February 20th, 2013, 06:28 PM
#1
[Inactive] search.imesh.net... how to get rid of it?
Somehow this malware has gotten onto my sister's computer and I am trying to help her fix it. It redirects the home page from google to search.imesh.net. The computer is running awfully slow (not that it was very fast to begin with but now it is worse). Also, I don't know if this has anything to do with it but every time I log on the firewall is turned off and I have to turn it back on. If it is not this malware doing this I need to figure out what is causing that to happen. It's just a little Dell notepad but she is disabled and we are trying to teach her how to use a computer before getting her a laptop. She is not savvy enough to know to turn on the firewall every time she boots the computer, though I think we could train her. Any help with these issues would be appreciated. Below are the scans. I also did a scan with Microsoft Security Essentials and it came up clean.
Malware Bytes
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.02.20.07
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User XP :: DARLAPTOP [administrator]
2/20/2013 2:09:06 PM
mbam-log-2013-02-20 (14-09-06).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211038
Time elapsed: 8 minute(s), 33 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
************************************
ASWMBR
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-02-20 14:32:36
-----------------------------
14:32:36.062 OS Version: Windows 5.1.2600 Service Pack 3
14:32:36.062 Number of processors: 1 586 0xD08
14:32:36.062 ComputerName: DARLAPTOP UserName: User XP
14:32:38.140 Initialize success
14:33:08.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:33:08.562 Disk 0 Vendor: FUJITSU_MHV2080AH 000000A0 Size: 76319MB BusType: 3
14:33:08.593 Disk 0 MBR read successfully
14:33:08.609 Disk 0 MBR scan
14:33:08.625 Disk 0 Windows XP default MBR code
14:33:08.640 Disk 0 Partition 1 80 (A) 06 FAT16 MSDOS5.0 2047 MB offset 63
14:33:08.640 Disk 0 Partition - 00 0F Extended LBA 74269 MB offset 4192965
14:33:08.671 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 74269 MB offset 4193028
14:33:08.687 Disk 0 scanning sectors +156296385
14:33:08.765 Disk 0 scanning D:\WINDOWS\system32\drivers
14:33:14.171 Service scanning
14:33:19.875 Service MpKsl244cbbad d:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2082D495-C2CD-4A38-84DF-0E7931F42885}\MpKsl244cbbad.sys **LOCKED** 32
14:33:27.265 Modules scanning
14:33:35.031 Disk 0 trace - called modules:
14:33:36.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
14:33:36.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89dedab8]
14:33:36.203 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89e58770]
14:33:36.250 Scan finished successfully
14:34:40.843 Disk 0 MBR has been saved successfully to "D:\Documents and Settings\User XP\Desktop\MBR.dat"
14:34:40.890 The log file has been saved successfully to "D:\Documents and Settings\User XP\Desktop\aswMBR02-20-13.txt"
********************************
DDS Attach
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/9/2011 3:45:56 PM
System Uptime: 2/20/2013 1:39:44 PM (2 hours ago)
.
Motherboard: Dell Inc. | | 0MG948
Processor: Intel(R) Pentium(R) M processor 1.73GHz | Microprocessor | 1729/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (FAT32) - 2 GiB total, 1.691 GiB free.
D: is FIXED (NTFS) - 73 GiB total, 62.49 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: Mobile Intel(R) 915GM/GMS,910GML Express Chipset Family
Device ID: PCI\VEN_8086&DEV_2592&SUBSYS_018F1028&REV_03\3&61AAA01&0&10
Manufacturer: Intel Corporation
Name: Mobile Intel(R) 915GM/GMS,910GML Express Chipset Family
PNP Device ID: PCI\VEN_8086&DEV_2592&SUBSYS_018F1028&REV_03\3&61AAA01&0&10
Service: ialm
.
Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: Mobile Intel(R) 915GM/GMS,910GML Express Chipset Family
Device ID: PCI\VEN_8086&DEV_2792&SUBSYS_018F1028&REV_03\3&61AAA01&0&11
Manufacturer: Intel Corporation
Name: Mobile Intel(R) 915GM/GMS,910GML Express Chipset Family
PNP Device ID: PCI\VEN_8086&DEV_2792&SUBSYS_018F1028&REV_03\3&61AAA01&0&11
Service: ialm
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom NetXtreme 57xx Gigabit Controller
Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_018F1028&REV_01\4&2959CBDC&0&00E0
Manufacturer: Broadcom
Name: Broadcom NetXtreme 57xx Gigabit Controller
PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_018F1028&REV_01\4&2959CBDC&0&00E0
Service: b57w2k
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: MAC Bridge Miniport
Device ID: ROOT\MS_BRIDGEMP\0000
Manufacturer: Microsoft
Name: MAC Bridge Miniport
PNP Device ID: ROOT\MS_BRIDGEMP\0000
Service: BridgeMP
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Infrared Port
Device ID: ROOT\MS_IRDAMINIPORT\0000
Manufacturer: Microsoft
Name: Infrared Port
PNP Device ID: ROOT\MS_IRDAMINIPORT\0000
Service: Rasirda
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.3)
Broadcom Gigabit Integrated Controller
C-Major Audio
Conexant D110 MDC V.92 Modem
Encompass360 NetBranch Installation Manager
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HTC Driver Installer
HTC Sync
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless WiFi Software
Java Auto Updater
Java(TM) 6 Update 25
Malwarebytes Anti-Malware version 1.70.0.1100
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
.
==== Event Viewer Messages From Past Week ========
.
2/20/2013 1:41:40 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.143.2229.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9103.0 Error code: 0x80004002 Error description: No such interface supported
2/17/2013 1:25:55 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.143.2229.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9103.0 Error code: 0x80004002 Error description: No such interface supported
2/16/2013 6:54:22 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.143.2229.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9103.0 Error code: 0x80004002 Error description: No such interface supported
2/16/2013 6:33:01 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.143.2229.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9103.0 Error code: 0x80004002 Error description: No such interface supported
2/16/2013 6:19:50 PM, error: System Error [1003] - Error code 100000ea, parameter1 89c00ca0, parameter2 89de5c90, parameter3 b8d5fcb4, parameter4 00000001.
2/16/2013 5:51:19 PM, error: Service Control Manager [7023] - The Remote Access Connection Manager service terminated with the following error: The specified module could not be found.
2/16/2013 5:51:18 PM, error: Rasman [20063] - Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified module could not be found.
2/16/2013 5:39:38 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.143.2229.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9103.0 Error code: 0x80004002 Error description: No such interface supported
2/16/2013 5:29:33 PM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
2/16/2013 5:29:32 PM, error: Service Control Manager [7001] - The Remote Access Auto Connection Manager service depends on the Remote Access Connection Manager service which failed to start because of the following error: The specified module could not be found.
2/16/2013 5:29:29 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The specified module could not be found.
2/16/2013 5:29:29 PM, error: Service Control Manager [7001] - The Infrared Monitor service depends on the IrDA Protocol service which failed to start because of the following error: The system cannot find the file specified.
2/16/2013 5:29:29 PM, error: Service Control Manager [7000] - The IrDA Protocol service failed to start due to the following error: The system cannot find the file specified.
2/13/2013 4:46:33 PM, error: Dhcp [1002] - The IP address lease 192.168.2.6 for the Network Card with network address 00166FA749A2 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
2/13/2013 4:45:36 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.143.1318.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9103.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
2/13/2013 4:45:36 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.143.1318.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.9103.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
2/13/2013 4:45:36 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.143.1318.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Link...D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.9103.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
.
==== End Of File ===========================
DDS
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by User XP at 15:00:50 on 2013-02-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1455 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
d:\Program Files\Microsoft Security Client\MsMpEng.exe
D:\Program Files\Intel\WiFi\bin\S24EvMon.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\SCardSvr.exe
D:\Program Files\Intel\WiFi\bin\EvtEng.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
D:\Program Files\Intel\WiFi\bin\WLKeeper.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
D:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
D:\Program Files\Microsoft Security Client\msseces.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\wbem\unsecapp.exe
D:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
D:\Program Files\Common Files\Teleca Shared\logger.exe
D:\Program Files\Common Files\Teleca Shared\Generic.exe
D:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
D:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
D:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
D:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
D:\WINDOWS\System32\alg.exe
D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
D:\WINDOWS\system32\svchost.exe -k NetworkService
D:\WINDOWS\system32\svchost.exe -k LocalService
D:\WINDOWS\system32\svchost.exe -k LocalService
D:\WINDOWS\system32\svchost.exe -k bthsvcs
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=15866
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - d:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [Google Update] "d:\documents and settings\user xp\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "d:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "d:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DW6] "d:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] d:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] d:\windows\system32\hkcmd.exe
mRun: [igfxpers] d:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "d:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "d:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
mRun: [Mobile Connectivity Suite] "d:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "d:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [Malwarebytes Anti-Malware] d:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "d:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{FA792F11-65CA-431C-8DC4-4503E192AFB6} : DHCPNameServer = 192.168.0.1 205.171.3.25
Notify: igfxcui - igfxdev.dll
AppInit_DLLs=
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\wpdshserviceobj.dll
Hosts: 127.0.0.1 mpa.one.microsoft.com
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;d:\windows\system32\drivers\MpFilter.sys [2011-4-18 193552]
R1 MpKsl244cbbad;MpKsl244cbbad;d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2082d495-c2cd-4a38-84df-0e7931f42885}\MpKsl244cbbad.sys [2013-2-20 29904]
R3 GTIPCI21;GTIPCI21;d:\windows\system32\drivers\gtipci21.sys [2011-5-9 88192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;d:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;d:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-02-20 21:32:37 29904 ----a-w- d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2082d495-c2cd-4a38-84df-0e7931f42885}\MpKsl244cbbad.sys
2013-02-20 20:56:05 -------- d-----w- d:\documents and settings\user xp\application data\Malwarebytes
2013-02-20 20:55:26 -------- d-----w- d:\documents and settings\all users\application data\Malwarebytes
2013-02-20 20:55:23 21104 ----a-w- d:\windows\system32\drivers\mbam.sys
2013-02-20 20:55:23 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2013-02-13 23:58:56 6991832 ----a-w- d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2082d495-c2cd-4a38-84df-0e7931f42885}\mpengine.dll
2013-02-01 05:16:56 6991832 ----a-w- d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-01-30 19:13:07 -------- d-----w- d:\documents and settings\user xp\local settings\application data\The Weather Channel
2013-01-29 20:24:01 -------- d-----w- d:\documents and settings\user xp\Incomplete
2013-01-29 20:23:38 -------- d-----w- d:\documents and settings\user xp\local settings\application data\APN
2013-01-29 20:23:10 -------- d-----w- d:\documents and settings\all users\application data\Ask
2013-01-29 20:22:50 -------- d-----w- d:\program files\MP3 Rocket Downloader
2013-01-29 20:22:42 -------- d-----w- d:\documents and settings\user xp\application data\MP3Rocket
2013-01-29 20:17:51 -------- d-----w- d:\documents and settings\user xp\local settings\application data\Real
2013-01-29 20:14:47 -------- d-----w- d:\program files\The Weather Channel FW
2013-01-29 19:06:11 -------- d-----w- d:\documents and settings\all users\application data\B5D
2013-01-29 02:55:28 -------- d-----w- d:\documents and settings\user xp\AppData
2013-01-29 02:55:27 -------- d-----w- d:\documents and settings\user xp\application data\searchresultstb
2013-01-29 02:54:08 -------- d-----w- d:\documents and settings\all users\application data\boost_interprocess
2013-01-29 02:49:31 -------- d-----w- d:\program files\iMesh Applications
2013-01-29 02:43:29 -------- d-----w- d:\documents and settings\user xp\local settings\application data\PackageAware
.
==================== Find3M ====================
.
2013-01-30 10:53:21 232336 ------w- d:\windows\system32\MpSigStub.exe
2012-12-16 12:23:59 290560 ----a-w- d:\windows\system32\atmfd.dll
.
============= FINISH: 15:01:15.98 ===============
February 20th, 2013, 08:07 PM
#2
Please observe the following rules:
- Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
- If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
- Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
- Never run more than one scan at a time.
- Keep updating me regarding your computer behavior, good, or bad.
- The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
- If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
- I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
=====================================
Download RogueKiller on the desktop
- Close all the running programs
- Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
- Otherwise just double-click on RogueKiller.exe
- Pre-scan will start. Let it finish.
- Click on SCAN button.
- Wait until the Status box shows Scan Finished
- Click on Delete.
- Wait until the Status box shows Deleting Finished.
- Click on Report and copy/paste the content of the Notepad into your next reply.
- RKreport.txt could also be found on your desktop.
- If more than one log is produced post all logs.
- If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
Download Malwarebytes Anti-Rootkit (MBAR) from HERE
- Unzip downloaded file.
- Open the folder where the contents were unzipped and run mbar.exe
- Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
- Click on the Cleanup button to remove any threats and reboot if prompted to do so.
- Wait while the system shuts down and the cleanup process is performed.
- Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
- When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
-
February 20th, 2013, 11:07 PM
#3
I did RogueKiller and thought there were 2 reports
RogueKiller V8.5.1 [Feb 20 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files...3-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : User XP [Admin rights]
Mode : Scan -- Date : 02/20/2013 18:46:25
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : DW6 ("D:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe") [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-776561741-2052111302-1417001333-1003[...]\Run : DW6 ("D:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe") [x] -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> D:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost
127.0.0.1 mpa.one.microsoft.com
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHV2080AH +++++
--- User ---
[MBR] 3089db04e427a51cf3f88cd765080447
[BSP] a4f935857ca4866dc1bf36b1f7d6005f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 2047 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 4192965 | Size: 74269 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1]_S_02202013_02d1846.txt >>
RKreport[1]_S_02202013_02d1846.txt
RogueKiller V8.5.1 [Feb 20 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files...3-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : User XP [Admin rights]
Mode : Remove -- Date : 02/20/2013 18:47:05
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : DW6 ("D:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe") [x] -> DELETED
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> D:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost
127.0.0.1 mpa.one.microsoft.com
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHV2080AH +++++
--- User ---
[MBR] 3089db04e427a51cf3f88cd765080447
[BSP] a4f935857ca4866dc1bf36b1f7d6005f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 63 | Size: 2047 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 4192965 | Size: 74269 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2]_D_02202013_02d1847.txt >>
RKreport[1]_S_02202013_02d1846.txt ; RKreport[2]_D_02202013_02d1847.txt
************************
Here are the Malwarebytes Anti-Rootkit files
Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org
Database version: v2013.02.21.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User XP :: DARLAPTOP [administrator]
2/20/2013 7:26:46 PM
mbar-log-2013-02-20 (19-26-46).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 24940
Time elapsed: 11 minute(s), 38 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1020
(c) Malwarebytes Corporation 2011-2012
OS version: 5.1.2600 Windows XP Service Pack 3 x86
Account is Administrative
Internet Explorer version: 8.0.6001.18702
Java version: 1.6.0_25
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.729000 GHz
Memory total: 2138427392, free: 1585487872
------------ Kernel report ------------
02/20/2013 19:06:23
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
PCIIde.sys
\WINDOWS\System32\Drivers\PCIIDEX.SYS
intelide.sys
pcmcia.sys
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
MpFilter.sys
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\gtipci21.sys
\SystemRoot\system32\DRIVERS\SMCLIB.SYS
\SystemRoot\system32\DRIVERS\w29n51.sys
\SystemRoot\system32\drivers\STAC97.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\HSFHWICH.sys
\SystemRoot\system32\DRIVERS\HSF_DPV.SYS
\SystemRoot\system32\DRIVERS\HSF_CNXT.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\smcirda.sys
\SystemRoot\system32\DRIVERS\irenum.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\Drivers\BTHUSB.sys
\SystemRoot\System32\Drivers\bthport.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\framebuf.dll
\SystemRoot\system32\DRIVERS\rfcomm.sys
\SystemRoot\system32\DRIVERS\BthEnum.sys
\SystemRoot\system32\DRIVERS\bthpan.sys
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\s24trans.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\DRIVERS\mdmxsdk.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\??\D:\WINDOWS\system32\drivers\TrueSight.sys
\??\d:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{150A9383-91B0-44B6-BF25-4B9B4D6A2E1D}\MpKslbe7cd502.sys
\??\D:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\D:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff89dedab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff89e58770
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Load Function returned 0x0
Downloaded database version: v2013.02.21.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff89dedab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89db9308, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89dedab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89e58770, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe29ce8e8, 0xffffffff89dedab8, 0xffffffff88f43ab8
Lower DeviceData: 0xffffffffe13161d0, 0xffffffff89e58770, 0xffffffff88eda9d8
<<<3>>>
Volume: D:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: D:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: D:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 9BDF9BDF
Partition information:
Partition 0 type is Other (0x6)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 4192902
Partition file system is FAT32
Partition is bootable
Partition 1 type is Extended with LBA (0xf)
Partition is NOT ACTIVE.
Partition starts at LBA: 4192965 Numsec = 152103420
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 80026361856 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)...
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================
-
February 20th, 2013, 11:12 PM
#4
Create a new restore point before proceeding with the next step.
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/...-in-windows-7/
- Vista: http://www.howtogeek.com/howto/windo...ystem-restore/
- XP: http://support.microsoft.com/kb/948247
Please download ComboFix from Here, Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
If the connection is not there, use the restore point you created prior to running Combofix.
- Double click on combofix.exe & follow the prompts.
- NOTE 1. If Combofix asks you to install the Recovery Console, please allow it.
- NOTE 2. If Combofix asks you to update the program, always do so.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.
Make sure you re-enable your security programs when you're done with Combofix.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE.
If, for some reason, Combofix refuses to run, try the following...
Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
Restart computer in safe mode
- Double-click on the Rkill desktop icon to run the tool.
- If using Vista or Windows 7 right-click on it and choose Run As Administrator.
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- Do not reboot until instructed.
- If the tool does not run from any of the links provided, please let me know.
When the scan is done, Notepad will open with the rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.
IF you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
-
February 21st, 2013, 06:45 AM
#5
ComboFix 13-02-20.01 - User XP 02/21/2013 3:31.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1476 [GMT -7:00]
Running from: d:\documents and settings\User XP\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2013-01-21 to 2013-02-21 )))))))))))))))))))))))))))))))
.
.
2013-02-21 02:06 . 2013-02-21 02:06 35144 ----a-w- d:\windows\system32\drivers\mbamchameleon.sys
2013-02-21 01:45 . 2013-02-21 01:45 29904 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{150A9383-91B0-44B6-BF25-4B9B4D6A2E1D}\MpKslbe7cd502.sys
2013-02-21 00:15 . 2013-02-08 00:45 6954968 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{150A9383-91B0-44B6-BF25-4B9B4D6A2E1D}\mpengine.dll
2013-02-20 23:49 . 2012-06-02 22:19 45080 ----a-w- d:\windows\system32\wups2.dll
2013-02-20 20:56 . 2013-02-20 20:56 -------- d-----w- d:\documents and settings\User XP\Application Data\Malwarebytes
2013-02-20 20:55 . 2013-02-20 20:55 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2013-02-20 20:55 . 2013-02-20 20:55 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2013-02-20 20:55 . 2012-12-14 23:49 21104 ----a-w- d:\windows\system32\drivers\mbam.sys
2013-02-17 00:57 . 2013-02-17 00:57 -------- d-----w- d:\program files\Microsoft.NET
2013-02-14 20:30 . 2012-12-26 20:16 105984 -c----w- d:\windows\system32\dllcache\url.dll
2013-02-14 20:30 . 2012-12-26 20:16 916480 -c----w- d:\windows\system32\dllcache\wininet.dll
2013-02-14 20:30 . 2012-12-26 20:16 1212928 -c----w- d:\windows\system32\dllcache\urlmon.dll
2013-02-13 23:58 . 2013-01-08 04:57 6991832 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-30 19:13 . 2013-02-17 01:09 -------- d-----w- d:\documents and settings\User XP\Local Settings\Application Data\The Weather Channel
2013-01-29 20:24 . 2013-01-30 20:52 -------- d-----w- d:\documents and settings\User XP\Incomplete
2013-01-29 20:23 . 2013-01-29 20:23 -------- d-----w- d:\documents and settings\User XP\Local Settings\Application Data\APN
2013-01-29 20:23 . 2013-01-29 20:23 -------- d-----w- d:\documents and settings\All Users\Application Data\Ask
2013-01-29 20:22 . 2013-01-29 20:22 -------- d-----w- d:\program files\MP3 Rocket Downloader
2013-01-29 20:22 . 2013-02-14 00:42 -------- d-----w- d:\documents and settings\User XP\Application Data\MP3Rocket
2013-01-29 20:17 . 2013-01-29 20:17 -------- d-----w- d:\documents and settings\User XP\Local Settings\Application Data\Real
2013-01-29 20:16 . 2013-02-14 00:38 -------- d-----w- d:\program files\Real
2013-01-29 20:14 . 2013-02-17 01:05 -------- d-----w- d:\program files\The Weather Channel FW
2013-01-29 19:06 . 2013-01-29 19:06 -------- d-----w- d:\documents and settings\All Users\Application Data\B5D
2013-01-29 02:55 . 2013-01-29 02:55 -------- d-----w- d:\documents and settings\User XP\AppData
2013-01-29 02:55 . 2013-01-29 02:55 -------- d-----w- d:\documents and settings\User XP\Application Data\searchresultstb
2013-01-29 02:54 . 2013-01-29 02:54 -------- d-----w- d:\documents and settings\All Users\Application Data\boost_interprocess
2013-01-29 02:49 . 2013-02-20 20:40 -------- d-----w- d:\program files\iMesh Applications
2013-01-29 02:43 . 2013-01-29 02:43 -------- d-----w- d:\documents and settings\User XP\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-30 10:53 . 2012-02-14 23:38 232336 ------w- d:\windows\system32\MpSigStub.exe
2013-01-26 03:55 . 2011-05-09 17:29 552448 ----a-w- d:\windows\system32\oleaut32.dll
2013-01-07 01:16 . 2011-05-09 17:29 2193024 ----a-w- d:\windows\system32\ntoskrnl.exe
2013-01-07 00:36 . 2008-04-14 00:01 2069760 ----a-w- d:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2011-05-09 17:30 1867264 ----a-w- d:\windows\system32\win32k.sys
2013-01-02 06:49 . 2011-05-09 17:29 1292288 ----a-w- d:\windows\system32\quartz.dll
2013-01-02 06:49 . 2011-05-09 17:29 148992 ----a-w- d:\windows\system32\mpg2splt.ax
2012-12-26 20:16 . 2011-05-09 17:30 916480 ----a-w- d:\windows\system32\wininet.dll
2012-12-26 20:16 . 2011-05-09 17:29 43520 ----a-w- d:\windows\system32\licmgr10.dll
2012-12-26 20:16 . 2011-05-09 17:29 1469440 ----a-w- d:\windows\system32\inetcpl.cpl
2012-12-24 06:40 . 2011-05-09 17:28 385024 ----a-w- d:\windows\system32\html.iec
2012-12-16 12:23 . 2011-05-09 17:28 290560 ----a-w- d:\windows\system32\atmfd.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-01-11 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . d:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-02-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"igfxtray"="d:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="d:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="d:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"IntelZeroConfig"="d:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="d:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Mobile Connectivity Suite"="d:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-19 598016]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"MSC"="d:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Z1"="d:\documents and settings\User XP\My Documents\Downloads\mbar-1.01.0.1020\mbar\mbar.exe" [2013-02-21 1363528]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R1 MpKslbe7cd502;MpKslbe7cd502;d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{150A9383-91B0-44B6-BF25-4B9B4D6A2E1D}\MpKslbe7cd502.sys [2/20/2013 6:45 PM 29904]
R3 GTIPCI21;GTIPCI21;d:\windows\system32\drivers\gtipci21.sys [5/9/2011 4:09 PM 88192]
R3 mbamchameleon;mbamchameleon;d:\windows\system32\drivers\mbamchameleon.sys [2/20/2013 7:06 PM 35144]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMCHAMELEON
*NewlyCreated* - MPKSLBE7CD502
*NewlyCreated* - TRUESIGHT
*Deregistered* - TrueSight
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-21 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2012-02-15 01:00]
.
2013-02-21 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2012-02-15 01:00]
.
2013-02-21 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-2052111302-1417001333-1003Core.job
- d:\documents and settings\User XP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-12 07:27]
.
2013-02-21 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-2052111302-1417001333-1003UA.job
- d:\documents and settings\User XP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-12 07:27]
.
2013-02-21 d:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- d:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-13 00:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=15866
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-21 03:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2013-02-21 03:38:27
ComboFix-quarantined-files.txt 2013-02-21 10:38
.
Pre-Run: 66,228,244,480 bytes free
Post-Run: 67,190,038,528 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\btsec\XPSTP.bs="1. Begin TXT Mode Setup Windows XP, Never unplug USB-Drive Until Logon"
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="2. and 3. Continue with GUI Mode Setup Windows XP + Start XP from HD 1" /FASTDETECT
multi(0)disk(0)rdisk(2)partition(1)\WINDOWS="Continue GUI Setup + Start XP from HD 2, use if installing on HD2" /FASTDETECT
c:\grldr="4. Start GRUB4DOS Menu - DOS FPY IMAGES + Linux + XP Rec Cons + Vista"
c:\btsec\XATSP.bs="Attended Setup XP, Never unplug USB-Drive Until After Logon"
.
- - End Of File - - 44FB4B67BFFBA4FB5D6B46B7CF5D52E0
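The reports posted so far carry the settings behind the symptoms in the first post: the ComboFix "Reg Loading Points" section shows EnableFirewall=0 in the standard profile (the persisted state the Windows Firewall reads, so it comes up off) and AntiVirusOverride=1 in the Security Center key (its warning is silenced), RogueKiller flagged DisableSR=1 (System Restore disabled) and a hosts entry pinning mpa.one.microsoft.com to 127.0.0.1, and the start page points at ask.com. The following Python script is an added example for triaging such report text offline; it is not part of this thread and not code from any of the tools used here. The function and finding names are mine, the regular expressions are written against the exact line shapes quoted above and are assumed to hold for other reports from these tools, and the sample lines are constructed by copying entries from the RogueKiller and ComboFix output posted in this thread.

```python
import re
from typing import List, Tuple

# Each finding is (short id, human-readable detail).
Finding = Tuple[str, str]

# Names that legitimately map to loopback in a hosts file.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Line shapes taken from the ComboFix "Reg Loading Points" section and the
# RogueKiller registry / "HOSTS File" sections quoted in this thread.
SECTION_RE = re.compile(r"^\[(HK[^\]]*)\]")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(dword:)?([0-9A-Fa-f]+)')
HOSTS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")
DISABLESR_RE = re.compile(r"SystemRestore : DisableSR \((\d)\)")
STARTPAGE_RE = re.compile(r"^uStart Page = (\S+)")

# Constructed sample: entries copied from the RogueKiller (#3) and
# ComboFix (#5) reports above, trimmed to the lines that matter.
SAMPLE_LOG_LINES = [
    r"[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND",
    r"--> D:\WINDOWS\system32\drivers\etc\hosts",
    "127.0.0.1 localhost",
    "127.0.0.1 mpa.one.microsoft.com",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    '"AntiVirusOverride"=dword:00000001',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    '"EnableFirewall"= 0 (0x0)',
    "uStart Page = hxxp://www.ask.com/?l=dis&o=15866",
]


def audit_log(lines: List[str]) -> List[Finding]:
    """Walk report lines and return the posture problems they reveal."""
    findings: List[Finding] = []
    section = ""      # lower-cased registry key of the current block
    in_hosts = False  # inside a RogueKiller hosts-file dump

    for raw in lines:
        line = raw.strip()

        # Hosts dump: runs until the first line that is not "ip name".
        if in_hosts:
            m = HOSTS_RE.match(line)
            if m:
                ip, host = m.groups()
                if ip.startswith("127.") and host.lower() not in LOOPBACK_OK:
                    findings.append(("hosts-sinkhole",
                                     f"{host} is pinned to {ip}; lookups for it never leave the machine"))
                elif not ip.startswith("127."):
                    findings.append(("hosts-redirect", f"{host} is redirected to {ip}"))
                continue
            in_hosts = False

        if line.startswith("-->") and line.lower().endswith("hosts"):
            in_hosts = True
            continue

        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue

        m = VALUE_RE.match(line)
        if m:
            name, dword, num = m.groups()
            value = int(num, 16 if dword else 10)  # dword: values are hex
            if name == "EnableFirewall" and "firewallpolicy" in section and value == 0:
                profile = "standard" if "standardprofile" in section else "domain"
                findings.append(("firewall-off",
                                 f"Windows Firewall is disabled in the {profile} profile (EnableFirewall=0)"))
            elif name.endswith("Override") and "security center" in section and value == 1:
                findings.append(("securitycenter-override",
                                 f"Security Center {name}=1: its warning for this component is silenced"))
            continue

        m = DISABLESR_RE.search(line)
        if m and m.group(1) == "1":
            findings.append(("system-restore-off",
                             "System Restore is disabled by policy (DisableSR=1)"))
            continue

        m = STARTPAGE_RE.match(line)
        if m:
            findings.append(("start-page",
                             f"IE start page is {m.group(1)}; confirm the user chose it"))

    return findings


if __name__ == "__main__":
    for key, detail in audit_log(SAMPLE_LOG_LINES):
        print(f"{key:24} {detail}")
```

The loopback rule is deliberately a heuristic: a hosts file that sends any name other than localhost to 127.0.0.1 silently blackholes that name, which is worth a look whether it was placed by malware, by a "hosts blocklist", or by a tool that should not be there; the script reports it and leaves the judgement to the analyst.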
-
February 21st, 2013, 08:30 PM
#6
Looks good.
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on adwcleaner.exe to run the tool.
- Click on Delete.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the contents of that logfile with your next reply.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
Please download Junkware Removal Tool to your desktop.
- Shut down your protection software now to avoid potential conflicts.
- Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
- The tool will open and start scanning your system.
- Please be patient as this can take a while to complete depending on your system's specifications.
- On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
- Post the contents of JRT.txt into your next message.
Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Click the Scan All Users checkbox.
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
-
February 22nd, 2013, 09:42 PM
#7
I'm running the next tools now but something odd has happened. When I signed onto the machine it brought up a DOS window and it was "D:......cmd.exe" (I didn't write down what the whole thing was as my grandson came into the room and when I turned around it was gone.) Now the computer is saying "You may be a victim of software counterfeiting. This copy of Windows did not pass genuine windows validation." And Microsoft Security Essentials keeps popping up (real time protection is currently turned off as I am running the tools). What do you make of this?
-
February 22nd, 2013, 10:14 PM
#8
# AdwCleaner v2.112 - Logfile created 02/22/2013 at 18:27:18
# Updated 10/02/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : User XP - DARLAPTOP
# Boot Mode : Normal
# Running from : D:\Documents and Settings\User XP\Desktop\adwcleaner0.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
Folder Deleted : D:\Documents and Settings\All Users\Application Data\Ask
Folder Deleted : D:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Deleted : D:\Documents and Settings\User XP\Local Settings\Application Data\APN
***** [Registry] *****
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ADE92211-31DC-4775-85C0-75659B099DD3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Results Toolbar
Key Deleted : HKLM\Software\PIP
***** [Internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.ask.com/?l=dis&o=15866 --> hxxp://www.google.com
-\\ Google Chrome v24.0.1312.57
File : D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[S1].txt - [1412 octets] - [22/02/2013 18:27:18]
########## EOF - D:\AdwCleaner[S1].txt - [1472 octets] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.5 (02.18.2013:1)
OS: Microsoft Windows XP x86
Ran by User XP on Fri 02/22/2013 at 18:36:32.29
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL
~~~ Registry Keys
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
~~~ Files
~~~ Folders
Successfully deleted: [Folder] "D:\Documents and Settings\User XP\Application Data\searchresultstb"
Successfully deleted: [Folder] "D:\Documents and Settings\User XP\appdata\locallow\datamngr"
Successfully deleted: [Folder] "D:\Program Files\imesh applications"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 02/22/2013 at 18:41:14.00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OTL logfile created on: 2/22/2013 6:49:48 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = D:\Documents and Settings\User XP\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1.99 Gb Total Physical Memory | 1.54 Gb Available Physical Memory | 77.11% Memory free
3.84 Gb Paging File | 3.53 Gb Available in Paging File | 91.96% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 2.00 Gb Total Space | 1.69 Gb Free Space | 84.51% Space Free | Partition Type: FAT32
Drive D: | 72.53 Gb Total Space | 62.48 Gb Free Space | 86.14% Space Free | Partition Type: NTFS
Computer Name: DARLAPTOP | User Name: User XP | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2013/02/22 18:49:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\User XP\Desktop\OTL.exe
PRC - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- d:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 17:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/01/07 11:12:22 | 000,505,576 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/03/19 13:05:08 | 000,389,120 | R--- | M] (Teleca) -- D:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
PRC - [2010/03/17 13:22:52 | 001,019,904 | R--- | M] (Teleca Sweden AB) -- D:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
PRC - [2010/03/17 13:08:22 | 000,253,952 | R--- | M] (TODO: <Company name>) -- D:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
PRC - [2010/03/17 13:08:04 | 000,462,848 | R--- | M] (Teleca AB) -- D:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
PRC - [2009/12/11 12:50:34 | 000,557,056 | R--- | M] (Teleca AB) -- D:\Program Files\Common Files\Teleca Shared\Generic.exe
PRC - [2009/11/19 14:19:48 | 000,598,016 | R--- | M] (Teleca Sweden AB) -- D:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
PRC - [2009/11/03 13:48:54 | 000,874,768 | ---- | M] (Intel(R) Corporation) -- D:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2009/11/03 13:45:52 | 000,348,160 | ---- | M] (Intel(R) Corporation) -- D:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
PRC - [2009/11/03 13:45:48 | 001,372,160 | ---- | M] (Intel(R) Corporation) -- D:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
PRC - [2009/11/03 13:42:00 | 000,909,312 | ---- | M] (Intel(R) Corporation) -- D:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2009/11/03 13:35:14 | 001,202,448 | ---- | M] (Intel(R) Corporation) -- D:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
PRC - [2009/11/03 13:33:48 | 000,473,360 | ---- | M] (Intel(R) Corporation) -- D:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2009/06/03 07:25:16 | 000,106,496 | R--- | M] (Popwire AB) -- D:\Program Files\Common Files\Teleca Shared\logger.exe
PRC - [2009/04/14 10:14:26 | 000,139,264 | ---- | M] (Teleca Sweden AB) -- D:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
PRC - [2009/03/10 20:18:14 | 000,934,792 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\WgaTray.exe
PRC - [2008/04/14 00:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\explorer.exe
========== Modules (No Company Name) ==========
MOD - [2010/03/17 13:20:30 | 000,139,264 | R--- | M] () -- D:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\tcpsock_object.dll
MOD - [2010/02/10 16:08:38 | 000,237,361 | R--- | M] () -- D:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\fsync.dll
MOD - [2010/02/10 16:08:38 | 000,237,361 | R--- | M] () -- D:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\fsync.dll
MOD - [2009/11/03 13:35:46 | 000,200,704 | ---- | M] () -- D:\Program Files\Intel\WiFi\bin\iWMSProv.dll
MOD - [2007/01/11 15:33:20 | 000,106,496 | R--- | M] () -- D:\Program Files\Common Files\Teleca Shared\boost_log-vc80-mt-1_33.dll
========== Services (SafeList) ==========
SRV - File not found [Auto | Stopped] -- %SystemRoot%\System32\irmon.dll -- (Irmon)
SRV - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- d:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/11/03 13:48:54 | 000,874,768 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- D:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2009/11/03 13:45:52 | 000,348,160 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- D:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER)
SRV - [2009/11/03 13:42:00 | 000,909,312 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- D:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2009/11/03 13:33:48 | 000,473,360 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- D:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\rasirda.sys -- (Rasirda)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | Auto | Stopped] -- system32\DRIVERS\irda.sys -- (irda)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\DOCUME~1\USERXP~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2009/11/11 02:26:02 | 002,216,064 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51)
DRV - [2008/08/13 14:23:56 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- D:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/04/06 14:49:00 | 000,088,192 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2006/01/11 18:25:26 | 000,039,808 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2006/01/11 16:29:42 | 000,062,848 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\tosrfhid.sys -- (Tosrfhid)
DRV - [2006/01/07 04:39:30 | 000,108,800 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\tosrfbd.sys -- (Tosrfbd)
DRV - [2005/11/22 08:47:00 | 000,047,104 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2005/10/03 11:57:00 | 000,086,867 | R--- | M] (CSR) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\BCOREUSB.sys -- (BCOREUSB)
DRV - [2005/09/15 17:06:08 | 000,036,480 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)
DRV - [2005/08/01 15:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Stopped] -- D:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2005/07/11 17:58:56 | 000,003,712 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\toshidpt.sys -- (toshidpt)
DRV - [2005/05/03 14:09:28 | 001,033,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\HSF_DPV.SYS -- (HSF_DPV)
DRV - [2005/05/03 14:08:50 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005/05/03 14:08:44 | 000,705,408 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/04/06 08:54:44 | 000,050,048 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\tosrfsnd.sys -- (TosRfSnd)
DRV - [2005/03/10 15:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2005/01/06 12:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/08/23 12:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2001/08/17 05:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKLM\..\SearchScopes\{965B4D12-46BD-422A-BB93-8AB0AE214820}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 54 A9 D0 A6 75 10 CC 01 [binary data]
IE - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\..\SearchScopes\{3E6C1DB0-6D05-40F1-94FE-8203D8DA5136}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=MP3R7&o=15863&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=^RV&apn_dtid=^YYYYYY^YY^US&apn_uid=aa35b1f6-f9de-4cd1-b7c0-aa604f009f90&apn_sauid=6671D03C-93F9-4258-9229-FB75FAA692CF
IE - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\..\SearchScopes\{965B4D12-46BD-422A-BB93-8AB0AE214820}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADRA_enUS471
IE - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: D:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: d:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: D:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: D:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: D:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
[2013/01/29 13:22:50 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\User XP\Application Data\Mozilla\Firefox\Profiles\extensions
[2012/12/20 11:42:14 | 000,679,123 | ---- | M] () (No name found) -- D:\Documents and Settings\User XP\Application Data\Mozilla\Firefox\Profiles\extensions\mp3rocketdownloader@mp3rocket.me.xpi
========== Chrome ==========
CHR - homepage: http://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.57\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.57\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = D:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.250.6 (Enabled) = D:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U25 (Enabled) = D:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = D:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = D:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = D:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = d:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Google Search = D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: Gmail = D:\Documents and Settings\User XP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\
Had to split OTL file as it was too big for one post....
-
February 22nd, 2013, 10:48 PM
#9
O1 HOSTS File: ([2013/02/21 03:36:31 | 000,000,027 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] D:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [IntelWireless] D:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] D:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel(R) Corporation)
O4 - HKLM..\Run: [Mobile Connectivity Suite] D:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe (Teleca Sweden AB)
O4 - HKLM..\Run: [MSC] d:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 File not found
O4 - HKU\S-1-5-18..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-776561741-2052111302-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downlo...eckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/wind...?1361403312937 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FA792F11-65CA-431C-8DC4-4503E192AFB6}: DhcpNameServer = 192.168.0.1 205.171.3.25
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (D:\WINDOWS\system32\userinit.exe) - D:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/05/09 17:43:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2013/02/22 18:48:53 | 000,602,112 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\User XP\Desktop\OTL.exe
[2013/02/22 18:36:29 | 000,000,000 | ---D | C] -- D:\WINDOWS\ERUNT
[2013/02/22 18:36:24 | 000,000,000 | ---D | C] -- D:\JRT
[2013/02/22 18:35:28 | 000,547,439 | ---- | C] (Oleg N. Scherbakov) -- D:\Documents and Settings\User XP\Desktop\JRT.exe
[2013/02/21 03:26:43 | 000,518,144 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWREG.exe
[2013/02/21 03:26:43 | 000,406,528 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWSC.exe
[2013/02/21 03:26:43 | 000,212,480 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWXCACLS.exe
[2013/02/21 03:26:43 | 000,060,416 | ---- | C] (NirSoft) -- D:\WINDOWS\NIRCMD.exe
[2013/02/21 03:26:13 | 000,000,000 | ---D | C] -- D:\Qoobox
[2013/02/21 03:25:42 | 000,000,000 | ---D | C] -- D:\WINDOWS\erdnt
[2013/02/21 03:21:23 | 005,034,373 | R--- | C] (Swearware) -- D:\Documents and Settings\User XP\Desktop\ComboFix.exe
[2013/02/20 18:45:19 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User XP\Desktop\RK_Quarantine
[2013/02/20 15:00:50 | 000,000,000 | R--D | C] -- D:\Documents and Settings\User XP\Start Menu\Programs\Administrative Tools
[2013/02/20 14:37:13 | 000,688,992 | R--- | C] (Swearware) -- D:\Documents and Settings\User XP\Desktop\dds.com
[2013/02/20 14:23:03 | 004,732,416 | ---- | C] (AVAST Software) -- D:\Documents and Settings\User XP\Desktop\aswMBR.exe
[2013/02/20 13:56:05 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User XP\Application Data\Malwarebytes
[2013/02/20 13:55:34 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/02/20 13:55:26 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013/02/20 13:55:23 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2013/02/20 13:55:23 | 000,000,000 | ---D | C] -- D:\Program Files\Malwarebytes' Anti-Malware
[2013/02/16 18:18:25 | 000,000,000 | ---D | C] -- D:\WINDOWS\Minidump
[2013/02/16 18:05:39 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\The Weather Channel
[2013/02/16 17:57:05 | 000,000,000 | ---D | C] -- D:\Program Files\Microsoft.NET
[2013/02/16 16:22:34 | 000,000,000 | ---D | C] -- D:\WINDOWS\Prefetch
[2013/01/30 12:13:07 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User XP\Local Settings\Application Data\The Weather Channel
[2013/01/29 13:24:01 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User XP\Incomplete
[2013/01/29 13:22:50 | 000,000,000 | ---D | C] -- D:\Program Files\MP3 Rocket Downloader
[2013/01/29 13:22:50 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User XP\Application Data\Mozilla
[2013/01/29 13:22:42 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User XP\Application Data\MP3Rocket
[2013/01/29 13:17:51 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User XP\Local Settings\Application Data\Real
[2013/01/29 13:16:06 | 000,000,000 | ---D | C] -- D:\Program Files\Real
[2013/01/29 13:15:15 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User XP\Application Data\Real
[2013/01/29 13:14:47 | 000,000,000 | ---D | C] -- D:\Program Files\The Weather Channel FW
[2013/01/29 13:09:00 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Real
[2013/01/29 12:06:11 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\B5D
[2013/01/28 19:55:28 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User XP\AppData
[2013/01/28 19:53:45 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User XP\My Documents\My Received Files
[2013/01/28 19:43:29 | 000,000,000 | ---D | C] -- D:\Documents and Settings\User XP\Local Settings\Application Data\PackageAware
[3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2013/02/22 18:49:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\User XP\Desktop\OTL.exe
[2013/02/22 18:39:45 | 000,000,384 | -H-- | M] () -- D:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/02/22 18:35:39 | 000,547,439 | ---- | M] (Oleg N. Scherbakov) -- D:\Documents and Settings\User XP\Desktop\JRT.exe
[2013/02/22 18:31:13 | 000,000,374 | ---- | M] () -- D:\WINDOWS\System32\drivers\etc\hosts.ics
[2013/02/22 18:29:54 | 000,000,884 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/02/22 18:29:53 | 000,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2013/02/22 18:29:36 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2013/02/22 18:28:02 | 000,510,066 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2013/02/22 18:28:02 | 000,091,470 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2013/02/22 18:26:22 | 000,587,671 | ---- | M] () -- D:\Documents and Settings\User XP\Desktop\adwcleaner0.exe
[2013/02/22 18:25:01 | 000,000,888 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/02/21 03:36:31 | 000,000,027 | ---- | M] () -- D:\WINDOWS\System32\drivers\etc\hosts
[2013/02/21 03:23:35 | 005,034,373 | R--- | M] (Swearware) -- D:\Documents and Settings\User XP\Desktop\ComboFix.exe
[2013/02/21 03:20:45 | 000,000,184 | ---- | M] () -- D:\Documents and Settings\User XP\Desktop\imesh on virtual dr.url
[2013/02/21 03:19:05 | 000,000,664 | ---- | M] () -- D:\WINDOWS\System32\d3d9caps.dat
[2013/02/21 03:10:00 | 000,000,986 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-776561741-2052111302-1417001333-1003UA.job
[2013/02/20 18:10:00 | 000,000,934 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-776561741-2052111302-1417001333-1003Core.job
[2013/02/20 17:32:47 | 000,799,232 | ---- | M] () -- D:\Documents and Settings\User XP\Desktop\RogueKiller.exe
[2013/02/20 16:59:32 | 000,098,256 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/20 14:43:09 | 000,688,992 | R--- | M] (Swearware) -- D:\Documents and Settings\User XP\Desktop\dds.com
[2013/02/20 14:34:40 | 000,000,512 | ---- | M] () -- D:\Documents and Settings\User XP\Desktop\MBR.dat
[2013/02/20 14:30:35 | 004,732,416 | ---- | M] (AVAST Software) -- D:\Documents and Settings\User XP\Desktop\aswMBR.exe
[2013/02/20 13:55:34 | 000,000,784 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/16 17:53:24 | 000,006,042 | ---- | M] () -- D:\Documents and Settings\User XP\My Documents\My Favorite Theme.theme
[2013/02/13 16:45:49 | 000,694,382 | ---- | M] () -- D:\WINDOWS\setupapi.old
[2013/01/30 13:12:08 | 000,002,320 | ---- | M] () -- D:\Documents and Settings\User XP\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2013/02/22 18:26:05 | 000,587,671 | ---- | C] () -- D:\Documents and Settings\User XP\Desktop\adwcleaner0.exe
[2013/02/21 03:26:43 | 000,256,000 | ---- | C] () -- D:\WINDOWS\PEV.exe
[2013/02/21 03:26:43 | 000,208,896 | ---- | C] () -- D:\WINDOWS\MBR.exe
[2013/02/21 03:26:43 | 000,098,816 | ---- | C] () -- D:\WINDOWS\sed.exe
[2013/02/21 03:26:43 | 000,080,412 | ---- | C] () -- D:\WINDOWS\grep.exe
[2013/02/21 03:26:43 | 000,068,096 | ---- | C] () -- D:\WINDOWS\zip.exe
[2013/02/21 03:20:15 | 000,000,184 | ---- | C] () -- D:\Documents and Settings\User XP\Desktop\imesh on virtual dr.url
[2013/02/20 17:32:26 | 000,799,232 | ---- | C] () -- D:\Documents and Settings\User XP\Desktop\RogueKiller.exe
[2013/02/20 14:34:40 | 000,000,512 | ---- | C] () -- D:\Documents and Settings\User XP\Desktop\MBR.dat
[2013/02/20 13:55:34 | 000,000,784 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/16 18:12:41 | 000,085,234 | ---- | C] () -- D:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-776561741-2052111302-1417001333-1003-0.dat
[2013/02/16 18:12:40 | 000,085,234 | ---- | C] () -- D:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2013/02/16 17:53:24 | 000,006,042 | ---- | C] () -- D:\Documents and Settings\User XP\My Documents\My Favorite Theme.theme
[2013/02/16 16:24:37 | 000,000,664 | ---- | C] () -- D:\WINDOWS\System32\d3d9caps.dat
[2012/02/14 16:28:42 | 000,003,072 | ---- | C] () -- D:\WINDOWS\System32\iacenc.dll
[2012/02/01 14:26:21 | 000,000,063 | ---- | C] () -- D:\Documents and Settings\User XP\jagex_cl_runescape_LIVE.dat
[2012/02/01 14:26:21 | 000,000,024 | ---- | C] () -- D:\Documents and Settings\User XP\random.dat
[2011/05/14 14:28:23 | 000,006,144 | ---- | C] () -- D:\Documents and Settings\User XP\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/09 16:50:07 | 000,000,000 | ---- | C] () -- D:\WINDOWS\tosOBEX.INI
[2011/05/09 15:56:01 | 000,192,512 | ---- | C] () -- D:\WINDOWS\System32\stac97co.dll
[2011/05/09 15:46:02 | 000,002,048 | --S- | C] () -- D:\WINDOWS\bootstat.dat
[2011/05/09 15:40:45 | 000,021,640 | ---- | C] () -- D:\WINDOWS\System32\emptyregdb.dat
[2011/05/09 10:36:25 | 000,004,161 | ---- | C] () -- D:\WINDOWS\ODBCINST.INI
[2011/05/09 10:35:35 | 000,098,256 | ---- | C] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/09 10:29:54 | 000,004,569 | ---- | C] () -- D:\WINDOWS\System32\secupd.dat
[2011/05/09 10:29:44 | 000,510,066 | ---- | C] () -- D:\WINDOWS\System32\perfh009.dat
[2011/05/09 10:29:44 | 000,272,128 | ---- | C] () -- D:\WINDOWS\System32\perfi009.dat
[2011/05/09 10:29:44 | 000,091,470 | ---- | C] () -- D:\WINDOWS\System32\perfc009.dat
[2011/05/09 10:29:44 | 000,028,626 | ---- | C] () -- D:\WINDOWS\System32\perfd009.dat
[2011/05/09 10:29:42 | 000,004,463 | ---- | C] () -- D:\WINDOWS\System32\oembios.dat
[2011/05/09 10:29:41 | 013,107,200 | ---- | C] () -- D:\WINDOWS\System32\oembios.bin
[2011/05/09 10:29:36 | 000,000,741 | ---- | C] () -- D:\WINDOWS\System32\noise.dat
[2011/05/09 10:29:16 | 000,673,088 | ---- | C] () -- D:\WINDOWS\System32\mlang.dat
[2011/05/09 10:29:15 | 000,046,258 | ---- | C] () -- D:\WINDOWS\System32\mib.bin
[2011/05/09 10:28:49 | 000,218,003 | ---- | C] () -- D:\WINDOWS\System32\dssec.dat
[2011/05/09 10:28:40 | 000,001,804 | ---- | C] () -- D:\WINDOWS\System32\Dcache.bin
========== ZeroAccess Check ==========
[2011/05/09 16:31:26 | 000,000,227 | RHS- | M] () -- D:\WINDOWS\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 00:42:06 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 05:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
========== LOP Check ==========
[2011/05/09 16:13:41 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Infineon
[2011/05/12 19:18:15 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\AVAST Software
[2013/01/29 12:06:11 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\B5D
[2011/05/12 20:45:00 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\HTC
[2011/05/12 20:44:59 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Teleca
[2011/05/09 17:12:45 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User XP\Application Data\Infineon
[2013/02/13 17:42:24 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User XP\Application Data\MP3Rocket
[2011/05/12 21:43:37 | 000,000,000 | ---D | M] -- D:\Documents and Settings\User XP\Application Data\Teleca
========== Purity Check ==========
< End of report >
OTL Extras is in a separate post...
-
February 22nd, 2013, 10:53 PM
#10
I can't post the OTL Extras as I keep getting the message "You have included a total of 7 images and/or videos in your message. The maximum number that you may include is 6. Please correct the problem and then continue again.
Images include use of smilies, the BB code [img] tag, and HTML <img> tags. Videos are included with the BB code [video] tag. The use of these is all subject to them being enabled by the administrator."
I haven't included any images or videos, smilies, img tags or anything else. I'm going to try it for the fourth time...
But in the meantime...
There is a logo, for lack of a better description, at the bottom of the desktop that has the "You may be a victim of counterfeiting..." statement and ASK FOR GENUINE MICROSOFT SOFTWARE in big letters. Did the license somehow get corrupted? Something in the registry?
-
February 22nd, 2013, 11:07 PM
#11
I still cannot post the OTL Extras file. It keeps referring to "you have included 7 images or videos in the message. The maximum number is 6." Any thoughts on how to get around this?
-
February 22nd, 2013, 11:12 PM
#12
Click on the "Go Advanced" button and on the next page, under "Additional Options:", check "Disable smilies in text".
Are you still getting the message about Windows not being genuine?
-
February 22nd, 2013, 11:35 PM
#13
OTL Extras logfile created on: 2/22/2013 6:49:48 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = D:\Documents and Settings\User XP\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1.99 Gb Total Physical Memory | 1.54 Gb Available Physical Memory | 77.11% Memory free
3.84 Gb Paging File | 3.53 Gb Available in Paging File | 91.96% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 2.00 Gb Total Space | 1.69 Gb Free Space | 84.51% Space Free | Partition Type: FAT32
Drive D: | 72.53 Gb Total Space | 62.48 Gb Free Space | 86.14% Space Free | Partition Type: NTFS
Computer Name: DARLAPTOP | User Name: User XP | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
[HKEY_USERS\S-1-5-21-776561741-2052111302-1417001333-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"D:\Program Files\iMesh Applications\iMesh\iMesh.exe" = D:\Program Files\iMesh Applications\iMesh\iMesh.exe:*:Enabled:iMesh
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"D:\Program Files\Java\jre6\bin\javaw.exe" = D:\Program Files\Java\jre6\bin\javaw.exe:*:Disabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0E0479F8-180F-4054-B4F7-17EE657F90BF}" = TIPCI
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java(TM) 6 Update 25
"{33E14464-2AEC-40DF-AD88-474F6B1FCF9B}" = Encompass360 NetBranch Installation Manager
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{82CE6B7B-9665-4E29-8CE0-DD993484B38D}" = Intel(R) PROSet/Wireless WiFi Software
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{FCAFEEB3-3520-4539-89AF-4B743D2DFAEC}" = HTC Sync
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.92 Modem
"ie8" = Windows Internet Explorer 8
"InstallShield_{0E0479F8-180F-4054-B4F7-17EE657F90BF}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"ProInst" = Intel PROSet Wireless
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-21-776561741-2052111302-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 12/17/2012 8:29:32 PM | Computer Name = DARLAPTOP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 4.1.522.0, P3 timeout, P4 1.1.9002.0, P5 fixed, P6 1 _ 2048, P7 5 _ not boot,
P8 NIL, P9 NIL, P10 NIL.
Error - 1/15/2013 12:42:33 PM | Computer Name = DARLAPTOP | Source = System.ServiceModel.Install 3.0.0.0 | ID = 0
Description =
Error - 1/23/2013 9:39:38 PM | Computer Name = DARLAPTOP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 4.1.522.0, P3 timeout, P4 1.1.9103.0, P5 fixed, P6 1 _ 2048, P7 5 _ not boot,
P8 NIL, P9 NIL, P10 NIL.
Error - 1/29/2013 2:49:15 PM | Computer Name = DARLAPTOP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 2152759308, P2 unspecified, P3 scanfile,
P4 4.1.522.0, P5 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.
Error - 2/16/2013 9:08:44 PM | Computer Name = DARLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 2/20/2013 4:44:32 PM | Computer Name = DARLAPTOP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x8000ffff, P2 patchapplication, P3 am bde,
P4 11.1.4289.0, P5 mpsigstub.exe, P6 4.1.522.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.
Error - 2/20/2013 4:54:10 PM | Computer Name = DARLAPTOP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x8000ffff, P2 patchapplication, P3 am bde,
P4 11.1.4289.0, P5 mpsigstub.exe, P6 4.1.522.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.
Error - 2/20/2013 5:17:31 PM | Computer Name = DARLAPTOP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x8000ffff, P2 patchapplication, P3 am bde,
P4 11.1.4289.0, P5 mpsigstub.exe, P6 4.1.522.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.
Error - 2/20/2013 8:01:12 PM | Computer Name = DARLAPTOP | Source = .NET Runtime Optimization Service | ID = 1103
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Tried to start a service that wasn't the latest version of CLR Optimization service.
Will shutdown
Error - 2/20/2013 8:14:28 PM | Computer Name = DARLAPTOP | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x8000ffff, P2 patchapplication, P3 am bde,
P4 11.1.4289.0, P5 mpsigstub.exe, P6 4.1.522.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.
[ System Events ]
Error - 2/22/2013 9:21:25 PM | Computer Name = DARLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Remote Access Connection Manager service terminated with the following
error: %%126
Error - 2/22/2013 9:21:26 PM | Computer Name = DARLAPTOP | Source = Rasman | ID = 20063
Description = Remote Access Connection Manager failed to start because the Point
to Point Protocol failed to initialize. The specified module could not be found.
Error - 2/22/2013 9:21:27 PM | Computer Name = DARLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Remote Access Connection Manager service terminated with the following
error: %%126
Error - 2/22/2013 9:21:27 PM | Computer Name = DARLAPTOP | Source = Rasman | ID = 20063
Description = Remote Access Connection Manager failed to start because the Point
to Point Protocol failed to initialize. The specified module could not be found.
Error - 2/22/2013 9:21:28 PM | Computer Name = DARLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Remote Access Connection Manager service terminated with the following
error: %%126
Error - 2/22/2013 9:21:31 PM | Computer Name = DARLAPTOP | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.
Error - 2/22/2013 9:21:31 PM | Computer Name = DARLAPTOP | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.
Error - 2/22/2013 9:21:31 PM | Computer Name = DARLAPTOP | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.
Error - 2/22/2013 9:21:32 PM | Computer Name = DARLAPTOP | Source = Rasman | ID = 20063
Description = Remote Access Connection Manager failed to start because the Point
to Point Protocol failed to initialize. The specified module could not be found.
Error - 2/22/2013 9:21:32 PM | Computer Name = DARLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Remote Access Connection Manager service terminated with the following
error: %%126
< End of report >
I emailed the OTL Extras to my computer to try and get it to post.
There is the logo at the bottom of the desktop that appears now as a permanent fixture on the desktop - clicking on it does nothing and I can't see any way to make it go away.
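Added example, not part of the thread or of any poster's logs: a small Python triage script for the "Firewall Settings" and "Authorized Applications List" sections of an OTL Extras log like the one above. It parses the per-profile values, the globally open ports and the authorized-application entries, then reports any profile with the firewall off, any enabled exception for a program not attributed to Microsoft Corporation, and any enabled open port. The sample lines are reproduced from the log posted above; the second snippet with EnableFirewall = 0 is constructed to show the "firewall switched off" case described earlier in the thread. Function and regex names are my own, not OTL's.

```python
import re

# Lines reproduced from the OTL Extras log posted above (Firewall Settings and
# Authorized Applications List sections, abbreviated).
SAMPLE_LOG = r"""
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"D:\Program Files\iMesh Applications\iMesh\iMesh.exe" = D:\Program Files\iMesh Applications\iMesh\iMesh.exe:*:Enabled:iMesh
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\Program Files\Java\jre6\bin\javaw.exe" = D:\Program Files\Java\jre6\bin\javaw.exe:*:Disabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"""

# Constructed snippet (not from the posted log): the state the original poster
# describes, where the firewall is found switched off after a reboot.
CONSTRUCTED_OFF = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""

MICROSOFT = "Microsoft Corporation"

# Only keys under the live firewall policy are parsed; the (empty) Group Policy
# keys under SOFTWARE\Policies\... and the section banners are skipped.
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess'
    r'\\Parameters\\FirewallPolicy\\(?P<profile>\w+Profile)(?P<sub>[^\]]*)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<data>.*)$')
# path:scope:state:description [-- (company)]  as OTL prints it
APP_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):'
    r'(?P<desc>.*?)(?: -- \((?P<company>[^)]*)\))?$', re.IGNORECASE)
PORT_RE = re.compile(
    r'^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]*):'
    r'(?P<state>Enabled|Disabled):(?P<desc>.*)$', re.IGNORECASE)


def parse_firewall_sections(text):
    """Return (profiles, apps, ports) parsed from OTL Extras firewall output."""
    profiles, apps, ports = {}, [], []
    current = None  # (profile, subkey) of the key whose values follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m.group("profile"), m.group("sub").strip("\\")) if m else None
            if current:
                profiles.setdefault(current[0], {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        profile, sub = current
        if sub == "":
            profiles[profile][name] = int(data) if data.isdigit() else data
        elif "AuthorizedApplications" in sub:
            a = APP_RE.match(data)
            if a:
                apps.append({"profile": profile, **a.groupdict()})
        elif "GloballyOpenPorts" in sub:
            p = PORT_RE.match(data)
            if p:
                ports.append({"profile": profile, **p.groupdict()})
    return profiles, apps, ports


def triage(text):
    """List the firewall findings a helper would want to look at first."""
    profiles, apps, ports = parse_firewall_sections(text)
    findings = []
    for profile, values in sorted(profiles.items()):
        enabled = values.get("EnableFirewall")
        if enabled != 1:
            findings.append(f"{profile}: EnableFirewall={enabled} (firewall off)")
    for a in apps:
        # An enabled exception for anything not attributed to Microsoft is
        # worth a manual look; it is not by itself proof of malware.
        if a["state"].lower() == "enabled" and (a["company"] or "") != MICROSOFT:
            findings.append(f"{a['profile']}: non-Microsoft program allowed "
                            f"through firewall: {a['path']} ({a['desc']})")
    for p in ports:
        if p["state"].lower() == "enabled":
            findings.append(f"{p['profile']}: port {p['port']}/{p['proto']} "
                            f"open to {p['scope']}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG) + triage(CONSTRUCTED_OFF):
        print(f)
```

Run against the posted log it reports only the iMesh.exe exception in DomainProfile (both profiles have EnableFirewall = 1 and every globally open port is Disabled); run against the constructed snippet it reports the firewall as off. Because the log is a point-in-time snapshot, a firewall that is being switched off at each boot will only show up if OTL is run before it is turned back on by hand.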
-
February 23rd, 2013, 12:19 AM
#14
What does it say?
You didn't answer my question:
Are you still getting the message about Windows not being genuine?
-
February 23rd, 2013, 12:32 AM
#15
The logo at the bottom of the screen says "You may be a victim of counterfeiting. This copy of Windows did not pass genuine Windows validation."
If I go into Microsoft Security Essentials it says
"Windows did not pass genuine validation.
Security Essentials will become disabled if you do not resolve this issue.
To continue using Security Essentials, click Resolve Now and get genuine Windows.
If you have already resolved this issue, click Run a validation check."
It is saying that Windows is not genuine.....???