
BehavesLike.Win32.Malware.klt (mx-v) [Solved]


#16 godawgs (Teacher, Retired Staff, 8,228 posts)
Combofix found some things. How is the computer running now? Is the issue with IE still there?

#17 Pat_54 (Topic Starter, Member, 212 posts)
Hi Godawgs

The computer is running much better. IE is much better too, but it still hesitates a little on loading the MSN homepage, and I have to wait briefly before I can click on anything; still, it is much better.



#18 godawgs (Teacher, Retired Staff, 8,228 posts)
Hi Pat,

That is good news indeed. Let's run an online scan and see if it finds anything. Then I want to check out that driver that aswMBR found but ComboFix didn't.


Step-1.


Run ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Uncheck the box beside Remove Found Threats
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Wait for the scan to finish. Do not touch either the mouse or keyboard during the scan; otherwise it may stall.
When The Scan is Complete:

  • If No Threats Were Found:
    • Put a checkmark in "Uninstall application on close"
    • Close the program
    • Report to me that nothing was found
  • If Threats Were Found:
    • Click on "list of threats found"
    • Click on "export to text file" and save it to the desktop as ESET SCAN.txt
    • Click on Back
    • Put a checkmark in "Uninstall application on close" (Be sure you have saved the file first)
    • Click on Finish
    • Close the program
    • Copy and paste the report here
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Step-2.

Posted Image OTL Custom Scan

1. Please copy the text in the Quote box below, (Do Not copy the word Quote), and paste it in the Posted Image box in OTL. To do that:
  • Highlight everything inside the quote box, (except the word Quote), right click the mouse and click Copy.

createrestorepoint
/md5start
spae.sys
/md5stop


2. Re-open OTL on the desktop. To do that:
  • XP users: Double click on the OTL icon.
Make sure all other windows are closed.
  • You will see the OTL console (screenshot not preserved here).
  • Click the box beside Scan All Users at the top of the console
  • Do Not click the box beside Include 64bit Scans at the top of the console.
  • Make sure the Output box at the top is set to Standard Output.
  • Place the mouse pointer inside the Posted Image box, right click and click Paste. This will put the above script inside OTL
  • Click the Posted Image button. Do not change any settings unless otherwise told to do so.
  • Let the scan run uninterrupted.
  • When the scan completes, it will open OTL.Txt. This file is also saved in the same location as OTL (it should be on your desktop).
  • Please copy the contents of this file and paste it into your reply. To do that:
  • On the OTL.txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
  • Right click inside the forum post window then click Paste. This will paste the contents of the OTL.txt file in the post window.

Step-3.

Run Security Check

Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step-4.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The ESET log (IF it found anything. IF it didn't just let me know.)
2. The new OTL.txt log
3. The checkup.txt log

#19 Pat_54 (Topic Starter, Member, 212 posts)
Hi godawgs

Just want to let you know it's beginning to take longer to load the homepage, or to get here when clicking on the link you provide in email. I have to wait for the page to load before I can do anything. Here are the results from the next steps you wanted me to do.

Results of screen317's Security Check version 0.99.59
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.70.0.1100
Java™ 6 Update 33
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader 10.1.2 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 4%
````````````````````End of Log``````````````````````


C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP300\A0030752.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP300\A0030753.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP300\A0030754.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP300\A0030755.dll a variant of Win32/Bundled.Toolbar.Ask application


OTL logfile created on: 2/28/2013 6:36:34 PM - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.46 Gb Available Physical Memory | 73.05% Memory free
3.84 Gb Paging File | 3.53 Gb Available in Paging File | 91.90% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.71 Gb Total Space | 42.54 Gb Free Space | 61.91% Space Free | Partition Type: NTFS
Drive D: | 5.80 Gb Total Space | 2.95 Gb Free Space | 50.78% Space Free | Partition Type: FAT32

Computer Name: PATTY | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/02/24 04:15:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2013/01/27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/01/27 11:11:06 | 000,947,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/11/15 13:57:20 | 000,086,216 | ---- | M] (PC Pitstop LLC) -- C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
PRC - [2012/09/07 19:40:06 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/14 15:42:18 | 000,622,653 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2006/03/14 15:40:52 | 001,376,340 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2004/10/08 14:44:24 | 000,098,394 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe


========== Modules (No Company Name) ==========

MOD - [2013/01/02 01:49:10 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2011/02/04 17:48:30 | 000,291,840 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll
MOD - [2008/04/13 19:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 19:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/08/02 02:26:20 | 000,118,784 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll
MOD - [2006/08/02 02:24:54 | 000,348,160 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\IntStngs.dll


========== Services (SafeList) ==========

SRV - [2013/01/27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/11/29 20:31:04 | 000,038,608 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe -- (RealNetworks Downloader Resolver Service)
SRV - [2012/11/15 13:57:20 | 000,086,216 | ---- | M] (PC Pitstop LLC) [Auto | Running] -- C:\Program Files\PCPitstop\PCPitstopScheduleService.exe -- (PCPitstop Scheduling)
SRV - [2012/09/07 19:40:06 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2008/12/01 10:59:52 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus®
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/07/24 03:02:46 | 000,196,608 | ---- | M] (New Boundary Technologies, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2013/02/28 16:28:34 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9540C60F-AA25-460E-A650-F0C550E5F13B}\MpKslf1789b92.sys -- (MpKslf1789b92)
DRV - [2011/09/02 01:31:28 | 000,039,192 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2011/09/02 01:31:20 | 000,041,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2011/09/02 01:30:58 | 000,012,184 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2011/07/22 11:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 16:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/03/22 00:47:50 | 000,023,608 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MP4ConverterAudio.sys -- (MP4ConverterAudio)
DRV - [2010/10/08 20:30:08 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2010/09/27 13:50:44 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/06/14 08:32:54 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2010/05/31 10:31:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/06/04 09:19:18 | 000,003,768 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MusCVideo32.sys -- (MusCVideo32)
DRV - [2008/06/04 09:19:16 | 000,508,544 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MusCDriverV32.sys -- (MusCDriverV32)
DRV - [2007/12/14 09:21:56 | 000,290,816 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2007/06/18 19:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2006/09/14 12:03:52 | 000,980,736 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2006/08/02 03:27:48 | 000,012,544 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/03/14 15:21:18 | 000,328,237 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2006/03/14 15:19:24 | 000,023,271 | ---- | M] (Broadcom Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\btserial.sys -- (BTSERIAL)
DRV - [2006/03/14 15:18:00 | 000,851,402 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2006/03/14 15:15:34 | 000,030,427 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2006/03/14 15:15:24 | 000,030,285 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)
DRV - [2006/03/14 15:14:52 | 000,065,784 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/03/14 15:12:02 | 000,148,900 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2006/03/14 15:10:56 | 000,045,683 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2005/09/09 17:15:32 | 001,032,472 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2003/06/30 04:50:00 | 000,072,894 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lmouflt2.sys -- (LMouFlt2)
DRV - [2003/06/30 04:50:00 | 000,037,884 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHIDUSB.SYS -- (LHidUsb)
DRV - [2003/06/30 04:50:00 | 000,025,214 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHIDFLT2.SYS -- (LHidFlt2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.c...s=PTB&M=NX860XL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.c...s=PTB&M=NX860XL
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-4230808171-790681429-768623690-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.bing.com [binary data]
IE - HKU\S-1-5-21-4230808171-790681429-768623690-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-4230808171-790681429-768623690-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-4230808171-790681429-768623690-500\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-4230808171-790681429-768623690-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-4230808171-790681429-768623690-500\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-4230808171-790681429-768623690-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.0.282: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.0: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.0: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.0: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.0.282: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{34712C68-7391-4c47-94F3-8F88D49AD632}: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ [2013/02/10 18:36:41 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2013/02/28 02:27:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PC Pitstop PC Matic Reminder] C:\Program Files\PCPitstop\PC Matic\Reminder-PCMatic.exe (PC Pitstop LLC)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKU\S-1-5-21-4230808171-790681429-768623690-500..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4230808171-790681429-768623690-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4230808171-790681429-768623690-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-4230808171-790681429-768623690-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-4230808171-790681429-768623690-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\Administrator\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm File not found
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\Administrator\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm File not found
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcp...ols/pcmatic.cab (PCPitstop Utility)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2698A5C7-EA98-4195-ADC3-6AB12C1614C6}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/17 04:41:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/02/28 17:16:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2013/02/28 17:16:46 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/02/28 03:48:39 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/02/28 02:29:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2013/02/28 02:23:40 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/02/28 02:23:40 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/02/28 02:23:40 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/02/28 02:23:40 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/02/28 02:23:33 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/02/28 02:18:21 | 005,036,023 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2013/02/28 01:17:08 | 002,237,968 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.exe
[2013/02/27 20:48:59 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2013/02/26 16:33:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Fix IE
[2013/02/24 18:19:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/02/24 04:16:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\documents
[2013/02/24 04:15:15 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2013/02/10 18:37:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\RealNetworks
[2013/02/10 18:36:40 | 000,000,000 | ---D | C] -- C:\Program Files\RealNetworks
[2013/02/10 18:36:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RealNetworks
[2013/02/10 18:36:22 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2013/02/10 18:36:09 | 000,201,424 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2013/02/10 18:35:51 | 000,000,000 | ---D | C] -- C:\Program Files\real
[2013/02/10 18:35:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Real
[2013/02/10 18:33:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2009/01/01 02:14:27 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Administrator\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2013/02/28 16:40:44 | 000,010,886 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\6857114.pdf
[2013/02/28 16:38:56 | 000,682,845 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\S2043.pdf
[2013/02/28 16:38:04 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/02/28 16:37:47 | 000,000,366 | -H-- | M] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2013/02/28 16:27:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/02/28 04:07:18 | 000,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2013/02/28 02:40:48 | 000,000,326 | RHS- | M] () -- C:\boot.ini
[2013/02/28 02:27:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/02/28 02:18:32 | 005,036,023 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2013/02/28 01:17:12 | 002,237,968 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.exe
[2013/02/27 21:55:05 | 000,000,024 | ---- | M] () -- C:\Documents and Settings\Administrator\random.dat
[2013/02/27 21:25:30 | 000,000,069 | ---- | M] () -- C:\Documents and Settings\Administrator\jagex_cl_runescape_LIVE.dat
[2013/02/27 21:17:32 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2013/02/27 20:49:03 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2013/02/27 18:34:26 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/02/26 16:39:51 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013/02/26 16:34:32 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2013/02/26 16:34:32 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2013/02/26 16:25:07 | 000,415,707 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Fix IE.zip
[2013/02/26 16:21:37 | 000,001,432 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DelDomains.inf
[2013/02/24 15:33:25 | 000,881,935 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SecurityCheck.exe
[2013/02/24 15:23:42 | 000,594,019 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
[2013/02/24 04:15:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2013/02/24 02:04:48 | 000,001,675 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\PC Matic.lnk
[2013/02/15 22:50:58 | 000,691,568 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/02/15 22:50:58 | 000,071,024 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/02/14 16:47:41 | 000,200,936 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/14 01:16:39 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/02/14 01:14:15 | 000,442,140 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/14 01:14:15 | 000,071,910 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/02/10 18:36:09 | 000,201,424 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2013/02/10 18:36:00 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2013/02/10 18:36:00 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2013/02/10 18:35:59 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\WINDOWS\System32\pncrt.dll
[2013/01/30 05:53:21 | 000,232,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

========== Files Created - No Company Name ==========

[2013/02/28 16:40:44 | 000,010,886 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\6857114.pdf
[2013/02/28 16:38:52 | 000,682,845 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\S2043.pdf
[2013/02/28 02:23:40 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/02/28 02:23:40 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/02/28 02:23:40 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/02/28 02:23:40 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/02/28 02:23:40 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/02/27 21:17:32 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2013/02/26 16:49:36 | 000,000,366 | -H-- | C] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2013/02/26 16:24:58 | 000,415,707 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Fix IE.zip
[2013/02/26 16:21:37 | 000,001,432 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\DelDomains.inf
[2013/02/24 15:33:12 | 000,881,935 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\SecurityCheck.exe
[2013/02/24 15:23:21 | 000,594,019 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
[2013/02/24 15:03:34 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/02/24 02:04:48 | 000,001,675 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\PC Matic.lnk
[2012/10/25 23:30:19 | 000,000,071 | ---- | C] () -- C:\Documents and Settings\Administrator\jagex_cl_loginapplet_LIVE.dat
[2012/06/21 19:00:42 | 000,000,070 | ---- | C] () -- C:\Documents and Settings\Administrator\jagex_cl_runescape_LIVE1.dat
[2012/06/01 22:30:20 | 000,000,069 | ---- | C] () -- C:\Documents and Settings\Administrator\jagex_cl_runescape_LIVE.dat
[2012/05/12 18:53:16 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\Administrator\random.dat
[2012/02/25 20:00:35 | 000,000,316 | ---- | C] () -- C:\WINDOWS\w32demo8.ini
[2012/02/17 11:03:45 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/30 00:20:18 | 001,657,376 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2012/01/30 00:20:15 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2012/01/30 00:20:15 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2012/01/30 00:20:13 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2012/01/30 00:20:10 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2012/01/30 00:20:10 | 001,346,080 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2012/01/30 00:20:05 | 000,449,056 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2012/01/30 00:20:04 | 000,436,768 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2011/12/20 20:24:07 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ESGAppInfo.dll
[2011/11/20 12:41:23 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2011/10/28 22:53:24 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
[2011/10/28 22:53:24 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
[2011/10/28 22:53:14 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\$_hpcst$.hpc
[2011/01/25 07:14:21 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/02 23:49:05 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\setup_ldm.iss
[2009/04/07 19:38:36 | 000,000,364 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
[2009/02/10 00:47:28 | 000,002,119 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\ghH6NSCmtt.gif
[2009/02/10 00:47:28 | 000,000,607 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\ghH6NSCmnn.gif
[2009/02/10 00:47:28 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\ghH6NSCmyy.gif
[2009/02/05 19:04:32 | 003,670,016 | ---- | C] () -- C:\Documents and Settings\Administrator\ntuser.bak
[2009/01/31 23:59:44 | 000,002,119 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\tt.gif
[2009/01/31 23:59:44 | 000,000,607 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\nn.gif
[2009/01/31 23:59:44 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\yy.gif
[2009/01/01 20:48:48 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/01/01 02:14:27 | 000,081,920 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
[2009/01/01 02:14:27 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
[2009/01/01 02:14:27 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\pcouffin.inf
[2008/08/14 20:04:24 | 000,001,028 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\WavCodec.wff
[2008/07/29 21:37:50 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2006/06/17 04:37:41 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

< >

< >

< >

< End of report >



  • 0

#20
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi Pat,

Well that's not what we like to hear. Troubleshooting browser problems can be a p-a-i-n. :D And OTL still didn't find anything on spae.sys.
I know you only use IE. Do you have any other browser installed? I see remnants of Firefox but I don't see it in the list of programs installed.
Also you have several programs that are out of date. Let's update them first and then do a search for the spae.sys file.


Step-1.

JAVA Advice
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run important software or need it to play games on-line.
In that instance I would recommend that you only use Firefox or Chrome to visit those sites and do the following:

If you still want to update your Java, follow the instructions below:

A.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java components and update:

  • Download the latest version of the Java Runtime Environment (JRE) from Here or Here and save it to your desktop.
  • Look for "Java Platform, Standard Edition". You will see the current Java version and update number listed under the heading. Example: The newest update is Java SE 7u15
  • Click the "Download JRE" button to the right.
  • On the JSE Downloads page, click the button to "Accept License Agreement".
  • Under the Java SE Runtime Environment 7u15 heading:
    To install the version for your system:
    • For Windows 32 bit systems, look for Windows x86 Offline 30.05MB, click the jre-7u15-windows-i586.exe file and save it to your desktop. Do Not run it from the Java site.
  • Close any programs you may have running - especially your web browser.

B.
Uninstall all versions of Java

  • Click Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Click to (highlight) any Java item. These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE or J2SE
    The versions I see on the computer are:
    • Java™ 6 Update 33
  • Click the Remove or Change/Remove button and follow the on screen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
    -- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

C.
Install the latest JAVA

  • Back on your desktop:
    • Double-click on the jre-7u15-windows-i586.exe file to install the newest version.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
AFTER the installation has completed:
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version. It's on the Update tab in Java in the Control Panel.

[Note:] The Java Quick Starter (JQS.exe) adds a service to improve the initial start up time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > You will have to be in Classic View to see Java (it looks like a coffee cup). Double-click on Java, click the Advanced tab, click Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.


Step-2.

Update Adobe Flash Player

  • Please go to the Adobe Webpage
  • In the middle of the page under Downloads, click on the Adobe Flash Player link.
  • On the next page UNCHECK the box next to Yes, install McAfee Security Scan Plus - optional
  • Click the Download now button
Please note, depending on your settings, you may have to temporarily disable your antivirus software.


Step-3.

Update Adobe Reader

Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader. The versions I see on the computer are:
    • Adobe Reader X (10.1.2)
    • Adobe Reader 9
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, download the latest version of Adobe Reader from Here.
  • Remove the check mark next to Yes, install McAfee Security Scan Plus-optional box.
  • Click the Download Now button to download Adobe Reader and follow the directions.
Alternative Option: After uninstalling Adobe Reader, you could try installing Foxit Reader from HERE. Foxit Reader is a much smaller program. It has fewer add-ons therefore loads more quickly.
NOTE: When installing Foxit Reader, be careful not to install anything to do with AskBar, or any other foistware programs.


Step-4.

Search for a File

Show Hidden Files and Folders
  • Click Start. Click Computer.
  • On the next window, at the top of the window, click Tools then click Folder Options.
  • On the Folder Options window click the View tab.
  • Under the Files and Folders section:
  • Make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that Hide protected system operating files (recommended) is un-checked.
  • Also make sure the Hide extensions for known file types box is un-checked.
  • Close the Computer window.

NEXT....

  • Click Start, then click Search. The Search Companion window will open.
  • Click All files and folders
  • In the All or part of the filename: box type spae.sys
  • Click the down arrow beside More Advanced Options
  • Make sure the Type of file: is set to (All files and folders)
  • Click the box beside the following:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders.
  • Click the Search button and wait until the search finishes.
IF the search found any instances of the spae.sys file, note its location and let me know...or maximize the window by clicking the little square next to the red X in the upper right corner and then take a screen shot of the window and post it in your next reply.

IF the search didn't find any instances of spae.sys complete the next step and let's see if aswMBR still sees it.

Step-5.

Run aswMBR
  • Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe file to run it.
  • If it asks you if you want to download the latest virus definitions, click "No"
  • Click the "Scan" button to start the scan
  • On completion of the scan click save log. Save it to your desktop and post in your next reply.
NOTE: When you run aswMBR, if it is shutdown automatically, then it is most likely the infection detecting that aswMBR is running and terminating it. In this situation you should rename the executable (aswMBR.exe) to iexplore.exe and try it again.


Step-6.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. Answer my question about other browsers
2. Let me know how the updates went.
3. If the search found spae.sys let me know where it is
4. The aswMBR log if you ran the scan
  • 0

#21
Pat_54

Pat_54

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 212 posts
Hi Godawgs

Sorry for the delay but I wasn't able to get on the computer. I hope I did everything right here. I'm still having the same problem with the browser and yeah, you're right, it is a pain. :wacko: I used to have Firefox a long time ago but thought I removed all remnants of it, but I guess not. I guess at my age you get so used to using and having the same thing that changing is hard. I'm not against having a different browser or even changing or removing Java. I heard and read about Java being a security risk but I do play games online sometimes to pass the time and I think there are certain programs I have on my computer that require Java to run. I did remove all old versions and install the latest versions of Java, Adobe Reader, and Flash Player. I also see in Control Panel an Adobe AIR and Adobe Download Assistant; are these needed? Also I could not find Adobe Reader 9; it's not in Control Panel Add and Remove. Where might I find it to remove it? If I download Firefox or Chrome will I still need Java to run online games, or is it just easier to enable and disable with these browsers? Also I ran the search as you asked and nothing came up for spae.sys. I ran aswMBR and here are the results from it. Thank you so much for this.

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-27 20:49:59
-----------------------------
20:49:59.570 OS Version: Windows 5.1.2600 Service Pack 3
20:49:59.570 Number of processors: 2 586 0xF06
20:49:59.570 ComputerName: PATTY UserName:
20:50:01.289 Initialize success
21:00:30.669 AVAST engine defs: 13022701
21:03:05.148 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
21:03:05.148 Disk 0 Vendor: HTS72108 MC4O Size: 76319MB BusType: 3
21:03:05.179 Disk 0 MBR read successfully
21:03:05.179 Disk 0 MBR scan
21:03:05.304 Disk 0 unknown MBR code
21:03:05.320 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 70362 MB offset 12193335
21:03:05.335 Disk 0 Partition 2 00 0B FAT32 RECOVERY 5953 MB offset 63
21:03:06.335 Disk 0 scanning sectors +156296385
21:03:06.413 Disk 0 scanning C:\WINDOWS\system32\drivers
21:03:26.647 Service scanning
21:03:41.443 Service MpKsl60f01f30 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5F71452F-6485-4445-99AE-9D8F4AD2C942}\MpKsl60f01f30.sys **LOCKED** 32
21:03:55.458 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
21:04:02.146 Modules scanning
21:04:11.739 Disk 0 trace - called modules:
21:04:11.770 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IASTOR.SYS spae.sys >>UNKNOWN [0x8a785938]<<
21:04:11.770 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6f4ab8]
21:04:11.770 3 CLASSPNP.SYS[b8188fd7] -> nt!IofCallDriver -> \Device\000000ab[0x8a16df18]
21:04:11.770 5 ACPI.sys[b7e74620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a6f7030]
21:04:12.380 AVAST engine scan C:\WINDOWS
21:04:33.613 AVAST engine scan C:\WINDOWS\system32
21:08:56.947 AVAST engine scan C:\WINDOWS\system32\drivers
21:09:20.134 AVAST engine scan C:\Documents and Settings\Administrator
21:15:25.263 AVAST engine scan C:\Documents and Settings\All Users
21:16:22.355 Scan finished successfully
21:17:32.227 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
21:17:32.321 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-03-02 16:33:10
-----------------------------
16:33:10.328 OS Version: Windows 5.1.2600 Service Pack 3
16:33:10.328 Number of processors: 2 586 0xF06
16:33:10.328 ComputerName: PATTY UserName:
16:33:11.218 Initialize success
16:33:18.265 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
16:33:18.265 Disk 0 Vendor: HTS72108 MC4O Size: 76319MB BusType: 3
16:33:18.281 Disk 0 MBR read successfully
16:33:18.281 Disk 0 MBR scan
16:33:18.281 Disk 0 unknown MBR code
16:33:18.296 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 70362 MB offset 12193335
16:33:18.296 Disk 0 Partition 2 00 0B FAT32 RECOVERY 5953 MB offset 63
16:33:18.312 Disk 0 scanning sectors +156296385
16:33:18.390 Disk 0 scanning C:\WINDOWS\system32\drivers
16:33:26.546 Service scanning
16:33:33.921 Service MpKslfa974844 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{09C06E82-3FBC-4423-B732-728EF1D7B55C}\MpKslfa974844.sys **LOCKED** 32
16:33:38.640 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
16:33:41.843 Modules scanning
16:33:51.187 Disk 0 trace - called modules:
16:33:51.562 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IASTOR.SYS spuj.sys >>UNKNOWN [0x8a785938]<<
16:33:51.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d78ab8]
16:33:51.562 3 CLASSPNP.SYS[b8188fd7] -> nt!IofCallDriver -> \Device\000000ac[0x8a6b9568]
16:33:51.562 5 ACPI.sys[b7e74620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a17c030]
16:33:51.562 Scan finished successfully
16:34:15.750 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
16:34:15.843 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"





  • 0

#22
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi Pat,

I guess at my age you get so use to using and having the same thing that changing is hard.

I'm with you there.

I heard and read about the Java being a security risk but I do play games online sometimes to pass the time and I think there are certain programs I have on my computer that require Java to run. I did remove all old versions and install latest versions of java, adobe reader, and flash player.

I'm glad the updates went well. As for playing games, you can try leaving the Java add-ons disabled in IE and then go to the site where you play the game. If you get a warning that Java is disabled and you need it to use the site then you will need to re-enable Java. If the site doesn't complain, then you don't need Java there.
If the site(s) require Java then I would recommend installing Firefox or Chrome and the NoScript or Script-No add-on and only using that browser to visit these sites.

I also see in control panel an adobe air and adobe download assistant are these needed? Also I could not find adobe reader 9 it's not in control panel add and remove, where might I find it to remove it?

You don't need Adobe Air but it isn't running at start up so it isn't using any system resources. If you uninstall it, Adobe will re-install it the next time you update Adobe Reader. The Adobe Download Assistant is used to update the Adobe products so leave it. As for Adobe Reader 9, if it isn't in the installed programs list then there isn't anything to uninstall.

If I download Firefox or Chrome will I still need Java though to run online games or is it just easier to enable and disable with these browsers?

First, I would do what I recommended earlier and see if I could play games in IE with the Java add-on disabled. If you can then you don't need Java. If you can't then you need to decide what browser you want to use. I will add this. You should make sure that Java is kept updated to the most recent version if you keep it.

I am checking on the suspicious file that aswMBR found. It changed names in the second aswMBR scan. There can be a legitimate reason for this. I will let you know what I come up with. Please stay with me.
  • 0

#23
Pat_54

Pat_54

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 212 posts
Hi Godawgs

Thank you so much. I really appreciate what you have done here and that you have stayed with me through this long process to try and solve my problem. You have been more than gracious. You are very professional. You have given really excellent advice on what to do, especially the advice on the Java. I will take note of everything and do the suggestions you have told me about the Java. I want to keep my computer as clean as I possibly can. Just a little note here. When I got on the computer this morning it was slow; I almost thought I wasn't going to be able to get here but it finally kicked in and worked, but up to this point it was working much better. I'm not sure there isn't something really hiding in the background here. I will be waiting patiently for your advice. Thanks again for all the time you have spent here. Patty :thumbsup:


  • 0

#24
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi,

The files that aswMBR showed are false positives. There is a driver on the system named sptd.sys. This driver is put on the system by several products, notably Daemon Tools and Alcohol120, and some CD/DVD burning software use this file. The Daemon and Alcohol programs emulate CD/DVD drives and virtual drives. If you have never had Daemon Tools or Alcohol120 on the computer then the driver likely comes from one of the many CD/DVD burning programs on the system.

I really don't see any malware left. You have already done a disk defrag so let's do some additional system maintenance and see if the system files and the hard disk are OK.

Step-1.

Run System File Checker

We are going to run System File Checker, to make sure all of your protected files are not corrupt. The scan will automatically replace any corrupt files that it finds. We need to be sure that system and hidden files can be seen.

  • Click My Computer
  • Click Tools
  • Click Folder Options
  • Click View
  • "Uncheck" the following:
    • Show hidden files/folders
    • Hide protected operating system files.
  • Close the My Computer window.

Then.....

  • Click Start, click Run. The Run dialogue box will open.
  • Type the following in the Open box and click OK:
    cmd.exe
  • A Command Window will open.
  • At the blinking cursor type the following and press the Enter key:
    sfc /scannow (Please note that there is a single space between sfc and /scannow).
    NOTE:This will start the program, and a box should appear telling you how much longer the process should take.
    If you are asked to put in your windows XP CD, and you do not have the CD (If you bought it pre-installed), just click retry (may have to several times) and see if it can finish.
    If that doesn't work, post back for more tips.
  • If the SFC scan completes, there should be a message in the Command window telling you if SFC found anything or not. Write this message down and post it in your next reply.
  • Back at the blinking cursor type Exit and press the Enter key to close the Command window.


Step-2.

Check Hard Disk For Errors:

Windows XP:

  • Click on Start >> Run..., then copy/paste the following command into the box and press OK:

    cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
  • A blank command window will open on your desktop, then close in a few minutes. This is normal.
  • A text file named checkhd.txt should appear on your Desktop. Please post the contents of this file.


Step-3.

Run Farbar Service Scanner

Please download Farbar Service Scanner to the desktop.
Double click the FSS.exe file to run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Step-4.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. Let me know if SFC found anything.
2. The checkhd.txt file
3. The FSS.txt log
  • 0
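To make the reasoning in this post reproducible, here is an added example (not code from the thread or from the aswMBR tool) that parses the two aswMBR logs posted above, pulls out the module aswMBR marked UNKNOWN plus any locked sptd service, and reports when the unknown name changed between runs at the same address (spae.sys to spuj.sys). The sp??.sys naming hint is background knowledge about the SPTD driver, not something the thread states, so the verdict is a pointer for the helper to confirm against installed software, not a final answer.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the service and module-trace lines from the two aswMBR
# logs posted in this thread (2013-02-27 and 2013-03-02), copied as posted.
ASWMBR_RUN_1 = """\
21:03:41.443 Service MpKsl60f01f30 c:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Microsoft Antimalware\\Definition Updates\\{5F71452F-6485-4445-99AE-9D8F4AD2C942}\\MpKsl60f01f30.sys **LOCKED** 32
21:03:55.458 Service sptd C:\\WINDOWS\\System32\\Drivers\\sptd.sys **LOCKED** 32
21:04:02.146 Modules scanning
21:04:11.739 Disk 0 trace - called modules:
21:04:11.770 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IASTOR.SYS spae.sys >>UNKNOWN [0x8a785938]<<
21:04:11.770 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x8a6f4ab8]
"""
ASWMBR_RUN_2 = """\
16:33:38.640 Service sptd C:\\WINDOWS\\System32\\Drivers\\sptd.sys **LOCKED** 32
16:33:41.843 Modules scanning
16:33:51.187 Disk 0 trace - called modules:
16:33:51.562 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IASTOR.SYS spuj.sys >>UNKNOWN [0x8a785938]<<
"""

# A service line: "<time> Service <name> <path> **LOCKED** <n>"
SERVICE_RE = re.compile(r"^\S+ Service (?P<name>\S+) (?P<path>.+?) \*\*LOCKED\*\*")
# The trace line: "<time> <module> <module> ... <module> >>UNKNOWN [0xaddr]<<"
TRACE_RE = re.compile(r"^\S+ (?P<stack>.+?) >>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
# Assumption (background knowledge, not stated in the thread): the SPTD driver used by
# Daemon Tools / Alcohol 120% loads a helper driver named "sp" + two characters + ".sys",
# and the name can differ from boot to boot.
SPTD_HELPER_RE = re.compile(r"^sp[a-z0-9]{2}\.sys$", re.IGNORECASE)


@dataclass
class AswMbrRun:
    locked_services: dict = field(default_factory=dict)  # service name -> driver path
    unknown_modules: list = field(default_factory=list)  # (module file name, address)


def parse_run(text):
    """Extract locked services and UNKNOWN disk-stack modules from one aswMBR log."""
    run = AswMbrRun()
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            run.locked_services[m.group("name")] = m.group("path")
            continue
        m = TRACE_RE.match(line)
        if m:
            # The module named immediately before >>UNKNOWN<< is the one aswMBR
            # could not attribute to a known driver.
            module = m.group("stack").split()[-1]
            run.unknown_modules.append((module, m.group("addr").lower()))
    return run


def assess(runs):
    """Classify each UNKNOWN module and spot name changes across consecutive runs."""
    findings = []
    for i, run in enumerate(runs):
        sptd_path = run.locked_services.get("sptd", "")
        sptd_present = sptd_path.lower().endswith("sptd.sys")
        for module, addr in run.unknown_modules:
            if sptd_present and SPTD_HELPER_RE.match(module):
                verdict = "likely-sptd-helper"  # confirm Daemon Tools/Alcohol is installed
            else:
                verdict = "investigate"  # unattributed driver in the disk I/O path
            renamed_from = None
            if i > 0:
                # Same hook address, different file name: the rotation seen in the thread.
                for prev_mod, prev_addr in runs[i - 1].unknown_modules:
                    if prev_addr == addr and prev_mod.lower() != module.lower():
                        renamed_from = prev_mod
            findings.append({"run": i, "module": module, "address": addr,
                             "verdict": verdict, "renamed_from": renamed_from})
    return findings


if __name__ == "__main__":
    for f in assess([parse_run(ASWMBR_RUN_1), parse_run(ASWMBR_RUN_2)]):
        print(f)
```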

#25
Pat_54

Pat_54

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 212 posts
Hi Godawgs

I tried running sfc /scannow but a dialog box called Windows File Protection says: please wait while Windows verifies that all protected Windows files are intact and in their original versions. Then a pop-up comes up and says: insert my Windows XP Professional CD Service Pack 3. The CD I have is Windows XP Professional Service Pack 2. I insert it but it says wrong CD. After removing the CD I tried several times to do retry and nothing, but when I press cancel it continues to run through the files; several times this box comes up and then finally it finished, but it said nothing, so I'm not really sure that it did anything. Also you asked me about this file sptd.sys; I believe that was added when I downloaded Daemon Tools several years ago. Please advise what to do about sfc /scannow. Here are the results from the other two items.

Farbar Service Scanner Version: 03-03-2013
Ran by Administrator (administrator) on 04-03-2013 at 04:54:17
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll
[2006-06-17 04:38] - [2008-04-13 19:12] - 0006656 ____A (Microsoft Corporation) 35321FB577CDC98CE3EB3A3EB9E4610A

C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe
[2006-06-17 04:23] - [2009-02-06 06:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315


Extra List:
=======
AegisP(9) Bridge(13) BridgeMP(12) Gpc(6) IPSec(4) NetBT(5) PSched(7) s24trans(8) Tcpip(3)
0x0E0000000400000001000000020000000300000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E000000
IpSec Tag value is correct.

**** End of log ****

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.

72051524 KB total disk space.
27166976 KB in 88009 files.
30376 KB in 11473 indexes.
0 KB in bad sectors.
322936 KB in use by the system.
65536 KB occupied by the log file.
44531236 KB available on disk.

4096 bytes in each allocation unit.
18012881 total allocation units on disk.
11132809 allocation units available on disk.

Edited by Pat_54, 04 March 2013 - 04:19 AM.

  • 0
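The FSS log above reports each checked file either as "MD5 is legit" or, when the hash did not match the tool's known-good list, with its timestamps, size, company and MD5 (as with wuauserv.dll and services.exe here). As an added example, not code from the thread or from the Farbar tool, this parser turns that File Check section into records and returns the unmatched entries a helper would verify by hand; the section layout is taken from the posted log, and the meaning of the two line shapes is an assumption consistent with it.

```python
import re

# Constructed sample input: the "File Check" section of the Farbar Service Scanner
# log posted in this thread, shortened to a few representative entries.
FSS_SAMPLE = """\
Connection Status:
==============
Localhost is accessible.

File Check:
========
C:\\WINDOWS\\system32\\dhcpcsvc.dll => MD5 is legit
C:\\WINDOWS\\system32\\Drivers\\afd.sys => MD5 is legit
C:\\WINDOWS\\system32\\wuauserv.dll
[2006-06-17 04:38] - [2008-04-13 19:12] - 0006656 ____A (Microsoft Corporation) 35321FB577CDC98CE3EB3A3EB9E4610A

C:\\WINDOWS\\system32\\qmgr.dll => MD5 is legit
C:\\WINDOWS\\system32\\services.exe
[2006-06-17 04:23] - [2009-02-06 06:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315


Extra List:
=======
AegisP(9) Bridge(13)
"""

# "<path> => MD5 is legit": the hash matched FSS's known-good list (assumed semantics).
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
# A bare path line, followed on the next line by the file's attributes and hash.
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+)$")
# "[created] - [modified] - <size> <attrs> (<company>) <MD5>"
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_file_check(text):
    """Return one record per file in the File Check section of an FSS log."""
    records = []
    in_section = False
    pending_path = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "File Check:":
            in_section = True
            continue
        if not in_section:
            continue
        if re.match(r"^=+$", line):
            continue  # underline beneath the section title
        if line.endswith(":"):
            break  # next section header, e.g. "Extra List:"
        m = LEGIT_RE.match(line)
        if m:
            records.append({"path": m.group("path"), "whitelisted": True})
            continue
        m = PATH_RE.match(line)
        if m:
            pending_path = m.group("path")
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            rec = {"path": pending_path, "whitelisted": False}
            rec.update(m.groupdict())
            rec["size"] = int(rec["size"])
            records.append(rec)
            pending_path = None
    return records


def needs_review(records):
    """Files whose MD5 was not matched: verify version/hash against a clean XP SP3 copy."""
    return [r for r in records if not r["whitelisted"]]


if __name__ == "__main__":
    for rec in needs_review(parse_file_check(FSS_SAMPLE)):
        print(rec["path"], rec["modified"], rec["company"], rec["md5"])
```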


#26
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
The critical services show to be OK. The hard disk doesn't show any errors. We need to tell SFC where to look for the files. But first we need to see where they are.


OTL Custom Scan

1. Please copy the text in the Quote box below, (Do Not copy the word Quote), and paste it in the custom scan box in OTL. To do that:
  • Highlight everything inside the quote box, (except the word Quote), right click the mouse and click Copy.

%systemroot%|i386;true;false;false /FN


2. Re-open OTL on the desktop. To do that:
  • XP users: Double click on the OTL icon.
Make sure all other windows are closed.
  • You will see the OTL console.
  • Click the greyed out NONE button at the top of the console. <--- Very Important
  • Make sure the Output box at the top is set to Standard Output.
  • Place the mouse pointer inside the custom scan box, right click and click Paste. This will put the above script inside OTL.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.
  • Let the scan run uninterrupted.
  • When the scan completes, it will open OTL.Txt. This file is also saved in the same location as OTL (it should be on your desktop).
  • Please copy the contents of this file and paste it into your reply. To do that:
  • On the OTL.txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
  • Right click inside the forum post window then click Paste. This will paste the contents of the OTL.txt file in the in the post window.
Post the contents of the OTL.txt file in your next reply.

#27
Pat_54

Pat_54

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 212 posts
Hi Godawgs

Here is result from OTL

OTL logfile created on: 3/4/2013 6:47:50 PM - Run 5
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 76.42% Memory free
3.84 Gb Paging File | 3.43 Gb Available in Paging File | 89.29% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.71 Gb Total Space | 42.53 Gb Free Space | 61.89% Space Free | Partition Type: NTFS
Drive D: | 5.80 Gb Total Space | 2.95 Gb Free Space | 50.78% Space Free | Partition Type: FAT32

Computer Name: PATTY | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< %systemroot%|i386;true;false;false /FN >
[2009/05/09 08:59:42 | 000,000,000 | ---D | M] -- C:\WINDOWS\I386
[2013/02/14 01:16:28 | 000,000,000 | ---D | M] -- C:\WINDOWS\Driver Cache\i386
[2009/05/29 09:17:17 | 000,000,000 | ---D | M] -- C:\WINDOWS\ServicePackFiles\i386
[2008/07/29 21:20:45 | 000,000,000 | ---D | M] -- C:\WINDOWS\ServicePackFiles\ServicePackCache\i386
[2011/11/15 12:58:01 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386
[2008/07/24 02:52:17 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386
[2008/07/24 02:52:19 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386
[2008/07/24 02:52:22 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386
[2008/07/24 02:52:25 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386
[2008/07/24 02:52:27 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386
[2008/07/24 02:52:32 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386
[2008/07/24 02:53:12 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386
[2008/07/24 02:53:14 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386
[2008/07/24 02:53:15 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386
[2008/07/24 02:53:16 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386
[2008/07/29 21:17:17 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386
[2008/07/29 21:17:18 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386
[2010/11/19 16:14:53 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\i386
[2011/11/10 01:26:07 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\i386
[2009/03/31 18:23:27 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\spool\XPSEP\i386
[2009/03/31 18:23:27 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\spool\XPSEP\i386\i386

< >

< >

< >

< End of report >



#28
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Thanks. Now let's point SFC to the correct location and then see if it will run. We are going to edit the Registry so we need to back it up. First we will remove the SPTD driver.

Step-1.

Make a Fresh Restore Point

Windows XP
  • Click Start > All Programs > Accessories > System tools > System Restore. The System Restore Wizard opens.
  • Note: If the System Restore Wizard does not open, the System Restore feature may be turned off. To turn System Restore on, follow these steps:
  • Click Start, click Control Panel, and then double-click System.
  • Click the System Restore tab.
  • Make sure that the Turn off System Restore check box is not selected. Or, make sure that the Turn off System Restore on all drives check box is not selected.
  • Click OK.
  • On the dialog box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Before Reg change
  • Click CREATE
  • You should get a message telling you that the restore point was successfully created.
  • Close System Restore

Step-2

Remove the SPTD driver

  • Download the SPTD setup file for Windows 2000/XP/2003/Vista (32-bit) [675,896 bytes] and save it to the desktop.
  • Double click the SPTDinst-v183-x86.exe file to run the program.
  • In dialog that appears press the Uninstall button and then SPTD will remove itself from your Windows installation.
If you want to install it again then execute the same setup file and press Install.


Step-3.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry with ERUNT
Removing modern malware infections often requires making changes to the registry, and a corrupt registry can prevent a system from booting. ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed. Compatible with Windows NT, 2000, 2003, XP, Vista, Windows 7, 32 & 64-bit versions.
1. Download ERUNT
2. Double-click erunt_setup.exe to run.
3. Follow the prompts and install using the default configuration:
a. Select your preferred Setup language.
b. At the Setup screen click Next.
c. Accept the default destination folder by clicking Next.
d. Accept the default Start Menu Folder by clicking Next.
e. On the Select Additional Tasks Window, click Create ERUNT desktop icon only. Do Not check the Create NTREGOPT desktop icon. Then click Next.
f. Ready to Install. The Create NTREGOPT desktop icon will not be on the list. Click the Install button.
g. Say No to the portion that asks you to add ERUNT to the start-up folder; if you like you can enable this option later.
h. Setup has completed. Tick the check boxes to Show documentation, or Launch ERUNT. Click Finish.
4. Click OK to start ERUNT
5. Choose a location for the backup
The default location C:\WINDOWS\ERDNT\[today's date] is preferred
6. The first two check boxes are ticked by default (System registry and Current user registry).
7. Press OK
8. When prompted, click YES to create a new folder.
9. Progress bars will show backup status.
10. A confirmation window will pop up when complete.
11. Click Ok to close.
There is a Readme.txt file in the C:\Program Files\ERUNT folder that explains the program.


Step-4.

Make sure that the hidden files and folders and the hidden system files are viewable. Use the directions in post #24 if you need them.

NEXT....

  • Click Start and then Run. The Run dialog window will open.
  • In the Open box type regedit and click OK. The Registry Editor will open.

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup. To do that:
    • Click the + beside HKEY_LOCAL_MACHINE
    • Click the + beside SOFTWARE
    • Click the + beside Microsoft
    • Click the + beside Windows
    • Click the + beside CurrentVersion
    • Click Setup
    You will see various Value entries on the right hand side.
    The one we want is called: SourcePath
    It probably has an entry pointing to your CD-ROM drive, usually D and that is why it is asking for the XP CD.
    All we need to do is change it to: C:\Windows
  • Now, double click the SourcePath setting and the Edit String window will pop up.
  • In the Value data: box, change the drive letter from your CD drive to C:\Windows and click the OK button.
  • Close the Registry Editor.
Now restart your computer and try sfc /scannow again by this process:

  • Click Start, click Run, type cmd.exe, and then click OK. A Command window will open.
  • At the blinking cursor type sfc /scannow, (Note: There is a space between sfc and the /) and then press ENTER.
    This command may take several minutes to finish.
    NOTE: After SFC completes there should be a message in the command window telling you if it found any corrupted files and was able to fix them. Write this message down before you close the Command window.
  • Back at the command prompt, type exit, and then press ENTER to close the command prompt.


Step-5.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. Let me know if the restore point was created successfully.
2. Let me know if the registry backup was successful.
3. Let me know if there was a message in the Command window after the SFC scan and what it said.
If SFC found any corrupted files and repaired them see if the computer is running better.
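The Step-4 SourcePath change and SFC run above, done from a cmd.exe prompt with reg.exe instead of by hand in the Registry Editor. This is an added example, not part of godawgs' instructions. It assumes an Administrator cmd.exe on Windows XP, a backup file name of my choosing on the desktop, and C:\Windows as the target (the OTL scan in post #27 shows C:\WINDOWS\I386 exists). It only displays ServicePackSourcePath, which lives in the same key; the post changes SourcePath alone, so this script does too.

```batch
@echo off
rem Added example: point Windows File Protection at the local i386 folder, then re-run SFC.
rem Run from an Administrator cmd.exe on Windows XP. reg.exe ships with XP.

set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"
rem Assumed backup file name; any writable path will do.
set "BACKUP=%USERPROFILE%\Desktop\Setup-SourcePath-backup.reg"
rem SFC appends \i386 to SourcePath itself, so this is the parent folder, not C:\Windows\i386.
set "NEWSRC=C:\Windows"

rem 1. Export the key before touching it. Undo later with:  reg import "%BACKUP%"
if exist "%BACKUP%" (
    echo %BACKUP% already exists, refusing to overwrite an older backup.
    exit /b 1
)
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed, stopping.
    exit /b 1
)

rem 2. Show what is there now (the post expects SourcePath to point at the CD drive).
echo Current values:
reg query "%KEY%" /v SourcePath
reg query "%KEY%" /v ServicePackSourcePath

rem 3. Refuse to redirect SFC at a folder that has no i386 subfolder; it would just fail again.
if not exist "%NEWSRC%\i386\" (
    echo %NEWSRC%\i386 not found, stopping.
    exit /b 1
)

rem 4. Change SourcePath (REG_SZ). /f skips the overwrite prompt.
reg add "%KEY%" /v SourcePath /t REG_SZ /d "%NEWSRC%" /f
if errorlevel 1 (
    echo Registry write failed. Restore with:  reg import "%BACKUP%"
    exit /b 1
)

rem 5. Confirm the new value, then run the scan and note the message SFC prints at the end.
reg query "%KEY%" /v SourcePath
sfc /scannow
```

If SFC still asks for the Windows CD after this, compare the value printed in step 5 with the folder that actually holds i386 in the OTL scan; a trailing \i386 in SourcePath is the usual mistake, since SFC adds it itself.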

#29
Pat_54

Pat_54

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 212 posts
Hi Godawgs

I did a fresh restore point and I downloaded the SPTD setup file. When I double click on it, it opens, then I tell it to run, and a dialog box says: c:\documents and settings\administrator\desktop\STPDinst-y183-x86.exe is not a valid win32 application. I click OK and it closes. Waiting to hear from you before I do anything else.

Edited by Pat_54, 04 March 2013 - 11:28 PM.


#30
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
That's not good. The file may have gotten corrupted during the download.

Delete the file from the desktop.
Open IE, click Tools and Internet Options
On the General tab under Browsing history: click the Delete button to delete the IE Temp files.

Go back to my original instructions and right click on the file and click Save Target As and save the file to the desktop.
Close IE and double click the file and see if it will run.