Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Two PCs that hang up very quickly unless in safe mode

Started by Andy Spragg , May 07 2010 03:37 PM

  • Please log in to reply

#1
Andy Spragg
Posted 07 May 2010 - 03:37 PM

Andy Spragg

    Member

  • Member
  • PipPip
  • 31 posts
Hi again folks,

Seeking help with two poorly PCs, both displaying the same problem - they'll only run in safe mode, or safe mode with networking. Boot either one normally, and it'll be unresponsive before quickly hanging completely, within the space of 30 seconds for one, or a couple of minutes for the other.

I suspect malware, but I only have circumstantial evidence, the most convincing of which is that yesterday I tried to run chkdsk on the one that hangs quicker. Safe mode, no apps running. chkdsk said "could not lock disk" and then it said "chkdsk could not start because another process is using the disk" and asked me if I'd like to schedule it to start on next reboot. I did this and let it run overnight, so I don't know what it found or did, if anything, but it hasn't helped.

I've followed the malware and spyware cleaning guide on this machine, but I don't know how useful it will have been in safe mode:
- MBAM found three infected items (registry keys for MyWebSearch, which I found and thought I had cleaned a few days ago)
- Trend Micro AV found nothing
- GMER found no system modification
- OTL ran quickly to completion

MBAM and OTL logs below. Still working through the procedure on the other machine.

Andy

---

vMalwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4076

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

07/05/2010 21:29:58
mbam-log-2010-05-07 (21-29-58).txt

Scan type: Quick scan
Objects scanned: 111130
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and

deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and

deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and

deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---

OTL logfile created on: 07/05/2010 22:23:39 - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 727.00 Mb Available Physical Memory | 71.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.65 Gb Total Space | 86.61 Gb Free Space | 88.69% Space Free | Partition Type: NTFS
Drive D: | 92.25 Gb Total Space | 86.90 Gb Free Space | 94.19% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WIN-54769632BA0
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/28 22:11:42 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/04/04 10:45:38 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/03/24 20:09:36 | 000,169,296 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
PRC - [2009/02/12 18:52:44 | 000,161,104 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\platformdependent\ProToolbarComm.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/28 22:11:42 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/10/21 01:50:10 | 000,711,248 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe -- (SfCtlCom)
SRV - [2009/09/04 02:07:28 | 000,497,008 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\Internet Security\TmPfw.exe -- (TmPfw)
SRV - [2009/09/04 01:51:40 | 000,677,128 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (TmProxy)
SRV - [2009/03/03 09:46:13 | 000,341,256 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2008/08/14 12:08:59 | 000,181,584 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe -- (Security Activity Dashboard Service)


========== Driver Services (SafeList) ==========

DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/12/04 17:39:06 | 000,230,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\tmxpflt.sys -- (tmxpflt)
DRV - [2009/12/04 17:38:18 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\tmpreflt.sys -- (tmpreflt)
DRV - [2009/12/04 17:05:06 | 001,322,680 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\vsapint.sys -- (vsapint)
DRV - [2009/04/03 00:08:54 | 000,050,192 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2009/04/03 00:08:52 | 000,050,192 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2009/04/03 00:08:48 | 000,153,104 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009/03/04 00:12:44 | 000,080,400 | ---- | M] (Trend Micro Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2009/03/03 10:08:15 | 000,335,376 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2008/04/13 19:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 17:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/06/27 02:58:16 | 002,303,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/11/21 19:28:30 | 000,209,536 | ---- | M] (ULi Electronics Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\m5288.sys -- (m5288)
DRV - [2005/11/10 12:54:56 | 000,402,944 | ---- | M] (Belkin Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BLKWGU.sys -- (BLKWGU(Belkin)) Belkin Wireless G USB Network Adapter(Belkin)
DRV - [2005/10/05 17:21:10 | 000,141,312 | R--- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2005/08/11 13:49:28 | 000,393,088 | R--- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2005/03/30 08:24:00 | 000,230,400 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2004/10/27 15:21:30 | 000,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2004/10/25 14:40:58 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZDPSp50.sys -- (ZDPSp50)
DRV - [2004/08/13 11:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/04 13:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2003/07/24 12:10:34 | 000,017,149 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DNINDIS5.SYS -- (DNINDIS5)
DRV - [2001/08/17 15:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 12:11:18 | 000,020,160 | ---- | M] (ADMtek Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ADM8511.SYS -- (ADM8511)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/...?FORM=IEFM1&q="
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://go.microsoft..../?LinkId=69157"
FF - prefs.js..extensions.enabledItems: {22181a4d-af90-4ca3-a569-faed9118d6bc}:1.2.0.1073
FF - prefs.js..keyword.URL: "http://www.bing.com/...?FORM=IEFM1&q="

FF - HKLM\software\mozilla\Firefox\extensions\\{22181a4d-af90-4ca3-a569-faed9118d6bc}: C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension [2010/01/24 08:53:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/09 13:31:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 10:45:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/19 00:22:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2008/12/30 18:15:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/05/04 20:48:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\i263r173.default\extensions
[2009/09/04 07:49:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\i263r173.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/17 20:30:08 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\i263r173.default\searchplugins\bing.xml
[2008/12/30 01:22:49 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/18 07:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll

O1 HOSTS File: ([2004/08/04 13:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (TSToolbarBHO) - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (Trend Micro Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Trend Micro Toolbar) - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (Trend Micro Inc.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HdAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [EPSON Stylus D92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe (Belkin)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1230576961612 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1230576948893 (MUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\tmtb {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (Trend Micro Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/07 19:07:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{f43b6616-d5cb-11dd-8b8d-0018f362a021}\Shell\AutoRun\command - "" = K:\autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/08/07 19:36:34 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

========== Files/Folders - Created Within 90 Days ==========

[2010/04/28 22:12:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\gmer
[2010/04/28 22:11:41 | 000,563,712 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/04/22 22:49:59 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/22 22:40:07 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\TFC.exe
[2010/04/22 15:45:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/04/22 15:36:05 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IECompatCache
[2010/04/22 15:36:03 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2010/03/17 00:34:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Tracing
[2010/03/17 00:33:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/03/17 00:33:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/03/17 00:33:34 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2010/03/17 00:33:14 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2010/03/17 00:22:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live

========== Files - Modified Within 90 Days ==========

[2010/05/07 21:50:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/07 21:48:48 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/07 21:44:58 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/05/07 21:44:48 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/07 21:44:47 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/07 21:44:08 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/05/07 21:44:08 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/05/07 21:44:06 | 003,184,656 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/05/07 21:10:50 | 000,355,033 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SysProt.zip
[2010/05/04 17:49:06 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/29 09:14:11 | 000,014,877 | ---- | M] () -- D:\Steph\Birthday list.docx
[2010/04/29 09:08:54 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Word 2007.lnk
[2010/04/28 22:11:42 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/04/28 22:10:12 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2010/04/26 21:30:13 | 000,000,162 | -H-- | M] () -- D:\Steph\~$rthday list.docx
[2010/04/22 22:40:08 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\TFC.exe
[2010/04/22 15:49:13 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/22 15:49:13 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/22 15:49:13 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/22 12:58:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\settings.dat
[2010/04/21 17:52:02 | 000,000,855 | ---- | M] () -- C:\WINDOWS\goldwave.ini
[2010/04/21 17:48:11 | 000,011,703 | ---- | M] () -- D:\Steph\West End petition.docx
[2010/04/09 21:13:47 | 000,013,129 | ---- | M] () -- D:\Steph\Chocolate Chestnut Cake.docx
[2010/04/05 14:01:52 | 000,012,527 | ---- | M] () -- D:\Steph\Comedy script 2.docx
[2010/04/05 13:22:38 | 000,012,333 | ---- | M] () -- D:\Steph\Blame Carrington.docx
[2010/04/04 10:49:18 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/03/29 11:26:04 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/29 11:26:04 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/29 11:26:04 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/21 01:07:30 | 000,019,763 | ---- | M] () -- D:\Steph\Comedy script.docx
[2010/03/20 01:33:29 | 000,011,910 | ---- | M] () -- D:\Steph\Hot chocolate set letter.docx
[2010/03/02 15:47:30 | 000,000,347 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\The Highway Code '09.lnk

========== Files Created - No Company Name ==========

[2010/05/07 21:10:49 | 000,355,033 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SysProt.zip
[2010/04/28 22:10:12 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2010/04/26 21:30:13 | 000,000,162 | -H-- | C] () -- D:\Steph\~$rthday list.docx
[2010/04/22 12:58:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\settings.dat
[2010/04/11 11:57:40 | 000,011,703 | ---- | C] () -- D:\Steph\West End petition.docx
[2010/04/09 21:13:47 | 000,013,129 | ---- | C] () -- D:\Steph\Chocolate Chestnut Cake.docx
[2010/03/25 10:44:46 | 000,012,527 | ---- | C] () -- D:\Steph\Comedy script 2.docx
[2010/03/14 13:05:37 | 000,011,910 | ---- | C] () -- D:\Steph\Hot chocolate set letter.docx
[2010/03/02 15:47:30 | 000,000,347 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\The Highway Code '09.lnk
[2009/04/14 22:00:36 | 000,000,031 | -H-- | C] () -- C:\WINDOWS\UKCpInfo.sys
[2009/01/23 20:53:34 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/12/30 01:24:12 | 000,001,403 | ---- | C] () -- C:\WINDOWS\MQPreset.ini
[2008/12/30 01:24:12 | 000,000,211 | ---- | C] () -- C:\WINDOWS\Multique.ini
[2008/12/30 01:23:15 | 000,006,592 | ---- | C] () -- C:\WINDOWS\gwpreset.ini
[2008/12/30 01:23:15 | 000,000,855 | ---- | C] () -- C:\WINDOWS\goldwave.ini
[2008/12/29 18:22:51 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/12/13 18:06:28 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/08/11 13:44:48 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/08/11 12:20:08 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\TnetWCoInst.dll
[2005/07/12 15:44:42 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2004/03/23 17:38:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[1999/01/22 19:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/12/29 18:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2008/12/29 18:24:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2009/01/23 20:29:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Thunderbird

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2008/08/07 19:07:33 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/04/22 15:49:13 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008/08/07 19:07:33 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/08/07 19:07:33 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/04/22 22:49:18 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2010/04/05 21:19:24 | 000,000,135 | ---- | M] () -- C:\moduleName.txt
[2008/08/07 19:07:33 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/12/29 21:48:28 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/07 21:50:50 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/08/07 19:41:10 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/08/07 19:41:10 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/08/07 19:41:10 | 000,921,600 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 14:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/02/11 13:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys
< End of report >

---

OTL Extras logfile created on: 07/05/2010 22:23:39 - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 727.00 Mb Available Physical Memory | 71.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.65 Gb Total Space | 86.61 Gb Free Space | 88.69% Space Free | Partition Type: NTFS
Drive D: | 92.25 Gb Total Space | 86.90 Gb Free Space | 94.19% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WIN-54769632BA0
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04677911-D5DC-C500-A4E8-2D5CCC9180E9}" = CCC Help Greek
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0629A9E3-42C3-38F4-7DE1-84647E9BE9CE}" = ccc-utility
"{083F79E4-6FE9-46FB-A6C6-4F8862742947}" = ATI HYDRAVISION
"{15327F19-DCA5-D102-0A11-C8B213AC278A}" = Catalyst Control Center Localization Greek
"{170A555B-8B7C-18A7-FBB3-68FCD8171BEF}" = CCC Help English
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{2100F7DB-91AA-8C7C-1917-E41BE3E06C64}" = CCC Help Dutch
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{23101306-56BD-BD95-DE03-907203A2D121}" = CCC Help Russian
"{23F84188-E168-12FC-68E1-0BC2B9ADA0F7}" = CCC Help Thai
"{252E8DB0-E036-1BFD-D1BA-0434C3B66B41}" = ccc-core-preinstall
"{255B921D-AE7F-8C7A-ACEA-9C7420659DC5}" = Catalyst Control Center Localization Thai
"{25F78FDD-6D45-5229-3602-1026D916B534}" = CCC Help Japanese
"{281D1C3D-50DA-46B4-D3E3-B811A9A3E644}" = Catalyst Control Center Localization Dutch
"{2847E94E-E127-1018-BA2D-1B99C229BE71}" = CCC Help Polish
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{32AF8E1C-CCC7-78D0-1BD6-E48EFFBBEE92}" = Catalyst Control Center Localization French
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{385DFAC7-B31A-6FB0-1EB6-CD4854D55219}" = Catalyst Control Center Localization Swedish
"{3D6816CE-0943-85C8-8AB4-88C23C38CECB}" = Catalyst Control Center Localization Chinese Traditional
"{4026F0FC-CD1B-C487-B5C6-E815B258A1CA}" = Catalyst Control Center Graphics Light
"{40E12A55-C504-4223-AFAC-7672DBF1ACDE}" = Trend Micro Internet Security Pro
"{44EBA8D8-C559-A742-692D-51D2049AB8F1}" = CCC Help Finnish
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45E5354A-2CB2-EB0B-D930-29F8DD9F17AC}" = CCC Help Turkish
"{4846B4A3-E2E3-61A3-2B9F-3674291C3C97}" = CCC Help Spanish
"{491E695B-D88A-96B3-5DD6-C8487E6CF145}" = CCC Help Swedish
"{52DF099A-2A4A-4714-756F-3E4719FE4672}" = Skins
"{5399ACAF-7B15-43D5-9233-4E797B184FD2}" = AVIVO
"{54043BD9-50E5-96F0-D95F-E8BAACE26D89}" = Catalyst Control Center Localization Finnish
"{54B21299-1523-BA6D-CF0C-37122B5CB762}" = CCC Help Italian
"{5DA6F06A-B389-407B-BF8C-1548767914D8}" = ATI Problem Report Wizard
"{67E76212-F672-32C4-0828-5BE8F7B85966}" = Catalyst Control Center Graphics Full New
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6A9D8554-E01A-B116-C84D-810589D016A1}" = Catalyst Control Center Localization Japanese
"{6C144163-02C2-B57F-AB61-56DA5546B2BB}" = Catalyst Control Center Localization Spanish
"{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}" = Trend Micro Internet Security Pro
"{74DF227F-21FD-1B67-B1C2-635B14A0158E}" = CCC Help Danish
"{76CA3745-48C8-1B2E-4090-56711467CD43}" = Catalyst Control Center Localization Portuguese
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B545503-5C31-B8A4-9B77-B6B99ADEC09D}" = Catalyst Control Center Localization Russian
"{7D4A509E-8F02-7850-5837-B50D08D47FF5}" = Catalyst Control Center Localization Czech
"{7DD3D82C-714A-F883-D93B-4C129D5FFA15}" = Catalyst Control Center Localization Norwegian
"{7E95FCBF-A6E7-2475-7A87-C6D4A355AA66}" = Catalyst Control Center Localization German
"{8010923B-40C7-0ECC-95C5-50623E548D96}" = CCC Help Portuguese
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82CD426E-31DC-2F43-205E-E01E5C098F5A}" = CCC Help Chinese Traditional
"{8A8F8391-4C2C-4BE1-A984-CD4A5A546467}" = EPSON Easy Photo Print
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{920560B7-6A55-DC40-5525-5F44A494F740}" = CCC Help Czech
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9B56936D-273E-F723-89D1-6EB3FC858AB5}" = ccc-core-static
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B545059F-F74D-115D-2BAD-56555D575FCD}" = CCC Help Norwegian
"{C03DF297-96AD-B6D5-92EA-D99F5D76E5A3}" = CCC Help German
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5DC3DD5-80E0-88B9-2AF4-DFBEF10E4EBB}" = CCC Help Chinese Standard
"{C66844A2-A373-1EEB-589E-AFD77E661FC9}" = Catalyst Control Center Core Implementation
"{C8781F28-84B1-4DBB-4627-951652B04293}" = CCC Help French
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CC8EA619-F11E-AD1F-93B7-7B356752185A}" = Catalyst Control Center Localization Polish
"{CD13227D-2CA4-AB85-8674-5F6ADF42B882}" = Catalyst Control Center Localization Korean
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6FC3A76-C2BD-0B95-FB03-7EE37A8D2B21}" = Catalyst Control Center Localization Hungarian
"{D83D00F3-BBEF-B19D-5FE3-AA3C2BD726E3}" = Catalyst Control Center Localization Turkish
"{D966EC30-E3FF-9B17-BB68-2277D0870F5B}" = Catalyst Control Center Graphics Previews Common
"{E5ADC9FD-8C1F-456E-DFFB-716FE481C520}" = CCC Help Hungarian
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F30E3BD6-F658-FDC3-8FF7-13302359DDD8}" = CCC Help Korean
"{F4B265CB-59BF-CCB2-F606-B8D16EE2D8ED}" = Catalyst Control Center Localization Chinese Standard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F860DD52-99C8-8746-1F2E-71A662B59FEA}" = Catalyst Control Center Graphics Full Existing
"{FAFDA3E9-7035-5EF2-679C-C787EFD01ADF}" = Catalyst Control Center Localization Danish
"{FB63CC95-17BA-A660-35EE-EAEBBA79C30C}" = Catalyst Control Center Localization Italian
"{FDC53DC6-137A-4541-BFA2-A9BAE4A7FE99}" = ULi Sata Driver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner (remove only)
"Coupon Printer2.0" = Coupon Printer
"EPSON Printer and Utilities" = EPSON Printer Software
"ERUNT_is1" = ERUNT 1.1j
"GoldWave v4.25" = GoldWave v4.25
"Google Chrome" = Google Chrome
"Google Updater" = Google Updater
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Multiquence v2.02" = Multiquence v2.02
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Registrar Lite 2.00" = Registrar Lite 2.00
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ OSession Events ]
Error - 08/11/2009 07:42:26 | Computer Name = WIN-54769632BA0 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 22
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 07/05/2010 16:14:31 | Computer Name = WIN-54769632BA0 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 07/05/2010 16:15:33 | Computer Name = WIN-54769632BA0 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 07/05/2010 16:16:57 | Computer Name = WIN-54769632BA0 | Source = Service Control Manager | ID = 7001
Description = The Trend Micro Proxy Service service depends on the Trend Micro TDI
Driver service which failed to start because of the following error: %%31

Error - 07/05/2010 16:16:57 | Computer Name = WIN-54769632BA0 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips Processor tmtdi

Error - 07/05/2010 16:44:08 | Computer Name = WIN-54769632BA0 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 07/05/2010 16:45:13 | Computer Name = WIN-54769632BA0 | Source = ati2mtag | ID = 43034
Description = Unknown EDID version

Error - 07/05/2010 16:45:13 | Computer Name = WIN-54769632BA0 | Source = ati2mtag | ID = 43034
Description = Unknown EDID version

Error - 07/05/2010 16:51:24 | Computer Name = WIN-54769632BA0 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 07/05/2010 16:52:45 | Computer Name = WIN-54769632BA0 | Source = Service Control Manager | ID = 7001
Description = The Trend Micro Proxy Service service depends on the Trend Micro TDI
Driver service which failed to start because of the following error: %%31

Error - 07/05/2010 16:52:45 | Computer Name = WIN-54769632BA0 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips Processor tmtdi


< End of report >
  • 0

Advertisements

#2
RKinner
Posted 08 May 2010 - 11:54 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Copy the next line by highlighting it and then Ctrl + c:

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Atierecord" /s > junk.txt

Start, Run, cmd, OK to bring up a Command window. Right click and select Paste then hit Enter. Type

notepad junk.txt

Copy the text and paste it into a reply.

Ron
  • 0

#3
Andy Spragg
Posted 08 May 2010 - 05:19 PM

Andy Spragg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hi Ron,

Many thanks for a speedy reply. ComboFix and registry query logs below. I wasn't able to properly disable Trend Micro - it doesn't actually load in safe mode, and if run, it doesn't present a UI to give access to options, it just runs and prompts to be shut down when finished - but it seems the personal firewall was still active.

Andy

---

ComboFix 10-05-08.01 - Owner 09/05/2010 0:07.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.821 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\george.exe
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\service
c:\windows\system32\service\06092009_TIS17_SfFniAU.log
c:\windows\system32\service\06122009_TIS17_SfFniAU.log
c:\windows\system32\service\07122009_TIS17_SfFniAU.log
c:\windows\system32\service\08092009_TIS17_SfFniAU.log
c:\windows\system32\service\08112009_TIS17_SfFniAU.log
c:\windows\system32\service\09122009_TIS17_SfFniAU.log
c:\windows\system32\service\13042010_TIS17_SfFniAU.log
c:\windows\system32\service\13092009_TIS17_SfFniAU.log
c:\windows\system32\service\14042009_TIS17_SfFniAU.log
c:\windows\system32\service\14042010_TIS17_SfFniAU.log
c:\windows\system32\service\15022009_TIS17_SfFniAU.log
c:\windows\system32\service\15022010_TIS17_SfFniAU.log
c:\windows\system32\service\16042010_TIS17_SfFniAU.log
c:\windows\system32\service\16092009_TIS17_SfFniAU.log
c:\windows\system32\service\16112009_TIS17_SfFniAU.log
c:\windows\system32\service\18082009_TIS17_SfFniAU.log
c:\windows\system32\service\19082009_TIS17_SfFniAU.log
c:\windows\system32\service\20112009_TIS17_SfFniAU.log
c:\windows\system32\service\21092009_TIS17_SfFniAU.log
c:\windows\system32\service\22092009_TIS17_SfFniAU.log
c:\windows\system32\service\22122009_TIS17_SfFniAU.log
c:\windows\system32\service\23092009_TIS17_SfFniAU.log
c:\windows\system32\service\23112009_TIS17_SfFniAU.log
c:\windows\system32\service\23122009_TIS17_SfFniAU.log
c:\windows\system32\service\24012009_TIS17_SfFniAU.log
c:\windows\system32\service\25012009_TIS17_SfFniAU.log
c:\windows\system32\service\26092009_TIS17_SfFniAU.log
c:\windows\system32\service\27012010_TIS17_SfFniAU.log
c:\windows\system32\service\27082009_TIS17_SfFniAU.log
c:\windows\system32\service\27102009_TIS17_SfFniAU.log
c:\windows\system32\service\29092009_TIS17_SfFniAU.log
c:\windows\system32\service\29102009_TIS17_SfFniAU.log
c:\windows\system32\service\30122008_TIS17_SfFniAU.log
c:\windows\system32\service\30122009_TIS17_SfFniAU.log
c:\windows\system32\service\31102009_TIS17_SfFniAU.log

.
((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-08 14:26 . 2010-05-08 14:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-22 21:49 . 2010-04-22 21:50 -------- d-----w- c:\program files\ERUNT
2010-04-22 14:36 . 2010-04-22 14:36 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-04-22 11:58 . 2010-04-22 11:58 0 ----a-w- c:\documents and settings\Owner\settings.dat
2010-04-13 11:11 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 14:27 . 2009-01-23 19:29 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-07 20:14 . 2009-09-27 18:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 20:12 . 2010-04-22 21:49 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-29 14:39 . 2009-09-27 18:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-09-27 18:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-15 22:44 . 2009-03-08 20:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-16 23:33 . 2010-03-16 23:33 -------- d-----w- c:\program files\Microsoft
2010-03-16 23:33 . 2010-03-16 23:33 -------- d-----w- c:\program files\Windows Live
2010-03-16 23:33 . 2010-03-16 23:33 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-16 23:22 . 2010-03-16 23:22 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-12 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [11/08/2008 12:39 209536]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [29/12/2008 18:25 335376]
S2 gupdate1ca1ba2c4705fb6;Google Update Service (gupdate1ca1ba2c4705fb6);c:\program files\Google\Update\GoogleUpdate.exe [13/08/2009 00:15 133104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [27/09/2009 19:44 304464]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [29/12/2008 18:43 181584]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [29/12/2008 18:42 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [29/12/2008 18:42 497008]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [29/12/2008 18:25 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [29/12/2008 18:42 677128]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [08/08/2008 11:58 20160]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS --> c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [27/09/2009 19:44 20952]
.
Contents of the 'Scheduled Tasks' folder

2010-05-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-12 23:12]

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 23:15]

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 23:15]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i263r173.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 00:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-09 00:10:23
ComboFix-quarantined-files.txt 2010-05-08 23:10

Pre-Run: 92,860,436,480 bytes free
Post-Run: 92,826,636,288 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 06E49A3A79B36DB106DA6E533FF39E19

---


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Atierecord
eRecordEnable REG_DWORD 0x1
eRecordEnablePopups REG_DWORD 0x1

---
  • 0

#4
RKinner
Posted 08 May 2010 - 06:35 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Start, Run, regedit, OK to bring up the registry editor. Find

HKEY_LOCAL_MACHINE and click on the + in front of it. It will now show some entries under it.

Find SYSTEM and click on the + in front of it.

Find CurrentControlSet and click on the + in front of it.

Find Services and click on the + in front of it.

Find Atierecord and click on it.

Look in the right pane and find:

eRecordEnable

Double click on it and change the 1 to 0 then OK.

Look in the right pane and find:

eRecordEnablePopups

Double click on it and change the 1 to 0 then OK.

Close regedit and reboot into regular mode. Is it any faster?

Ron
  • 0

#5
Andy Spragg
Posted 09 May 2010 - 03:16 AM

Andy Spragg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hi Ron,

Sorry for delay - read your reply last night on my machine but couldn't get onto this one until this morning. I flipped the registry entries but no difference - in normal mode, I can move the (wired) mouse cursor but can't actually do anything with it. Similarly with the (wired) keyboard; none of the "action" keys do anything.

Andy
  • 0

#6
RKinner
Posted 09 May 2010 - 10:02 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I don't keep track so never notice delays.

Start, Run, msconfig, OK

Under Startup uncheck everything and Apply

Under Services, first check Hide Microsoft Services and then uncheck everything remaining and OK. Let it reboot into normal mode. Does it work? (You can cancel msconfig when it comes up after the boot). If so one of the startups or services is the cause of the problem. Go back into msconfig and check the services and OK then reboot. Does it work this time? If not one of the services is bad. Uncheck about half and OK then reboot. If it still works after checking all of the services then try checking about half of the Startups. We are trying to narrow it down to one or two items.

If that makes no difference then uncheck the Hide Microsoft Services and uncheck everything and see if that does it.



Ron
  • 0

#7
Andy Spragg
Posted 10 May 2010 - 01:18 PM

Andy Spragg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hi Ron,

Now we're getting somewhere! To cut quite a long story short, I've nailed the culprit and somewhat to my surprise it's Malwarebytes - mbamgui.exe, to be precise. And it's a reproducible and sole culprit - when it's disabled, all works fine, when it's enabled, very quickly nothing works. It also isn't an interaction with Trend Micro (as I thought it might be, once I found out it was the enabled presence of MBAM that was causing the problem), because with MBAM enabled and Trend Micro disabled, I still see the problem.

Odds are I've done two machines for the price of one here because the other one that is showing the same symptoms also uses MBAM and Trend Micro.

So I guess it's time to refer the question over to the good folks at Malwarebytes, unless you can short-circuit the process with any prior knowledge? Even if so, I need to refer it to them anyway - I've searched their own forum and can't find any similar reports.

Andy
  • 0

#8
RKinner
Posted 10 May 2010 - 01:24 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
First I've heard of a problem like that but put msconfig back to normal, uninstall MBAM, reboot and download and reinstall the latest version. A new version was just released last week. Perhaps it is a known bug that no one talks about that has been fixed in the new version.

Ron
  • 0

#9
Andy Spragg
Posted 10 May 2010 - 02:50 PM

Andy Spragg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts

First I've heard of a problem like that but put msconfig back to normal, uninstall MBAM, reboot and download and reinstall the latest version.


I'll need to do that in a different order (or uninstall MBAM in safe mode), because if I put msconfig back to normal, I won't be able to do anything in normal mode! Bit of a Catch 22. I think the thing to do is uninstall in safe mode, rather than mess with the suggested order, yes?

A new version was just released last week. Perhaps it is a known bug that no one talks about that has been fixed in the new version.


There were certainly known issues with the previous version that the current version was intended to fix. Thing is, both machines claim to be using the latest version! One of the things I did whilst regularly in safe mode was to update MBAM (I couldn't update Trend Micro until now because in safe mode, it just goes straight into a scan without displaying the normal UI). But yes, since the "latest version" was arrived at under abnormal circumstances, the first obvious thing to try is uninstall and reinstall.

For reference, here's the thread in the MBAM forum:

http://forums.malwar...showtopic=47974

I opened it at the time I originally sought help here, and was asked to report on the results from here.

Andy
  • 0

#10
RKinner
Posted 10 May 2010 - 02:56 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Safe Mode should work.

Ron
  • 0

Advertisements

#11
Andy Spragg
Posted 13 May 2010 - 02:41 PM

Andy Spragg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hi Ron,

Thought we were done but we're not - sorry.

We never removed Combofix. I looked in another thread to remind myself how to do it, and tried, but it didn't work. Start-Run-combofix /u and it just runs and scans. I tried it twice. The log file states it ran with the command line switch /u but for whatever reason it isn't working. I did wonder if it was because we renamed it george on the desktop, but the person in the thread I looked at had also been told to rename it, and they just got told combofix /u and it worked. When I run, I can see that it's george that is running, but it's not uninstalling. So not sure what's going wrong.

FYI, I tried uninstalling and reinstalling MBAM on both problem machines and it still hangs both machines in normal mode. So I'm going to follow that up with Malwarebytes. But if you can help me uninstall combofix, I'd really appreciate it.

Andy
  • 0

#12
RKinner
Posted 13 May 2010 - 10:34 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Since we rename combofix to george.exe it's a bit different:

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.


Make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.4.
http://oldmcdonald.w...orun-eater-v24/
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on.


Ron
  • 0

#13
Andy Spragg
Posted 14 May 2010 - 02:05 AM

Andy Spragg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hi Ron,

Combofix all gone. I still have C:\george\nircmdb left over, can I just delete that?

I've hidden everything as per instruction and I still have D:\recycler\S-1-5-21-...(big long alphanumeric string)... visible as well as the standard Recycle Bin. Nothing in it though. What do I do with that?

Thanks for various heads-up on other matters, particularly Adobe.

I do use Firefox. Will Adblock play nicely with NoScript? Or are they not both necessary?

Andy
  • 0

#14
RKinner
Posted 14 May 2010 - 08:18 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
You can delete the folder C:\george and all of its contents.

Right click on d:\recycler and check the Hidden box then OK.

I expect AdBlock Plus and NoScript will work together. If not Firefox is pretty good about telling you.

Ron

Edited by RKinner, 14 May 2010 - 08:20 AM.

  • 0

#15
Andy Spragg
Posted 16 May 2010 - 03:49 PM

Andy Spragg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hello again Ron,

I downloaded WinPatrol and I noticed it's classed as a HIPS application, like Online Armor which I use as my firewall. Does that mean they will conflict?

Andy
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP