> [Resolved] xp 2010 - preventing install of malwarebytes?
paulh45
post Feb 3 2010, 12:21 PM
Post #1


New Member

Group: Authentic Member
Posts: 17
Joined: 3-February 10
Member No.: 90,536
Operating System: XP SP3



Hi - topic says it all really - I am following one of your threads on removal of xp 2010 (many thanks), and I can't seem to get malwarebytes to install - I've downloaded it a few times but the setup won't run?

Is it possible that the malware is preventing this install? If so, how do I get around it?

Thanks in advance

Paul
inzanity
post Feb 3 2010, 08:37 PM
Post #2


♠♠lost♠♠

Group: Malware Team
Posts: 2,314
Joined: 24-February 09
From: Philippines
Member No.: 84,376
Operating System: XP Home SP3, Win 7 32 bit,
Ubuntu



Hello and welcome.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

I will post back shortly with instructions.
inzanity
post Feb 4 2010, 12:58 AM
Post #3


♠♠lost♠♠

Group: Malware Team
Posts: 2,314
Joined: 24-February 09
From: Philippines
Member No.: 84,376
Operating System: XP Home SP3, Win 7 32 bit,
Ubuntu



Hi,

I will be helping you with removing malware from your computer. Log research takes time, so please be patient, and I'd be grateful if you would note the following:
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any scanning tools other than those you are instructed to use.
  • Follow the instructions in the order they are given.
  • Stay with this thread until you are advised that your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped with this problem on another forum, please advise us so that we can close this thread.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

_________________________________________________


  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

--Next--

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

NOTE: If GMER won't run in Normal Mode, run it in Safe Mode by doing the following:
  • Restart your computer.
  • Keep tapping F8 while Windows starts to boot. Do this before you see the Windows splash screen.
  • When the boot menu appears, scroll to Safe Mode using the arrow keys, then press Enter.
  • Run GMER again by following the instructions above.

To post in your next reply:
1. OTL logs.
2. GMER log.

paulh45
post Feb 4 2010, 01:58 AM
Post #4


New Member

Group: Authentic Member
Posts: 17
Joined: 3-February 10
Member No.: 90,536
Operating System: XP SP3



Hi Inzanity

In answer to your standard questions - I'm not asking for help on another forum, but I have previously tried to install Spyware Doctor (it wants money) and the Kaspersky Virus Removal Tool (it hasn't found it - or at least not all of it).

Here is the log from OTL

OTL logfile created on: 04/02/2010 07:50:09 - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Paul\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 63.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 16.49 Gb Free Space | 56.30% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 203.59 Gb Total Space | 189.15 Gb Free Space | 92.91% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WIGANRECYCLES
Current User Name: Paul
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Paul\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
PRC - C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\ATK0100\Hcontrol.exe ()
PRC - C:\WINDOWS\ATK0100\ATKOSD.exe ()
PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe (Sony Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe ()
PRC - C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe (Brother Industries, Ltd.)
PRC - C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\Program Files\Sony\HotKey Utility\HKWnd.exe (Sony Corporation)
PRC - C:\Program Files\Sony\HotKey Utility\HKServ.exe (Sony Corporation)
PRC - C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe (Sony Corporation)
PRC - C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe (Sony Corporation)
PRC - C:\Program Files\Sony\vaio power management\SPMgr.exe (Sony Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Paul\Desktop\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (gupdate) Google Update Service (gupdate) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (avg9emc) -- C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (EvtEng) Intel® -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
SRV - (S24EventMonitor) Intel® -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
SRV - (RegSrvc) Intel® -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
SRV - (Ati HotKey Poller) -- C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
SRV - (ATI Smart) -- C:\WINDOWS\system32\ati2sgag.exe ()


========== Driver Services (SafeList) ==========

DRV - (setup_9.0.0.722_03.02.2010_15-00drv) -- File not found
DRV - (34039642) -- File not found
DRV - (34039641) -- File not found
DRV - (w22n51) Intel® -- C:\WINDOWS\system32\drivers\w22n51.sys (Intel® Corporation)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (tifmsony) -- C:\WINDOWS\system32\drivers\tifmsony.sys (Texas Instruments)
DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura)
DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (RimVSerPort) -- C:\WINDOWS\system32\drivers\RimSerial.sys (Research in Motion Ltd)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (RimUsb) -- C:\WINDOWS\system32\drivers\RimUsb.sys (Research In Motion Limited)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (w29n51) Intel® -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ATKACPI.sys ()
DRV - (E1000) Intel® -- C:\WINDOWS\system32\drivers\e1000325.sys (Intel Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (BrUsbSer) -- C:\WINDOWS\system32\drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerIf) -- C:\WINDOWS\system32\drivers\BrSerIf.sys (Brother Industries Ltd.)
DRV - (BrScnUsb) -- C:\WINDOWS\system32\drivers\BrScnUsb.sys (Brother Industries Ltd.)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (ROOTMODEM) -- C:\WINDOWS\system32\drivers\rootmdm.sys (Microsoft Corporation)
DRV - (SPI) -- C:\WINDOWS\system32\drivers\SonyPI.sys (Sony Corporation)
DRV - (SNC) -- C:\WINDOWS\system32\drivers\SonyNC.sys (Sony Corporation)
DRV - (DMICall) -- C:\WINDOWS\system32\drivers\DMICall.sys (Sony Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/02/03 21:38:40 | 000,378,487 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 13044 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe ()
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe ()
O4 - HKLM..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKServ.exe (Sony Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06b\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKLM..\Run: [SonyPowerCfg] C:\Program Files\Sony\vaio power management\SPMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe (Sony Corporation)
O4 - HKLM..\Run: [VAIO Update 4] C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe (Sony Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Documents and Settings\Paul\Start Menu\Programs\Startup\BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe (Sony Corporation)
O4 - Startup: C:\Documents and Settings\Paul\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: mendeley.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1259744190833 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/11 15:22:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/04 07:48:02 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Paul\Desktop\OTL.exe
[2010/02/04 07:44:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/02/03 20:46:46 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/03 20:46:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/02/03 18:33:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/02/03 18:29:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\WinRAR
[2010/02/03 18:28:48 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/02/03 18:15:31 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Paul\Desktop\mbam-setup (1).exe
[2010/02/03 14:11:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Threat Expert
[2010/02/03 13:33:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/03 13:33:06 | 034,628,384 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Paul\Desktop\sdsetup_aff.exe
[2010/02/03 13:33:01 | 061,803,232 | ---- | C] ( ) -- C:\Documents and Settings\Paul\Desktop\setup_9.0.0.722_03.02.2010_15-00.exe
[2010/01/21 14:05:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\My Documents\CLASP
[2010/01/19 14:26:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\vlc
[2010/01/13 17:33:58 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/01/07 13:18:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\My Documents\Paint
[2009/11/29 13:17:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/11/19 15:56:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/11/19 15:36:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Intel
[2009/11/19 15:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Intel
[2009/11/11 15:25:29 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/11/11 15:25:13 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/11/11 15:25:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/04 07:47:11 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\Desktop\OTL.exe
[2010/02/04 07:45:37 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B856A072-18DA-4A42-BB8F-6828D85EEE9B}.job
[2010/02/04 07:40:37 | 007,077,888 | -H-- | M] () -- C:\Documents and Settings\Paul\NTUSER.DAT
[2010/02/04 07:40:20 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/04 07:39:23 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/04 07:39:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/03 23:17:06 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/03 22:38:31 | 000,012,826 | -HS- | M] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\V2Iu86wOC61hS
[2010/02/03 21:45:49 | 000,064,000 | ---- | M] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/03 21:38:40 | 000,378,487 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/03 20:46:57 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Spybot - Search & Destroy.lnk
[2010/02/03 20:26:46 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Paul\ntuser.ini
[2010/02/03 14:47:34 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Paul\Desktop\mbam-setup (1).exe
[2010/02/03 13:56:22 | 055,048,281 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/03 13:31:06 | 034,628,384 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Paul\Desktop\sdsetup_aff.exe
[2010/02/03 13:27:36 | 061,803,232 | ---- | M] ( ) -- C:\Documents and Settings\Paul\Desktop\setup_9.0.0.722_03.02.2010_15-00.exe
[2010/02/03 13:02:56 | 000,184,320 | -HS- | M] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\av.exe
[2010/02/02 18:22:32 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/01/30 10:33:24 | 000,013,756 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/29 20:36:53 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\Paul\My Documents\Venford Ezekiel Rouse.doc
[2010/01/27 15:47:38 | 000,008,560 | ---- | M] () -- C:\Documents and Settings\Paul\My Documents\receipt for cash wages.odt
[2010/01/27 15:18:40 | 000,783,767 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\COI SE presentation FINAL.pdf
[2010/01/27 15:15:13 | 000,170,633 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\2006SU_POV_Schorr.pdf
[2010/01/25 16:05:33 | 000,016,163 | ---- | M] () -- C:\Documents and Settings\Paul\My Documents\Profile.odt
[2010/01/25 09:26:00 | 001,333,462 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Wigan council presentation.odp
[2010/01/24 23:48:55 | 000,011,072 | ---- | M] () -- C:\Documents and Settings\Paul\My Documents\invitation list.odt
[2010/01/24 15:38:50 | 031,828,420 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\606_20100123-2111a.mp3
[2010/01/21 13:11:57 | 000,499,050 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Top Tips Cards Final Draft for Signoff.pdf
[2010/01/20 06:30:37 | 000,142,495 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/01/19 14:10:38 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/01/18 19:45:56 | 000,292,323 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\CRT RRP Information Booklet.pdf
[2010/01/18 10:17:43 | 002,485,760 | ---- | M] () -- C:\Documents and Settings\Paul\My Documents\Agenda TSG 18.1.10.doc
[2010/01/18 10:17:43 | 000,147,456 | ---- | M] () -- C:\Documents and Settings\Paul\My Documents\TSG mins 23 June 09.doc
[2010/01/17 17:00:45 | 007,394,969 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\NorthWestEnglandRSS.pdf
[2010/01/14 13:45:01 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010/01/14 08:24:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/05 16:36:20 | 000,017,006 | ---- | M] () -- C:\Documents and Settings\Paul\My Documents\Closure.odt
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/03 20:46:57 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Spybot - Search & Destroy.lnk
[2010/02/03 13:02:56 | 000,184,320 | -HS- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\av.exe
[2010/02/03 13:02:56 | 000,012,826 | -HS- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\V2Iu86wOC61hS
[2010/01/29 20:36:52 | 000,031,232 | ---- | C] () -- C:\Documents and Settings\Paul\My Documents\Venford Ezekiel Rouse.doc
[2010/01/27 15:47:37 | 000,008,560 | ---- | C] () -- C:\Documents and Settings\Paul\My Documents\receipt for cash wages.odt
[2010/01/27 15:18:39 | 000,783,767 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\COI SE presentation FINAL.pdf
[2010/01/27 15:15:13 | 000,170,633 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\2006SU_POV_Schorr.pdf
[2010/01/25 12:59:34 | 000,016,163 | ---- | C] () -- C:\Documents and Settings\Paul\My Documents\Profile.odt
[2010/01/25 09:25:42 | 001,333,462 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Wigan council presentation.odp
[2010/01/24 23:48:54 | 000,011,072 | ---- | C] () -- C:\Documents and Settings\Paul\My Documents\invitation list.odt
[2010/01/24 15:38:49 | 031,828,420 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\606_20100123-2111a.mp3
[2010/01/21 13:11:56 | 000,499,050 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Top Tips Cards Final Draft for Signoff.pdf
[2010/01/19 14:10:38 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/01/18 19:45:56 | 000,292,323 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\CRT RRP Information Booklet.pdf
[2010/01/18 10:17:43 | 002,485,760 | ---- | C] () -- C:\Documents and Settings\Paul\My Documents\Agenda TSG 18.1.10.doc
[2010/01/18 10:17:43 | 000,147,456 | ---- | C] () -- C:\Documents and Settings\Paul\My Documents\TSG mins 23 June 09.doc
[2010/01/17 17:00:45 | 007,394,969 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\NorthWestEnglandRSS.pdf
[2010/01/05 16:36:20 | 000,017,006 | ---- | C] () -- C:\Documents and Settings\Paul\My Documents\Closure.odt
[2009/12/01 10:29:21 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/12/01 10:29:21 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/12/01 10:27:20 | 000,000,228 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/12/01 10:27:20 | 000,000,094 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/12/01 10:26:22 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/12/01 10:21:28 | 000,064,000 | ---- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/19 18:19:01 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/11/19 18:09:03 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\fusioncache.dat
[2009/11/19 17:34:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\U55A_25b.INI
[2009/11/19 17:15:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VAIOUpdt.INI
[2009/11/19 15:28:07 | 000,000,066 | ---- | C] () -- C:\WINDOWS\BlueSpaceNE.INI
[2009/11/17 17:39:20 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007/08/28 05:58:00 | 000,005,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\ATKACPI.sys

========== LOP Check ==========

[2009/11/11 17:17:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/11/11 15:45:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/11/22 21:23:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2010/02/03 20:16:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/11/22 22:23:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Blackberry Desktop
[2009/11/22 19:37:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Lexmark Productivity Studio
[2009/11/19 20:03:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\OpenOffice.org
[2009/11/22 21:24:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Research In Motion
[2010/02/04 07:50:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\uTorrent
[2010/02/04 07:45:37 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{B856A072-18DA-4A42-BB8F-6828D85EEE9B}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

paulh45
post Feb 4 2010, 02:02 AM
Post #5


Here is the "Extras" log from OTL -

OTL Extras logfile created on: 04/02/2010 07:50:09 - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Paul\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 63.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 16.49 Gb Free Space | 56.30% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 203.59 Gb Total Space | 189.15 Gb Free Space | 92.91% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WIGANRECYCLES
Current User Name: Paul
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"16602:TCP" = 16602:TCP:*:Enabled:utorrent

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Lexmark 3500-4500 Series\app4r.exe" = C:\Program Files\Lexmark 3500-4500 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\WINDOWS\system32\lxdicoms.exe" = C:\WINDOWS\system32\lxdicoms.exe:*:Enabled:3500-4500 Series Server -- File not found
"C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" = C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe:*:Enabled:Device Monitor -- File not found
"C:\Program Files\Lexmark 3500-4500 Series\App4R.exe" = C:\Program Files\Lexmark 3500-4500 Series\App4R.exe:*:Enabled:Printing Application -- File not found
"C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" = C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe:*:Enabled:Device Monitor Application -- File not found
"C:\Documents and Settings\Paul\Local Settings\Temp\lxdi\wireless\ENGLISH\lxdiwpss.exe" = C:\Documents and Settings\Paul\Local Settings\Temp\lxdi\wireless\ENGLISH\lxdiwpss.exe:*:Enabled: -- File not found
"C:\WINDOWS\system32\lxdicfg.exe" = C:\WINDOWS\system32\lxdicfg.exe:*:Enabled:Printer Communication System -- File not found
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdipswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdipswx.exe:*:Enabled:Printer Status Window Interface -- File not found
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{2A0F3EF9-68EE-49E9-A05B-ED5B82DF63E5}" = Wireless Switch Setting Utility
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A62C3DB-2506-4FAE-A6DB-55D12A9BA370}" = BlueSpace NE
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{545DB151-1514-4FFC-BF2F-FE8FBBD06987}" = VAIO Power Management
"{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}" = BlackBerry® Media Sync
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6990A2BF-D1D2-11D3-81BC-00609789C908}" = Sony Video Shared Library
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{72EEB695-388B-4835-8EA6-0C04545B06B9}" = Intel® PROSet/Wireless WiFi Software
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83CDA18E-0BF3-4ACA-872C-B4CDABF2360E}" = VAIO Update 4
"{936FADC9-C609-471A-B6F2-A33E2E660D1A}" = Sony Notebook Setup
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C53CF6A-89EC-4EE1-8872-B7C579293DC0}" = ATI Catalyst Control Center
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BB311F54-39D6-4A03-8E18-053D1B2833D7}" = HotKey Utility
"{C084BC61-E537-11DE-8616-005056806466}" = Google Earth
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{EF3D45BB-2260-4008-88EA-492E7744A9DF}" = Sony Utilities DLL
"{F0F563C4-D4AD-41C4-A8A6-26664C027D11}" = Brother MFL-Pro Suite
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AVG9Uninstall" = AVG Free 9.0
"BlackBerry_{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_818C104D" = SoftV92 Data Fax Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Google Chrome" = Google Chrome
"Hcontrol" = ATK0100 ACPI UTILITY
"ie8" = Windows Internet Explorer 8
"Mendeley Desktop" = Mendeley Desktop 0.9.4.1
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"ProInst" = Intel PROSet Wireless
"PROSet" = Intel® PRO Network Connections Drivers
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.3
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 13/01/2010 04:59:27 | Computer Name = WIGANRECYCLES | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 13/01/2010 05:18:09 | Computer Name = WIGANRECYCLES | Source = Google Update | ID = 20
Description =

Error - 15/01/2010 04:17:05 | Computer Name = WIGANRECYCLES | Source = Google Update | ID = 20
Description =

Error - 15/01/2010 05:56:23 | Computer Name = WIGANRECYCLES | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 16/01/2010 09:17:05 | Computer Name = WIGANRECYCLES | Source = Google Update | ID = 20
Description =

Error - 23/01/2010 17:17:05 | Computer Name = WIGANRECYCLES | Source = Google Update | ID = 20
Description =

Error - 24/01/2010 16:17:05 | Computer Name = WIGANRECYCLES | Source = Google Update | ID = 20
Description =

Error - 24/01/2010 17:17:05 | Computer Name = WIGANRECYCLES | Source = Google Update | ID = 20
Description =

Error - 24/01/2010 18:17:05 | Computer Name = WIGANRECYCLES | Source = Google Update | ID = 20
Description =

Error - 24/01/2010 19:17:05 | Computer Name = WIGANRECYCLES | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 03/02/2010 16:16:05 | Computer Name = WIGANRECYCLES | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 03/02/2010 16:16:06 | Computer Name = WIGANRECYCLES | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 03/02/2010 16:16:06 | Computer Name = WIGANRECYCLES | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 03/02/2010 16:28:33 | Computer Name = WIGANRECYCLES | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 03/02/2010 16:28:34 | Computer Name = WIGANRECYCLES | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 03/02/2010 16:28:34 | Computer Name = WIGANRECYCLES | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 04/02/2010 03:40:45 | Computer Name = WIGANRECYCLES | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 04/02/2010 03:40:46 | Computer Name = WIGANRECYCLES | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 04/02/2010 03:40:46 | Computer Name = WIGANRECYCLES | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 04/02/2010 03:40:55 | Computer Name = WIGANRECYCLES | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.6 for the Network Card with network
address 000E3510B16C has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >

paulh45
post Feb 4 2010, 02:07 AM
Post #6


....and machine just blue screened.

Should I run these activity scans again?

inzanity
post Feb 4 2010, 05:33 PM
Post #7


Hi,

You have µTorrent, a P2P/file sharing program, installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

P2P (File Sharing) programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

I would recommend that you uninstall µTorrent, via Control Panel -> Add or Remove Programs.

However, if you do not wish to remove this program please be advised not to use the said program during the course of cleaning your machine.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554

--Next--

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    CODE
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

    :Files
    C:\Documents and Settings\Paul\Local Settings\Application Data\av.exe

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot when it is done.
  • Then post the result and a new OTL log in your next reply. (Don't check the boxes beside LOP Check or Purity this time.)

--Next--

Please go to the site below to scan the following files:
Virus Total

Click on Browse, and upload the following file for analysis or copy/paste the text below into the browse box:
C:\Documents and Settings\Paul\Local Settings\Application Data\V2Iu86wOC61hS

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

--Next--

Can you tell me more about these files?
C:\Documents and Settings\Paul\Desktop\setup_9.0.0.722_03.02.2010_15-00.exe
C:\Documents and Settings\Paul\Desktop\606_20100123-2111a.mp3


Are you able to run GMER in safe mode? What programs were you running when the BSOD (blue screen) occurred?

To post in your next reply:
1. OTL script log.
2. VirusTotal log.
3. About my last questions.


paulh45
post Feb 4 2010, 06:16 PM
Post #8


Hi Inzanity

I removed the utorrent. I suspect that you're right and that's where I got this problem in the first place. I've often thought that bypassing firewall and virus was none too clever... time to knock the filesharing on the head..

Here is the log for OTL after using the fix you provided -

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
Process TeaTimer.exe killed successfully!
========== FILES ==========
C:\Documents and Settings\Paul\Local Settings\Application Data\av.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Google Chrome cache emptied: 6082433 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Paul
->Temp folder emptied: 38209256 bytes
->Temporary Internet Files folder emptied: 9181806 bytes
->Java cache emptied: 37906185 bytes
->Google Chrome cache emptied: 56103866 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 296342 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10936892 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33661 bytes
RecycleBin emptied: 10231664 bytes

Total Files Cleaned = 163.00 mb


OTL by OldTimer - Version 3.1.27.1 log created on 02052010_000852

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Internet Files\Content.IE5\LI8SOBLE\s;tp=1;tn=2;to=h;tr=1;tcs=2;te=2;slot=right_table1_R21;sect=pictures-of-liverpool-ne;templ=page;cat=MultiMedia;reg=NW;st=r2;oid=24252530;sz=160x60,160x120;ord=1294042296961563000[1] not found!
File\Folder C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Internet Files\Content.IE5\LI8SOBLE\videos-pictures;slot=bottom_leaderboard;sect=pictures-of-liverpool-ne;templ=page;cat=MultiMedia;reg=NW;st=r2;oid=24252530;sz=728x90;tile=5;ord=2251700010097729000[1] not found!
File\Folder C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Internet Files\Content.IE5\LI8SOBLE\videos-pictures;slot=right_sky;sect=pictures-of-liverpool-ne;templ=page;cat=MultiMedia;reg=NW;st=r2;oid=24252530;sz=120x600,160x600;tile=4;ord=2251700010097729000[1] not found!
File\Folder C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Internet Files\Content.IE5\3VBES8ZB\3DhgVf3UTABceZ3M%253A%2526tbnh%253D90%2526tbnw%253D121%2526prev%253D%252Fimages%25253Fq%25253Dbeacon%25252Bcountry%25252Bpark%252526hl%25253Den%252526sa%25253DG%252526um%25253D1[1] not found!
File\Folder C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Internet Files\Content.IE5\3VBES8ZB\s;tp=1;tn=2;to=h;tr=1;tcs=2;te=2;slot=right_table2_R21;sect=pictures-of-liverpool-ne;templ=page;cat=MultiMedia;reg=NW;st=r2;oid=24252530;sz=160x60,160x120;ord=1294042296961563000[1] not found!
File\Folder C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Internet Files\Content.IE5\1V8DR9DX\3DhgVf3UTABceZ3M%253A%2526tbnh%253D90%2526tbnw%253D121%2526prev%253D%252Fimages%25253Fq%25253Dbeacon%25252Bcountry%25252Bpark%252526hl%25253Den%252526sa%25253DG%252526um%25253D1[1] not found!
File\Folder C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Internet Files\Content.IE5\0QFG2IOV\fold_main.js.v48851.48851.48851.48851.48851.38771.48851.48851.81770.38771.71746.71745.62864.38771.66362.77756.76912.69832.38771.63688.38771.73289.67088.55944.79933[1].14 not found!
File\Folder C:\Documents and Settings\Paul\Local Settings\Temp\Temporary Internet Files\Content.IE5\0QFG2IOV\videos-pictures;slot=top_leaderboard;sect=pictures-of-liverpool-ne;templ=page;cat=MultiMedia;reg=NW;st=r2;oid=24252530;sz=728x90;dcopt=ist;tile=1;ord=2251700010097729000[1] not found!

Registry entries deleted on Reboot...

paulh45
post Feb 4 2010, 06:19 PM
Post #9


Here are the results from the VirusTotal scan

File V2Iu86wOC61hS received on 2010.02.05 00:17:24 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.05 -
AhnLab-V3 5.0.0.2 2010.02.04 -
AntiVir 7.9.1.158 2010.02.04 -
Antiy-AVL 2.0.3.7 2010.02.04 -
Authentium 5.2.0.5 2010.02.04 -
Avast 4.8.1351.0 2010.02.04 -
AVG 9.0.0.730 2010.02.05 -
BitDefender 7.2 2010.02.05 -
CAT-QuickHeal 10.00 2010.02.04 -
ClamAV 0.96.0.0-git 2010.02.04 -
Comodo 3823 2010.02.05 -
DrWeb 5.0.1.12222 2010.02.05 -
eSafe 7.0.17.0 2010.02.04 -
eTrust-Vet 35.2.7283 2010.02.04 -
F-Prot 4.5.1.85 2010.02.05 -
F-Secure 9.0.15370.0 2010.02.04 -
Fortinet 4.0.14.0 2010.02.05 -
GData 19 2010.02.05 -
Ikarus T3.1.1.80.0 2010.02.04 -
K7AntiVirus 7.10.966 2010.02.03 -
Kaspersky 7.0.0.125 2010.02.05 -
McAfee 5882 2010.02.04 -
McAfee+Artemis 5882 2010.02.04 -
McAfee-GW-Edition 6.8.5 2010.02.04 -
Microsoft 1.5406 2010.02.05 -
NOD32 4836 2010.02.04 -
Norman 6.04.03 2010.02.04 -
nProtect 2009.1.8.0 2010.02.04 -
Panda 10.0.2.2 2010.02.04 -
PCTools 7.0.3.5 2010.02.05 -
Prevx 3.0 2010.02.05 -
Rising 22.33.03.04 2010.02.04 -
Sophos 4.50.0 2010.02.05 -
Sunbelt 3.2.1858.2 2010.02.04 -
TheHacker 6.5.1.0.180 2010.02.04 -
TrendMicro 9.120.0.1004 2010.02.04 -
VBA32 3.12.12.1 2010.02.04 -
ViRobot 2010.2.4.2172 2010.02.04 -
VirusBuster 5.0.21.0 2010.02.04 -
Additional information
File size: 12826 bytes
MD5...: 3d489cf8538c5269bddba061cd2dbe91
SHA1..: 676cea7a34691c0ab43856b9a88ce63129499a18
SHA256: a6c596a5b91915dc2e22f15bb3fdc24253d1dac30eed03ddc823f019595ab9d2
ssdeep: 384:KQybpSd2VUD8mxR4yKS5SPu7aRuRgSZafP:KQybUD87jS5SPh6MP
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

paulh45
post Feb 4 2010, 06:23 PM
Post #10


Finally - your questions -

QUOTE
Can you tell me more about these files?
C:\Documents and Settings\Paul\Desktop\setup_9.0.0.722_03.02.2010_15-00.exe
C:\Documents and Settings\Paul\Desktop\606_20100123-2111a.mp3


The first one is the .exe file for the Kaspersky virus removal tool I downloaded. I tried running it; it found something related to the xp 2010 thing, but I was still getting popups after I ran it, so I uninstalled it.

The second one is a podcast download from a BBC radio station (it broadcasts on 606 MW).

Paul

inzanity
post Feb 4 2010, 06:36 PM
Post #11


Hi,

How about GMER? Did you try running it in safe mode?

What programs were you running when the BSOD occurred?

paulh45
post Feb 5 2010, 04:57 AM
Post #12


Oops, forgot the GMER - I'll post a log next.

The BSOD just happened again. That's the third or fourth time. I should say that this laptop suffered a hard drive failure last year. It's a replacement hard drive which I was trying to keep a bit cleaner (!). I'm at work, so I was running a couple of Open Office files and Google Chrome along with IE explorer 8. The BSOD report referred to the following files -

C:\DOCUME~1\Paul\LOCALS~1\Temp\WERd99a.dir00\Mini020510-01.dmp
C:\DOCUME~1\Paul\LOCALS~1\Temp\WERd99a.dir00\sysdata.xml

Paul

paulh45
post Feb 5 2010, 05:07 AM
Post #13


I ran the GMER in safe mode - it didn't report anything at all.

Paul

inzanity
post Feb 7 2010, 06:16 PM
Post #14


Hi,

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    CODE
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

    :Files
    C:\Documents and Settings\Paul\Local Settings\Application Data\V2Iu86wOC61hS

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot when it is done.
  • Then post the result and a new OTL log in your next reply. (Don't check the boxes beside LOP Check or Purity this time.)

--Next--

We need to check for rootkits with RootRepeal.
Please download RootRepeal from one of these locations and save it to your desktop:
Here
Here
Here
  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check just these boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:, and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

To post in your next reply:
1. OTL Script log.
2. RootRepeal log.

paulh45
post Feb 8 2010, 07:56 AM
Post #15


All processes killed
========== OTL ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\Documents and Settings\Paul\Local Settings\Application Data\V2Iu86wOC61hS moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Google Chrome cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Paul
->Temp folder emptied: 145188 bytes
->Temporary Internet Files folder emptied: 99862352 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 75338931 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 32768 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 289584 bytes

Total Files Cleaned = 168.00 mb


OTL by OldTimer - Version 3.1.27.1 log created on 02082010_114421

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
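As an added example (not code from this thread, nor part of OTL itself), here is a small Python checker for an OTL fix log like the one above: it parses the OTL, FILES and COMMANDS sections, confirms that each :Files target was actually moved, and cross-checks the per-folder byte counts against the "Total Files Cleaned" line. The sample log is constructed from lines of the post above; the "killed successfully!" process wording is an assumption, since only the "was found!" form appears on the page.

```python
import re

# Constructed sample input, built from lines of the OTL fix log posted above.
SAMPLE_LOG = """========== OTL ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\V2Iu86wOC61hS moved successfully.
========== COMMANDS ==========
->Temp folder emptied: 145188 bytes
->Temporary Internet Files folder emptied: 99862352 bytes
->Google Chrome cache emptied: 75338931 bytes
Windows Temp folder emptied: 32768 bytes
RecycleBin emptied: 289584 bytes
Total Files Cleaned = 168.00 mb
"""
SECTION_RE = re.compile(r"^=+ (\w+) =+$")
BYTES_RE = re.compile(r"(?:emptied|removed): (\d+) bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = ([\d.]+) mb$")
# "was found!" wording is on the page; the "killed successfully!" form is assumed.
PROC_RE = re.compile(r"named (\S+) was found!|Process (\S+) killed successfully!")
MOVED = " moved successfully."

def parse_otl_fix_log(text):
    """Split an OTL fix log into per-section outcomes plus the byte counts."""
    r = {"processes": {}, "files": {}, "bytes_freed": 0, "reported_mb": None}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)           # OTL, FILES, COMMANDS, ...
        elif section == "OTL" and (m := PROC_RE.search(line)):
            # True when OTL killed the process, False when it was not running
            r["processes"][m.group(1) or m.group(2)] = m.group(2) is not None
        elif section == "FILES" and line:
            ok = line.endswith(MOVED)      # anything else (e.g. "not found") is a miss
            r["files"][line[:-len(MOVED)] if ok else line] = ok
        elif section == "COMMANDS":
            if m := BYTES_RE.search(line):
                r["bytes_freed"] += int(m.group(1))
            elif m := TOTAL_RE.match(line):
                r["reported_mb"] = float(m.group(1))
    return r

def review_fix(text):
    """True when every :Files target was moved and the freed bytes match OTL's total."""
    r = parse_otl_fix_log(text)
    misses = [p for p, ok in r["files"].items() if not ok]
    freed_mb = r["bytes_freed"] / (1024 * 1024)
    total_ok = r["reported_mb"] is not None and abs(freed_mb - r["reported_mb"]) < 1.0
    return not misses and total_ok
```

A target that OTL reports as anything other than "moved successfully." makes review_fix return False, which is the cue to re-run the fix or look at why the file could not be moved.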
Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy