- (6to4 [Auto | Stopped])
SRV - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService [Auto | Stopped])
SRV - [2009/05/11 10:15:50 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService [Auto | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2003/05/05 19:30:22 | 00,065,536 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\System32\Brmfrmps.exe -- (brmfrmps [Auto | Stopped])
SRV - [2002/04/12 00:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brsvc01a.exe -- (Brother XP spl Service [Auto | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/04/23 01:00:03 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9c3e9885acf3e [Auto | Stopped])
SRV - [2008/04/13 20:00:00 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2001/10/08 12:59:36 | 00,049,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Fast.exe -- (InteractiveLogon [Auto | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2005/03/31 23:16:00 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [On_Demand | Stopped])
SRV - [2002/09/20 15:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) [Auto | Stopped])
SRV - [2007/05/28 09:57:54 | 00,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE [Auto | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect...nampie7&query="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {0b38152b-1b20-484d-a11f-5e04a9b0661f}:5.6.10.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.12
FF - prefs.js..keyword.URL: "http://slirsredirect...inampab&query="


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/04 03:13:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/07/22 04:06:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/07/21 22:01:53 | 00,000,000 | ---D | M]

[2009/04/13 16:34:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions
[2009/04/13 16:34:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/07/28 04:55:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\umraneyu.default\extensions
[2009/05/16 21:33:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\umraneyu.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
[2009/05/16 21:33:35 | 00,001,196 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\FireFox\Profiles\umraneyu.default\searchplugins\winamp-search.xml
[2009/04/13 16:34:07 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/07/21 22:01:53 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/21 22:01:48 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/07/21 22:01:48 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/07/21 22:01:50 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/03/26 11:56:22 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/03/26 11:56:22 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/06/25 02:44:11 | 00,001,489 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg_igeared.xml
[2009/03/26 11:56:22 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/03/26 11:56:22 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/03/26 11:56:22 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/03/26 11:56:22 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (2833 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 82.195.155.5 c3310.z1301.winmx.com c3311.z1301.winmx.com c3312.z1301.winmx.com c3313.z1301.winmx.com c3314.z1301.winmx.com c3315.z1301.winmx.com c3316.z1301.winmx.com c3317.z1301.winmx.com c3318.z1301.winmx.com c3319.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3310.z1302.winmx.com c3311.z1302.winmx.com c3312.z1302.winmx.com c3313.z1302.winmx.com c3314.z1302.winmx.com c3315.z1302.winmx.com c3316.z1302.winmx.com c3317.z1302.winmx.com c3318.z1302.winmx.com c3319.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3310.z1303.winmx.com c3311.z1303.winmx.com c3312.z1303.winmx.com c3313.z1303.winmx.com c3314.z1303.winmx.com c3315.z1303.winmx.com c3316.z1303.winmx.com c3317.z1303.winmx.com c3318.z1303.winmx.com c3319.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3310.z1304.winmx.com c3311.z1304.winmx.com c3312.z1304.winmx.com c3313.z1304.winmx.com c3314.z1304.winmx.com c3315.z1304.winmx.com c3316.z1304.winmx.com c3317.z1304.winmx.comc3318.z1304.winmx.com c3319.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3310.z1305.winmx.com c3311.z1305.winmx.com c3312.z1305.winmx.com c3313.z1305.winmx.com c3314.z1305.winmx.com c3315.z1305.winmx.com c3316.z1305.winmx.com c3317.z1305.winmx.com c3318.z1305.winmx.com c3319.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3310.z1306.winmx.com c3311.z1306.winmx.com c3312.z1306.winmx.com c3313.z1306.winmx.com c3314.z1306.winmx.com c3315.z1306.winmx.com c3316.z1306.winmx.com c3317.z1306.winmx.comc3318.z1306.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1301.winmx.com c3521.z1301.winmx.com c3522.z1301.winmx.com c3523.z1301.winmx.com c3524.z1301.winmx.com c3525.z1301.winmx.com c3526.z1301.winmx.com c3527.z1301.winmx.com c3528.z1301.winmx.com c3529.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1302.winmx.com c3521.z1302.winmx.com c3522.z1302.winmx.com c3523.z1302.winmx.com c3524.z1302.winmx.com c3525.z1302.winmx.com c3526.z1302.winmx.com c3527.z1302.winmx.com 3528.z1302.winmx.com c3529.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1303.winmx.com c3521.z1303.winmx.com c3522.z1303.winmx.com c3523.z1303.winmx.com c3524.z1303.winmx.com c3525.z1303.winmx.com c3526.z1303.winmx.com c3527.z1303.winmx.com c3528.z1303.winmx.com c3529.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1304.winmx.com c3521.z1304.winmx.com c3522.z1304.winmx.com c3523.z1304.winmx.com c3524.z1304.winmx.com c3525.z1304.winmx.com c3526.z1304.winmx.com c3527.z1304.winmx.com c3528.z1304.winmx.com c3529.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1305.winmx.com c3521.z1305.winmx.com c3522.z1305.winmx.com c3523.z1305.winmx.com c3524.z1305.winmx.com c3525.z1305.winmx.com c3526.z1305.winmx.com c3527.z1305.winmx.com c3528.z1305.winmx.com c3529.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3520.z1306.winmx.com c3521.z1306.winmx.com c3522.z1306.winmx.com c3523.z1306.winmx.comc3524.z1306.winmx.com c3525.z1306.winmx.com c3526.z1306.winmx.com c3527.z1306.winmx.com c3528.z1306.winmx.comc3529.z1306.winmx.com
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInstrumentation = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMFUprogramsList = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1
O8 - Extra context menu item: &Winamp Search - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_03)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_03)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/13 16:28:52 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/03/26 11:35:20 | 00,000,000 | ---D | M] - D:\autoruns -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/07/29 16:59:38 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/07/29 14:52:43 | 00,463,738 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RootRepeal(2).zip
[2009/07/29 14:43:06 | 00,000,104 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Internet Explorer.lnk
[2009/07/29 14:42:19 | 00,463,738 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.zip
[2009/07/29 14:30:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2009/07/29 14:29:22 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/07/29 14:10:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/07/29 14:10:04 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/07/29 14:10:02 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/29 14:10:01 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/29 14:10:01 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/07/29 14:10:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/07/29 14:09:34 | 03,775,200 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2009/07/29 14:09:12 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/07/29 14:08:30 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2009/07/29 14:08:30 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2009/07/29 14:08:29 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/07/29 14:08:08 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Administrator\Desktop\erunt_setup.exe
[2009/07/29 14:03:49 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\Administrator\Desktop\SysRestorePoint.exe
[2009/07/29 13:45:27 | 00,265,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2009/07/29 02:14:31 | 00,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/07/29 02:13:43 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/07/29 02:13:43 | 00,055,640 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/07/29 02:13:43 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/07/29 02:13:43 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/07/29 02:13:42 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/07/29 02:13:25 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/07/29 02:13:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/07/29 02:05:56 | 32,299,960 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\avira_antivir_personal_en.exe
[2009/07/29 01:31:44 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/07/28 20:24:15 | 03,252,640 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\Administrator\Desktop\ccsetup221.exe
[2009/07/28 15:26:45 | 02,069,088 | ---- | C] (ParetoLogic Inc.) -- C:\Documents and Settings\Administrator\Desktop\RegCureSetup_RW.exe
[2009/07/28 04:58:17 | 00,000,005 | -HS- | C] () -- C:\WINDOWS\System32\dadeeb0_g.dll
[2009/07/28 04:58:17 | 00,000,005 | ---- | C] () -- C:\WINDOWS\System32\cabffdaffeb4_g.ocx
[2009/07/28 04:56:27 | 00,814,552 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RegSupreme_1.4_setup.exe
[2009/07/28 04:43:59 | 00,000,000 | ---D | C] -- C:\vlc
[2009/07/27 22:59:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\BUGHUN22
[2009/07/27 22:58:59 | 00,286,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\BUGHUN22.ZIP
[2009/07/27 00:54:12 | 00,000,608 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to procexp.exe.lnk
[2009/07/26 23:01:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2009/07/26 21:35:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\ProcessExplorer
[2009/07/26 19:25:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/07/26 16:58:15 | 00,000,000 | ---D | C] -- C:\Program Files\Creative Labs
[2009/07/26 16:57:06 | 00,000,000 | ---D | C] -- C:\Program Files\Eidos Interactive
[2009/07/26 15:27:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\mess
[2009/07/26 04:17:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2009/07/26 01:08:53 | 00,000,000 | ---D | C] -- C:\MinGW
[2009/07/25 23:33:48 | 00,000,000 | ---D | C] -- C:\Program Files\XEmacs
[2009/07/25 22:51:33 | 00,000,000 | ---D | C] -- C:\cygwin
[2009/07/25 22:25:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\emacs-22.3-barebin-i386
[2009/07/25 22:13:27 | 00,000,720 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Notepad++.lnk
[2009/07/25 22:13:25 | 00,000,000 | ---D | C] -- C:\Program Files\Notepad++
[2009/07/25 22:13:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Notepad++
[2009/07/25 20:28:54 | 00,334,792 | ---- | C] (Alcohol Soft Development Team) -- C:\WINDOWS\System32\_AxShlEx.dll
[2009/07/25 20:11:36 | 00,716,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/07/25 20:04:02 | 00,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/07/25 20:01:37 | 00,000,000 | ---D | C] -- C:\Program Files\SlySoft
[2009/07/25 18:06:15 | 00,000,000 | ---D | C] -- C:\Program Files\Alcohol Soft
[2009/07/25 18:05:03 | 00,000,000 | ---D | C] -- C:\a120
[2009/07/25 18:04:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\New Folder
[2009/07/25 16:31:32 | 00,000,000 | ---D | C] -- C:\Program Files\Square Soft, Inc
[2009/07/25 16:26:04 | 00,000,156 | ---- | C] () -- C:\WINDOWS\tmpcpyis.bat
[2009/07/25 16:26:04 | 00,000,122 | ---- | C] () -- C:\WINDOWS\tmpdelis.bat
[2009/07/25 16:26:04 | 00,000,026 | ---- | C] () -- C:\WINDOWS\winstart.bat
[2009/07/25 16:24:20 | 00,299,520 | ---- | C] (InstallShield Corporation, Inc.) -- C:\WINDOWS\uninst.exe
[2009/07/24 03:39:53 | 00,140,800 | ---- | C] (The Duck Corporation) -- C:\WINDOWS\System32\tm20dec.ax
[2009/07/24 03:26:21 | 00,000,000 | ---D | C] -- C:\Program Files\Final Fantasy VII
[2009/07/23 23:59:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2009/07/23 23:04:14 | 00,001,615 | ---- | C] () -- C:\WINDOWS\System32\sdbackup.reg
[2009/07/23 23:03:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\s4hide
[2009/07/23 22:37:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2009/07/23 22:13:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2009/07/23 22:12:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2009/07/23 22:01:22 | 00,000,000 | ---D | C] -- C:\Program Files\EA Games
[2009/07/23 20:01:40 | 00,000,000 | ---D | C] -- C:\Program Files\PowerISO
[2009/07/23 19:25:53 | 00,000,000 | --SD | C] -- C:\Documents and Settings\All Users\Documents\Virtual CDs
[2009/07/23 19:25:47 | 00,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\My Documents\Virtual CD v9
[2009/07/23 19:00:05 | 00,000,768 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/07/19 00:25:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\dvdcss
[2009/07/17 22:22:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Downloads
[2009/07/17 21:59:12 | 00,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2009/07/17 21:58:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2009/07/15 19:56:06 | 00,000,000 | ---D | C] -- C:\Program Files\JFDuke3D

========== Files - Modified Within 14 Days ==========

[2009/07/29 16:59:38 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/07/29 16:52:38 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/29 16:44:12 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/29 16:43:23 | 03,712,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/07/29 14:52:41 | 00,463,738 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RootRepeal(2).zip
[2009/07/29 14:44:41 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/07/29 14:44:27 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/29 14:43:06 | 00,000,104 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Internet Explorer.lnk
[2009/07/29 14:42:21 | 00,463,738 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.zip
[2009/07/29 14:10:05 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/07/29 14:09:44 | 03,775,200 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2009/07/29 14:08:30 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2009/07/29 14:08:30 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2009/07/29 14:08:09 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Administrator\Desktop\erunt_setup.exe
[2009/07/29 14:03:53 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\Administrator\Desktop\SysRestorePoint.exe
[2009/07/29 13:45:30 | 00,265,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2009/07/29 11:10:37 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/07/29 02:14:31 | 00,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/07/29 02:08:31 | 32,299,960 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\avira_antivir_personal_en.exe
[2009/07/29 01:47:51 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/07/28 15:27:20 | 02,069,088 | ---- | M] (ParetoLogic Inc.) -- C:\Documents and Settings\Administrator\Desktop\RegCureSetup_RW.exe
[2009/07/28 14:53:04 | 00,151,581 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/07/28 11:59:09 | 00,000,529 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/07/28 11:59:09 | 00,000,232 | -HS- | M] () -- C:\boot.ini
[2009/07/28 04:58:17 | 00,000,005 | -HS- | M] () -- C:\WINDOWS\System32\dadeeb0_g.dll
[2009/07/28 04:58:17 | 00,000,005 | ---- | M] () -- C:\WINDOWS\System32\cabffdaffeb4_g.ocx
[2009/07/28 04:56:28 | 00,814,552 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RegSupreme_1.4_setup.exe
[2009/07/28 04:17:36 | 03,252,640 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\Administrator\Desktop\ccsetup221.exe
[2009/07/27 22:59:18 | 00,286,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\BUGHUN22.ZIP
[2009/07/27 00:54:13 | 00,000,608 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to procexp.exe.lnk
[2009/07/26 22:09:38 | 00,015,216 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/07/26 21:07:27 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/25 22:13:27 | 00,000,720 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Notepad++.lnk
[2009/07/25 20:11:36 | 00,716,272 | ---- | M] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/07/25 20:04:02 | 00,000,041 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/07/25 16:26:14 | 00,000,768 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/07/25 16:26:14 | 00,000,156 | ---- | M] () -- C:\WINDOWS\tmpcpyis.bat
[2009/07/25 16:26:14 | 00,000,122 | ---- | M] () -- C:\WINDOWS\tmpdelis.bat
[2009/07/25 16:26:04 | 00,000,026 | ---- | M] () -- C:\WINDOWS\winstart.bat
[2009/07/23 23:59:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Brownie.ini
[2009/07/23 23:04:14 | 00,001,615 | ---- | M] () -- C:\WINDOWS\System32\sdbackup.reg
[2009/07/22 21:18:34 | 00,101,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/07/17 22:23:17 | 00,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/07/17 22:23:17 | 00,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/07/17 22:23:17 | 00,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

========== LOP Check ==========

[2009/07/29 14:10:06 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Administrator\Application Data
[2009/04/19 10:16:50 | 00,000,000 | R--D | M] -- C:\Documents and Settings\Administrator\Application Data\Brother
[2009/07/26 19:26:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DNA
[2009/07/19 00:25:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\dvdcss
[2009/07/23 22:13:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2009/06/25 04:20:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\LimeWire
[2009/07/25 22:13:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Notepad++
[2009/04/25 22:59:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Ubisoft
[2009/07/29 13:33:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2009/07/29 14:10:01 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/04/17 21:43:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Brother
[2008/04/13 20:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/07/29 14:44:41 | 00,000,882 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
[2009/07/29 11:10:37 | 00,000,886 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
[2009/07/29 14:44:27 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 24 bytes -> C:\WINDOWS:50550A1EBE70AA1E
< End of report >


OTL Extras logfile created on: 7/29/2009 5:01:21 PM - Run 1
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.53 Mb Total Physical Memory | 808.64 Mb Available Physical Memory | 79.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.54 Gb Total Space | 94.52 Gb Free Space | 53.24% Space Free | Partition Type: NTFS
Drive D: | 37.26 Gb Total Space | 12.21 Gb Free Space | 32.77% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EVEREST
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- File not found
"D:\Program Files\LimeWire\LimeWire.exe" = D:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- ()
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\eMule\emule.exe" = C:\Program Files\eMule\emule.exe:*:Enabled:eMule -- (http://www.emule-project.net)
"C:\Program Files\AeriaGames\Project Torque\ProjectTorque.bin" = C:\Program Files\AeriaGames\Project Torque\ProjectTorque.bin:*:Enabled:Game -- (Invictus-Games Kft.)
"C:\Program Files\Age of Wonders II\AoW2.exe" = C:\Program Files\Age of Wonders II\AoW2.exe:*:Enabled:Age of Wonders 2 -- (Triumph Studios)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\JFDuke3D\duke3d.exe" = C:\Program Files\JFDuke3D\duke3d.exe:*:Enabled:duke3d -- ()
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{40A6C96D-808E-41DD-8716-617AB6B0F1F1}" = Brother MFL-Pro Suite
"{6C31E111-96BB-4ADC-9C81-E6D3EEDDD8D3}" = Powertoys For Windows XP
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Age of Wonders II" = Age of Wonders II
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner (remove only)
"Duke Nukem 3D HRP" = Duke Nukem 3D HRP V 4.0 (321)
"EAX™ Unified (SHELL)" = EAX™ Unified (SHELL)
"eMule" = eMule
"ERUNT_is1" = ERUNT 1.1j
"ie8" = Windows Internet Explorer 8
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"JAIELangPack" = Japanese Language Support
"JFDuke3D" = JFDuke3D 20050216
"LimeWire" = LimeWire PRO 4.12.4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MinGW" = MinGW 5.1.4
"Mozilla Firefox (3.0.12)" = Mozilla Firefox (3.0.12)
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"PowerISO" = PowerISO
"Project Torque" = Project Torque
"Torrente_is1" = Torrente
"VLC media player" = VLC media player 0.9.9
"Winamp" = Winamp
"WinRAR archiver" = WinRAR archiver
"XEmacs_is1" = XEmacs 21.4.21
"ZHCIELangPack" = Chinese (Simplified) Language Support
"ZHTIELangPack" = Chinese (Traditional) Language Support

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 7/29/2009 5:34:08 PM | Computer Name = EVEREST | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/29/2009 5:39:43 PM | Computer Name = EVEREST | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.100 for the Network Card with network
address 000C6E2A34A4 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 7/29/2009 5:43:07 PM | Computer Name = EVEREST | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/29/2009 7:41:59 PM | Computer Name = EVEREST | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/29/2009 7:43:25 PM | Computer Name = EVEREST | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/29/2009 7:44:37 PM | Computer Name = EVEREST | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/29/2009 7:46:37 PM | Computer Name = EVEREST | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.100 for the Network Card with network
address 000C6E2A34A4 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 7/29/2009 7:48:51 PM | Computer Name = EVEREST | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 7/29/2009 7:51:54 PM | Computer Name = EVEREST | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 7/29/2009 7:58:22 PM | Computer Name = EVEREST | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

#2
winst0n

    Member

  • Topic Starter
  • 42 posts
I noticed a recommendation that someone made for another rootkit tool ... (I managed to create a log before I froze up again ...)

I'm running a scan in safe mode, so if I can get the focus on the right button in low rez (it's outside of the field of view ...) I'll paste a second log after the first.

.
.
.

Taking too long .... no second log yet

.
.
.

GMER 1.0.15.15010 [44buo36z.exe] - http://www.gmer.net
Rootkit scan 2009-07-30 01:32:15
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT splr.sys ZwEnumerateKey [0xBAF00CA2]
SSDT splr.sys ZwEnumerateValueKey [0xBAF01030]

Code \WINDOWS\system32\ntoskrnl.exe[PAGEVRFY] [8066BEA5] pIofCallDriver
Code \WINDOWS\system32\ntoskrnl.exe[PAGEVRFY] [8066C5AF] pIofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86B6D1F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \Fat 867D4500

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

#3
winst0n

    Member

  • Topic Starter
  • 42 posts
Another rootkit tool log ... :

(hmm the obviously nasty stuff didn't show up in the log...)

I attached a couple of bitmaps that seem to show a problem to my old geeky but not uber-geeky eyes ..

FreeFixer v0.43 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 3
Log dated 2009-07-30 02:02


Winlogon Notify (10 whitelisted)
avgrsstarter - (no file specified)

Browser Helper Objects (2 whitelisted)
{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}, , No file specified
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}, , No file specified
{A3BC75A2-1F87-4686-AA43-5347D756017C}, , No file specified

Internet Explorer toolbars (2 whitelisted)
HKLM\..\Toolbar\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - - No file specified
HKCU\..\Toolbar\WebBrowser\{A057A204-BACC-4D26-9990-79A187E2698E} - - No file specified

Basic Internet Explorer settings
HKCU\..\Main, Start Page = http://www.google.com/

Registry Startups (2 whitelisted)
HKCU\..\Run, SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

HOSTS file
82.195.155.5 c3310.z1301.winmx.com
82.195.155.5 c3310.z1302.winmx.com
82.195.155.5 c3310.z1303.winmx.com
82.195.155.5 c3310.z1304.winmx.com
82.195.155.5 c3310.z1305.winmx.com
82.195.155.5 c3310.z1306.winmx.com
82.195.155.5 c3520.z1301.winmx.com
82.195.155.5 c3520.z1302.winmx.com
82.195.155.5 c3520.z1303.winmx.com
82.195.155.5 c3520.z1304.winmx.com
82.195.155.5 c3520.z1305.winmx.com
82.195.155.5 c3520.z1306.winmx.com

Processes (12 whitelisted)
C:\Documents and Settings\Administrator\Desktop\44buo36z.exe
C:\Program Files\FreeFixer\freefixer.exe

Application modules (61 whitelisted)
C:\WINDOWS\system32\sfc_os.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\SYNCOR11.DLL

Services (32 whitelisted)
brmfrmps, Brother Popup Suspend service for Resource manager, c:\windows\system32\brmfrmps.exe
gupdate1c9c3e9885acf3e, Google Update Service (gupdate1c9c3e9885acf3e), c:\program files\google\update\googleupdate.exe
InteractiveLogon, InteractiveLogon, c:\windows\system32\fast.exe
SoundMAX Agent Service (default), SoundMAX Agent Service, c:\program files\analog devices\soundmax\smagent.exe
StarWindServiceAE, StarWind AE Service, c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe

Drivers (29 whitelisted)
sptd, , C:\WINDOWS\system32\drivers\sptd.sys
Tcpip, TCP/IP Protocol Driver, C:\WINDOWS\system32\drivers\tcpip.sys
videX32, , C:\WINDOWS\system32\drivers\videx32.sys

Windows XP Firewall authorized apps (5 whitelisted)
D:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\AeriaGames\Project Torque\ProjectTorque.bin
C:\Program Files\Age of Wonders II\AoW2.exe
C:\Program Files\JFDuke3D\duke3d.exe
C:\Program Files\uTorrent\uTorrent.exe

Firefox Extensions
Winamp Toolbar, C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\umraneyu.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\install.rdf

Recently created/modified files (13 whitelisted)
7 minutes, c:\Program Files\FreeFixer\Uninstall.exe
8 minutes, c:\Documents and Settings\Administrator\Desktop\PAVARK.exe
8 minutes, c:\Documents and Settings\Administrator\Desktop\antirootkit.exe
10 minutes, c:\Documents and Settings\Administrator\Desktop\freefixersetup.exe
10 minutes, c:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\umraneyu.default\Cache\E9596A38d01
11 minutes, c:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\umraneyu.default\Cache\252B0183d01
36 minutes, c:\Program Files\Alwil Software\Avast4\DATA\clnr0.dll
45 minutes, c:\Documents and Settings\Administrator\Desktop\dds.com
46 minutes, c:\Documents and Settings\Administrator\Desktop\44buo36z.exe
8 hours, c:\Program Files\Alwil Software\Avast4\XT1922.dll
8 hours, c:\Program Files\Alwil Software\Avast4\Aavm4h.dll
8 hours, c:\Program Files\Alwil Software\Avast4\AavmGuih.dll.0
8 hours, c:\Program Files\Alwil Software\Avast4\AavmRpch.dll
8 hours, c:\Program Files\Alwil Software\Avast4\AhResMai.dll
8 hours, c:\Program Files\Alwil Software\Avast4\ahResMes.dll
8 hours, c:\Program Files\Alwil Software\Avast4\AhResNS.dll
8 hours, c:\Program Files\Alwil Software\Avast4\AhResOut.dll

#4
winst0n

    Member

  • Topic Starter
  • 42 posts
BMPs didn't work, so I'll type out what seems suspicious ...

from process explorer:

6 instances of svchost.exe (in safe mode)
csrss.exe shows weirdness
lsass.exe shows weirdness
lots of weird looking threads some of them with extension .dll!
Am I wrong, or does .dll! sound like junk?

here are some of the most suspicious threads:

ADVAPI32.dll!CryptVerifySignatureW+0x17
CSRSRV.dll!CsrValidateMessageString+0x179
winsrv.dll!ConServerDLLIntialization+0x35f4
ntdll.dll!RT|QueueWorkItem+0x0283
kernel32.dll!CreateThread+0x22
dhcpcsvc.dll!DhcpRequestOptions+0x54fe
LSASRV.dll!LsapAuOpenSam+0x2057

I'll move on to what Freefixer shows me:

Winlogon notify dlls:
crypt32.dll
cryptnet.dll
dimsntfy.dll
sclgntfy.dll
wlnotify.dll (4 times with differing registry IDs?)
Wlnotify.dll

and another list of services with svchost.exe running 5 times
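The `module!function+offset` strings above are how Process Explorer labels a thread's start address, and several svchost.exe instances are normal on Windows XP; what matters is whether each instance is the System32 binary, was started with a service group Windows defines, and actually hosts services. The following PowerShell is an added example (not posted in the thread, not part of Process Explorer or FreeFixer) that makes those three checks; it assumes an elevated PowerShell session and uses the WMI classes Win32_Process and Win32_Service.

```powershell
# Added example, not from the thread: map each running svchost.exe to the services
# it hosts and flag instances that do not look like the genuine Windows service host.
# Assumes an elevated PowerShell session (WMI classes Win32_Process and Win32_Service;
# svchost group names are read from the Svchost registry key Windows maintains).

function Get-SvchostReport {
    $expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

    # Service-host groups Windows knows about: each value name under this key
    # (netsvcs, DcomLaunch, rpcss, ...) is a legitimate "-k <group>" argument.
    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $knownGroups = @()
    if (Test-Path $groupKey) {
        $knownGroups = (Get-Item $groupKey).GetValueNames()
    }

    # Index running services by the PID of the process that hosts them.
    $servicesByPid = @{}
    foreach ($svc in Get-WmiObject Win32_Service -Filter "ProcessId <> 0") {
        if (-not $servicesByPid.ContainsKey($svc.ProcessId)) {
            $servicesByPid[$svc.ProcessId] = @()
        }
        $servicesByPid[$svc.ProcessId] += $svc.Name
    }

    foreach ($proc in Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'") {
        $flags = @()

        # 1. The genuine binary lives in System32; a copy elsewhere is a red flag.
        #    (ExecutablePath is empty when the session lacks rights to read it.)
        if (-not $proc.ExecutablePath -or
            $proc.ExecutablePath -ine $expectedImage) {
            $flags += 'image not System32\svchost.exe'
        }

        # 2. The -k group on the command line should be one Windows defines.
        $group = $null
        if ($proc.CommandLine -match '-k\s+(\S+)') { $group = $Matches[1] }
        if (-not $group) {
            $flags += 'no -k group on command line'
        } elseif ($knownGroups -notcontains $group) {
            $flags += "unknown group '$group'"
        }

        # 3. Every real svchost hosts at least one service.
        $hosted = $servicesByPid[[uint32]$proc.ProcessId]
        if (-not $hosted) { $flags += 'hosts no services' }

        New-Object PSObject -Property @{
            ProcessId = $proc.ProcessId
            Group     = $group
            Image     = $proc.ExecutablePath
            Services  = ($hosted -join ', ')
            Flags     = ($flags -join '; ')
        }
    }
}

# Show every instance; Flags is empty for instances that pass all three checks.
Get-SvchostReport | Sort-Object ProcessId |
    Format-Table ProcessId, Group, Services, Flags -AutoSize
```

An instance that fails check 1 or 2 is worth examining with the file's digital signature and its parent process before anything else; an empty Flags column means the instance is the expected binary doing the expected job.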

#5
winst0n

    Member

  • Topic Starter
  • 42 posts
So to describe a couple of BSODs:
IRQL_NOT_LESS_OR_EQUAL
has happened several times ...

I just got a STOP 0x000000C4
(0x0000003C,0x000000F8,0x00000000,0x00000000)

Windows thinks it's a driver issue (which it could be).
I'm pretty sure it's not just a driver issue though.

#6
winst0n

    Member

  • Topic Starter
  • 42 posts
I found a driver scanner which told me I had a bad one, but it didn't say which one.
I still think these services running wild is the major issue.

#7
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello winst0n,

One thing: Please just run the tools we ask you to.

Now

There seem to be remnants of Avast anti-virus on your machine.

Let's remove those.

To uninstall Avast, download the removal tool from here.

Step 2

Your Java is out of date; older versions are vulnerable to attack.

Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Next

You have used Malwarebytes before. If you still have it on your machine, please update and run. Post the scan report back here.

If you do not have Malwarebytes please download from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

Download DDS and save it to your desktop from here or here.

Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
Save both reports to your desktop & post them here.

Note: Unless otherwise instructed, always post the logs in the forum. If reports don't fit on one post, it might be necessary to break the logs up to get them on the forum. Just use as many posts as you need, that's fine. :)

#8
winst0n

    Member

  • Topic Starter
  • 42 posts
So a friend helped me reinstall windows.
I'm running all the recommended "do this first" stuff again.
(ask me if you want to see new logs ... I'm assuming all the required info will be in the new logs.)

I managed to get windows to update.
Avira found a lot of stuff.

Here are the requested logs ...



Malwarebytes' Anti-Malware 1.40
Database version: 2557
Windows 5.1.2600 Service Pack 2

8/4/2009 1:46:45 AM
mbam-log-2009-08-04 (01-46-45).txt

Scan type: Quick Scan
Objects scanned: 110692
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 1:50:57.59 on Tue 08/04/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1024.729 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS2\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS2\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS2\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS2\system32\MMTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\Program Files\Secway\SimpLite-MSN 2.1\SimpLite-MSN.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS2\system32\SLEE81.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS2\system32\wuauclt.exe
C:\Documents and Settings\Administrator.REBORN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netscape.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.netscape.co.uk/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows2\system32\ctfmon.exe
uRun: [Simp] c:\program files\secway\simplite-msn 2.1\SimpLite-MSN.exe
uRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeper.exe" /0
mRun: [AnyDVD] "c:\program files\slysoft\anydvd\AnyDVD.exe"
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [NeroFilterCheck] c:\windows2\system32\NeroCheck.exe
mRun: [MMTray] MMTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
dRun: [CTFMON.EXE] c:\windows2\system32\CTFMON.EXE
dRunOnce: [SSS7] "c:\program files\steganos security suite 7\SSS7.exe" -firstboot
StartupFolder: c:\docume~1\admini~1.reb\startm~1\programs\startup\winamp~1.lnk - c:\program files\winamp\winampa.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobea~1.lnk - c:\windows2\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.reb\applic~1\mozilla\firefox\profiles\0frvvd9y.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-8-3 364544]
R2 PDSched;PDScheduler;c:\program files\raxco\perfectdisk\PDSched.exe [2005-3-7 237635]
R2 SLEE_81_DRIVER;Steganos Live Encryption Engine 8.1 [Driver];c:\windows2\system32\drivers\slee81.sys [2004-11-19 69632]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-08-04 01:38 <DIR> --d----- c:\docume~1\admini~1.reb\applic~1\Malwarebytes
2009-08-04 01:38 38,160 a------- c:\windows2\system32\drivers\mbamswissarmy.sys
2009-08-04 01:38 19,096 a------- c:\windows2\system32\drivers\mbam.sys
2009-08-04 01:38 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-08-04 01:32 410,984 a------- c:\windows2\system32\deploytk.dll
2009-08-04 01:32 73,728 a------- c:\windows2\system32\javacpl.cpl
2009-08-04 01:25 14,240 a------- c:\windows2\system32\drivers\wg6n.sys
2009-08-04 01:25 14,240 a------- c:\windows2\system32\drivers\wg5n.sys
2009-08-04 01:25 59,984 a------- c:\windows2\system32\drivers\Teefer.sys
2009-08-04 01:25 14,240 a------- c:\windows2\system32\drivers\wg4n.sys
2009-08-04 01:25 14,240 a------- c:\windows2\system32\drivers\wg3n.sys
2009-08-04 01:25 21,075 a------- c:\windows2\system32\drivers\wpsdrvnt.sys
2009-08-04 01:25 83,096 a------- c:\windows2\system32\SSSensor.dll
2009-08-04 01:25 <DIR> --d----- c:\program files\Sygate
2009-08-04 01:24 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-03 22:01 <DIR> --ds---- c:\documents and settings\administrator.reborn\UserData
2009-08-03 21:54 <DIR> --d----- c:\windows2\system32\appmgmt
2009-08-03 21:50 <DIR> --d----- c:\docume~1\admini~1.reb\applic~1\uTorrent
2009-08-03 21:50 3,072 a------- c:\windows2\system32\drivers\audstub.sys
2009-08-03 21:49 25,856 a------- c:\windows2\system32\drivers\usbprint.sys
2009-08-03 21:49 57,472 a------- c:\windows2\system32\drivers\redbook.sys
2009-08-03 21:48 23,040 a------- c:\windows2\system32\drivers\mouclass.sys
2009-08-03 21:48 10,624 a------- c:\windows2\system32\drivers\gameenum.sys
2009-08-03 21:48 1,897,408 a------- c:\windows2\system32\drivers\nv4_mini.sys
2009-08-03 21:48 4,274,816 a------- c:\windows2\system32\nv4_disp.dll
2009-08-03 21:48 27,165 a------- c:\windows2\system32\drivers\fetnd5.sys
2009-08-03 21:48 20,992 a------- c:\windows2\system32\drivers\RTL8139.sys
2009-08-03 21:48 6,400 a------- c:\windows2\system32\drivers\enum1394.sys
2009-08-03 21:47 74,240 a------- c:\windows2\system32\usbui.dll
2009-08-03 21:45 66,082 a------- c:\windows2\system32\c_28603.nls
2009-08-03 21:45 <DIR> --d--r-- c:\documents and settings\all users.windows2\Documents
2009-08-03 21:43 3,162 a------- c:\windows2\system32\$winnt$.inf
2009-08-03 21:38 <DIR> --d----- c:\windows2\pss
2009-08-03 21:33 <DIR> a-d----- c:\program files\WinZip 9
2009-08-03 21:33 <DIR> --d----- c:\program files\common files\Raxco
2009-08-03 21:33 <DIR> --d----- c:\program files\Raxco
2009-08-03 21:33 45,056 a------- c:\windows2\system32\WNASPI32.DLL
2009-08-03 21:33 5,600 a------- c:\windows2\system\WINASPI.DLL
2009-08-03 21:33 17,005 a------- c:\windows2\system32\drivers\ASPI32.SYS
2009-08-03 21:33 4,672 a------- c:\windows2\system\WOWPOST.EXE
2009-08-03 21:32 8,192 a------- c:\windows2\REGLOCS.OLD
2009-08-03 21:32 <DIR> --d----- c:\docume~1\admini~1.reb\applic~1\Symantec
2009-08-03 21:32 <DIR> --d----- c:\program files\Executive Software
2009-08-03 21:28 <DIR> --d----- c:\windows2\system32\URTTemp
2009-08-03 21:27 <DIR> --d----- c:\program files\Symantec
2009-08-03 21:27 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-03 21:27 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Symantec
2009-08-03 21:26 <DIR> --d----- c:\program files\Steganos Security Suite 7
2009-08-03 21:26 <DIR> --d----- c:\program files\Webroot
2009-08-03 21:26 <DIR> --d----- c:\docume~1\admini~1.reb\applic~1\Webroot
2009-08-03 21:26 442 a------- c:\windows2\system32\mapisvc.inf
2009-08-03 21:26 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2009-08-03 21:26 299,472 a------- c:\windows2\system32\drivers\amon.sys
2009-08-03 21:26 212,992 a------- c:\windows2\system32\imon.dll
2009-08-03 21:26 114,688 a------- c:\windows2\system32\nms32.dll
2009-08-03 21:26 <DIR> --d----- c:\program files\PeerGuardian2
2009-08-03 21:26 <DIR> --d----- c:\program files\ESET
2009-08-03 21:25 <DIR> --d----- c:\program files\Lavasoft
2009-08-03 21:24 <DIR> --d----- c:\program files\Soulseek
2009-08-03 21:24 <DIR> --d----- c:\program files\mIRC
2009-08-03 21:24 <DIR> a-d----- c:\program files\FlashFXP
2009-08-03 21:24 <DIR> --d----- c:\program files\GlobalSCAPE
2009-08-03 21:24 <DIR> --d----- c:\program files\BitTornado
2009-08-03 21:24 <DIR> --d----- c:\program files\BitComet
2009-08-03 21:24 <DIR> --d----- C:\Program1
2009-08-03 21:24 <DIR> --d----- c:\program files\Ares Lite Edition
2009-08-03 21:24 <DIR> --d----- c:\program files\ABC
2009-08-03 21:23 482 a------- c:\windows2\ODBC.INI
2009-08-03 21:23 24,816 a------- c:\windows2\system32\mdimon.dll
2009-08-03 21:23 <DIR> --d----- C:\install
2009-08-03 21:22 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-08-03 21:21 <DIR> --d----- c:\windows2\SHELLNEW
2009-08-03 21:17 <DIR> --d----- c:\program files\mozilla.org
2009-08-03 21:17 <DIR> --d----- c:\program files\iTunes
2009-08-03 21:17 <DIR> --d----- c:\program files\iPod
2009-08-03 21:16 <DIR> --d----- c:\program files\foobar2000
2009-08-03 21:15 <DIR> --d----- c:\program files\FLStudio4
2009-08-03 21:15 <DIR> --d----- c:\program files\Yahoo!
2009-08-03 21:15 <DIR> --d----- c:\program files\Secway
2009-08-03 21:15 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\MSN Messenger 7.0.0425
2009-08-03 21:15 <DIR> --d----- c:\program files\MSN Messenger
2009-08-03 21:14 <DIR> --d----- c:\program files\common files\GTK
2009-08-03 21:14 <DIR> --d----- c:\program files\Viewpoint
2009-08-03 21:14 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Viewpoint
2009-08-03 21:14 <DIR> --d----- c:\program files\AIM
2009-08-03 21:14 <DIR> --d----- c:\program files\Sony
2009-08-03 21:13 <DIR> --d----- c:\program files\common files\Jasc Software Inc
2009-08-03 21:13 <DIR> --d----- c:\program files\Jasc Software Inc
2009-08-03 21:07 <DIR> --d----- c:\program files\common files\Macromedia Shared
2009-08-03 21:07 <DIR> --d----- c:\program files\common files\Macromedia
2009-08-03 21:06 <DIR> --d----- c:\program files\Macromedia
2009-08-03 21:05 <DIR> --d----- c:\program files\XviD
2009-08-03 21:05 <DIR> --d----- c:\program files\Morgan
2009-08-03 21:05 <DIR> --d----- c:\program files\GSpot
2009-08-03 21:04 <DIR> --d----- c:\program files\ffdshow
2009-08-03 21:04 <DIR> --d----- c:\program files\DivX
2009-08-03 21:04 <DIR> --d----- c:\program files\AC3Filter
2009-08-03 21:04 <DIR> --d----- c:\program files\UltraISO
2009-08-03 21:04 <DIR> --d----- c:\program files\common files\EZB Systems
2009-08-03 21:03 <DIR> --d----- c:\program files\DVD Shrink
2009-08-03 21:03 <DIR> --d----- c:\program files\DVD Decrypter
2009-08-03 21:03 <DIR> --d----- c:\program files\VSO
2009-08-03 21:02 <DIR> --d----- c:\program files\SiSoftware
2009-08-03 21:02 <DIR> --d----- c:\program files\Motherboard Monitor 5
2009-08-03 21:02 <DIR> --d----- c:\program files\AquaMark3
2009-08-03 21:01 <DIR> --d----- c:\program files\Futuremark
2009-08-03 20:54 <DIR> --dsh--- c:\documents and settings\all users.windows2\DRM
2009-07-30 22:28 <DIR> --d----- c:\program files\HostsMan
2009-07-30 21:58 <DIR> --d----- c:\program files\Trend Micro
2009-07-30 12:30 <DIR> --d----- c:\program files\Driver Sweeper
2009-07-30 12:17 <DIR> --d----- c:\program files\Security Task Manager
2009-07-30 12:11 <DIR> --d----- c:\program files\Double Driver
2009-07-30 11:13 <DIR> --d----- c:\program files\Lavalys
2009-07-30 09:55 <DIR> --d----- c:\program files\FreeFixer
2009-07-29 22:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 09:31 <DIR> --d----- c:\program files\CCleaner
2009-07-27 00:58 <DIR> --d----- c:\program files\Creative Labs
2009-07-27 00:57 <DIR> --d----- c:\program files\Eidos Interactive
2009-07-26 07:33 <DIR> --d----- c:\program files\XEmacs
2009-07-26 04:01 <DIR> --d----- c:\program files\SlySoft
2009-07-26 02:06 <DIR> --d----- c:\program files\Alcohol Soft
2009-07-26 00:31 <DIR> --d----- c:\program files\Square Soft, Inc
2009-07-24 11:26 <DIR> --d----- c:\program files\Final Fantasy VII
2009-07-24 06:01 <DIR> --d----- c:\program files\EA Games
2009-07-24 04:01 <DIR> --d----- c:\program files\PowerISO
2009-07-18 05:59 <DIR> --d----- c:\program files\uTorrent
2009-07-16 03:56 <DIR> --d----- c:\program files\JFDuke3D

==================== Find3M ====================

2009-08-03 21:16 99,971 a------- c:\windows2\UninstallFirefox.exe
2009-08-03 21:16 3,131 a------- c:\windows2\mozver.dat
2009-08-03 21:04 2,098 a--sh--- c:\windows2\system32\KGyGaAvL.sys
2009-08-03 21:03 35,936 a------- c:\windows2\system32\drivers\Pcouffin.sys
2009-08-03 21:03 68,960 a------- c:\windows2\system32\drivers\Pcatip.sys
2009-08-03 20:54 86,333 a------- c:\windows2\pchealth\helpctr\offlinecache\index.dat
2009-08-03 20:51 21,640 a------- c:\windows2\system32\emptyregdb.dat

============= FINISH: 1:51:11.73 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/3/2009 8:56:35 PM
System Uptime: 8/4/2009 1:48:11 AM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7V8X-X
Processor: AMD Athlon™ XP 2000+ | SOCKET A | 1666/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 178 GiB total, 68.036 GiB free.
D: is FIXED (FAT32) - 18 GiB total, 4.217 GiB free.
E: is Removable
F: is FIXED (FAT32) - 20 GiB total, 8.393 GiB free.
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F01&SUBSYS_00C1A0A0&REV_01\3&61AAA01&0&50
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F01&SUBSYS_00C1A0A0&REV_01\3&61AAA01&0&50
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: USB Device
Device ID: USB\VID_04F9&PID_0161&MI_01\7&E3805D&0&0001
Manufacturer:
Name: USB Device
PNP Device ID: USB\VID_04F9&PID_0161&MI_01\7&E3805D&0&0001
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_80A11043&REV_50\3&61AAA01&0&8D
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_80A11043&REV_50\3&61AAA01&0&8D
Service:

==== System Restore Points ===================

RP1: 8/3/2009 9:02:54 PM - SandraRestorePoint
RP2: 8/3/2009 9:03:07 PM - Installed Alcohol 120% (Trial Version)
RP3: 8/3/2009 9:03:13 PM - Install AnyDVD
RP4: 8/3/2009 9:03:26 PM - Install CloneCD
RP5: 8/3/2009 9:05:18 PM - Installed Adobe Photoshop
RP6: 8/3/2009 9:06:29 PM - Installed Dreamweaver MX 2004
RP7: 8/3/2009 9:07:32 PM - Installed Extension Manager
RP8: 8/3/2009 9:13:26 PM - Installed Macromedia Studio MX 2004
RP9: 8/3/2009 9:08:00 PM - Installed Fireworks
RP10: 8/3/2009 9:08:28 PM - Installed FreeHand
RP11: 8/3/2009 9:09:00 PM - Installed Dreamweaver MX 2004
RP12: 8/3/2009 9:10:00 PM - Installed Extension Manager
RP13: 8/3/2009 9:11:59 PM - Installed Macromedia Flash MX 2004
RP14: 8/3/2009 9:15:07 PM - Installed MSN Messenger 6.2
RP15: 8/3/2009 9:15:20 PM - Installed MSN Messenger 7.0
RP16: 8/3/2009 9:15:30 PM - Removed MSN Messenger 6.2
RP17: 8/3/2009 9:17:14 PM - Installed iTunes4.7
RP18: 8/3/2009 9:17:48 PM - Installed Winamp
RP19: 8/3/2009 9:18:59 PM - Installed Adobe Reader 7.0
RP20: 8/3/2009 9:20:55 PM - Printer Driver Adobe PDF Converter Installed
RP21: 8/3/2009 9:21:40 PM - Installed Microsoft Office Professional Edition 2003
RP22: 8/3/2009 9:24:21 PM - Installed ISScript
RP23: 8/3/2009 9:24:29 PM - Installed CuteFTP 6 Professional
RP24: 8/3/2009 9:26:32 PM - Installed Steganos Security Suite 7.1.3
RP25: 8/3/2009 9:27:05 PM - Installed Symantec AntiVirus
RP26: 8/3/2009 9:28:49 PM - Installed Microsoft .NET Framework 1.1 SP1 with Hotfixes
RP27: 8/3/2009 9:32:29 PM - Installed Norton Ghost
RP28: 8/3/2009 9:33:23 PM - Installed Norton PartitionMagic
RP29: 8/3/2009 9:53:35 PM - Removed Symantec AntiVirus
RP30: 8/4/2009 12:51:16 AM - Removed Sygate Personal Firewall Pro
RP31: 8/4/2009 1:25:08 AM - Installed Sygate Personal Firewall Pro
RP32: 8/4/2009 1:32:33 AM - Installed Java™ 6 Update 14

==== Installed Programs ======================

3DMark03
7-Zip 3.13
ABC (remove only)
AC3Filter (remove only)
Ad-Aware SE Professional
Adobe Acrobat 7.0 Professional
Adobe Photoshop CS
Adobe Reader 7.0
Alcohol 120% (Trial Version)
AnyDVD
AOL Instant Messenger
AquaMark3
Ares 1.8.1
µTorrent
AutoUpdate
Azureus
BitComet 0.57
BitTornado 0.3.10
BlindWrite5
CloneCD
CuteFTP 6 Professional
Diskeeper Professional Edition
DivX Player
DivX Pro Trial
DVD Decrypter (Remove Only)
DVD Shrink 3.2
eMule
ffdshow (remove only)
FlashFXP v3
foobar2000
Gaim-Encryption Plugin (remove only)
Gaim (remove only)
GSpot Codec Information Appliance
GTK+ Runtime 2.4.13 rev a (remove only)
IsoBuster 1.6
iTunes
iTunes4.7
Jasc Paint Shop Pro 9
Java™ 6 Update 14
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash MX 2004
Macromedia FreeHand MXa
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1 SP1 with Hotfixes
Microsoft Office Professional Edition 2003
Morgan M-JPEG codec V3
Motherboard Monitor 5
Mozilla Firefox (3.5.2)
MSN Messenger 7.0
Nero 6 Ultra Edition
NOD32 Antivirus System
Norton Ghost
Norton PartitionMagic
Norton PartitionMagic 8.0
PeerGuardian 2.0
PerfectDisk
QuickTime
SimpLite-MSN 2.1
SiSoftware Sandra Professional 2005 (Win64/32/CE)
Sony DVD Architect 2.0b
Sony Sound Forge 7.0
SoulSeek Client 155
Spy Sweeper
Spybot - Search & Destroy 1.3
Steganos Security Suite 7.1.3
Sun Download Manager 2.0 (web)
Sygate Personal Firewall Pro
UltraISO V7.52 ME
Viewpoint Media Player
WebFldrs XP
Winamp
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

8/4/2009 1:14:48 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/4/2009 1:14:39 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

==== End Of File ===========================


Looks like attachments have been turned off.
I'm guessing you'll want to see new logs from root repeal & OTL.

#9
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello winst0n,

I'm guessing you'll want to see new logs from root repeal & OTL.

Not at present.

Firstly, please go to Start > Control Panel >Add or Remove Programs (Programs and Features if you are a Vista user) and uninstall the following if they exist:

Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Viewpoint Manager is considered to be foistware. You can go to the link below to read about it.

Now

Your Java is out of date; older versions are vulnerable to attack.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Step 2

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to update.

http://www.adobe.com.../readstep2.html

Next

Download Lop S&D by Eric_71 and save it to your desktop.

Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and anti-malware programs so they do not interfere with the running of Lop S&D. You can usually do this via a right click on the System Tray icon.
  • Double-click LopSD.exe
    If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.
  • Choose the language by typing the corresponding letter and press Enter
  • Click OK at the informative window
  • Type 2 to choose Option 2 (Fix + Hosts), then press Enter
  • Wait until the end of the scan
  • A report will be generated, post the contents of it in your next reply.
(Copy of the report can be found at this location: %SystemDrive%\lopR.txt, in most cases C:\lopR.txt)

#10
winst0n

    Member

  • Topic Starter
  • Member
  • 42 posts
So acrobat is now 9.1.
Java™ is 6, update 14.
Viewpoint has been removed.

Next step will be to try to get my ubuntu partition back ...
I might just have to let whatever is in there go and do a fresh install ...

Thank you so much for helping. :)

I don't know if the serious damage to the partitions was from the Malware,
or from my friend being impatient and nowhere near as competent as I had hoped.
I now have 3 winXP options at bootup instead of GRUB. :)

I had to run a whole bunch of random partition tools.
The physical partition info was rewritten.
One of the tools (on the ultimate boot disk) was able to reconstruct the physical from the logical.
Some of them seemed to count differently than others.
Cylinder 1023 or 23175?
Was 1023 just a bogus rewrite of the physical data?
The Head and Sector info seemed fairly consistent.
I have a much better understanding of Primary,Extended (logical subdivision) now.
Not as simple as CDEF after all. :)

At one point I had the following:

     boot   start (H S C)   id   end (H S C)     LBA start   #sectors
0:   80     1  1  0         7    254 63 1023     63          372322377
1:   0      0  1  1023      5    254 63 1023     372322440   252814905

I interpreted this as two partitions with the same endpoints.
Seems much better now.

If there are any other logs or tools you think would be a good idea,
I gather you'll let me know.

Anyway here's LOP:


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : AMD Athlon™ XP 2000+ )
BIOS : Award Modular BIOS v6.0
USER : Administrator ( Administrator )
BOOT : Normal boot
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:177 Go (Free:67 Go)
D:\ (Local Disk) - FAT32 - Total:17 Go (Free:4 Go)
E:\ (USB)
F:\ (Local Disk) - FAT32 - Total:19 Go (Free:8 Go)
G:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [2] ( Wed 08/05/2009| 2:12 )


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ FIX

-
[ Hosts file ] .. Restored!

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Listing folders in APPLIC~1

[07/30/2009|10:28] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> abelhadigital.com
[04/19/2009|06:14] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Adobe
[04/19/2009|06:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Brother
[07/19/2009|08:25] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> dvdcss
[04/23/2009|09:01] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Google
[07/30/2009|12:21] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Help
[04/14/2009|12:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[07/24/2009|06:13] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Leadertech
[06/25/2009|12:20] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> LimeWire
[04/19/2009|06:02] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Macromedia
[07/29/2009|10:10] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Malwarebytes
[07/29/2009|09:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[04/14/2009|12:34] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Mozilla
[07/26/2009|06:13] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Notepad++
[07/03/2009|05:20] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun
[04/26/2009|06:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Ubisoft
[07/30/2009|11:37] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> uTorrent
[06/25/2009|12:06] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> vlc
[05/11/2009|06:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Winamp
[04/14/2009|01:05] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> WinRAR

[08/04/2009|04:08] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Adobe
[08/04/2009|04:42] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> AdobeUM
[08/03/2009|09:17] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Apple Computer
[08/03/2009|09:34] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Identities
[08/03/2009|09:13] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Jasc Software Inc
[08/03/2009|09:15] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Macromedia
[08/04/2009|01:38] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Malwarebytes
[08/04/2009|01:32] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Microsoft
[08/04/2009|12:59] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Mozilla
[08/04/2009|01:22] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Sun
[08/03/2009|09:32] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Symantec
[08/03/2009|10:01] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Talkback
[08/04/2009|04:33] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> uTorrent
[08/03/2009|09:26] C:\DOCUME~1\ADMINI~1.REB\APPLIC~1\<DIR> Webroot

[07/30/2009|10:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> abelhadigital.com
[04/19/2009|06:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[04/18/2009|05:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Brother
[07/29/2009|10:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[07/24/2009|06:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[07/27/2009|07:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> nView_Profiles
[07/30/2009|12:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SecTaskMan
[07/30/2009|01:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy

[08/05/2009|02:04] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Adobe
[08/04/2009|04:06] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Adobe Systems
[08/04/2009|03:16] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Avira
[08/03/2009|09:03] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> DVD Shrink
[08/04/2009|02:36] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> ESET
[08/03/2009|09:14] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> InstallShield
[08/03/2009|09:08] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Macromedia
[08/04/2009|01:38] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Malwarebytes
[08/04/2009|04:49] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Microsoft
[08/03/2009|09:15] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> MSN Messenger 7.0.0425
[08/03/2009|09:26] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Spybot - Search & Destroy
[08/03/2009|09:54] C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\<DIR> Symantec

[05/24/2009|10:53] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Macromedia
[04/14/2009|12:28] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[08/03/2009|08:55] C:\DOCUME~1\DEFAUL~1.WIN\APPLIC~1\<DIR> Microsoft

[07/29/2009|09:44] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[08/03/2009|08:57] C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\<DIR> Microsoft
[08/04/2009|01:35] C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\<DIR> Mozilla

[07/29/2009|09:44] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[08/03/2009|08:57] C:\DOCUME~1\NETWOR~1.NTA\APPLIC~1\<DIR> Microsoft
[08/04/2009|03:31] C:\DOCUME~1\NETWOR~1.NTA\APPLIC~1\<DIR> Mozilla

--------------------\\ Scheduled Tasks located in C:\WINDOWS2\Tasks

[08/05/2009 01:34 AM][--ah-----] C:\WINDOWS2\tasks\SA.DAT
[12/31/2002 01:00 PM][-r-h-----] C:\WINDOWS2\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[08/03/2009|09:32] C:\Program Files\<DIR> 7-Zip
[08/03/2009|09:24] C:\Program Files\<DIR> ABC
[08/03/2009|09:04] C:\Program Files\<DIR> AC3Filter
[08/03/2009|09:19] C:\Program Files\<DIR> Adobe
[07/04/2009|08:50] C:\Program Files\<DIR> AeriaGames
[07/05/2009|10:42] C:\Program Files\<DIR> Age of Wonders II
[08/03/2009|09:04] C:\Program Files\<DIR> Ahead
[08/03/2009|09:14] C:\Program Files\<DIR> AIM
[07/26/2009|02:06] C:\Program Files\<DIR> Alcohol Soft
[08/04/2009|01:16] C:\Program Files\<DIR> Alwil Software
[05/01/2009|08:16] C:\Program Files\<DIR> Analog Devices
[08/03/2009|09:02] C:\Program Files\<DIR> AquaMark3
[07/29/2009|09:43] C:\Program Files\<DIR> Ares
[08/03/2009|09:24] C:\Program Files\<DIR> Ares Lite Edition
[04/14/2009|12:42] C:\Program Files\<DIR> AVG
[08/04/2009|03:16] C:\Program Files\<DIR> Avira
[08/03/2009|09:24] C:\Program Files\<DIR> BitComet
[08/03/2009|09:24] C:\Program Files\<DIR> BitTornado
[04/18/2009|05:43] C:\Program Files\<DIR> Brother
[07/29/2009|09:39] C:\Program Files\<DIR> CCleaner
[08/04/2009|04:06] C:\Program Files\<DIR> Common Files
[04/14/2009|12:25] C:\Program Files\<DIR> ComPlus Applications
[07/27/2009|12:58] C:\Program Files\<DIR> Creative Labs
[08/03/2009|09:04] C:\Program Files\<DIR> DivX
[07/30/2009|12:06] C:\Program Files\<DIR> DNA
[07/30/2009|12:14] C:\Program Files\<DIR> Double Driver
[07/30/2009|12:30] C:\Program Files\<DIR> Driver Sweeper
[08/03/2009|09:03] C:\Program Files\<DIR> DVD Decrypter
[08/03/2009|09:03] C:\Program Files\<DIR> DVD Shrink
[07/24/2009|06:13] C:\Program Files\<DIR> EA Games
[07/27/2009|12:57] C:\Program Files\<DIR> Eidos Interactive
[08/03/2009|09:24] C:\Program Files\<DIR> eMule
[08/04/2009|02:12] C:\Program Files\<DIR> ERUNT
[08/04/2009|02:54] C:\Program Files\<DIR> ESET
[08/03/2009|09:32] C:\Program Files\<DIR> Executive Software
[08/03/2009|09:05] C:\Program Files\<DIR> ffdshow
[07/26/2009|12:20] C:\Program Files\<DIR> Final Fantasy VII
[08/03/2009|09:24] C:\Program Files\<DIR> FlashFXP
[08/03/2009|09:16] C:\Program Files\<DIR> FLStudio4
[08/03/2009|09:16] C:\Program Files\<DIR> foobar2000
[07/30/2009|09:55] C:\Program Files\<DIR> FreeFixer
[08/03/2009|09:01] C:\Program Files\<DIR> Futuremark
[08/03/2009|09:24] C:\Program Files\<DIR> GlobalSCAPE
[05/24/2009|10:53] C:\Program Files\<DIR> Google
[08/03/2009|09:05] C:\Program Files\<DIR> GSpot
[04/14/2009|12:24] C:\Program Files\<DIR> HashTab Shell Extension
[07/30/2009|10:28] C:\Program Files\<DIR> HostsMan
[08/03/2009|09:33] C:\Program Files\<DIR> InstallShield Installation Information
[08/03/2009|08:53] C:\Program Files\<DIR> Internet Explorer
[08/03/2009|09:17] C:\Program Files\<DIR> iPod
[08/03/2009|09:17] C:\Program Files\<DIR> iTunes
[08/03/2009|09:13] C:\Program Files\<DIR> Jasc Software Inc
[08/05/2009|02:07] C:\Program Files\<DIR> Java
[07/18/2009|09:52] C:\Program Files\<DIR> JFDuke3D
[07/30/2009|11:13] C:\Program Files\<DIR> Lavalys
[08/03/2009|09:25] C:\Program Files\<DIR> Lavasoft
[08/03/2009|09:13] C:\Program Files\<DIR> Macromedia
[08/04/2009|01:38] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[04/14/2009|12:24] C:\Program Files\<DIR> Messenger
[08/03/2009|09:22] C:\Program Files\<DIR> Microsoft ActiveSync
[08/03/2009|09:22] C:\Program Files\<DIR> Microsoft Office
[04/14/2009|12:24] C:\Program Files\<DIR> Microsoft PowerToys
[08/03/2009|09:22] C:\Program Files\<DIR> Microsoft.NET
[08/03/2009|09:24] C:\Program Files\<DIR> mIRC
[08/03/2009|09:05] C:\Program Files\<DIR> Morgan
[08/03/2009|09:02] C:\Program Files\<DIR> Motherboard Monitor 5
[08/03/2009|08:52] C:\Program Files\<DIR> Movie Maker
[08/05/2009|01:38] C:\Program Files\<DIR> Mozilla Firefox
[08/03/2009|09:17] C:\Program Files\<DIR> mozilla.org
[07/04/2009|11:12] C:\Program Files\<DIR> MSBuild
[04/14/2009|12:23] C:\Program Files\<DIR> MSN
[04/14/2009|12:24] C:\Program Files\<DIR> MSN Gaming Zone
[08/03/2009|09:15] C:\Program Files\<DIR> MSN Messenger
[08/04/2009|02:05] C:\Program Files\<DIR> NETCheck
[08/03/2009|08:52] C:\Program Files\<DIR> NetMeeting
[07/26/2009|06:13] C:\Program Files\<DIR> Notepad++
[05/01/2009|07:35] C:\Program Files\<DIR> O3
[04/14/2009|12:24] C:\Program Files\<DIR> Online Services
[08/03/2009|08:52] C:\Program Files\<DIR> Outlook Express
[08/03/2009|09:26] C:\Program Files\<DIR> PeerGuardian2
[07/24/2009|04:01] C:\Program Files\<DIR> PowerISO
[08/03/2009|09:17] C:\Program Files\<DIR> QuickTime
[08/03/2009|09:33] C:\Program Files\<DIR> Raxco
[07/04/2009|11:12] C:\Program Files\<DIR> Reference Assemblies
[07/30/2009|12:21] C:\Program Files\<DIR> Security Task Manager
[08/03/2009|09:15] C:\Program Files\<DIR> Secway
[08/03/2009|09:02] C:\Program Files\<DIR> SiSoftware
[08/04/2009|02:56] C:\Program Files\<DIR> SlySoft
[08/03/2009|09:03] C:\Program Files\<DIR> Smart Projects
[08/03/2009|09:17] C:\Program Files\<DIR> Sony
[08/03/2009|09:24] C:\Program Files\<DIR> Soulseek
[08/03/2009|09:26] C:\Program Files\<DIR> Spybot - Search & Destroy
[07/26/2009|12:31] C:\Program Files\<DIR> Square Soft, Inc
[08/03/2009|09:26] C:\Program Files\<DIR> Steganos Security Suite 7
[08/04/2009|01:25] C:\Program Files\<DIR> Sygate
[08/03/2009|09:54] C:\Program Files\<DIR> Symantec
[07/30/2009|09:58] C:\Program Files\<DIR> Trend Micro
[08/03/2009|09:15] C:\Program Files\<DIR> Trillian
[08/03/2009|09:04] C:\Program Files\<DIR> UltraISO
[07/26/2009|12:29] C:\Program Files\<DIR> Uninstall Information
[07/24/2009|05:54] C:\Program Files\<DIR> Unlocker
[07/25/2009|09:21] C:\Program Files\<DIR> uTorrent
[05/03/2009|09:01] C:\Program Files\<DIR> VIA
[06/25/2009|11:38] C:\Program Files\<DIR> VideoLAN
[08/03/2009|09:03] C:\Program Files\<DIR> VSO
[08/03/2009|09:26] C:\Program Files\<DIR> Webroot
[08/03/2009|09:17] C:\Program Files\<DIR> Winamp
[08/03/2009|09:18] C:\Program Files\<DIR> Windows Media Player
[08/03/2009|08:51] C:\Program Files\<DIR> Windows NT
[04/14/2009|12:27] C:\Program Files\<DIR> WindowsUpdate
[08/03/2009|09:33] C:\Program Files\<DIR> WinRAR
[08/03/2009|09:33] C:\Program Files\<DIR> WinZip 9
[07/26/2009|07:34] C:\Program Files\<DIR> XEmacs
[08/03/2009|09:05] C:\Program Files\<DIR> XviD
[08/03/2009|09:15] C:\Program Files\<DIR> Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[08/03/2009|09:20] C:\Program Files\Common Files\<DIR> Adobe
[04/19/2009|06:10] C:\Program Files\Common Files\<DIR> Adobe AIR
[08/04/2009|04:06] C:\Program Files\Common Files\<DIR> Adobe Systems Shared
[08/03/2009|09:04] C:\Program Files\Common Files\<DIR> Ahead
[08/03/2009|09:22] C:\Program Files\Common Files\<DIR> DESIGNER
[08/03/2009|09:04] C:\Program Files\Common Files\<DIR> EZB Systems
[08/03/2009|09:14] C:\Program Files\Common Files\<DIR> GTK
[08/03/2009|09:13] C:\Program Files\Common Files\<DIR> InstallShield
[08/03/2009|09:14] C:\Program Files\Common Files\<DIR> Jasc Software Inc
[06/25/2009|11:17] C:\Program Files\Common Files\<DIR> Java
[08/03/2009|09:10] C:\Program Files\Common Files\<DIR> Macromedia
[08/03/2009|09:07] C:\Program Files\Common Files\<DIR> Macromedia Shared
[08/03/2009|09:22] C:\Program Files\Common Files\<DIR> Microsoft Shared
[04/14/2009|12:26] C:\Program Files\Common Files\<DIR> MSSoap
[04/13/2009|08:22] C:\Program Files\Common Files\<DIR> ODBC
[08/03/2009|09:33] C:\Program Files\Common Files\<DIR> Raxco
[04/14/2009|12:26] C:\Program Files\Common Files\<DIR> Services
[04/13/2009|08:22] C:\Program Files\Common Files\<DIR> SpeechEngines
[08/03/2009|09:54] C:\Program Files\Common Files\<DIR> Symantec Shared
[08/03/2009|09:21] C:\Program Files\Common Files\<DIR> System
[08/04/2009|01:24] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 32 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-05 02:14:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\ADMINI~1.REB\Recent\Avast.Pro.4.7.keygen-SND.zip.lnk


[F:24][D:4]-> C:\DOCUME~1\ADMINI~1.REB\LOCALS~1\Temp
[F:11][D:0]-> C:\DOCUME~1\ADMINI~1.REB\Cookies
[F:207][D:4]-> C:\DOCUME~1\ADMINI~1.REB\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Wed 08/05/2009| 2:14 - Option : [2]

--------------------\\ Scan completed at 2:14:48


#11
winst0n (Member, Topic Starter, 42 posts)
hopefully my partition notes are comprehensible with dashes and dots ...


     Boot | Start  H   S    C | Id | End  H   S    C | LBA start | # sectors
  0:  80  |        1   1    0 |  7 |    254  63 1023 |        63 | 372322377
  1:   0  |        0   1 1023 |  5 |    254  63 1023 | 372322440 | 252814905

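A consistency check over the two partition entries posted above, as an added example that is not the poster's own tool: it converts the CHS fields to LBA, notes where the cylinder value is pinned at 1023 (so only the LBA columns are trustworthy), and checks the boot flag and for overlap. It assumes the common BIOS geometry of 255 heads per cylinder and 63 sectors per track, which the post does not state.

```python
"""Consistency check of the MBR partition entries transcribed from the post above.
Added example (not the poster's tool); assumes 255 heads/cylinder and 63 sectors/track."""
HEADS_PER_CYL = 255   # assumed BIOS geometry
SECS_PER_TRACK = 63   # assumed BIOS geometry
CHS_CYL_CAP = 1023    # largest value the 10-bit CHS cylinder field can hold

# Transcribed from the post: (boot flag, start (H,S,C), type id, end (H,S,C), LBA start, sectors).
# Type 0x07 is NTFS/IFS, 0x05 an extended container.
ENTRIES = [
    (0x80, (1, 1, 0),    0x07, (254, 63, 1023), 63,        372322377),
    (0x00, (0, 1, 1023), 0x05, (254, 63, 1023), 372322440, 252814905),
]

def chs_to_lba(h, s, c):
    """Classic CHS -> LBA conversion; sector numbers are 1-based within a track."""
    return (c * HEADS_PER_CYL + h) * SECS_PER_TRACK + (s - 1)

def chs_matches(chs, lba):
    """True/False when the CHS tuple is comparable with the LBA value; None when
    the cylinder is pinned at 1023 (past the ~8 GB CHS limit), so only LBA counts."""
    h, s, c = chs
    if c >= CHS_CYL_CAP:
        return None
    return chs_to_lba(h, s, c) == lba

def analyse(entries):
    """Per-entry CHS/LBA agreement plus table-level boot-flag and overlap checks."""
    rows = []
    for boot, start, type_id, end, lba_start, sectors in entries:
        lba_end = lba_start + sectors - 1
        rows.append({
            "bootable": boot == 0x80,
            "type_id": type_id,
            "start_chs_ok": chs_matches(start, lba_start),
            "end_chs_ok": chs_matches(end, lba_end),
            "lba_start": lba_start,
            "lba_end": lba_end,
            "size_gib": round(sectors * 512 / 2**30, 1),
        })
    ordered = sorted(rows, key=lambda r: r["lba_start"])
    overlaps = [(a["lba_start"], b["lba_start"]) for a, b in zip(ordered, ordered[1:])
                if b["lba_start"] <= a["lba_end"]]
    return {"entries": rows, "overlaps": overlaps,
            "one_bootable": sum(r["bootable"] for r in rows) == 1}

if __name__ == "__main__":
    for i, row in enumerate(analyse(ENTRIES)["entries"]):
        print(i, row)
```

The second entry starts exactly one sector after the first ends, so the two LBA ranges are contiguous even though every CHS end field is pinned at cylinder 1023.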

#12
emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Please run the MGA Diagnostic Tool and post back the report it produces:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.


#13
winst0n (Member, Topic Starter, 42 posts)
So I guess this patch isn't all it's cracked up to be. :)
I'll try a new one ...

Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Cryptographic Errors Detected
Validation Code: 0

Cached Validation Code: N/A
Windows Product Key: *****-*****-T4YDB-PB6DG-JPKMJ
Windows Product Key Hash: kLpNTgYGTsUYia9HU4fgu7ASyNA=
Windows Product ID: 55274-640-1011873-23976
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {505668E9-A464-4FE9-8CF9-F56CC07E79B2}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.9.40.0
Signed By: N/A, hr = 0x80004005
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic:

025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2ee2_E2AD56EA-148-80004005_16E0B333-89-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: N/A, hr = 0x80004005
WgaLogon.dll Signed By: N/A, hr = 0x80004005

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS2\system32\ntoskrnl.exe[5.1.2600.2180]
File Mismatch: C:\WINDOWS2\system32\syssetup.dll[5.1.2600.2180]

Other data-->
Office Details:

<GenuineResults>
  <MachineData>
    <UGUID>{505668E9-A464-4FE9-8CF9-F56CC07E79B2}</UGUID>
    <Version>1.9.0011.0</Version>
    <OS>5.1.2600.2.00010100.2.0.pro</OS>
    <Architecture>x32</Architecture>
    <PKey>*****-*****-*****-*****-JPKMJ</PKey>
    <PID>55274-640-1011873-23976</PID>
    <PIDType>1</PIDType>
    <SID>S-1-5-21-789336058-583907252-682003330</SID>
    <SYSTEM><Manufacturer>System Manufacturer</Manufacturer><Model>System Name</Model></SYSTEM>
    <BIOS>
      <Manufacturer>Award Software, Inc.</Manufacturer>
      <Version>ASUS A7V8X-X ACPI BIOS Revision 1013</Version>
      <SMBIOSVersion major="2" minor="3"/>
      <Date>20040902000000.000000+000</Date>
    </BIOS>
    <HWID>A6E6376F01842069</HWID>
    <UserLCID>0409</UserLCID>
    <SystemLCID>0409</SystemLCID>
    <TimeZone>GMT Standard Time(GMT+00:00)</TimeZone>
    <iJoin>0</iJoin>
    <SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID>
    <OEM/>
    <GANotification>
      <File Name="WgaTray.exe" Version="1.9.40.0"/>
      <File Name="WgaLogon.dll" Version="1.9.40.0"/>
    </GANotification>
  </MachineData>
  <Software>
    <Office>
      <Result>114</Result>
      <Products>
        <Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}">
          <LegitResult>114</LegitResult>
          <Name>Microsoft Office Professional Edition 2003</Name>
          <Ver>11</Ver>
          <Val>59D1605114E3500</Val>
          <Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash>
          <Pid>73931-640-0000106-57598</Pid>
          <PidType>14</PidType>
        </Product>
      </Products>
      <Applications>
        <App Id="15" Version="11" Result="114"/>
        <App Id="16" Version="11" Result="114"/>
        <App Id="18" Version="11" Result="114"/>
        <App Id="19" Version="11" Result="114"/>
        <App Id="1A" Version="11" Result="114"/>
        <App Id="1B" Version="11" Result="114"/>
        <App Id="44" Version="11" Result="114"/>
      </Applications>
    </Office>
  </Software>
</GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 13550:ASUSTeK Computer Inc
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

#14
emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
I am not a tech but I understand there are a number of reasons this response from WGA can happen. The one I think most likely for your machine is that system files are corrupted.

Try this:

Please run System File Checker, to make sure your protected files are not corrupt.

The scan will automatically replace any corrupt files that it finds.

Click Start
Select Run
At the prompt, type sfc /scannow (please note that there is a single space between sfc and /scannow).

Typing this will start the program, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens, please make sure that you can view protected files:
My Computer
Tools
Folder Options
View
"Uncheck" Hide protected operating system files.

Then rerun the scan.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.

Also, please rehide the protected files:
My Computer
Tools
Folder Options
View
"Check" Hide protected operating system files.

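A small triage of an MGADiag report, as an added example that is neither MGADiag's nor the thread's own code: it runs over a constructed excerpt of the lines quoted in #13, decodes the two hr codes that recur in the report (0x80004005 is E_FAIL, 0x80070002 is ERROR_FILE_NOT_FOUND), lists the protected-file mismatches, and flags the combination that #14 attributes to corrupted system files and answers with sfc /scannow.

```python
"""Triage of an MGADiag report (added example, not MGADiag's or the thread's code).
SAMPLE is a constructed excerpt built from lines quoted in post #13."""
import re

SAMPLE = """\
Validation Status: Cryptographic Errors Detected
Windows OS version: 5.1.2600.2.00010100.2.0.pro
Signed By: N/A, hr = 0x80004005
WgaTray.exe Signed By: N/A, hr = 0x80004005
OGAExec.exe Signed By: N/A, hr = 0x80070002
File Mismatch: C:\\WINDOWS2\\system32\\ntoskrnl.exe[5.1.2600.2180]
File Mismatch: C:\\WINDOWS2\\system32\\syssetup.dll[5.1.2600.2180]
"""

# Standard Windows HRESULTs that recur in WGA/OGA output.
HRESULT_NAMES = {
    0x80004005: "E_FAIL",                # unspecified failure
    0x80070002: "ERROR_FILE_NOT_FOUND",  # component not present on this machine
}

HR_LINE = re.compile(r"^(?P<item>.+?): N/A, hr = 0x(?P<hr>[0-9A-Fa-f]{8})$")
MISMATCH_LINE = re.compile(r"^File Mismatch: (?P<path>.+)\[(?P<version>[\d.]+)\]$")

def triage(report_text):
    """Collect the validation status, decoded hr failures and protected-file
    mismatches, and flag the combination post #14 reads as corrupted system files."""
    result = {"status": None, "hr_failures": [], "mismatches": []}
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.startswith("Validation Status:"):
            result["status"] = line.split(":", 1)[1].strip()
            continue
        m = HR_LINE.match(line)
        if m:
            code = int(m["hr"], 16)
            result["hr_failures"].append((m["item"], HRESULT_NAMES.get(code, f"0x{code:08X}")))
            continue
        m = MISMATCH_LINE.match(line)
        if m:
            result["mismatches"].append((m["path"], m["version"]))
    # Cryptographic errors together with mismatched protected files is what an
    # integrity scan (sfc /scannow, as advised in #14) is meant to repair.
    result["suggest_sfc"] = ("Cryptographic" in (result["status"] or "")
                             and bool(result["mismatches"]))
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```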

#15
winst0n (Member, Topic Starter, 42 posts)
Problem starting to get easier to handle.
I now have 5 different windows directories.
2 different ubuntu linux partitions.
9.04 is looking pretty slick.
Still can't make a GRUB disk using command line.
Had a nervous experience with gpart;
(couldn't mount a hard disk to back the partitions up either.)
So once Win is clean enough, I'll risk GRUBing the MBR from CD again.
(A difficult thing for my limited knowledge and experience.)
As there is nothing other than updated packages in the 9.04 distro,
I can hopefully simply reinstall it without damaging the old 8.04 ...
reGRUBing the MBR in the process.
I'm still not sure why win was hanging on boot.
Will try more patches after I have done the do this first stuff (a third time),
and then the additional procedures you mentioned.
SFC seems hooped, thank you for pointing the util out.
For now I have a firewall running so I just hope these problems are contained to my machine.

Malwarebytes found two unnecessary ndis.sys files in a previous attempt at a winstall (identified as Rootkit.Protector)

I disabled the ndisuio.sys on the advice of someone who thought you only needed it to handle wireless comm.

winlogon.exe seems jacked ... I turned the systembeep off in the firewall as requested by my wife.

Email and we can discuss firewall security flags in detail if you like.