Win32:Trojan-gen and Win32:Rootkit-gen malwares


80 replies to this topic

#46 IndiGenus
  • Teacher Emeritus
  • Authentic Member
  • 5,251 posts
  • Interests: Computer Security, Music, Sports

Posted 08 July 2010 - 03:23 PM

Okay, download and run a fresh copy of ComboFix, with no script this time... :D. Post the log.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi



#47 bar457
  • Authentic Member
  • 183 posts

Posted 09 July 2010 - 05:10 PM

Apologies, but I am away this weekend; I will run ComboFix when I get back and report back to you. Kind regards, bar457

#48 IndiGenus
  • Teacher Emeritus
  • Authentic Member
  • 5,251 posts
  • Interests: Computer Security, Music, Sports

Posted 09 July 2010 - 05:15 PM

No problem, enjoy the weekend.
IndiGenus



#49 bar457
  • Authentic Member
  • 183 posts

Posted 12 July 2010 - 11:59 AM

Hi IndiGenus. Downloaded a fresh version of ComboFix from forospyware and tried to run it; it got as far as trying to start the scan and then went to a black screen with the message: 'Non-system disc or disk error, replace and strike any key when ready', but this just repeated. So I tried Ctrl+Alt+Del to restart, but it went back to the message. As before, a power down and restart got me back into Windows OK. Tried removal of ComboFix and a fresh download again, but the problem repeated. I wonder if this is picking up the infinite duplicate corrupt entries of ComboFix in Explorer C:\. bar457

#50 IndiGenus
  • Teacher Emeritus
  • Authentic Member
  • 5,251 posts
  • Interests: Computer Security, Music, Sports

Posted 12 July 2010 - 01:56 PM

Please try this...

Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from Here
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a new DDS log.

IndiGenus



#51 bar457
  • Authentic Member
  • 183 posts

Posted 13 July 2010 - 11:21 AM

Here are the reports:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

13/07/2010 17:20:46
mbam-log-2010-07-13 (17-20-46).txt

Scan type: Quick scan
Objects scanned: 149128
Time elapsed: 33 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ntuser_mssec.exe (Trojan.VirTool) -> Quarantined and deleted successfully.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 18:08:09.23 on 13/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.186 [GMT 1:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = sbserver:8080
uInternet Settings,ProxyOverride = local.;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: : {206e52e0-d52e-11d4-ad54-0000e86c26f6} - c:\progra~1\freshd~1\freshd~1\FDCatch.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FreshDownload Bar: {ed0e8ca5-42fb-4b18-997b-769e0408e79d} - c:\progra~1\freshd~1\freshd~1\fdiebar.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [{672FC0DA-DF94-82F2-401B-4D1794AC3C54}] "c:\documents and settings\administrator\application data\yxfehe\xylyd.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {DDDD6D68-CF2E-4E7A-A8DF-43DF07C586F0} - c:\program files\freshdevices\freshdownload\fd.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\sy0rkrb4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 4\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 4\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3 beta 4\greprefs\all.js - pref("security.fileuri.origin_policy", 2);
c:\program files\mozilla firefox 3 beta 4\defaults\pref\firefox.js - pref("browser.places.importBookmarksHTML", true);
c:\program files\mozilla firefox 3 beta 4\defaults\pref\firefox.js - pref("browser.places.createdSmartBookmarks", false);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-15 64288]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2009-11-17 4064]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
S1 Klif;KLIF driver;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]
S1 Klmc;KLMC driver;c:\windows\system32\drivers\klmc.sys --> c:\windows\system32\drivers\klmc.sys [?]

=============== Created Last 30 ================

2010-07-13 15:57 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-07-13 15:56 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-13 15:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-13 15:56 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-07-13 15:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-07-12 16:43 <DIR> --ds---- C:\ComboFix
2010-07-08 13:58 293,376 a------- C:\i6pndm98.exe
2010-07-08 13:56 <DIR> --d----- C:\New Folder
2010-07-06 18:27 <DIR> --d----- c:\docume~1\admini~1\applic~1\PeaZip
2010-07-06 18:25 <DIR> --d----- c:\program files\PeaZip
2010-07-05 17:07 <DIR> --d----- C:\_OTL
2010-07-02 20:39 <DIR> --d----- C:\ComboFix Logs
2010-07-01 15:20 <DIR> a-dshr-- C:\cmdcons
2010-07-01 15:10 256,512 a------- c:\windows\PEV.exe
2010-07-01 15:10 161,792 a------- c:\windows\SWREG.exe
2010-07-01 15:10 77,312 a------- c:\windows\MBR.exe
2010-07-01 15:10 98,816 a------- c:\windows\sed.exe
2010-06-15 17:11 15,880 a------- c:\windows\system32\lsdelete.exe
2010-06-15 16:43 64,288 a------- c:\windows\system32\drivers\Lbd.sys
2010-06-15 16:37 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-15 16:36 <DIR> --d----- c:\program files\Lavasoft

==================== Find3M ====================

2010-05-05 14:30 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 06:22 1,851,264 a------- c:\windows\system32\win32k.sys
2010-05-02 06:22 1,851,264 -------- c:\windows\system32\dllcache\win32k.sys
2010-04-20 06:30 285,696 a------- c:\windows\system32\atmfd.dll
2010-04-20 06:30 285,696 -------- c:\windows\system32\dllcache\atmfd.dll

============= FINISH: 18:09:59.39 ===============
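A first-pass triage of the DDS "Pseudo HJT Report" lines in the log above, as an added example that is not code from the thread, from DDS, or from any of the tools the helper recommends. The sample lines are copied from the posted DDS log; the heuristics (a Run value named with a GUID rather than a product name, an autorun executable living under the user's profile, a BHO registered with no display name, an orphaned "No File" toolbar entry, a configured proxy server) are the checks an analyst applies by eye when reading these logs, written down so they run over the whole report. They are assumptions about what merits a second look, not verdicts; the severities are the example's own ranking.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the DDS "Pseudo HJT Report" posted in the thread.
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = sbserver:8080
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {206e52e0-d52e-11d4-ad54-0000e86c26f6} - c:\progra~1\freshd~1\freshd~1\FDCatch.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [{672FC0DA-DF94-82F2-401B-4D1794AC3C54}] "c:\documents and settings\administrator\application data\yxfehe\xylyd.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
"""

RANK = {"low": 0, "medium": 1, "high": 2}

# DDS line shapes: uRun/mRun/dRun = per-user / machine / default-user Run values.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?):\s*\{[^}]+\}\s*-\s*(?P<path>.*)$")
TB_RE = re.compile(r"^TB:\s*(?:.*?:\s*)?\{[^}]+\}\s*-\s*(?P<path>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder:\s*.*?\s-\s(?P<path>.*)$")
PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)")
# XP-era user-writable profile locations (long and 8.3 forms); legitimate autoruns rarely live here.
USER_WRITABLE_RE = re.compile(r"\\(application data|local settings|temp|applic~1|locals~1)\\", re.I)
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.I)


@dataclass
class Finding:
    line: str
    severity: str   # "high", "medium" or "low"
    reasons: list


def _exe_of(cmd: str) -> str:
    """Strip quotes and trailing arguments from a Run value's command line."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def analyse_line(line: str) -> tuple:
    """Return (severity, reasons) for one DDS line; reasons is empty when nothing stands out."""
    reasons = []
    severity = "low"

    def flag(level: str, why: str) -> None:
        nonlocal severity
        reasons.append(why)
        if RANK[level] > RANK[severity]:
            severity = level

    if m := RUN_RE.match(line):
        name, exe = m.group("name"), _exe_of(m.group("cmd"))
        if GUID_RE.match(name):
            flag("high", "Run value named with a GUID instead of a product name")
        if USER_WRITABLE_RE.search(exe):
            flag("high", "autorun executable lives in a user-writable profile directory")
        if "\\" not in exe:
            flag("low", "bare file name; the executable is resolved through the search path")
    elif m := BHO_RE.match(line):
        if not m.group("name").strip():
            flag("medium", "BHO registered without a display name")
        if USER_WRITABLE_RE.search(m.group("path")):
            flag("high", "BHO DLL lives in a user-writable profile directory")
    elif m := TB_RE.match(line):
        if m.group("path").strip().lower() == "no file":
            flag("low", "orphaned toolbar CLSID (No File); safe to clean up")
    elif m := STARTUP_RE.match(line):
        if USER_WRITABLE_RE.search(m.group("path")):
            flag("high", "Startup-folder shortcut targets a user-writable profile directory")
    elif m := PROXY_RE.match(line):
        flag("medium", f"proxy server {m.group('proxy')} configured; confirm it is expected on this network")
    return severity, reasons


def triage(dds_text: str) -> list:
    """Scan every line of a DDS report and return the flagged ones, highest severity first."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        severity, reasons = analyse_line(line)
        if reasons:
            findings.append(Finding(line, severity, reasons))
    findings.sort(key=lambda f: -RANK[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity.upper():6}] {f.line}")
        for why in f.reasons:
            print(f"         - {why}")
```

Run against the sample, the only high-severity hit is the `uRun` value with a GUID name pointing into `application data\yxfehe\xylyd.exe`, which is still present in the DDS log taken after the MBAM quarantine of `ntuser_mssec.exe`; the proxy setting and the unnamed BHO come out medium, and the "No File" toolbar and the bare `AGRSMMSG.exe` are low-severity notes. Everything it flags is a prompt to look closer, not a removal decision.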

#52 IndiGenus
  • Teacher Emeritus
  • Authentic Member
  • 5,251 posts
  • Interests: Computer Security, Music, Sports

Posted 13 July 2010 - 01:56 PM

Alright I think we're making some more progress. I see more traces of Kaspersky on here. Let's run the removal tool and hopefully it will clear out the dead entries and those ADS. Download the tool and follow the instructions from the link.

http://support.kaspe.../?qid=208279463

Let's also uninstall combofix and that should clear out all those duplicate entries you see.

Uninstall Combofix
  • Click START then RUN
  • Now type Combofix /Uninstall in the Run box and click OK. Note the space between the X and the /U; it needs to be there.
The above procedure will:
  • Delete the following: ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

If all is well at this point let's go ahead and download a fresh copy of combofix and run it.
IndiGenus



#53 bar457
  • Authentic Member
  • 183 posts

Posted 13 July 2010 - 05:34 PM

OK, the two uninstalls went smoothly. However, the new ComboFix still would not run; it got to the same point of trying to scan and went to a black screen with the message 'Non-System disc or 'error, etc...' as before. Powered off followed by restart went to the MS Windows start screen and then switched to a blue screen I have never seen before, saying:

Checking file system on C:
One of your disks needs to be checked for consistency.
CHKDSK is verifying files
CHKDSK is verifying indexes
Deleting index entry catchme.dll in index $130 of file 54
CHKDSK is recovering lost files
CHKDSK is recovering lost files
" " " "

then it shot through some other text and went to the Windows start screen and completed startup. I rebooted just to be sure it was working OK and it started very quickly to the desktop. However, IE and Outlook are starting a bit slow. bar457

#54 IndiGenus
  • Teacher Emeritus
  • Authentic Member
  • 5,251 posts
  • Interests: Computer Security, Music, Sports

Posted 13 July 2010 - 06:12 PM

So when you ran checkdisk earlier, did it find any problems, like it did this last time? I'm thinking this drive is definitely on its way out. It would probably be good to find out what kind of drive it is and run some mfg. diagnostics on it. In the meantime, run OTL again and post the log. No need to put in the code to check MD5s. Just run a quick scan, and there will only be the one log.
IndiGenus



#55 bar457
  • Authentic Member
  • 183 posts

Posted 14 July 2010 - 07:15 AM

When I ran CHKDSK before I could not see what it was doing, it finished the check and just reported that it had repaired one or more errors.

I have a Seagate Momentus 5400.2 Standard Disk Drive ST960822A
How can you run mfg diagnostics?

I am not aware that I have had any problems with it before.

Here is the OTL report (I see we still have all the ADS entries):



OTL logfile created on: 14/07/2010 12:07:14 - Run 3
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 304.00 Mb Available Physical Memory | 59.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 9.52 Gb Free Space | 17.04% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NX8220
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/05 16:41:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/02/08 13:23:38 | 000,380,928 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Application Updater\ApplicationUpdater.exe
PRC - [2010/01/12 19:13:48 | 001,490,944 | ---- | M] (Mortal Universe) -- C:\Program Files\POP Peeper\POPPeeper.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/03 17:50:00 | 001,603,152 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2005/03/17 12:10:32 | 000,536,576 | ---- | M] (Panicware, Inc.) -- C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
PRC - [2004/11/12 01:13:40 | 000,290,816 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
PRC - [2004/11/04 19:40:08 | 000,098,394 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/08/18 18:57:40 | 001,048,576 | ---- | M] (McAfee Security) -- C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
PRC - [2003/04/09 16:11:54 | 000,200,704 | ---- | M] (McAfee Security) -- C:\Program Files\McAfee.com\Personal Firewall\MpfAgent.exe
PRC - [2003/01/29 16:30:58 | 000,184,320 | ---- | M] (McAfee Corporation) -- C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe
PRC - [2002/09/20 23:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/07/05 16:41:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2005/03/10 17:33:48 | 000,053,248 | ---- | M] (Panicware, Inc.) -- C:\Program Files\Panicware\Pop-Up Stopper Free Edition\XAHook.dll
MOD - [2004/11/04 19:39:58 | 000,069,722 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (kavsvc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/06/29 16:44:44 | 001,352,832 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/02/08 13:23:38 | 000,380,928 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/01/29 16:30:58 | 000,184,320 | ---- | M] (McAfee Corporation) [Auto | Running] -- C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe -- (MpfService)
SRV - [2002/09/20 23:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\klif.sys -- (TSP)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\PPPoEWin.SYS -- (PPPoEWin)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/06/15 16:42:58 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2006/08/28 14:23:06 | 000,090,768 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se26unic.sys -- (se26unic) Sony Ericsson Device 038 USB Ethernet Emulation SEMC38 (WDM)
DRV - [2006/08/28 14:23:00 | 000,086,560 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26obex.sys -- (SE26obex)
DRV - [2006/08/28 14:22:58 | 000,018,704 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se26nd5.sys -- (se26nd5) Sony Ericsson Device 038 USB Ethernet Emulation SEMC38 (NDIS)
DRV - [2006/08/28 14:22:56 | 000,088,688 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26mgmt.sys -- (SE26mgmt) Sony Ericsson Device 038 USB WMC Device Management Drivers (WDM)
DRV - [2006/08/28 14:22:52 | 000,097,184 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26mdm.sys -- (SE26mdm)
DRV - [2006/08/28 14:22:50 | 000,009,360 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26mdfl.sys -- (SE26mdfl)
DRV - [2006/08/28 14:22:46 | 000,061,600 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26bus.sys -- (SE26bus) Sony Ericsson Device 038 Driver driver (WDM)
DRV - [2005/05/27 16:13:12 | 000,128,295 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (Nokia USB Phone Parent)
DRV - [2005/05/27 16:13:12 | 000,011,001 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdcm.sys -- (Nokia USB Modem)
DRV - [2005/05/27 16:13:12 | 000,007,288 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdc.sys -- (Nokia USB Generic)
DRV - [2005/05/26 10:51:33 | 000,028,160 | ---- | M] (W1zzard) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ATITool.sys -- (ATITool)
DRV - [2005/02/11 01:52:36 | 000,157,056 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2004/12/07 23:06:42 | 000,874,496 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/11/22 12:33:52 | 000,190,592 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/11/16 11:37:48 | 003,222,784 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/11/16 11:37:38 | 000,342,912 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/11/04 19:26:42 | 000,186,016 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2004/10/26 12:22:50 | 001,337,274 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2004/10/26 12:22:50 | 000,002,410 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys -- (FreshIO)
DRV - [2004/10/26 11:55:26 | 000,398,208 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2004/10/26 11:49:54 | 000,147,896 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2004/10/26 11:47:24 | 000,030,299 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2004/10/26 11:47:08 | 000,030,125 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)
DRV - [2004/10/26 11:46:04 | 000,055,320 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2004/08/24 12:20:08 | 001,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/08/17 12:21:00 | 000,087,168 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/08/03 10:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/08/03 10:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/08/03 10:05:00 | 000,086,138 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/08/03 10:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/08/03 10:05:00 | 000,025,723 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/08/03 10:05:00 | 000,014,715 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/08/03 10:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/08/03 10:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/08/03 10:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/07/14 20:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 20:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/07/14 11:56:00 | 000,040,448 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/06/16 19:19:58 | 000,046,080 | ---- | M] (SMSC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2004/05/03 17:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2004/04/14 16:36:50 | 000,007,432 | ---- | M] (Hewlett-Packard Company) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2004/02/20 18:35:28 | 000,059,044 | R--- | M] (Hewlett-Packard) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\ClntMgmt.sys -- (ClntMgmt.sys)
DRV - [2003/06/06 20:46:16 | 000,005,220 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2003/01/10 22:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/12/06 10:21:22 | 000,055,936 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\MpFirewall.sys -- (MPFIREWL)
DRV - [2001/08/17 16:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 15:05:16 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OVCD.sys -- (QCDonner)
DRV - [1997/06/17 05:00:00 | 000,004,064 | ---- | M] (Adobe Systems Incorporated) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ATMHELPR.SYS -- (ATMhelpr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local.;*.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = sbserver:8080

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.google.co.uk"

FF - HKLM\software\mozilla\Mozilla Firefox 3.0b4\extensions\\Components: C:\Program Files\Mozilla Firefox 3 Beta 4\components [2008/04/22 09:55:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0b4\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3 Beta 4\plugins [2010/04/17 09:38:16 | 000,000,000 | ---D | M]

[2008/03/09 19:31:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/11/05 19:14:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sy0rkrb4.default\extensions
[2009/11/05 19:14:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sy0rkrb4.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2008/03/31 09:15:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2004/02/20 21:14:09 | 000,176,177 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/07/04 13:01:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: () - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\Program Files\FreshDevices\FreshDownload\fdcatch.dll (FreshDevices Corp.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (FreshDownload Bar) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\Program Files\FreshDevices\FreshDownload\fdiebar.dll (FreshDevices Corp.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [MPFExe] C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe (McAfee Security)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - HKCU..\Run: [{672FC0DA-DF94-82F2-401B-4D1794AC3C54}] C:\Documents and Settings\Administrator\Application Data\Yxfehe\xylyd.exe File not found
O4 - HKCU..\Run: [POP Peeper] C:\Program Files\POP Peeper\POPPeeper.exe (Mortal Universe)
O4 - HKCU..\Run: [PopUpStopperFreeEdition] C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe (Panicware, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: FreshDownload - {DDDD6D68-CF2E-4E7A-A8DF-43DF07C586F0} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (FreshDevices Corp.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://download.mac...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (Broadcom Corporation.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:1 (BBC - bbc.co.uk homepage - Home of the BBC on the Internet) - http://www.bbc.co.uk/
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/07/13 23:24:21 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/13 23:24:21 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/13 23:24:21 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/13 23:24:21 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/13 23:23:25 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/07/13 23:22:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/13 22:52:18 | 002,067,128 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\kavremover.exe
[2010/07/13 15:57:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/07/13 15:56:19 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/13 15:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/13 15:56:12 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/13 15:56:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/13 13:16:21 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/07/08 13:56:43 | 000,000,000 | ---D | C] -- C:\New Folder
[2010/07/07 21:00:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/07/07 21:00:20 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2010/07/07 20:45:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Copy of My Documents
[2010/07/07 20:33:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Barry
[2010/07/07 20:30:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\My Documents
[2010/07/06 18:30:27 | 000,499,712 | ---- | C] (eSage Lab) -- C:\Documents and Settings\Administrator\Desktop\remover.exe
[2010/07/06 18:27:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\PeaZip
[2010/07/06 18:25:31 | 000,000,000 | ---D | C] -- C:\Program Files\PeaZip
[2010/07/06 12:54:37 | 001,013,584 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/07/05 19:55:13 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/07/05 17:07:14 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/05 16:41:01 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/02 20:39:03 | 000,000,000 | ---D | C] -- C:\ComboFix Logs
[2010/07/01 15:20:10 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/01 15:08:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/15 16:43:48 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/15 16:37:23 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/06/15 16:36:33 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/05/07 13:36:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2010/05/04 16:50:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2010/04/22 18:12:25 | 000,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner

========== Files - Modified Within 90 Days ==========

[2098/12/24 17:26:24 | 002,224,297 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\IMG00110.JPG
[2098/12/24 17:14:48 | 001,938,121 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\IMG00108.JPG
[2010/07/14 00:45:03 | 000,000,406 | -H-- | M] () -- C:\WINDOWS\tasks\{FA758EFE-AE36-425B-A409-37236371032C}_NX8220_Administrator.job
[2010/07/14 00:14:27 | 000,177,504 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[2010/07/14 00:14:26 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/14 00:13:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/14 00:13:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/14 00:13:50 | 536,268,800 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/14 00:12:51 | 007,340,032 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/07/14 00:12:51 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/07/13 23:20:49 | 003,738,561 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/07/13 22:52:18 | 002,067,128 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\kavremover.exe
[2010/07/13 16:46:04 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/13 15:56:25 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/13 13:16:21 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/07/08 13:58:32 | 000,293,376 | ---- | M] () -- C:\i6pndm98.exe
[2010/07/07 23:24:54 | 000,525,312 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Contacts copy folder 7.7.10.pst
[2010/07/07 23:24:27 | 000,271,360 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Mailbox administrator copy folder 7.7.10.pst
[2010/07/07 21:20:17 | 471,377,329 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\My Docs copy zipped 7.7.10.zipx
[2010/07/07 21:01:21 | 000,001,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2010/07/07 14:04:06 | 000,050,688 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
[2010/07/06 18:25:35 | 000,000,606 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\PeaZip.lnk
[2010/07/05 16:41:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/04 13:01:36 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/02 20:07:01 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/02 14:34:04 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to My Computer (2).lnk
[2010/07/02 00:21:13 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/01 15:20:20 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/30 17:25:08 | 001,013,584 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/06/29 11:50:51 | 000,018,944 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/15 16:43:16 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/15 16:42:58 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/15 16:37:19 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/06/10 11:01:04 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2010/06/10 11:00:41 | 000,385,164 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/10 11:00:41 | 000,054,682 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/10 11:00:40 | 000,443,254 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 10:37:08 | 000,449,192 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 10:25:20 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/10 10:17:03 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/10 09:30:13 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/05/06 17:06:13 | 000,001,353 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SCAN pst.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/23 11:28:18 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/04/22 18:12:28 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Eusing Free Registry Cleaner.lnk
[2010/04/22 13:46:02 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

========== Files Created - No Company Name ==========

[2010/07/13 23:24:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/13 23:24:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/13 23:24:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/13 23:24:21 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/13 23:24:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/13 23:20:49 | 003,738,561 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/07/13 15:56:25 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/08 13:58:30 | 000,293,376 | ---- | C] () -- C:\i6pndm98.exe
[2010/07/07 21:20:17 | 471,377,329 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\My Docs copy zipped 7.7.10.zipx
[2010/07/07 21:01:21 | 000,001,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2010/07/07 20:19:30 | 000,176,594 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Administrator.wab~
[2010/07/07 18:54:26 | 000,271,360 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Mailbox administrator copy folder 7.7.10.pst
[2010/07/07 18:48:48 | 000,525,312 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Contacts copy folder 7.7.10.pst
[2010/07/07 14:04:06 | 000,050,688 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
[2010/07/06 18:25:35 | 000,000,606 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\PeaZip.lnk
[2010/07/02 14:34:04 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to My Computer (2).lnk
[2010/07/01 15:20:19 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/07/01 15:20:12 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/15 17:11:07 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/15 16:37:19 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/05/06 17:06:13 | 000,001,353 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\SCAN pst.lnk
[2010/04/22 18:12:28 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Eusing Free Registry Cleaner.lnk
[2009/11/17 00:39:07 | 000,000,177 | ---- | C] () -- C:\WINDOWS\kpcms.ini
[2009/11/17 00:39:06 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2009/11/17 00:38:50 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\ImgLibLead.dll
[2009/11/17 00:38:49 | 000,100,864 | ---- | C] () -- C:\WINDOWS\System32\Dc50ip32.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/01/23 00:10:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mngui.INI
[2007/10/07 01:25:05 | 000,001,279 | ---- | C] () -- C:\WINDOWS\SpecEmuWindow.ini
[2007/05/20 01:06:34 | 000,000,150 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/04/22 08:05:56 | 000,000,060 | ---- | C] () -- C:\WINDOWS\easkdiry.ini
[2007/02/01 10:08:56 | 000,000,006 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/11/14 21:37:02 | 000,000,019 | ---- | C] () -- C:\WINDOWS\SoundConverter.INI
[2005/11/06 00:13:55 | 000,000,020 | ---- | C] () -- C:\WINDOWS\TemplateWizard.INI
[2005/09/12 06:11:17 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/09/06 17:44:48 | 000,000,103 | ---- | C] () -- C:\WINDOWS\Licence.ini
[2005/09/06 17:33:49 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\usqlcs32.dll
[2005/09/06 17:33:49 | 000,072,704 | ---- | C] () -- C:\WINDOWS\System32\CCmove32.dll
[2005/09/06 17:33:49 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\CCCHNG32.dll
[2005/09/04 13:09:43 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\MpfApi.dll
[2005/09/04 13:09:42 | 000,055,936 | ---- | C] () -- C:\WINDOWS\System32\drivers\MpFirewall.sys
[2005/09/04 12:00:09 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2005/09/03 19:58:29 | 000,000,543 | ---- | C] () -- C:\WINDOWS\AppRun.ini
[2005/09/01 22:42:11 | 000,000,620 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/01 21:37:30 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/09/01 21:37:30 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/09/01 21:37:30 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/09/01 21:37:30 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/09/01 21:37:30 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/09/01 21:37:30 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/08/09 23:13:31 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/08/09 23:13:31 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/08/09 23:12:28 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/02/15 07:40:57 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/02/15 07:33:45 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/10/26 19:30:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/10/26 12:06:04 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2004/08/07 14:19:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 14:12:40 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/06/01 10:39:56 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2004/01/13 19:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/03/27 17:28:44 | 000,004,955 | ---- | C] () -- C:\WINDOWS\System32\DProg.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/15 23:29:04 | 000,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2001/11/23 18:18:00 | 000,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[2000/09/13 19:15:38 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pagesync.dll
[1998/05/07 03:10:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll

========== LOP Check ==========

[2008/09/04 00:41:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Agyvak
[2010/01/09 15:46:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Canon
[2006/04/11 08:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DataLayer
[2006/11/24 17:37:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Flickr
[2009/11/05 19:13:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit
[2009/12/14 16:59:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit Software
[2009/11/05 19:03:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FreshDiagnose
[2005/09/07 22:14:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterVideo
[2005/10/26 22:44:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2005/11/11 16:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nokia
[2007/01/21 20:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nvu
[2010/07/06 12:36:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Ozxi
[2005/11/14 21:48:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PC Suite
[2010/07/06 18:37:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PeaZip
[2010/07/13 16:05:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\POP Peeper
[2010/02/16 20:07:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Search Settings
[2007/09/28 17:41:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Teleca
[2008/03/25 23:23:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2010/02/16 20:07:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\YouTube Downloader
[2009/12/12 22:13:12 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2007/03/20 12:48:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus for Windows Workstations
[2008/03/25 20:01:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2005/09/03 21:09:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/07/07 21:02:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/06/24 12:14:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/07/13 16:46:04 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/07/14 00:45:03 | 000,000,406 | -H-- | M] () -- C:\WINDOWS\Tasks\{FA758EFE-AE36-425B-A409-37236371032C}_NX8220_Administrator.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 68 bytes -> C:\WINDOWS\wmp11.log:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\twain_32.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\zipfldr.dll:KAVICHS

EDIT: Removed redundant entries

Edited by IndiGenus, 14 July 2010 - 03:10 PM.



#56 bar457

bar457

    Authentic Member

  • Authentic Member
  • PipPip
  • 183 posts

Posted 14 July 2010 - 07:18 AM

Part 2 of OTL report:

EDIT: Removed redundant entries, again....

@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk:KAVICHS
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Desktop\Acrobat.com.lnk:KAVICHS
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk:KAVICHS
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\Administrator\Desktop\FreshDownload.lnk:KAVICHS
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\Administrator\Desktop\FreshDiagnose.lnk:KAVICHS
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\Administrator\Desktop\CleanUp.lnk:KAVICHS

< End of report >

Edited by IndiGenus, 14 July 2010 - 03:09 PM.


#57 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 14 July 2010 - 03:19 PM

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKCU..\Run: [{672FC0DA-DF94-82F2-401B-4D1794AC3C54}] C:\Documents and Settings\Administrator\Application Data\Yxfehe\xylyd.exe File not found
    
    :Files
    C:\Documents and Settings\Administrator\Application Data\Yxfehe
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log

Let me know how it's running too please.

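The fix script above targets one O4 entry by hand: a GUID-named Run value pointing at an executable under the user's Application Data that OTL reports as "File not found". The following is an added example for this thread, not OTL's own code and not anything posted by the helpers: it parses OTL-style O4 lines (the sample lines are copied from the log earlier in this thread), flags the usual analyst red flags (GUID-style value name, per-user Application Data path, missing file, no publisher info) and drafts an :OTL / :Files / :Commands fix section in the same shape as the one above. The heuristics and the "high"/"low" levels are this example's own triage convention, not an OTL feature, and a "low" hit only means "verify", not "remove".

```python
"""Triage OTL 'O4' (Run-key) entries and draft an :OTL fix section.

Added example; not OTL's own code.  The red-flag heuristics are the
reviewer's usual rules of thumb, not something OTL itself reports.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# O4 lines look like:  O4 - HKCU..\Run: [Name] C:\path\file.exe (Publisher)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
PUB_RE = re.compile(r"^(?P<path>.+?) \((?P<pub>.*)\)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
APPDATA_RE = re.compile(r"\\Application Data\\", re.IGNORECASE)
MISSING = " File not found"   # OTL's suffix when the target is absent on disk

# Sample input: O4 lines copied from the OTL log posted earlier in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)",
    r"O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()",
    r"O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )",
    r"O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()",
    r"O4 - HKCU..\Run: [{672FC0DA-DF94-82F2-401B-4D1794AC3C54}] C:\Documents and Settings\Administrator\Application Data\Yxfehe\xylyd.exe File not found",
    r"O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)",
]


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    publisher: str   # "" when OTL prints "()" (no version resource)
    missing: bool    # True when OTL appended "File not found"
    raw: str         # the original line, reused verbatim in the fix script


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one OTL O4 line; return None for lines that are not O4 Run entries."""
    line = line.strip()
    m = O4_RE.match(line)
    if not m:
        return None
    hive, name, rest = m.group("hive", "name", "rest")
    if rest.endswith(MISSING):
        return RunEntry(hive, name, rest[: -len(MISSING)], "", True, line)
    pm = PUB_RE.match(rest)
    if pm:
        return RunEntry(hive, name, pm.group("path"), pm.group("pub").strip(), False, line)
    return RunEntry(hive, name, rest, "", False, line)


def assess(e: RunEntry):
    """Return (level, reasons): 'high' on a hard red flag, 'low' if only the
    publisher field is empty (common for legitimate OEM tools), else None."""
    reasons: List[str] = []
    if e.missing:
        reasons.append("file not found")
    if GUID_RE.match(e.name):
        reasons.append("GUID-style value name")
    if APPDATA_RE.search(e.path):
        reasons.append("runs from a per-user Application Data folder")
    if reasons:
        return "high", reasons
    if not e.publisher:
        return "low", ["no publisher/version info"]
    return None, []


def triage(lines):
    """Return the entries worth a second look, in log order."""
    out = []
    for line in lines:
        e = parse_o4(line)
        if e is None:
            continue
        level, reasons = assess(e)
        if level:
            out.append({"name": e.name, "path": e.path, "level": level, "reasons": reasons})
    return out


def build_otl_fix(lines) -> str:
    """Draft an OTL fix script for the 'high' entries, in the thread's layout:
    :OTL lines to remove, :Files folders under Application Data, then :Commands."""
    highs = [e for e in map(parse_o4, lines) if e and assess(e)[0] == "high"]
    folders = []
    for e in highs:
        d = ntpath.dirname(e.path)
        if APPDATA_RE.search(e.path) and d not in folders:
            folders.append(d)
    block = [":OTL", *[e.raw for e in highs], ""]
    if folders:
        block += [":Files", *folders, ""]
    block += [":Commands", "[purity]", "[emptytemp]", "[Reboot]"]
    return "\n".join(block)


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f"[{hit['level']}] {hit['name']}: {', '.join(hit['reasons'])}")
    print()
    print(build_otl_fix(SAMPLE_LINES))
```

On the sample lines only the GUID-named HKCU entry comes out "high" (all three red flags at once), and the script it drafts matches the one in the post above; Cpqset and NeroCheck are "low" because OTL shows no publisher, which for known OEM and burner helpers is a prompt to verify the file, not to remove it.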

#58 bar457

bar457

    Authentic Member

  • Authentic Member
  • PipPip
  • 183 posts

Posted 15 July 2010 - 07:02 AM

Report as follows:

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\{672FC0DA-DF94-82F2-401B-4D1794AC3C54} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{672FC0DA-DF94-82F2-401B-4D1794AC3C54}\ not found.
========== FILES ==========
File\Folder C:\Documents and Settings\Administrator\Application Data\Yxfehe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 911786 bytes
->Temporary Internet Files folder emptied: 9342431 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 434 bytes

User: Administrator.WFDOM
->Flash cache emptied: 0 bytes

User: All Users
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: GARETH
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: gareth.NX8220
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16889 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 10.00 mb

OTL by OldTimer - Version 3.2.7.1 log created on 07152010_134440

Files\Folders moved on Reboot...
Registry entries deleted on Reboot...

#59 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 15 July 2010 - 08:16 AM

How is it running?

I would like you to run the following scan: Eset Online Scanner
Run with Internet Explorer
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button, or click the notification bar at the top of the window and choose to install.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

IndiGenus



#60 bar457

bar457

    Authentic Member

  • Authentic Member
  • PipPip
  • 183 posts

Posted 16 July 2010 - 08:39 AM

Well, the computer seems to be running fine as far as I can tell, bearing in mind I am mostly using my second laptop instead at the moment, but it appears good. The only problem I still have is that it goes into screensaver and is hard to get out. The screensaver does not run properly, as it freezes the bursting planets or they run very slowly. The only time they went back to normal and I could touch the pad and go straight to the desktop was after the very first run of ComboFix, but as soon as we had to return to a saved registry to recover from the later failed ComboFix runs, it has been bad.

Here is the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=aba9be960cdcb0478ab367c8b07246be
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-16 12:28:07
# local_time=2010-07-16 01:28:07 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 19596145 19596145 0 0
# compatibility_mode=1280 16777215 100 0 104892550 104892550 0 0
# compatibility_mode=8192 67108863 100 0 404 404 0 0
# scanned=145508
# found=7
# cleaned=0
# scan_time=3008
C:\ntuser_mssec.exe probably a variant of Win32/Obfuscated trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Administrator\Application Data\Agyvak\iwdav.exe a variant of Win32/Peerfrag.FU worm 00000000000000000000000000000000 I
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\afraf.exe Win32/Spy.Zbot.YW trojan 00000000000000000000000000000000 I
C:\Documents and Settings\gareth.NX8220\Start Menu\Programs\Startup\riunmi.exe Win32/Spy.Zbot.YW trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\byvea.exe Win32/Spy.Zbot.YW trojan 00000000000000000000000000000000 I
C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe Win32/Adware.Toolbar.Dealio application 00000000000000000000000000000000 I
C:\Program Files\YouTube Downloader Toolbar\WidgiHelper.exe Win32/Adware.Toolbar.Dealio application 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=aba9be960cdcb0478ab367c8b07246be
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-16 02:16:50
# local_time=2010-07-16 03:16:50 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 19600477 19600477 0 0
# compatibility_mode=1280 16777215 100 0 104896882 104896882 0 0
# compatibility_mode=8192 67108863 100 0 4736 4736 0 0
# scanned=145506
# found=7
# cleaned=0
# scan_time=5219
C:\ntuser_mssec.exe probably a variant of Win32/Obfuscated trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Administrator\Application Data\Agyvak\iwdav.exe a variant of Win32/Peerfrag.FU worm 00000000000000000000000000000000 I
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\afraf.exe Win32/Spy.Zbot.YW trojan 00000000000000000000000000000000 I
C:\Documents and Settings\gareth.NX8220\Start Menu\Programs\Startup\riunmi.exe Win32/Spy.Zbot.YW trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\byvea.exe Win32/Spy.Zbot.YW trojan 00000000000000000000000000000000 I
C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe Win32/Adware.Toolbar.Dealio application 00000000000000000000000000000000 I
C:\Program Files\YouTube Downloader Toolbar\WidgiHelper.exe Win32/Adware.Toolbar.Dealio application 00000000000000000000000000000000 I
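The ESET Online Scanner log layout that the two posts above work with (a `# key=value` header followed by one detection per line), as an added parsing example that is not part of the thread or of ESET's tooling: it separates header and detections, cross-checks the header's `found` counter against the parsed lines, and flags hits sitting in a per-profile Startup folder, which is where the log above places the Zbot files. The sample log, its paths and the `Detection`/`triage` names are constructed for this example.

```python
import re
from dataclasses import dataclass
# Constructed sample in the layout of ESET Online Scanner's log.txt as posted in
# the thread: "# key=value" header lines, then one detection per line laid out
# as <path> <description> <32-hex hash> <flag>, then a scanner status line.
SAMPLE_LOG = """\
# found=3
# remove_checked=false
C:\\example_dropper.exe probably a variant of Win32/Obfuscated trojan 00000000000000000000000000000000 I
C:\\Documents and Settings\\Alice\\Start Menu\\Programs\\Startup\\abcde.exe Win32/Spy.Zbot.YW trojan 00000000000000000000000000000000 I
C:\\Program Files\\Example Toolbar\\Helper.exe Win32/Adware.Toolbar.Dealio application 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
"""

# Paths contain spaces, so anchor on the file extension and the fixed-width hash column.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{2,4})\s+"  # drive path up to first "ext + space"
    r"(?P<description>.+?)\s+"                         # e.g. "Win32/Spy.Zbot.YW trojan"
    r"(?P<digest>[0-9A-Fa-f]{32})\s+"                  # hash column (all zeros in this log)
    r"(?P<flag>\S+)$"                                  # action flag; I = ignored, not removed
)

@dataclass
class Detection:
    path: str
    description: str
    digest: str
    flag: str
    def in_startup_folder(self) -> bool:
        # A per-profile Startup folder runs at logon, so a hit there is a persistence point.
        return "\\start menu\\programs\\startup\\" in self.path.lower()

def parse_eset_log(text: str):
    """Return (header dict, list of Detection); lines matching neither shape are skipped."""
    header, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            header[key.strip()] = value.strip()
        elif m := DETECTION_RE.match(line.strip()):
            detections.append(Detection(**m.groupdict()))
    return header, detections

def triage(text: str) -> dict:
    # Cross-check the header's counter against parsed lines and list persistence hits.
    header, dets = parse_eset_log(text)
    return {
        "found_matches_header": header.get("found") == str(len(dets)),
        "removed_by_scanner": header.get("remove_checked") == "true",
        "startup_persistence": [d.path for d in dets if d.in_startup_folder()],
    }
```

A `found` count that disagrees with the number of parsed lines means a line was wrapped or truncated when pasted, which is worth knowing before acting on the log.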
