Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware problems [Solved]


  • This topic is locked This topic is locked

#16
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Log from step 1

Log Opened: 2013-08-19 @ 21:16:29
21:16:29 - -----------------
21:16:29 - | Begin Logging |
21:16:29 - -----------------
21:16:29 - Fix started on a WIN_XP X86 computer
21:16:29 - Prep in progress. Please Wait.
21:16:32 - Prep complete
21:16:32 - Repairing Services Now. Please wait...

The operation completed successfully
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\XP\BITS.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Enum>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS>

SetACL finished successfully.

The operation completed successfully
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\XP\SharedAccess.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Enum>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Setup>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess>

SetACL finished successfully.

The operation completed successfully
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\XP\wscsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Enum>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc>

SetACL finished successfully.

The operation completed successfully
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\XP\wuauserv.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Enum>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv>

SetACL finished successfully.
21:16:34 - Services Repair Complete.
21:16:45 - Reboot Initiated
  • 0

Advertisements


#17
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Step 3 log

OTL logfile created on: 19/08/2013 21:24:52 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Joe\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.48 Gb Available Physical Memory | 73.85% Memory free
3.85 Gb Paging File | 3.50 Gb Available in Paging File | 91.08% Paging File free
Paging file location(s): C:\pagefile.sys 0 0F:\pagefile.sys 2047 3070 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 181.34 Gb Free Space | 77.87% Space Free | Partition Type: NTFS

Computer Name: ASUSP5K-SE | User Name: Joe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/08/17 23:23:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
PRC - [2013/08/17 15:24:03 | 000,131,036 | --S- | M] (Pelikan Software Kft.) -- C:\Documents and Settings\Joe\Local Settings\Temp\lbrsflgk.exe
PRC - [2013/07/25 17:57:36 | 000,853,800 | ---- | M] (AnchorFree Inc.) -- C:\Program Files\Hotspot Shield\bin\cmw_srv.exe
PRC - [2013/07/25 17:57:08 | 000,548,136 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\hsswd.exe
PRC - [2013/07/25 17:56:22 | 001,650,472 | ---- | M] (AnchorFree Inc.) -- C:\Program Files\Hotspot Shield\bin\HSSCP.exe
PRC - [2012/06/03 17:55:08 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2009/11/04 10:20:04 | 001,507,431 | ---- | M] (NETGEAR) -- C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
PRC - [2008/06/27 16:24:34 | 000,467,028 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/08 17:31:24 | 000,148,760 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
PRC - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (No Company Name) ==========

MOD - [2013/07/25 17:57:08 | 000,548,136 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\hsswd.exe
MOD - [2013/07/24 20:18:40 | 000,744,744 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\af_proxy.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/07/25 17:57:36 | 000,853,800 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\cmw_srv.exe -- (hshld)
SRV - [2013/07/25 17:57:08 | 000,548,136 | ---- | M] () [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\hsswd.exe -- (HssWd)
SRV - [2013/07/24 03:17:10 | 000,078,512 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Hotspot Shield\bin\HSSTrayService.exe -- (HssTrayService)
SRV - [2012/01/18 14:38:28 | 000,155,320 | ---- | M] (Avanquest Software) [Disabled | Stopped] -- C:\Program Files\Sony\Sony PC Companion\PCCService.exe -- (Sony PC Companion)
SRV - [2010/06/06 17:32:00 | 003,819,912 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\system32\GameMon.des -- (npggsvc)
SRV - [2008/06/27 16:24:34 | 000,467,028 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2008/02/27 11:54:52 | 000,360,547 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe -- (jswpsapi)
SRV - [2007/08/08 17:31:14 | 000,410,904 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | Auto | Stopped] -- system32\DRIVERS\rp_skt32.sys -- (RPSKT)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lmimirr.sys -- (lmimirr)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Joe\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys -- (cpuz132)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a59ll2nh)
DRV - [2013/08/17 20:37:56 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2013/07/24 03:10:56 | 000,044,744 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hssdrv.sys -- (HssDrv)
DRV - [2013/06/21 01:19:10 | 000,033,512 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
DRV - [2010/10/27 16:40:00 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2010/07/04 20:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2010/04/20 05:12:32 | 000,601,088 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WN111v2.sys -- (WN111v2)
DRV - [2009/01/31 03:55:05 | 000,033,824 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\oreans32.sys -- (oreans32)
DRV - [2008/10/01 16:45:52 | 000,057,440 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jswscimd.sys -- (JSWSCIMD)
DRV - [2008/05/14 00:08:04 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/13 19:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2007/12/14 04:31:00 | 000,057,408 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/11/01 01:56:00 | 000,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l151x86.sys -- (AtcL001)
DRV - [2007/06/18 21:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/03/26 12:21:06 | 004,395,008 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2006/10/18 20:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006/09/05 19:26:56 | 000,168,832 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinavt2.sys -- (ATIAVAIW)
DRV - [2004/08/13 11:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2003/07/24 12:10:34 | 000,017,149 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DNINDIS5.sys -- (DNINDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.search....FA2265}&serpv=5
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.bing.com/ [binary data]
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.co.uk/
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes,DefaultScope = {E397187B-6912-4356-95B2-3D204C8F4741}
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{08AADFBC-3CEE-4019-A342-6EE40DDFDC73}: "URL" = http://search.yahoo....petb&type=10553
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7ADFA_enGB382
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{7C3CEAA9-70DE-4456-84CE-16D14854EA16}: "URL" = http://search.us.com...k={searchTerms}
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{E397187B-6912-4356-95B2-3D204C8F4741}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: [email protected]:1.0
FF - prefs.js..extensions.enabledAddons: {97E22097-9A2F-45b1-8DAF-36AD648C7EF4}:15.0.4

FF - user.js..browser.startup.homepage: "http://start.search....A2265}&serpv=5"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tightropeinteractive.com/Plugin: C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2\2.0.0.1627\npTNT2.dll (Search.Us.com)
FF - HKCU\Software\MozillaPlugins\@tnt2ghost.com/Plugin: C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2\2.0.0.1627\npTNT2ghost.dll (Search.Us.com)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/06/03 17:55:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/03 17:55:18 | 000,000,000 | ---D | M]

[2011/04/05 10:34:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Joe\Application Data\Mozilla\Extensions
[2013/08/18 15:14:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/08/18 15:14:48 | 000,000,000 | ---D | M] (Hotspot Shield Helper (Please allow this installation)) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2011/03/18 18:57:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 09:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2010/01/01 09:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 09:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010/01/01 09:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2010/01/01 09:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2013/08/19 21:21:48 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-448539723-515967899-725345543-1004..\Run: [TvtXdnsd] C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WN111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111v2\WN111V2.exe (NETGEAR)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1199120511546 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{068DCEAB-14A4-4E6D-9C26-03D529310EFD}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0E0EEEF2-16DD-4387-ABD4-AA840C8FA85F}: NameServer = 8.8.8.8
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe) - C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/31 18:04:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{32acefe0-3762-11dd-ac65-001d60526c5c}\Shell\AutoRun\command - "" = E:\WD_Windows_Tools\Setup.exe
O33 - MountPoints2\{54a7570c-185f-11de-ae2c-001d60526c5c}\Shell\AutoRun\command - "" = E:\wdsync.exe
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell - "" = AutoRun
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell\AutoRun\command - "" = F:\Startme.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/08/19 21:16:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\CC Support
[2013/08/19 17:32:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Hotspot Shield
[2013/08/18 15:14:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2
[2013/08/18 14:59:52 | 000,000,000 | ---D | C] -- C:\Avenger
[2013/08/18 14:53:14 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/08/17 23:23:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
[2013/08/17 20:37:56 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/07/30 12:26:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Desktop\ff11 stuff
[2013/07/25 19:33:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Hotspot Shield
[2013/07/25 19:33:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hotspot Shield
[2013/07/25 19:32:42 | 000,000,000 | ---D | C] -- C:\Program Files\Hotspot Shield
[2013/07/25 19:32:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Application Data\Hotspot Shield
[2010/03/07 14:09:26 | 000,092,064 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmmdm.sys
[2010/03/07 14:09:26 | 000,079,328 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmserd.sys
[2010/03/07 14:09:26 | 000,066,656 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmbus.sys
[2010/03/07 14:09:26 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Joe\usbsermptxp.sys
[2010/03/07 14:09:26 | 000,022,768 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Joe\usbsermpt.sys
[2010/03/07 14:09:26 | 000,009,232 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmmdfl.sys
[2010/03/07 14:09:26 | 000,006,208 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmcmnt.sys
[2010/03/07 14:09:26 | 000,005,936 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmwhnt.sys
[2010/03/07 14:09:26 | 000,004,048 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmcr.sys
[1 C:\Documents and Settings\LocalService\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\LocalService\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/08/19 21:23:04 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-448539723-515967899-725345543-1004.job
[2013/08/19 21:23:02 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/08/19 21:22:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/08/19 21:21:48 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2013/08/19 21:16:12 | 004,009,167 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\ServicesRepair.com
[2013/08/19 20:39:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/08/19 17:33:00 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hotspot Shield.lnk
[2013/08/19 17:30:58 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/08/18 17:56:01 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-515967899-725345543-1004.job
[2013/08/18 14:57:25 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\avenger.zip
[2013/08/17 23:23:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
[2013/08/17 22:06:02 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2013/08/17 20:37:56 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/08/03 13:09:18 | 000,001,124 | ---- | M] () -- C:\Documents and Settings\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickStores.lnk
[2013/07/24 03:10:56 | 000,044,744 | ---- | M] (AnchorFree Inc.) -- C:\WINDOWS\System32\drivers\hssdrv.sys

========== Files Created - No Company Name ==========

[2013/08/19 21:16:11 | 004,009,167 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\ServicesRepair.com
[2013/08/18 14:57:43 | 000,731,136 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\avenger.com
[2013/08/18 14:57:24 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\avenger.zip
[2013/08/03 13:09:18 | 000,001,124 | ---- | C] () -- C:\Documents and Settings\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickStores.lnk
[2013/07/25 19:33:37 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hotspot Shield.lnk
[2013/06/30 10:34:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/06/22 19:48:44 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Joe\Application Data\SharedSettings.ccs
[2013/05/09 19:00:44 | 000,646,807 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-448539723-515967899-725345543-1004-0.dat
[2013/05/09 19:00:38 | 000,299,122 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2013/02/21 22:02:23 | 000,000,096 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2012/04/04 23:49:04 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/03/07 14:11:53 | 000,070,690 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem41.PNF
[2010/03/07 14:11:53 | 000,054,341 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem41.inf
[2010/03/07 14:11:53 | 000,016,002 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem36.PNF
[2010/03/07 14:11:53 | 000,015,682 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem33.PNF
[2010/03/07 14:11:53 | 000,014,334 | ---- | C] () -- C:\Documents and Settings\Joe\Copy (2) of oem28.PNF
[2010/03/07 14:11:53 | 000,012,866 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem31.PNF
[2010/03/07 14:11:53 | 000,012,828 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem30.PNF
[2010/03/07 14:11:53 | 000,012,348 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem32.PNF
[2010/03/07 14:11:53 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem36.inf
[2010/03/07 14:11:53 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem33.inf
[2010/03/07 14:11:53 | 000,007,754 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem34.PNF
[2010/03/07 14:11:53 | 000,007,314 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem35.PNF
[2010/03/07 14:11:53 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Joe\1267967513-(null)
[2010/03/07 14:11:53 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem34.inf
[2010/03/07 14:11:53 | 000,006,209 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem31.inf
[2010/03/07 14:11:53 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem30.inf
[2010/03/07 14:11:53 | 000,005,813 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem32.inf
[2010/03/07 14:11:53 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem35.inf
[2010/03/07 14:09:26 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_MDM.INF
[2010/03/07 14:09:26 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Joe\USB_MOT_BRIT.INF
[2010/03/07 14:09:26 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Joe\USBMOT2000.INF
[2010/03/07 14:09:26 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_BUS.INF
[2010/03/07 14:09:26 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\Joe\USBMOT2000XP.INF
[2010/03/07 14:09:26 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\Joe\USB_MOT_A1000.INF
[2010/03/07 14:09:26 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Joe\USB_CMCS_2000.INF
[2010/03/07 14:09:26 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_SDM.INF
[2010/03/07 14:09:20 | 000,070,690 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem28.PNF
[2010/03/07 14:09:20 | 000,054,341 | ---- | C] () -- C:\Documents and Settings\Joe\1267967360-(null)
[2008/03/04 23:48:34 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/31 18:55:51 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2007/12/31 17:39:10 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 01:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 13:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 01:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

========== Base Services ==========
No service found with a name of ALG
SRV - [2008/04/14 01:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/14 01:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2012/07/06 14:58:51 | 000,078,336 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/14 01:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/14 01:11:51 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2009/04/20 18:17:26 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2008/04/14 01:11:52 | 000,033,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/14 01:12:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2008/04/14 01:11:54 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2008/04/14 01:12:22 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/14 01:11:52 | 000,023,552 | ---- | M] (Microsoft Corp.) [On_Demand | Stopped] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/14 01:12:17 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/14 01:12:17 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/14 01:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/06/20 17:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\mswsock.dll -- (Nla)
SRV - [2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2010/08/17 14:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/14 01:12:03 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/14 01:12:03 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2009/02/09 13:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs)
SRV - [2008/04/14 01:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/14 01:12:05 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
No service found with a name of wscsvc
SRV - [2010/08/27 06:57:43 | 000,099,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/14 01:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/14 01:12:05 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/14 01:11:56 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/14 01:12:07 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/14 01:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/14 01:12:38 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/14 01:11:50 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
No service found with a name of SharedAccess
SRV - [2008/04/14 01:12:08 | 000,333,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc)
SRV - [2008/04/14 01:12:28 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/14 01:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
No service found with a name of Wmi
SRV - [2008/04/14 01:11:52 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)
SRV - [2008/04/14 01:12:11 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2009/06/10 07:14:49 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)

< sc query afd /c >
SERVICE_NAME: AFD
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

< sc query netbt /c >
SERVICE_NAME: NETBT
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

< sc query tcpip /c >
SERVICE_NAME: TCPIP
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

< >

========== Files - Unicode (All) ==========
[2009/04/29 03:11:18 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
[2009/04/29 03:11:18 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
[2009/04/24 17:15:11 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“
[2009/04/24 17:15:11 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“

< End of report >
  • 0

#18
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Sorry that so much time went, but still no improvements. This malware is quite complicated.

I'd like you to run aswMBR scan, because I think that something is still hiding in the system and OTL isn't able to show it us.

  • Download aswMBR.com to your desktop.
  • Double click the aswMBR.com to run it.

    Posted Image
  • Click the [Scan] button to start scan.

    Posted Image
  • On completion of the scan click [Save log], save it to your desktop and post in your next reply.

  • 0

#19
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
BTW, how your computer is running now?
  • 0

#20
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Hi,

No change on the computer so far. Here is the log also just to mention it when i ran it it prompted me to download avast definitions but i dont think it worked. I ran the scan anyway.

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-08-20 17:42:32
-----------------------------
17:42:32.703 OS Version: Windows 5.1.2600 Service Pack 3
17:42:32.703 Number of processors: 2 586 0x1706
17:42:32.703 ComputerName: ASUSP5K-SE UserName: Joe
17:42:35.000 Initialize success
17:42:56.140 AVAST engine download error: 0
17:43:21.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10
17:43:21.343 Disk 0 Vendor: ST3250820AS 3.AAD Size: 238475MB BusType: 3
17:43:21.531 Disk 0 MBR read successfully
17:43:21.531 Disk 0 MBR scan
17:43:21.531 Disk 0 Windows XP default MBR code
17:43:21.531 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238472 MB offset 63
17:43:21.531 Disk 0 scanning sectors +488392065
17:43:21.609 Disk 0 scanning C:\WINDOWS\system32\drivers
17:43:33.796 Service scanning
17:43:47.437 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
17:43:51.968 Modules scanning
17:43:58.593 Disk 0 trace - called modules:
17:43:58.609 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spfa.sys >>UNKNOWN [0x8a8c4938]<<
17:43:58.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7f7ab8]
17:43:58.625 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000073[0x8a8e2be0]
17:43:58.625 5 ACPI.sys[b7e74620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-10[0x8a853d98]
17:43:58.625 Scan finished successfully
17:44:08.234 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joe\Desktop\MBR.dat"
17:44:08.234 The log file has been saved successfully to "C:\Documents and Settings\Joe\Desktop\aswMBR.txt"
  • 0

#21
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Please, follow these steps:

Step 1. OTL fix.

  • Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :Commands
    [CREATERESTOREPOINT]
    
    :OTL
    DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a59ll2nh)
    IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.search....FA2265}&serpv=5
    IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{7C3CEAA9-70DE-4456-84CE-16D14854EA16}: "URL" = http://search.us.com...k={searchTerms}
    FF - user.js..browser.startup.homepage: "http://start.search.us.com/v/2/?guid={AA430A1A-C3B6-459E-9583-00789CFA2265}&serpv=5"
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O4 - HKU\S-1-5-21-448539723-515967899-725345543-1004..\Run: [TvtXdnsd] C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
    O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe) - C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
    [2009/04/29 03:11:18 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
    [2009/04/29 03:11:18 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
    [2009/04/24 17:15:11 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“
    [2009/04/24 17:15:11 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“
    
    :Files
    C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm
    netsh int ip reset /c
    netsh winsock reset catalog /c
    
    :Commands
    [EMPTYTEMP]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • After reboot OTL log should pop up. Post it contents in your next message.
Step 2. Avenger fix.

1. Run Avenger.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Folders to delete:
C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm
C:\WINDOWS\System32\8m“
C:\WINDOWS\System32\0~“

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and rename avenger.exe into avenger.com. After that run avenger.com.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Step 3. Fixing corrupted services.

Some of your services, required for normal functioning of some System components, are corrupted. That could lead to unstable work of your System and crashes. Let's fix it now.

Step 4. OTL scan.

  • Run OTL.
  • Click on Scan All Users checkbox, which is located near Quick Scan button.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    BASESERVICES
  • Then click the Run Scan button at the top.
  • Let the program run unhindered.
  • When the scan completes, it will open notepad window - OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post them in your topic.
How your computer is running after all these steps?

So, please, don't forget to post in your next message:

  • OTL log after reboot
  • OTL.txt
  • Avenger log

  • 0

#22
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Notepad from step 1,

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Error: No service named a59ll2nh was found to stop!
Service\Driver key a59ll2nh not found.
HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-448539723-515967899-725345543-1004\Software\Microsoft\Internet Explorer\SearchScopes\{7C3CEAA9-70DE-4456-84CE-16D14854EA16}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C3CEAA9-70DE-4456-84CE-16D14854EA16}\ not found.
C:\Documents and Settings\Joe\Application Data\Mozilla\FireFox\Profiles\n2jy7rr2.default\user.js moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA deleted successfully.
Registry value HKEY_USERS\S-1-5-21-448539723-515967899-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Run\\TvtXdnsd deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe deleted successfully.
File C:\WINDOWS\System32\8m“ not found.
File C:\WINDOWS\System32\8m“ not found.
File C:\WINDOWS\System32\0~“ not found.
File C:\WINDOWS\System32\0~“ not found.
========== FILES ==========
File\Folder C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm not found.
< netsh int ip reset /c >
One or more essential parameters were not entered.
Verify the required parameters, and reenter them.
The syntax supplied for this command is not valid. Check help for the correct syntax.
Usage: reset [name=]<string>

Parameters:

Tag Value
name - The name of a file to which to append information
regarding what settings were reset.

Remarks: Resets TCP/IP and related components to a clean state.

Examples:

reset resetlog.txt
C:\Documents and Settings\Joe\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Joe\Desktop\cmd.txt deleted successfully.
< netsh winsock reset catalog /c >
Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.
C:\Documents and Settings\Joe\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Joe\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: fbwuser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Joe
->Temp folder emptied: 3252779 bytes
->Temporary Internet Files folder emptied: 32308427 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 607 bytes

User: Keith
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7183485 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 220322582 bytes

Total Files Cleaned = 251.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 08202013_235159

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF83E9.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF8433.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF84BE.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF84C9.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF85A2.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF85AD.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF85E0.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF85EB.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF8619.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF8624.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF86DE.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DF908A.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DFAE56.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DFCC20.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DFD6F4.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DFE13A.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DFEA81.tmp not found!
File\Folder C:\Documents and Settings\Joe\Local Settings\Temp\~DFF999.tmp not found!
C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\BZQ4BI86\search[1].htm moved successfully.
C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\BZQ4BI86\search[6].htm moved successfully.
C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\0RI27P9Q\page__st__15[1].htm moved successfully.
C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\0RI27P9Q\search[2].htm moved successfully.
C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\0RI27P9Q\search[3].htm moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_1034.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0

#23
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Notepad from step 2,

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm" deleted successfully.

Error: folder "C:\WINDOWS\System32\8m" not found!
Deletion of folder "C:\WINDOWS\System32\8m" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\WINDOWS\System32\0~" not found!
Deletion of folder "C:\WINDOWS\System32\0~" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
  • 0

#24
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
All 4 links in step 3 are getting no page to display
  • 0

#25
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Okay, try these links:


  • 0

Advertisements


#26
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
step 4 log

OTL logfile created on: 21/08/2013 18:38:16 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Joe\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 74.72% Memory free
3.85 Gb Paging File | 3.53 Gb Available in Paging File | 91.60% Paging File free
Paging file location(s): C:\pagefile.sys 0 0F:\pagefile.sys 2047 3070 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 181.24 Gb Free Space | 77.83% Space Free | Partition Type: NTFS

Computer Name: ASUSP5K-SE | User Name: Joe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/08/17 23:23:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
PRC - [2013/08/17 15:24:03 | 000,131,036 | --S- | M] (Pelikan Software Kft.) -- C:\Documents and Settings\Joe\Local Settings\Temp\lbrsflgk.exe
PRC - [2013/07/25 17:57:36 | 000,853,800 | ---- | M] (AnchorFree Inc.) -- C:\Program Files\Hotspot Shield\bin\cmw_srv.exe
PRC - [2013/07/25 17:57:08 | 000,548,136 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\hsswd.exe
PRC - [2013/07/25 17:56:22 | 001,650,472 | ---- | M] (AnchorFree Inc.) -- C:\Program Files\Hotspot Shield\bin\HSSCP.exe
PRC - [2012/06/03 17:55:08 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2009/11/04 10:20:04 | 001,507,431 | ---- | M] (NETGEAR) -- C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
PRC - [2008/06/27 16:24:34 | 000,467,028 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/08 17:31:24 | 000,148,760 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
PRC - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (No Company Name) ==========

MOD - [2013/07/25 17:57:08 | 000,548,136 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\hsswd.exe
MOD - [2013/07/24 20:18:40 | 000,744,744 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\af_proxy.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/07/25 17:57:36 | 000,853,800 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\cmw_srv.exe -- (hshld)
SRV - [2013/07/25 17:57:08 | 000,548,136 | ---- | M] () [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\hsswd.exe -- (HssWd)
SRV - [2013/07/24 03:17:10 | 000,078,512 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Hotspot Shield\bin\HSSTrayService.exe -- (HssTrayService)
SRV - [2012/01/18 14:38:28 | 000,155,320 | ---- | M] (Avanquest Software) [Disabled | Stopped] -- C:\Program Files\Sony\Sony PC Companion\PCCService.exe -- (Sony PC Companion)
SRV - [2010/06/06 17:32:00 | 003,819,912 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\system32\GameMon.des -- (npggsvc)
SRV - [2008/06/27 16:24:34 | 000,467,028 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2008/02/27 11:54:52 | 000,360,547 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe -- (jswpsapi)
SRV - [2007/08/08 17:31:14 | 000,410,904 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | Auto | Stopped] -- system32\DRIVERS\rp_skt32.sys -- (RPSKT)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lmimirr.sys -- (lmimirr)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Joe\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys -- (cpuz132)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (ai2evsrk)
DRV - [2013/08/17 20:37:56 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2013/07/24 03:10:56 | 000,044,744 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hssdrv.sys -- (HssDrv)
DRV - [2013/06/21 01:19:10 | 000,033,512 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
DRV - [2010/10/27 16:40:00 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2010/07/04 20:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2010/04/20 05:12:32 | 000,601,088 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WN111v2.sys -- (WN111v2)
DRV - [2009/01/31 03:55:05 | 000,033,824 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\oreans32.sys -- (oreans32)
DRV - [2008/10/01 16:45:52 | 000,057,440 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jswscimd.sys -- (JSWSCIMD)
DRV - [2008/05/14 00:08:04 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/13 19:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2007/12/14 04:31:00 | 000,057,408 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/11/01 01:56:00 | 000,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l151x86.sys -- (AtcL001)
DRV - [2007/06/18 21:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/03/26 12:21:06 | 004,395,008 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2006/10/18 20:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006/09/05 19:26:56 | 000,168,832 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinavt2.sys -- (ATIAVAIW)
DRV - [2004/08/13 11:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2003/07/24 12:10:34 | 000,017,149 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DNINDIS5.sys -- (DNINDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.bing.com/ [binary data]
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.co.uk/
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes,DefaultScope = {E397187B-6912-4356-95B2-3D204C8F4741}
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{08AADFBC-3CEE-4019-A342-6EE40DDFDC73}: "URL" = http://search.yahoo....petb&type=10553
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7ADFA_enGB382
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{E397187B-6912-4356-95B2-3D204C8F4741}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: [email protected]:1.0
FF - prefs.js..extensions.enabledAddons: {97E22097-9A2F-45b1-8DAF-36AD648C7EF4}:15.0.4
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tightropeinteractive.com/Plugin: C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2\2.0.0.1627\npTNT2.dll (Search.Us.com)
FF - HKCU\Software\MozillaPlugins\@tnt2ghost.com/Plugin: C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2\2.0.0.1627\npTNT2ghost.dll (Search.Us.com)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/06/03 17:55:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/03 17:55:18 | 000,000,000 | ---D | M]

[2011/04/05 10:34:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Joe\Application Data\Mozilla\Extensions
[2013/08/18 15:14:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/08/18 15:14:48 | 000,000,000 | ---D | M] (Hotspot Shield Helper (Please allow this installation)) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2011/03/18 18:57:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 09:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2010/01/01 09:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 09:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010/01/01 09:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2010/01/01 09:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2013/08/19 21:21:48 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-448539723-515967899-725345543-1004..\Run: [TvtXdnsd] C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WN111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111v2\WN111V2.exe (NETGEAR)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1199120511546 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{068DCEAB-14A4-4E6D-9C26-03D529310EFD}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0E0EEEF2-16DD-4387-ABD4-AA840C8FA85F}: NameServer = 8.8.8.8
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe) - C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/31 18:04:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{32acefe0-3762-11dd-ac65-001d60526c5c}\Shell\AutoRun\command - "" = E:\WD_Windows_Tools\Setup.exe
O33 - MountPoints2\{54a7570c-185f-11de-ae2c-001d60526c5c}\Shell\AutoRun\command - "" = E:\wdsync.exe
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell - "" = AutoRun
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell\AutoRun\command - "" = F:\Startme.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/08/20 17:42:11 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Joe\Desktop\aswMBR.com
[2013/08/19 21:16:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\CC Support
[2013/08/19 17:32:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Hotspot Shield
[2013/08/18 15:14:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2
[2013/08/18 14:59:52 | 000,000,000 | ---D | C] -- C:\Avenger
[2013/08/18 14:53:14 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/08/17 23:23:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
[2013/08/17 20:37:56 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/07/30 12:26:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Desktop\ff11 stuff
[2013/07/25 19:33:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Hotspot Shield
[2013/07/25 19:33:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hotspot Shield
[2013/07/25 19:32:42 | 000,000,000 | ---D | C] -- C:\Program Files\Hotspot Shield
[2013/07/25 19:32:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Application Data\Hotspot Shield
[2010/03/07 14:09:26 | 000,092,064 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmmdm.sys
[2010/03/07 14:09:26 | 000,079,328 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmserd.sys
[2010/03/07 14:09:26 | 000,066,656 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmbus.sys
[2010/03/07 14:09:26 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Joe\usbsermptxp.sys
[2010/03/07 14:09:26 | 000,022,768 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Joe\usbsermpt.sys
[2010/03/07 14:09:26 | 000,009,232 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmmdfl.sys
[2010/03/07 14:09:26 | 000,006,208 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmcmnt.sys
[2010/03/07 14:09:26 | 000,005,936 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmwhnt.sys
[2010/03/07 14:09:26 | 000,004,048 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmcr.sys
[1 C:\Documents and Settings\LocalService\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\LocalService\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/08/21 18:39:02 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/08/21 18:34:51 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-448539723-515967899-725345543-1004.job
[2013/08/21 18:34:32 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/08/21 18:34:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/08/21 18:32:38 | 000,003,274 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\Wmi.reg
[2013/08/21 18:32:24 | 000,005,848 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\SharedAccess.reg
[2013/08/21 18:32:19 | 000,003,658 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\wscsvc.reg
[2013/08/21 18:32:14 | 000,002,764 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\ALG.reg
[2013/08/20 17:44:08 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\MBR.dat
[2013/08/20 17:42:12 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Joe\Desktop\aswMBR.com
[2013/08/19 21:21:48 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2013/08/19 21:16:12 | 004,009,167 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\ServicesRepair.com
[2013/08/19 17:33:00 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hotspot Shield.lnk
[2013/08/19 17:30:58 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/08/18 17:56:01 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-515967899-725345543-1004.job
[2013/08/18 14:57:25 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\avenger.zip
[2013/08/17 23:23:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
[2013/08/17 22:06:02 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2013/08/17 20:37:56 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/08/03 13:09:18 | 000,001,124 | ---- | M] () -- C:\Documents and Settings\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickStores.lnk
[2013/07/24 03:10:56 | 000,044,744 | ---- | M] (AnchorFree Inc.) -- C:\WINDOWS\System32\drivers\hssdrv.sys

========== Files Created - No Company Name ==========

[2013/08/21 18:32:38 | 000,003,274 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\Wmi.reg
[2013/08/21 18:32:24 | 000,005,848 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\SharedAccess.reg
[2013/08/21 18:32:19 | 000,003,658 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\wscsvc.reg
[2013/08/21 18:32:13 | 000,002,764 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\ALG.reg
[2013/08/20 17:44:08 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\MBR.dat
[2013/08/19 21:16:11 | 004,009,167 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\ServicesRepair.com
[2013/08/18 14:57:43 | 000,731,136 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\avenger.com
[2013/08/18 14:57:24 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\avenger.zip
[2013/08/03 13:09:18 | 000,001,124 | ---- | C] () -- C:\Documents and Settings\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickStores.lnk
[2013/07/25 19:33:37 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hotspot Shield.lnk
[2013/06/30 10:34:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/06/22 19:48:44 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Joe\Application Data\SharedSettings.ccs
[2013/05/09 19:00:44 | 000,646,807 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-448539723-515967899-725345543-1004-0.dat
[2013/05/09 19:00:38 | 000,299,122 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2013/02/21 22:02:23 | 000,000,096 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2012/04/04 23:49:04 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/03/07 14:11:53 | 000,070,690 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem41.PNF
[2010/03/07 14:11:53 | 000,054,341 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem41.inf
[2010/03/07 14:11:53 | 000,016,002 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem36.PNF
[2010/03/07 14:11:53 | 000,015,682 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem33.PNF
[2010/03/07 14:11:53 | 000,014,334 | ---- | C] () -- C:\Documents and Settings\Joe\Copy (2) of oem28.PNF
[2010/03/07 14:11:53 | 000,012,866 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem31.PNF
[2010/03/07 14:11:53 | 000,012,828 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem30.PNF
[2010/03/07 14:11:53 | 000,012,348 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem32.PNF
[2010/03/07 14:11:53 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem36.inf
[2010/03/07 14:11:53 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem33.inf
[2010/03/07 14:11:53 | 000,007,754 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem34.PNF
[2010/03/07 14:11:53 | 000,007,314 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem35.PNF
[2010/03/07 14:11:53 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Joe\1267967513-(null)
[2010/03/07 14:11:53 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem34.inf
[2010/03/07 14:11:53 | 000,006,209 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem31.inf
[2010/03/07 14:11:53 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem30.inf
[2010/03/07 14:11:53 | 000,005,813 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem32.inf
[2010/03/07 14:11:53 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem35.inf
[2010/03/07 14:09:26 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_MDM.INF
[2010/03/07 14:09:26 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Joe\USB_MOT_BRIT.INF
[2010/03/07 14:09:26 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Joe\USBMOT2000.INF
[2010/03/07 14:09:26 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_BUS.INF
[2010/03/07 14:09:26 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\Joe\USBMOT2000XP.INF
[2010/03/07 14:09:26 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\Joe\USB_MOT_A1000.INF
[2010/03/07 14:09:26 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Joe\USB_CMCS_2000.INF
[2010/03/07 14:09:26 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_SDM.INF
[2010/03/07 14:09:20 | 000,070,690 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem28.PNF
[2010/03/07 14:09:20 | 000,054,341 | ---- | C] () -- C:\Documents and Settings\Joe\1267967360-(null)
[2008/03/04 23:48:34 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/31 18:55:51 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2007/12/31 17:39:10 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 01:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 13:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 01:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

========== Base Services ==========
No service found with a name of ALG
SRV - [2008/04/14 01:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/14 01:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2012/07/06 14:58:51 | 000,078,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/14 01:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/14 01:11:51 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2009/04/20 18:17:26 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2008/04/14 01:11:52 | 000,033,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/14 01:12:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2008/04/14 01:11:54 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2008/04/14 01:12:22 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/14 01:11:52 | 000,023,552 | ---- | M] (Microsoft Corp.) [On_Demand | Stopped] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/14 01:12:17 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/14 01:12:17 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/14 01:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/06/20 17:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\mswsock.dll -- (Nla)
SRV - [2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2010/08/17 14:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/14 01:12:03 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/14 01:12:03 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2009/02/09 13:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs)
SRV - [2008/04/14 01:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/14 01:12:05 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
No service found with a name of wscsvc
SRV - [2010/08/27 06:57:43 | 000,099,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/14 01:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/14 01:12:05 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/14 01:11:56 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/14 01:12:07 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/14 01:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/14 01:12:38 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/14 01:11:50 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
SRV - [2008/04/14 01:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Unknown] -- C:\WINDOWS\system32\svchost.exe -- (SharedAccess)
SRV - [2008/04/14 01:12:08 | 000,333,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc)
SRV - [2008/04/14 01:12:28 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/14 01:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2009/02/09 13:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi)
SRV - [2008/04/14 01:11:52 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)
SRV - [2008/04/14 01:12:11 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2009/06/10 07:14:49 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)

< >

========== Files - Unicode (All) ==========
[2009/04/29 03:11:18 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
[2009/04/29 03:11:18 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
[2009/04/24 17:15:11 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“
[2009/04/24 17:15:11 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“

< End of report >
  • 0

#27
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Download RogueKiller to your desktop

Note: This is a French tool so don't be surprised when you find the page displays with some French.

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • Click on Scan

    Posted Image
  • Wait for the scan to finish.
  • The report is created on your desktop.
Please post the contents of all the RKreport.txt files from your desktop in your next Reply.
  • 0

#28
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Joe [Admin rights]
Mode : Scan -- Date : 08/21/2013 21:20:18
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe [7] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : TvtXdnsd (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-448539723-515967899-725345543-1004\[...]\Run : TvtXdnsd (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe [-]) -> FOUND
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : userinit (c:\windows\system32\userinit.exe,,C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe [7][-]) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SECU] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ SECU] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ SECU] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


˙ž1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3250820AS +++++
--- User ---
[MBR] c22358d4f4a6616a5ccf77711b57b869
[BSP] a1cd38a3ebe5e0fca92649b10ccc2fee : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08212013_212018.txt >>
  • 0

#29
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
It found a bunch of things but i did not delete any just in case.
  • 0

#30
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Step 1. RogueKiller fix.

  • Run RogueKiller.
  • Wait until Prescan has finished...
  • Click on Scan

    Posted Image
  • Wait for the scan to finish.
  • The report is created on your desktop.
  • Click on the Delete button

    Posted Image
  • The report is created on your desktop.
Please post the contents of all the RKreport.txt files from your desktop in your next Reply.

Step 2. OTL scan.

  • Run OTL.
  • Click on Scan All Users checkbox, which is located near Quick Scan button.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    BASESERVICES
  • Then click the Run Scan button at the top.
  • Let the program run unhindered.
  • When the scan completes, it will open notepad window - OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file, one at a time and post them in your topic.
So, please, don't forget to post in your next message:

  • OTL.txt
  • RogueKiller log

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP