PUP.InfoAtoms + one redirect[Solved]



#16 Dakeyras (Anti-Malware Mammoth, Expert, 9,772 posts)

Hi. :)

Thanks for your advice, I'm glad I can protect my tablet and USB drives.

Good and you're welcome!

It's an old machine and it runs rather slowly, not certain if it is due to age or malware

We can see what can be done about this in due course. Though upgrading the presently installed RAM (random access memory) would probably improve matters also:-

1021.98 Mb Total Physical Memory | 415.96 Mb Available Physical Memory | 40.70% Memory free

As it stands not too bad, but the more the better; what any one machine is capable of supporting is actually ideal overall. Crucial have a small scanner (CrucialScan.exe) which is perfectly safe to download and run, and which will advise if your system can support any upgraded memory modules.

MBAM found and quarantined/deleted this recently:
C:\Documents and Settings\Administrator\Local Settings\TempDIR\BetterInstaller.exe (PUP.BundleInstaller.Somoto)

Not that bad in the great scheme of things, and merely what is known as a potentially unwanted program, but still borderline nefarious nonetheless; we can check more in-depth later on.

Afterward, Avira quarantined:
C:\System Volume Information\_restore{211BA828-A636-4C8F-83E0-74A5DF7A930B}\RP466\A0049404.exe
[DETECTION] Is the TR/Drop.Softomat.AN Trojan

It has flagged then quarantined an actual System Restore point that became infected. Not necessarily a bad thing, as even an infected one can be invoked in theory, but in this instance it will most likely be no longer accessible. Not a real cause for concern, I will further add. Plus when I give the all clear we will be resetting the aforementioned anyway.

Now with regard to Avira, it would probably be a good idea to uninstall that and replace it with an alternative which has a lesser footprint on system resources overall but still provides more than adequate protection. This is your choice, and if you wish to keep Avira installed on this XP machine that is absolutely fine by me; just let me know what you wish to do.

Another issue that has persisted is on occasion, the Windows display theme reverts from Windows Classic to Windows XP style. This only happens sometimes, after either a system update/restart or program uninstall followed by a restart.

Acknowledged.

Next:

Could you post the contents of the OTL extras.txt please for my review, it should be on the desktop.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double-click on erunt-setup.exe to install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Create a System Restore point:

  • Click on Start >> All Programs >> Accessories >>System Tools >> System Restore
  • Select Create a restore point >> Next >> type a name like GTG Backup for example then click on Create >> Close
Check Hard Disk For Errors:

Click on Start >> Run... then copy/paste the following command into the box and click on OK:

cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
A blank command window will open on your desktop, then close in a few minutes. This is normal.

A file icon named checkhd.txt should appear on your desktop. Please post the contents of this file in your next reply.

Scan with aswMBR:

Please download aswMBR.exe to your desktop.

  • Double-click on aswMBR.exe to run it.
  • When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
  • Now click on the Scan button to start the scan.
  • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
Note: There will also be a file on your desktop named MBR.dat (or similar); do not delete this for now, it is an actual backup of the MBR (master boot record).

Next:

When completed the above, please post back the following in the order asked for:

  • Do you wish to keep Avira installed or not ?
  • Was the Registry Backup & System Restore Point creation successful ?
  • OTL Extras Log.
  • Check Hard Disk For Errors Log.
  • aswMBR Log.
Note: Post all requested logs separately if you so wish.



#17 Sonnet29 (Topic Starter, Member, 31 posts)

I'd prefer not to use Avira if there are good alternatives. The registry backup and system restore point creation were successful.

Here is the OTL Extras Log:

OTL Extras logfile created on: 2/16/2013 4:49:44 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.98 Mb Total Physical Memory | 415.96 Mb Available Physical Memory | 40.70% Memory free
2.41 Gb Paging File | 1.71 Gb Available in Paging File | 70.89% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINXP | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 129.13 Gb Free Space | 86.64% Space Free | Partition Type: NTFS

Computer Name: JESS-DELL | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"58795:TCP" = 58795:TCP:*:Enabled:Pando Media Booster
"58795:UDP" = 58795:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"58795:TCP" = 58795:TCP:*:Enabled:Pando Media Booster
"58795:UDP" = 58795:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Pidgin\pidgin.exe" = C:\Program Files\Pidgin\pidgin.exe:*:Enabled:Pidgin -- (The Pidgin developer community)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service -- (Apple Inc.)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.1 (r518)
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java™ 6 Update 22
"{26A24AE4-039D-4CA4-87B4-2F83216030FF}" = Java™ 6 Update 30
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.1
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CF4A37B-A8C4-44D7-8C53-13B9D9594BB2}" = Paint.NET v3.5.8
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7E19604-93AF-4611-8C9F-CE509C2B286F}_is1" = Free YouTube Downloader 3.5.128
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.5)
"{B4E343DD-BAAB-4D59-AD9C-DEA0AFE09DF1}" = Mumble 1.2.3
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D952C4F9-2488-3723-84BE-1BFA907DCAC9}" = Google Talk Plugin
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{EA2DB6E0-72C5-4ef9-A3A0-E6705F4A6A9E}" = Nexon Game Manager
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"7-Zip" = 7-Zip 4.57
"Adobe AIR" = Adobe AIR
"Avira AntiVir Desktop" = Avira Free Antivirus
"DAEMON Tools Lite" = DAEMON Tools Lite
"DMX5_is1" = DriverMax 5
"Mabinogi" = Mabinogi
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft.Net.Client.3.5" = Microsoft .NET Framework Client Profile
"MSNINST" = MSN
"Pidgin" = Pidgin
"PROSet" = Intel® PRO Network Adapters and Drivers
"Revo Uninstaller" = Revo Uninstaller 1.92
"Steam App 105600" = Terraria
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR 4.01 (32-bit)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 11/6/2012 1:57:42 AM | Computer Name = JESS-DELL | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 22.0.1229.94, faulting module
chrome.dll, version 22.0.1229.94, fault address 0x00557c64.

Error - 11/16/2012 1:36:35 PM | Computer Name = JESS-DELL | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 23.0.1271.64, faulting module
chrome.dll, version 23.0.1271.64, fault address 0x0056733a.

Error - 11/17/2012 9:59:55 AM | Computer Name = JESS-DELL | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 23.0.1271.64, faulting module
chrome.dll, version 23.0.1271.64, fault address 0x0056733a.

Error - 12/17/2012 8:17:46 PM | Computer Name = JESS-DELL | Source = Application Error | ID = 1000
Description = Faulting application skype.exe, version 6.0.0.126, faulting module
kernel32.dll, version 5.1.2600.5781, fault address 0x0000984e.

Error - 12/19/2012 12:40:39 PM | Computer Name = JESS-DELL | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 23.0.1271.97, faulting module
chrome.dll, version 23.0.1271.97, fault address 0x0056f383.

Error - 1/24/2013 2:38:02 AM | Computer Name = JESS-DELL | Source = Application Hang | ID = 1002
Description = Hanging application googletalk.exe, version 1.0.0.104, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/31/2013 11:04:09 PM | Computer Name = JESS-DELL | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 24.0.1312.56, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/3/2013 4:15:06 PM | Computer Name = JESS-DELL | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 24.0.1312.57, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/3/2013 10:34:26 PM | Computer Name = JESS-DELL | Source = Application Hang | ID = 1002
Description = Hanging application googletalk.exe, version 1.0.0.104, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/3/2013 10:34:29 PM | Computer Name = JESS-DELL | Source = Application Hang | ID = 1002
Description = Hanging application googletalk.exe, version 1.0.0.104, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/16/2013 4:56:29 PM | Computer Name = JESS-DELL | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 7A7900000000. The following
error occurred: %%121. Your computer will continue to try and obtain an address on
its own from the network address (DHCP) server.

Error - 2/16/2013 5:02:56 PM | Computer Name = JESS-DELL | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 7A7900000000. The following
error occurred: %%121. Your computer will continue to try and obtain an address on
its own from the network address (DHCP) server.

Error - 2/16/2013 5:09:11 PM | Computer Name = JESS-DELL | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 7A7900000000. The following
error occurred: %%121. Your computer will continue to try and obtain an address on
its own from the network address (DHCP) server.

Error - 2/16/2013 5:15:34 PM | Computer Name = JESS-DELL | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 7A7900000000. The following
error occurred: %%121. Your computer will continue to try and obtain an address on
its own from the network address (DHCP) server.

Error - 2/16/2013 5:22:14 PM | Computer Name = JESS-DELL | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 7A7900000000. The following
error occurred: %%121. Your computer will continue to try and obtain an address on
its own from the network address (DHCP) server.

Error - 2/16/2013 5:24:39 PM | Computer Name = JESS-DELL | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 2/16/2013 5:24:39 PM | Computer Name = JESS-DELL | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 2/16/2013 5:28:22 PM | Computer Name = JESS-DELL | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 7A7900000000. The following
error occurred: %%121. Your computer will continue to try and obtain an address on
its own from the network address (DHCP) server.

Error - 2/16/2013 5:35:32 PM | Computer Name = JESS-DELL | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 2/16/2013 5:35:32 PM | Computer Name = JESS-DELL | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053


< End of report >


Check Hard Disk For Errors Log:

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is recovering lost files.
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

156280288 KB total disk space.
20674780 KB in 41046 files.
12952 KB in 4753 indexes.
0 KB in bad sectors.
126848 KB in use by the system.
65536 KB occupied by the log file.
135465708 KB available on disk.

4096 bytes in each allocation unit.
39070072 total allocation units on disk.
33866427 allocation units available on disk.


aswMBR Log:

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-17 14:19:16
-----------------------------
14:19:16.375 OS Version: Windows 5.1.2600 Service Pack 3
14:19:16.375 Number of processors: 1 586 0x209
14:19:16.375 ComputerName: JESS-DELL UserName:
14:19:16.796 Initialize success
14:19:49.531 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:19:49.531 Disk 0 Vendor: WDC_WD1600AAJB-00PVA0 00.07H00 Size: 152627MB BusType: 3
14:19:49.546 Disk 0 MBR read successfully
14:19:49.546 Disk 0 MBR scan
14:19:49.562 Disk 0 Windows XP default MBR code
14:19:49.562 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
14:19:49.562 Disk 0 scanning sectors +312560640
14:19:49.625 Disk 0 scanning C:\WINXP\system32\drivers
14:19:53.328 Service scanning
14:20:01.015 Modules scanning
14:20:05.656 Disk 0 trace - called modules:
14:20:05.687 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys
14:20:05.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86364ab8]
14:20:05.687 3 CLASSPNP.SYS[f74d7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86387b00]
14:20:06.078 Scan finished successfully
14:20:31.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
14:20:31.953 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
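A worked example, added here and not part of the thread or of the aswMBR tool: Dakeyras noted that MBR.dat is a raw backup of the master boot record, and the aswMBR log above reports Windows XP default MBR code and a single active NTFS partition at offset 63 of 152617 MB. The Python below parses a 512-byte MBR image, validates the 55 AA boot signature, decodes the four partition entries, checks them against that reported layout, and hashes the 446-byte boot-code region so two MBR.dat backups (for instance one saved before and one after cleanup) can be compared for a rewritten boot sector. The sample image is constructed, with zeroed boot code rather than the real XP code; the expected offset and size come from the aswMBR log, and the sector count 312560577 is an assumption derived from chkdsk's 156280288 KB volume plus the one sector NTFS reserves at the end, which is consistent with the "scanning sectors +312560640" line in the log.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIG = 0xAA55          # bytes 55 AA at offset 510 of a valid MBR
PT_OFFSET = 446            # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
TYPE_NTFS = 0x07


def build_sample_mbr() -> bytes:
    """Constructed sample image (not the thread's MBR.dat): zeroed boot code plus one
    active NTFS partition laid out as the aswMBR log reported (offset 63, 152617 MB)."""
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", TYPE_NTFS, b"\xfe\xff\xff",
                        63, 312560577)
    mbr = bytearray(SECTOR)
    mbr[PT_OFFSET:PT_OFFSET + 16] = entry
    mbr[510:512] = struct.pack("<H", BOOT_SIG)
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> dict:
    """Validate the boot signature, decode the partition table, hash the boot code."""
    if len(mbr) < SECTOR:
        raise ValueError("image is shorter than one sector")
    sig = struct.unpack_from("<H", mbr, 510)[0]
    if sig != BOOT_SIG:
        raise ValueError(f"bad boot signature 0x{sig:04X}, expected 0xAA55")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue                       # empty slot
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
            "lba_end": lba + count,        # first sector after the partition
        })
    return {"boot_code_sha256": hashlib.sha256(mbr[:PT_OFFSET]).hexdigest(),
            "partitions": parts}


def check_layout(parsed: dict, expect_offset: int = 63, expect_size_mb: int = 152617) -> list:
    """Findings against the layout aswMBR reported; an empty list means it matches."""
    findings = []
    parts = parsed["partitions"]
    if not parts:
        return ["empty partition table"]
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    first = parts[0]
    if first["type"] != TYPE_NTFS:
        findings.append(f"partition 1 type 0x{first['type']:02X}, expected NTFS 0x07")
    if first["lba_start"] != expect_offset:
        findings.append(f"partition 1 starts at LBA {first['lba_start']}, expected {expect_offset}")
    if first["size_mb"] != expect_size_mb:
        findings.append(f"partition 1 is {first['size_mb']} MB, expected {expect_size_mb}")
    for a, b in zip(parts, parts[1:]):
        if b["lba_start"] < a["lba_end"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


def boot_code_changed(before: bytes, after: bytes) -> bool:
    """True if the 446-byte boot-code region differs between two MBR backups."""
    return parse_mbr(before)["boot_code_sha256"] != parse_mbr(after)["boot_code_sha256"]


if __name__ == "__main__":
    # To inspect the real backup instead: parse_mbr(open("MBR.dat", "rb").read())
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        print(p)
    print("findings:", check_layout(info) or "none")
```

The partition-table checks catch a rewritten or overlapping table; the boot-code hash is what matters for an MBR bootkit, which replaces the 446 bytes of code while leaving the table intact, so keep the MBR.dat saved now and compare it against a fresh dump after any further fix.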

#18 godawgs (Teacher, Retired Staff, 8,228 posts)

Hi Sonnet29,

My name is godawgs. Dakeyras has asked me to step in for him as he will be away from the board for the next few days. So if it's ok with you we will start on this system.

The slowness can be caused by a combination of things. The longer an operating system remains on a computer the slower it gets, due to all of the updates that have been installed, the programs running at start up, malware... there are many factors.

The aswMBR scan is clean so the master boot record shows OK. There isn't a lot in the OTL scan, but I see a couple of suspicious looking items that we will have scanned.

I noticed that you have had Pando Media Booster installed on this machine at one time but I don't see evidence of it in the Add/Remove Programs list. Did you uninstall it?

The Hard Drive check shows problems with the file system. I want to check the questionable items then remove anything that doesn't belong with an OTL fix. Then we will address the chkdsk problem.


Step-1.

Virustotal File Upload:

To use Virustotal go Here
  • Click the Choose File button in the middle of the screen. This will open a File Upload window.
  • On the File Upload window, in the File name box, type, or copy and paste the following and click Open:
    NOTE.. Only one file per scan

    C:\WINXP\System32\e100bmsg.dll
    C:\WINXP\System32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll

  • This will put the file in the box on the Virustotal page.
  • Click the Scan it! button.
  • Please be patient while the file is scanned. It may take several minutes.
  • Once the scan results appear, please provide them in your next reply, or copy and paste the Virustotal link(s) (URL) in your next reply
  • Repeat 1 thru 6 for each file listed.

Step-2

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. Answer my question about Pando
2. The VirusTotal results or links to the results.
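godawgs spotted the Pando Media Booster firewall exceptions with no matching Add/Remove Programs entry by reading the OTL log by eye. The following is an added example, not code from the thread or from OTL itself, that automates that cross-check: it parses the section / registry key / value layout OTL Extras uses, collects the display names from the uninstall list, and flags enabled XP firewall exceptions whose program cannot be matched to an installed product, plus globally open ports whose scope is `*` (any remote address). SAMPLE_LOG is a constructed excerpt of the log posted above, trimmed to a few entries; the first-word name-matching heuristic is an assumption of this example and its output still needs a human look.

```python
import re

# Constructed excerpt of the OTL Extras log posted above (three sections, trimmed).
SAMPLE_LOG = r"""
========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"58795:TCP" = 58795:TCP:*:Enabled:Pando Media Booster
"58795:UDP" = 58795:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.1
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")      # ========== Name ==========
REGKEY_RE = re.compile(r"^\[(.+)\]$")           # [HKEY_...]
VALUE_RE = re.compile(r'^"(.+?)" = (.*)$')      # "name" = data


def parse_otl_extras(text: str) -> dict:
    """Return {section: {registry key: {value name: value data}}}."""
    data, section, regkey = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, regkey = m.group(1), None
            data.setdefault(section, {})
        elif (m := REGKEY_RE.match(line)) and section:
            regkey = m.group(1)
            data[section].setdefault(regkey, {})
        elif (m := VALUE_RE.match(line)) and regkey:
            data[section][regkey][m.group(1)] = m.group(2)
    return data


def installed_names(data: dict) -> list:
    """Lower-cased display names from every Uninstall section."""
    names = []
    for section, keys in data.items():
        if "Uninstall List" in section:
            for values in keys.values():
                names.extend(v.lower() for v in values.values())
    return names


def _looks_installed(label: str, names: list) -> bool:
    """Heuristic (assumption): the first word of the rule label, minus ™/® and a
    trailing .exe, appears in some uninstall display name."""
    words = re.sub(r"[™®]", "", label).lower().split()
    token = words[0] if words else label.lower()
    if token.endswith(".exe"):
        token = token[:-4]
    return any(token in n for n in names)


def _profile(regkey: str) -> str:
    return "DomainProfile" if "\\DomainProfile" in regkey else "StandardProfile"


def audit_firewall(data: dict) -> list:
    """Flag enabled XP firewall exceptions that open a port to any remote address
    or belong to software absent from the uninstall list."""
    names = installed_names(data)
    findings = []
    for regkey, values in data.get("Firewall Settings", {}).items():
        for entry in values.values():                      # port:proto:scope:state:label
            port, proto, scope, state, label = entry.split(":", 4)
            if state.lower() != "enabled":
                continue
            problems = []
            if scope == "*":
                problems.append("open to any remote address")
            if not _looks_installed(label, names):
                problems.append("no matching entry in the uninstall list")
            if problems:
                findings.append({"profile": _profile(regkey), "rule": f"{port}/{proto}",
                                 "label": label, "problems": problems})
    for regkey, values in data.get("Authorized Applications List", {}).items():
        for path, entry in values.items():                 # path:scope:state:label -- (company)
            if path.lower().startswith("%windir%"):
                continue                                   # OS component; label is a resource string
            rest = entry[len(path):] if entry.lower().startswith(path.lower()) else entry
            _, scope, state, tail = rest.split(":", 3)
            label = tail.split(" -- ")[0]
            if state.lower() == "enabled" and not _looks_installed(label, names):
                findings.append({"profile": _profile(regkey), "rule": path, "label": label,
                                 "problems": ["no matching entry in the uninstall list"]})
    return findings


if __name__ == "__main__":
    for f in audit_firewall(parse_otl_extras(SAMPLE_LOG)):
        print(f["profile"], f["rule"], f["label"], "->", "; ".join(f["problems"]))
```

Run against the full Extras.txt the same way. The two Pando rules are the expected hits: the product was removed with Revo, but the firewall exceptions it registered stayed behind, and a port left open to any remote address for a program that no longer exists is exactly the kind of leftover worth deleting (or re-examining if the binary reappears).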

#19 Sonnet29 (Topic Starter, Member, 31 posts)

Hello godawgs, I uninstalled Pando Media Booster the other day with Revo Uninstaller.

Here are the VirusTotal results:

https://www.virustot...sis/1361386506/
https://www.virustot...sis/1361386748/

#20 godawgs (Teacher, Retired Staff, 8,228 posts)

Hello,

Avira free does not have a firewall and I didn't see the Windows firewall running in the OTL log so let's make sure it is turned on.

To enable Windows Firewall, follow these steps:

  • Click Start, click Run, type Firewall.cpl, and then click OK.
  • On the General tab, click On (recommended).
  • Click OK and close the firewall window.


    JAVA Advice

    WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
    See this article and this article.
    I would recommend that you completely uninstall Java unless you need it to run an important software or need it to play games on-line.
    In that instance I would recommend that you only use Firefox or Chrome to visit those sites and do the following:
  • For Firefox, install the NoScript add-on.
  • For Chrome, install the Script-No add-on.
    NOTE: After installing the add-ons you will need to tell them that the site you are visiting is allowed to run Java.
  • Disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser or How to unplug Java from the browser)

A.
If you still want to update your Java, follow the instructions below:

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java components and update:

  • Download the latest version of the Java Runtime Environment (JRE) Version from Here or Here and save it to your desktop.
  • Look for "Java Platform, Standard Edition". You will see the current Java version and update number listed under the heading. Example: The newest update is Java SE 7u15
  • Click the "Download JRE" button to the right.
  • On the JSE Downloads page, click the button to "Accept License Agreement".
  • Under the Java SE Runtime Environment 7u15 heading:
  • For Windows 32 bit systems, look for Windows x86 Offline 30.05MB, click the jre-7u15-windows-i586.exe file and save it to your desktop. Do Not run it from the Java site.
  • Close any programs you may have running - especially your web browser.

B.
Uninstall all versions of Java

  • Click Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Click to (highlight) any Java item. These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE or J2SE
    The versions I see on the computer are:
    Java™ 6 Update 22
    Java™ 6 Update 30
    Java Auto Updater
  • Click the Remove or Change/Remove button and follow the on screen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
    -- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

C.
Install the latest JAVA

  • Back on your desktop double-click on the jre-7u15-windows-i586.exe file to install the newest version.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version. It's on the Update tab in Java in the Control Panel.

[Note:] The Java Quick Starter (JQS.exe) adds a service to improve the initial start up time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > You will have to be in Classic View to see Java(It looks like a coffee cup). Double-click on Java click the Advanced Tab click Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.


Next we are going to back up the registry. But on this machine with Windows XP we will use a different program.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry with ERUNT
Removing modern malware infections often requires making changes to the registry, and a corrupt registry can prevent a system from booting. ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed. Compatible with Windows NT, 2000, 2003, XP, Vista, Windows 7, 32 & 64-bit versions.
1. Download ERUNT
2. Double-click erunt_setup.exe to run.
3. Follow the prompts and install using the default configuration:
a. Select your preferred Setup language.

b. At the Setup screen click Next.

c. Accept the default destination folder by clicking Next.

d. Accept the default Start Menu Folder by clicking Next.

e. On the Select Additional Tasks Window, click Create ERUNT desktop icon only. Do Not check the Create NTREGOPT desktop icon. Then click Next.

f. Ready to Install. The Create NTREGOPT desktop icon will not be on the list. Click the Install button.

g. Say No to the portion that asks you to add ERUNT to the start-up folder; if you like, you can enable this option later.

h. Setup has completed. Tick the check boxes to Show documentation, or Launch ERUNT. Click Finish.
4. Click OK to start ERUNT

5. Choose a location for the backup

The default location C:\WINDOWS\ERDNT\[today's date] is preferred


6. The first two check boxes are ticked by default (System registry and Current user registry).
7. Press OK

8. When prompted, click YES to create a new folder.

9. Progress bars will show backup status.

10. A confirmation window will pop up when complete.

11. Click Ok to close.
There is a Readme.txt file in the C:\Program Files\ERUNT folder that explains the program.

Now I want to disable the Avira Host File Protection. When we are finished here, I or Dakeyras will help you uninstall Avira and install an AV program with a smaller footprint, one that uses fewer system resources.

Temp' Disable Avira Host File Protection:

  • Right-click on the system tray icon for Avira >> Configure Avira Free Antivirus
  • Once the GUI (graphical user interface) has appeared/loaded >> click on Expert mode >> General >> Security
  • Now de-select the option under the System Protection heading: Protect Windows hosts file from changes >> Apply >> OK
Note: You may re-enable the above after running the custom OTL script below. If Avira warns about the modification afterwards, merely acknowledge/allow it etc.

Now we will run an OTL fix to remove the things I found in the OTL log. The following items are running when Windows starts up. These are valid entries, but they are classified as 'not required'. Typically, these entries are infrequently used tasks that can be started manually, if necessary:

Filename: googletalk.exe
Description: Related to Google Talk, which enables you to call or send instant messages to your friends for free anytime, anywhere in the world.

Filename: IMJPMIG.EXE
Description: Part of MS Input Method Editor which is used to ease the input of Asian characters in MS Office (Chinese, Korean and this one is Japanese)

Filename: TINTSETP.EXE
Description: Part of Microsoft's Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word

Filename: TINTSETP.EXE
Description: Part of Microsoft's Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word

Filename: drivermax.exe
Description: Related to Innovative Solutions DriverMax, which basically backs up and restores drivers in a very attractive and well presented interface. It has a powerful export wizard.

NOTE: I have not removed any of them from the registry start-up key, but removing them should let Windows load faster. If you don't use them often and would rather start them when you need them, let me know and we will stop them from running when Windows boots up.


Step-1.

OTL Fix

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

1. Please copy all of the text in the quote box below (do not copy the word Quote). To do this, highlight everything inside the quote box (except the word Quote), right-click and click Copy.

:COMMANDS
[createrestorepoint]

:OTL
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)

:FILES
ipconfig /flushdns /c

:REG
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"58795:TCP" = -
"58795:UDP" = -

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"58795:TCP" = -
"58795:UDP" = -

:COMMANDS
[emptytemp]


Warning: This fix is relevant for this system and no other. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Please re-open OTL on your desktop. To do that:
  • XP users: Double click the icon.
3. Place the mouse pointer inside the Posted Image textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Posted Image button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the Posted Image button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).


Step-2.

OTL Scan

Please re-open OTL on the desktop. To do that:
  • XP users: Double click the OTL icon.
Make sure all other windows are closed.
  • You will see the OTL console.
  • At the top of the console, click the box beside Scan All Users
  • Do Not click the box beside Include 64bit Scans
  • Make sure the Output box at the top is set to Minimal Output.
  • Click the Posted Image button. Do not change any settings unless otherwise told to do so.
  • Let the scan run uninterrupted.
  • When the scan completes, it will open OTL.Txt. This file is saved in the same location as OTL.
  • Please copy the contents of this file and paste it into your reply. To do that:
  • On the .txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
  • Right-click inside the forum post window, then click Paste. This will paste the contents of the .txt file into the post window.

Step-3.

Run Farbar Service Scanner

Please download Farbar Service Scanner to the desktop.
Double-click the FSS.exe file to run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Step-4.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. Let me know what happened with the Windows firewall
2. The OTL fixes log
3. The new OTL.txt log
4. The FSS.txt log
5. Let me know what you want to do about the items that are running at start up.
  • 0

#21
Sonnet29

    Member

  • Topic Starter
  • Member
  • 31 posts
Hi, I'll try to do the logs later today or tomorrow. Sorry for my late response, this week has just been a little busy...I'll reply as soon as possible...
  • 0

#22
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Acknowledged (and my personal thanks to godawgs for the cover during my absence). :)
  • 0

#23
Sonnet29

    Member

  • Topic Starter
  • Member
  • 31 posts
Thank you godawgs, welcome back Dakeyras...

Windows Firewall appeared to already be on when I checked to enable it. I uninstalled the Java items that were present and used ERUNT to backup the registry. Upon attempting Step 1 - OTL Fix, my computer seemed to get stuck on "shutting down processes" in the OTL window.

How should I proceed? There are no logs present in the specified folder after two attempts. I had to force shut down after thirty minutes on the first attempt and waited twenty on the second. Should I have continued to let it run instead?
  • 0

#24
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

Thank you godawgs, welcome back Dakeyras...

On behalf of godawgs you are welcome and thank you also from myself...

Step 1 - OTL Fix, my computer seemed to get stuck on "shutting down processes" in the OTL window.

How should I proceed? There are no logs present in the specified folder after two attempts. I had to force shut down after thirty minutes on the first attempt and waited twenty on the second. Should I have continued to let it run instead?

Re-run this modified custom OTL script as sometimes older machines do have a problem with certain commands if they are in need of some in-depth maintenance like yours is for example. Not a cause for concern I will further add and we will address the aforementioned in-depth maintenance in due course.

:OTL
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)

:FILES
ipconfig /flushdns /c

:REG
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"58795:TCP" = -
"58795:UDP" = -

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"58795:TCP" = -
"58795:UDP" = -

Once the script has been processed, reboot your machine manually and carry on with the rest of the prior instructions, thank you.
  • 0
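The OTL scripts in the instructions above and in the re-run both remove the same three kinds of report entries: registry items whose target no longer exists ("File not found", "No CLSID value found"), O16 DPF downloads for Java plug-ins older than the installed release, and they are run with hosts-file protection switched off because a modified hosts file is another thing a helper looks for. As an added example, not OTL's own code and not anything posted in this thread, the Python below triages OTL report lines into exactly those groups before a fix is written; the sample lines are constructed in OTL's format (cab URLs elided as in the thread, the updates.example.net hosts entry invented), and the installed Java version is assumed to be 1.7.0_15, which is what the jre-7u15 installer above provides.

```python
"""Triage of OTL-style report lines (added example, not OTL's own code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Markers OTL appends when a registry entry points at something that no longer exists.
ORPHAN_MARKERS = ("File not found", "No CLSID value found")

# "O16 - DPF: {CLSID} <cab url> (Java Plug-in 1.6.0_30)"
JAVA_DPF = re.compile(
    r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \S+ \(Java Plug-in (\d+)\.(\d+)\.(\d+)_(\d+)\)"
)
# "O1 - Hosts: 127.0.0.1 localhost"
HOSTS_LINE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
# The only mappings a stock Windows hosts file carries.
STOCK_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample in OTL's report format. The updates.example.net hosts
# entry is invented to show how a modified hosts file is reported.
SAMPLE_REPORT = r"""
========== Standard Registry (SafeList) ==========
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 updates.example.net
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
"""


@dataclass
class Finding:
    line_no: int
    category: str   # "orphaned", "stale-java", "hosts-entry" or "ok"
    detail: str
    raw: str


def parse_java_version(text: str) -> Tuple[int, ...]:
    """'1.7.0_15' -> (1, 7, 0, 15), so releases compare as tuples."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)_(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Java version: {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(line: str, line_no: int, installed_java: str) -> Finding:
    """Classify one OTL report line; anything not matched is reported as "ok"."""
    if any(marker in line for marker in ORPHAN_MARKERS):
        return Finding(line_no, "orphaned", "target no longer exists", line)
    m = JAVA_DPF.match(line)
    if m:
        found = tuple(int(g) for g in m.groups())
        found_str = "%d.%d.%d_%d" % found
        if found < parse_java_version(installed_java):
            return Finding(line_no, "stale-java",
                           f"plug-in {found_str} predates installed {installed_java}", line)
        return Finding(line_no, "ok", f"plug-in {found_str} is current", line)
    m = HOSTS_LINE.match(line)
    if m:
        addr, name = m.group(1), m.group(2)
        if (addr, name) not in STOCK_HOSTS:
            return Finding(line_no, "hosts-entry", f"{name} mapped to {addr}", line)
        return Finding(line_no, "ok", "stock hosts entry", line)
    return Finding(line_no, "ok", "", line)


def triage(report: str, installed_java: str = "1.7.0_15") -> List[Finding]:
    """Return a finding for every non-empty, non-header line, in report order."""
    findings = []
    for n, raw in enumerate(report.splitlines(), 1):
        raw = raw.strip()
        if not raw or raw.startswith("=========="):
            continue
        findings.append(classify(raw, n, installed_java))
    return findings


def actionable(report: str, installed_java: str = "1.7.0_15") -> List[Finding]:
    """Only the findings a helper would review before writing a fix script."""
    return [f for f in triage(report, installed_java) if f.category != "ok"]


if __name__ == "__main__":
    for f in actionable(SAMPLE_REPORT):
        print(f"line {f.line_no:2d} {f.category:11s} {f.detail}")
```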

#25
Sonnet29

    Member

  • Topic Starter
  • Member
  • 31 posts
Here is the OTL Fix log:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\58795:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\58795:UDP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\58795:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\58795:UDP deleted successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 02262013_192626


OTL.txt log:

OTL logfile created on: 2/26/2013 7:34:18 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1021.98 Mb Total Physical Memory | 621.71 Mb Available Physical Memory | 60.83% Memory free
2.41 Gb Paging File | 2.01 Gb Available in Paging File | 83.62% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINXP | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 129.45 Gb Free Space | 86.85% Space Free | Partition Type: NTFS

Computer Name: JESS-DELL | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\WINXP\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Google\Google Talk\googletalk.exe (Google)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll ()


========== Services (SafeList) ==========

SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)


========== Driver Services (SafeList) ==========

DRV - (XDva391) -- C:\WINXP\system32\XDva391.sys File not found
DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (EagleXNt) -- C:\WINXP\system32\drivers\EagleXNt.sys File not found
DRV - (EagleNT) -- C:\WINXP\system32\drivers\EagleNT.sys File not found
DRV - (Changer) -- File not found
DRV - (MBAMProtector) -- C:\WINXP\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (HssDrv) -- C:\WINXP\system32\drivers\HssDrv.sys (AnchorFree Inc.)
DRV - (taphss) -- C:\WINXP\system32\drivers\taphss.sys (AnchorFree Inc)
DRV - (avipbb) -- C:\WINXP\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINXP\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (dtsoftbus01) -- C:\WINXP\system32\drivers\dtsoftbus01.sys (DT Soft Ltd)
DRV - (avkmgr) -- C:\WINXP\system32\drivers\avkmgr.sys (Avira GmbH)
DRV - (b57w2k) -- C:\WINXP\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (ssmdrv) -- C:\WINXP\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (hamachi) -- C:\WINXP\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (VIAudio) -- C:\WINXP\system32\drivers\vinyl97.sys (VIA Technologies, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1078081533-1767777339-1417001333-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\system32\blank.htm
IE - HKU\S-1-5-21-1078081533-1767777339-1417001333-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1078081533-1767777339-1417001333-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1078081533-1767777339-1417001333-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 73 CF 7C A0 21 FF CD 01 [binary data]
IE - HKU\S-1-5-21-1078081533-1767777339-1417001333-500\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1078081533-1767777339-1417001333-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKU\S-1-5-21-1078081533-1767777339-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1078081533-1767777339-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINXP\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O1DPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npo1d.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\25.0.1364.97\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\25.0.1364.97\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\25.0.1364.97\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Chrome IE Tab (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd\3.5.14.1_0\plugin/blackfishietab.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.300.12 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U30 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINXP\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: WOT = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp\1.4.9_0\
CHR - Extension: YouTube = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Google Search = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: AdBlock = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.61_0\
CHR - Extension: IE Tab = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd\4.2.22.2_0\
CHR - Extension: FastestChrome - Browse Faster = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mmffncokckfccddfenhkhnllmlobdahm\7.0.3_0\
CHR - Extension: Gmail = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINXP\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINXP\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-1078081533-1767777339-1417001333-500..\Run: [DriverMax_RESTART] C:\Program Files\Innovative Solutions\DriverMax\devices.exe (Innovative Solutions)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1078081533-1767777339-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} http://avatar.mabino....2010.05.24.cab (MabinogiWebAvatarRenderer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A6796D18-389A-480F-BEDF-104A5D19952E}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINXP\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINXP\system32\userinit.exe) - C:\WINXP\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/05/26 09:15:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/02/25 16:52:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2013/02/25 15:01:45 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/02/25 14:42:47 | 000,000,000 | ---D | C] -- C:\WINXP\System32\appmgmt
[2013/02/17 14:17:36 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2013/02/17 14:07:39 | 000,000,000 | ---D | C] -- C:\WINXP\ERDNT
[2013/02/17 14:03:53 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2013/02/17 14:03:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2013/02/16 16:45:20 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2013/02/16 16:00:05 | 000,000,000 | ---D | C] -- C:\WINXP\SxsCaPendDel
[2013/02/09 00:00:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mumble
[2013/02/08 21:52:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mumble
[2013/02/08 21:49:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mumble
[2013/02/08 21:48:56 | 000,000,000 | ---D | C] -- C:\Program Files\Mumble
[2013/02/06 17:42:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2013/02/06 17:41:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/02/06 17:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013/02/06 17:41:07 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\WINXP\System32\drivers\mbam.sys
[2013/02/06 17:41:07 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/02/02 01:15:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2013/02/02 01:15:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2013/02/02 01:15:44 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[1 C:\WINXP\System32\*.tmp files -> C:\WINXP\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/02/26 19:32:27 | 000,432,784 | ---- | M] () -- C:\WINXP\System32\perfh009.dat
[2013/02/26 19:32:27 | 000,067,740 | ---- | M] () -- C:\WINXP\System32\perfc009.dat
[2013/02/26 19:28:02 | 000,002,206 | ---- | M] () -- C:\WINXP\System32\wpa.dbl
[2013/02/26 19:27:39 | 000,002,048 | --S- | M] () -- C:\WINXP\bootstat.dat
[2013/02/26 18:52:00 | 000,001,010 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1767777339-1417001333-500UA.job
[2013/02/25 21:52:00 | 000,000,958 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1767777339-1417001333-500Core.job
[2013/02/25 14:29:43 | 000,002,261 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2013/02/21 17:59:39 | 000,002,362 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/02/21 17:59:38 | 000,002,344 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2013/02/17 14:20:31 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2013/02/17 14:18:57 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2013/02/17 14:03:54 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2013/02/17 14:03:54 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2013/02/16 16:45:21 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2013/02/16 16:18:20 | 000,000,894 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Talk.lnk
[2013/02/13 16:49:39 | 000,190,592 | ---- | M] () -- C:\WINXP\System32\FNTCACHE.DAT
[2013/02/13 16:45:23 | 000,001,374 | ---- | M] () -- C:\WINXP\imsins.BAK
[2013/02/08 21:54:50 | 000,002,378 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\MumbleAutomaticCertificateBackup.p12
[2013/02/08 21:49:17 | 000,000,656 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mumble.lnk
[2013/02/06 17:41:10 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/06 07:03:16 | 000,001,142 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ Mabinogi .lnk
[1 C:\WINXP\System32\*.tmp files -> C:\WINXP\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/02/17 14:20:31 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2013/02/17 14:03:54 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2013/02/17 14:03:54 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2013/02/16 16:18:20 | 000,000,894 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Google Talk.lnk
[2013/02/08 21:54:50 | 000,002,378 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\MumbleAutomaticCertificateBackup.p12
[2013/02/08 21:49:17 | 000,000,656 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mumble.lnk
[2013/02/06 17:41:10 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/02 01:15:46 | 000,002,261 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/09/01 16:38:33 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/14 23:44:28 | 000,003,072 | ---- | C] () -- C:\WINXP\System32\iacenc.dll
[2012/02/12 17:20:47 | 000,038,956 | -H-- | C] () -- C:\WINXP\System32\mlfcache.dat
[2011/11/13 01:05:38 | 000,000,262 | ---- | C] () -- C:\WINXP\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2011/10/03 23:11:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\ColorSet.ini
[2011/07/08 18:32:27 | 000,003,120 | ---- | C] () -- C:\WINXP\System32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
[2011/06/17 18:32:02 | 000,000,032 | R--- | C] () -- C:\Documents and Settings\All Users\hash.dat
[2011/05/26 09:23:56 | 000,012,288 | ---- | C] () -- C:\WINXP\System32\e100bmsg.dll
[2011/05/26 09:18:03 | 000,002,048 | --S- | C] () -- C:\WINXP\bootstat.dat
[2011/05/26 09:12:28 | 000,021,640 | ---- | C] () -- C:\WINXP\System32\emptyregdb.dat
[2011/05/26 05:00:46 | 000,004,073 | ---- | C] () -- C:\WINXP\ODBCINST.INI
[2011/05/26 04:59:38 | 000,190,592 | ---- | C] () -- C:\WINXP\System32\FNTCACHE.DAT

========== ZeroAccess Check ==========

[2011/08/14 02:23:32 | 000,000,227 | RHS- | M] () -- C:\WINXP\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 07:00:00 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINXP\system32\wbem\fastprox.dll -- [2010/09/16 11:11:04 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINXP\system32\wbem\wbemess.dll -- [2008/04/14 07:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >


The FSS.txt log:

Farbar Service Scanner Version: 20-02-2013
Ran by Administrator (administrator) on 26-02-2013 at 19:48:14
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINXP\system32\dhcpcsvc.dll => MD5 is legit
C:\WINXP\system32\Drivers\afd.sys => MD5 is legit
C:\WINXP\system32\Drivers\netbt.sys => MD5 is legit
C:\WINXP\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINXP\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINXP\system32\dnsrslvr.dll => MD5 is legit
C:\WINXP\system32\ipnathlp.dll => MD5 is legit
C:\WINXP\system32\netman.dll => MD5 is legit
C:\WINXP\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINXP\system32\srsvc.dll => MD5 is legit
C:\WINXP\system32\Drivers\sr.sys => MD5 is legit
C:\WINXP\system32\wscsvc.dll => MD5 is legit
C:\WINXP\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINXP\system32\wuauserv.dll
[2011-05-26 09:13] - [2008-04-14 07:00] - 0006656 ____A (Microsoft Corporation) 35321FB577CDC98CE3EB3A3EB9E4610A

C:\WINXP\system32\qmgr.dll => MD5 is legit
C:\WINXP\system32\es.dll => MD5 is legit
C:\WINXP\system32\cryptsvc.dll => MD5 is legit
C:\WINXP\system32\svchost.exe => MD5 is legit
C:\WINXP\system32\rpcss.dll => MD5 is legit
C:\WINXP\system32\services.exe
[2010-09-16 11:11] - [2010-09-16 11:11] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6


Extra List:
=======
Gpc(3) HssDrv(8) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

________
Lastly, I would like to stop the mentioned items from running at startup.
  • 0
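The File Check section of the FSS log above compares the MD5 of core service binaries against Farbar's known-good list and prints "=> MD5 is legit" on a match; for a file it cannot confirm it prints the file's timestamps, size, attributes, company name and MD5 on the following line instead. As an added example (not part of this thread, and not Farbar's own code), here is a small Python parser that pulls the unconfirmed entries out of such a log so their hashes can be looked up, plus a helper that hashes a local file the same way for comparison. The sample input is an excerpt of the FSS output posted above, embedded as a string; the known-good set used in the demo and test is a constructed placeholder, not a real hash list. An unconfirmed file is not by itself evidence of tampering (the list may simply lack that build's hash); it is a lead that needs checking.

```python
"""Pull the files Farbar Service Scanner (FSS) could not confirm out of an FSS log.

In the "File Check" section FSS compares the MD5 of core service binaries
with its list of known-good hashes and prints "=> MD5 is legit" on a match.
Otherwise it prints the file's timestamps, size, attributes, company name
and MD5 on the following line, so the analyst can look the hash up.
"""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Set

# Sample input: an excerpt of the FSS File Check section posted in the thread,
# embedded here as a string so the script runs offline.
SAMPLE_FSS = """\
File Check:
========
C:\\WINXP\\system32\\dhcpcsvc.dll => MD5 is legit
C:\\WINXP\\system32\\Drivers\\afd.sys => MD5 is legit
C:\\WINXP\\system32\\wuauserv.dll
[2011-05-26 09:13] - [2008-04-14 07:00] - 0006656 ____A (Microsoft Corporation) 35321FB577CDC98CE3EB3A3EB9E4610A

C:\\WINXP\\system32\\qmgr.dll => MD5 is legit
C:\\WINXP\\system32\\services.exe
[2010-09-16 11:11] - [2010-09-16 11:11] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6


Extra List:
=======
"""

LEGIT_SUFFIX = " => MD5 is legit"

# Detail line FSS prints under an unconfirmed file:
# [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileCheckEntry:
    path: str
    verified: bool              # True when FSS printed "MD5 is legit"
    size: Optional[int] = None  # remaining fields are only filled for unverified files
    company: Optional[str] = None
    md5: Optional[str] = None


def parse_file_check(log_text: str) -> List[FileCheckEntry]:
    """Parse the File Check section of an FSS log into entries."""
    lines = log_text.splitlines()
    entries: List[FileCheckEntry] = []
    in_section = False
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line == "File Check:":
            in_section = True
            i += 2  # skip the heading and its ===== underline
            continue
        if in_section and line.endswith(":"):
            break  # the next section heading (e.g. "Extra List:") ends the block
        if not in_section or not line:
            i += 1
            continue
        if line.endswith(LEGIT_SUFFIX):
            entries.append(FileCheckEntry(path=line[: -len(LEGIT_SUFFIX)], verified=True))
            i += 1
            continue
        # Unconfirmed file: the path is on this line, the details on the next.
        entry = FileCheckEntry(path=line, verified=False)
        if i + 1 < len(lines):
            m = DETAIL_RE.match(lines[i + 1].strip())
            if m:
                entry.size = int(m.group("size"))
                entry.company = m.group("company")
                entry.md5 = m.group("md5").upper()
                i += 1
        entries.append(entry)
        i += 1
    return entries


def unverified(entries: List[FileCheckEntry]) -> List[FileCheckEntry]:
    """Entries FSS did not confirm, i.e. the hashes worth looking up."""
    return [e for e in entries if not e.verified]


def not_in_known_good(entries: List[FileCheckEntry], known_good: Set[str]) -> List[FileCheckEntry]:
    """Unconfirmed entries whose MD5 is absent from your own known-good set (case-insensitive)."""
    good = {h.upper() for h in known_good}
    return [e for e in unverified(entries) if e.md5 is None or e.md5 not in good]


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path: Path) -> str:
    """Hash a local file the same way, to compare against a vendor-published MD5."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for e in unverified(parse_file_check(SAMPLE_FSS)):
        print(f"{e.path}  size={e.size}  company={e.company!r}  md5={e.md5}")
```

Run against the excerpt, the script lists the two files the log above shows without a verdict (wuauserv.dll and services.exe) together with the hashes FSS printed for them; `md5_of_file` can then be pointed at the same file on another, known-clean machine of the same patch level to compare.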



#26
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

Lastly, I would like to stop the mentioned items from running at startup.

Aye we can do so the fairly easy way in due course and if the need can target specifically etc...

Next:

Please download AdwCleaner, StartUpLite and the installer for Microsoft Security Essentials and save to your Desktop.

Note: Do not do anything with these downloads just yet.

Uninstall Avira Free Antivirus:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Avira Free Antivirus

To do so, click once on the above to highlight and then click on the Remove button.

Note: Take extra care in answering any questions posed by the Uninstaller. Some questions may be worded to deceive you into keeping the program.

Next:-

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\Avira
C:\WINXP\SxsCaPendDel

Next:-

Click Start >> Run... and type cleanmgr in the box and click on OK.

  • Ensure the boxes for Temporary Files, Temporary Internet Files and Recycle Bin are checked.
  • You can choose to check other boxes if you wish but they are not required.
  • Click on OK then Yes.
Reboot your machine if you were not prompted to do so after the actual Avira uninstall, plus limit actual online activity until the new Anti-Virus is installed.

StartUpLite:

Double-click on startuplite-setup-1.07.exe >> follow the prompts >> if anything found merely select if not and click on Continue etc.

Scan with AdwCleaner:

  • Double click on adwcleaner.exe to launch the application.
  • Now click on the Delete tab >> reboot your machine if not prompted to do so.
  • Please post the contents of the log-file created in your next post.
Note: The log can also be located at C: >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run etc.

Install Microsoft Security Essentials:

  • Double-click on the installer for Microsoft Security Essentials (mseinstall.exe)
  • Follow the prompts to install >> when asked if you want to turn on the Windows Firewall, agree to this...
  • Update >> Carry Out a Complete Scan. Have it fix/remove anything it finds.
Note: If anything was removed please inform myself in your next reply and if the need we can retrieve the log for my review.

Next:

Let myself know when completed the above...if any problems encountered. Also post the AdwCleaner log and we will then go from there, thank you.
  • 0

#27
Sonnet29

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
There was only an instance of a folder C:\WINXP\SxsCaPendDel which I deleted. I completed everything else including the Microsoft Security Essentials scan (I think)... I left it to run during a full scan and when I returned I didn't notice any window that would show its results.

Here is the AdwCleaner log:

# AdwCleaner v2.113 - Logfile created 02/27/2013 at 13:53:05
# Updated 23/02/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - JESS-DELL
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v25.0.1364.97

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [842 octets] - [27/02/2013 13:53:05]

########## EOF - C:\AdwCleaner[S1].txt - [901 octets] ##########
  • 0

#28
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

There was only an instance of a folder C:\WINXP\SxsCaPendDel which I deleted

My apologies, I should have put it as a folder to delete (I have amended my prior instructions in case any others view the aforementioned during the course of their research etc).

I left it to run during a full scan and when I returned I didn't notice any window that would show its results.

Probably then nothing was detected/removed but no harm double checking...

Right-click on the System Tray icon for MSE >> Open >> History >> All detected items >> if anything present make a note of it and inform myself in your next reply.

Hard-Drive Maintenance/Repair:

Note: for the CHKDSK portion you may refer to this tutorial of mine here and follow the instructions for Graphical Mode if you so wish.

  • Click Start >> Run... then type in CMD and click on OK.
  • At the Command Prompt C:\ > type the following:
  • CD C:\ and hit the Enter/Return key.
  • Now type in DEFRAG C: -F
  • An analysis report will be displayed and then Windows will start the Defragmentation run automatically.
  • This may take some time, when completed the Command Prompt C:\ > will appear.
  • Now type in CHKDSK C: /R and hit the Enter/Return key.
  • When prompted with:

CHKDSK cannot run because the volume is in use by another process
Would you like to schedule this volume to be checked next time the system
restarts (Y/N)

  • Hit the Y key then at the Command Prompt C:\ >
  • Type in EXIT and hit the Enter/Return key.
  • Now Reboot (Restart) your computer.
Note: Upon Reboot (Restart) the CHKDSK (check-disk) will start and carry out the repairs required.

You should see a screen like this just after the POST (power on self test) screen:

[screenshot of the check-disk screen shown during boot]

Note: Do not touch either the keyboard or Mouse, otherwise the Check-Disk will be canceled and your computer will continue to boot-up as normal.

Next:

Let myself know when completed the above and if any further issues remaining.
  • 0

#29
Sonnet29

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hello, I completed the above. For the hard drive maintenance/repair step, CHKDSK finished very quickly, within a few seconds or so. I think the message said "file is clean" but I didn't catch all of it. I haven't encountered any problems or further issues. :happy:

Edited by Sonnet29, 28 February 2013 - 12:05 AM.

  • 0

#30
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

I completed the above. For the hard drive maintenance/repair step, CHKDSK finished very quickly, within a few seconds or so. I think the message said "file is clean" but I didn't catch all of it. I haven't encountered any problems. :happy:

Good... Let's check/update some software as follows shall we...

  • Download and install FileHippo Update Checker from here.
  • Once installed (during the installation process deselect the option: Run at Startup) >> Start >> All Programs >> double-click on Update Checker >> a browser window will open after the scan is complete.
  • Download any updates detected(apart from beta updates) to the desktop >> uninstall anything that requires updating via Add/Remove Programs in the Control Panel.
  • Re-install the updated software, delete the installers and then empty the Recycle Bin.
  • When completed the above let myself know and if any further issues remaining, thank you.
Note: When I give the all clear my advice would be to consider keeping FileHippo Update Checker installed. Then periodically use it to check for any updates as having certain software outdated is a potential for malware to gain a foothold and exploit a system etc.
  • 0
