
Registry problems: help with Hijack this logfile: probable infection of pc


  • This topic is locked
18 replies to this topic

#1 anna livia

anna livia

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:25 PM

Posted 25 March 2010 - 07:29 PM

Have a Hijack This log file which I do not know how to handle. Followed helper's instruction and created a DDS text log. Now sending this in the hope that the problem may be solved by a fundi. (Also tried to create an ark.txt with Gmer, but unsuccessful - runs the whole process, but cannot save anything at the end). Your help will be really much appreciated...



DDS (Ver_10-03-17.01) - NTFSx86
Run by helize at 22:30:23.93 on 2010/03/25
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.27.1033.18.3311.2418 [GMT 2:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {56807D78-BAF3-4DAA-94F1-EBAD86A66B91}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Trend Micro\Web Protection Add-On\TMWebProtect.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Trend Micro\Web Protection Add-On\TMWebProtectTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\helize.HVANVUUREN2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.nmmu.ac.za/default.asp?id=161&bhcp=1
uSearch Page = hxxp://google.icq.com
uDefault_Page_URL = hxxp://start.icq.com/?icid=st_ie8
uURLSearchHooks: H - No File
uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [TMWebProtectTray] "c:\program files\trend micro\web protection add-on\TMWebProtectTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: RestrictRun = 0 (0x0)
uPolicies-explorer: NoFolderOptions = 00000000
uPolicies-system: NoSecCPL = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDevMgrPage = 0 (0x0)
uPolicies-system: NoConfigPage = 0 (0x0)
uPolicies-system: NoVirtMemPage = 0 (0x0)
uPolicies-system: NoFileSysPage = 0 (0x0)
uPolicies-system: NoNetSetup = 0 (0x0)
uPolicies-system: NoNetSetupIDPage = 0 (0x0)
uPolicies-system: NoNetSetupSecurityPage = 0 (0x0)
uPolicies-system: NoWorkgroupContents = 0 (0x0)
uPolicies-system: NoEntireNetwork = 0 (0x0)
uPolicies-system: NoFileSharingControl = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-explorer: NoFolderOptions = 00000000
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: absa.co.za\www
Trusted Zone: antivirus
Trusted Zone: live.com\onecare
Trusted Zone: nmmu.ac.za\area51
Trusted Zone: nmmu.ac.za\my
Trusted Zone: pcpitstop.com\www
DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 wvauth nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\helize~1.hva\applic~1\mozilla\firefox\profiles\rhpxojhi.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.nmmu.ac.za/Default.asp?bhcp=1
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2007-9-20 21504]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2010-3-16 222456]
R2 TMWebProtect;Trend Micro Web Protection Add-On Service;c:\program files\trend micro\web protection add-on\TMWebProtect.exe [2010-3-22 591232]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2007-9-20 2554648]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-4 5120]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-12-24 80256]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-3-22 206608]
S2 gupdate1ca774e726a867e;Google Update Service (gupdate1ca774e726a867e);c:\program files\google\update\GoogleUpdate.exe [2009-12-7 133104]
S2 TmFilter;Trend Micro Filter;\??\c:\program files\trend micro\officescan client\tmxpflt.sys --> c:\program files\trend micro\officescan client\TmXPFlt.sys [?]
S2 TmPfw;OfficeScan NT Firewall;"c:\program files\trend micro\officescan client\tmpfw.exe" --> c:\program files\trend micro\officescan client\TmPfw.exe [?]
S2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\trend micro\officescan client\tmpreflt.sys --> c:\program files\trend micro\officescan client\TmPreFlt.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-16 1691480]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2010-1-19 55184]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\tm_cfw.sys --> c:\windows\system32\drivers\TM_CFW.sys [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-3-22 206608]
S3 TmProxy;OfficeScan NT Proxy Service;"c:\program files\trend micro\officescan client\tmproxy.exe" --> c:\program files\trend micro\officescan client\TmProxy.exe [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-3-5 189792]

=============== Created Last 30 ================

2010-03-22 20:12:34 0 d-----w- c:\program files\Runtime Software
2010-03-22 17:15:08 0 ----a-w- c:\documents and settings\helize.hvanvuuren2\defogger_reenable
2010-03-22 12:48:02 0 d-----w- c:\docume~1\helize~1.hva\applic~1\Malwarebytes
2010-03-22 12:47:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-22 12:47:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-22 12:47:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 12:47:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-22 11:30:51 0 d-----w- c:\program files\TrendMicro
2010-03-22 11:17:01 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-03-22 11:17:00 0 d-----w- c:\program files\Trend Micro
2010-03-22 10:52:59 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-21 14:01:29 53248 ----a-w- c:\program files\iCheckConnection.exe
2010-03-18 22:53:12 1674683 ----a-w- c:\windows\system32\igxpxa32.cpa
2010-03-18 22:53:12 1023 ----a-w- c:\windows\system32\igxpxa32.vp
2010-03-18 22:53:11 155648 ----a-w- c:\windows\system32\igfxCoIn_v5218.dll
2010-03-17 10:58:35 12270986 ----a-w- c:\temp\spel.zip
2010-03-16 13:03:18 0 d-----w- c:\program files\ICQ6NewTab
2010-03-16 13:01:22 0 dc-h--w- c:\windows\ie8
2010-03-16 13:00:48 0 d-----w- c:\program files\ICQ6Toolbar
2010-03-16 13:00:48 0 d-----w- c:\docume~1\alluse~1\applic~1\ICQ
2010-03-16 13:00:44 0 d--h--w- c:\windows\msdownld.tmp
2010-03-16 12:41:41 18015992 ----a-w- c:\temp\IE8-Setup-Full.exe
2010-03-11 20:55:58 0 d-----w- c:\program files\Innovative Solutions
2010-03-10 13:24:46 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 20:29:38 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-09 17:47:21 0 d-----w- c:\program files\Support Tools
2010-03-09 15:42:37 0 d-----w- c:\windows\system32\FxsTmp
2010-03-09 15:42:33 535 ----a-w- c:\windows\system32\mapisvc.inf
2010-03-09 15:42:32 698 ----a-w- c:\windows\system32\inetsrv.mib
2010-03-09 15:42:32 6179 ----a-w- c:\windows\system32\ftp.mib
2010-03-09 15:42:32 20079 ----a-w- c:\windows\system32\http.mib
2010-03-09 14:45:24 0 d-----w- c:\program files\IIS
2010-03-09 14:41:49 0 d-----w- c:\program files\Microsoft SQL Server
2010-03-09 14:36:57 0 d-----w- c:\program files\Microsoft ASP.NET
2010-03-09 14:22:31 104960 -c----w- c:\windows\system32\dllcache\win32spl.dll
2010-03-09 14:22:29 74752 -c----w- c:\windows\system32\dllcache\msw3prt.dll
2010-03-08 13:40:16 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2010-03-08 13:40:14 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-03-08 13:39:57 0 d-----w- c:\docume~1\helize~1.hva\applic~1\TuneUp Software
2010-03-08 13:39:45 0 d-----w- c:\program files\TuneUp Utilities 2010
2010-03-08 13:16:05 21190984 ----a-w- c:\temp\Trial-9.0.2000.16_en-US_155.exe
2010-03-08 11:54:56 0 d-----w- c:\docume~1\helize~1.hva\applic~1\Uniblue
2010-03-08 11:54:51 0 d-----w- c:\program files\Uniblue
2010-03-05 15:53:50 297035 ----a-w- c:\windows\system32\drivers\CVPNDRVA.sys
2010-03-05 15:53:49 163840 ----a-w- c:\windows\system32\vpnapi.dll
2010-03-05 15:53:46 0 d-----w- c:\program files\common files\Deterministic Networks
2010-03-03 08:46:58 0 d-----w- c:\docume~1\helize~1.hva\applic~1\Foxit Software
2010-03-01 22:44:10 0 d-----w- c:\program files\Microsoft Security Essentials
2010-02-26 14:49:50 1056872 ----a-w- c:\program files\Managing_Internet_Explorer_Enhanced_Security_Configuration.zip
2010-02-26 14:35:59 1088378 ----a-w- c:\windows\setupapi.log.0.old
2010-02-26 10:45:40 528424 ----a-w- c:\program files\WindowsXP-KB946648-x86-ENU.exe
2010-02-25 14:50:45 0 d-----w- C:\Sun
2010-02-25 14:03:52 0 d-----w- c:\program files\Messenger
2010-02-25 10:46:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-25 10:46:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 10:50:54 244 ---ha-w- C:\sqmnoopt02.sqm
2010-02-24 10:50:54 232 ---ha-w- C:\sqmdata02.sqm
2010-02-24 05:54:25 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 03:24:09 0 d-----w- c:\documents and settings\helize.hvanvuuren2\SecurityScans
2010-02-24 03:22:35 0 d-----w- c:\program files\Microsoft Baseline Security Analyzer 2

==================== Find3M ====================

2010-03-13 03:53:22 9721888 ----a-w- c:\windows\RTLCPL.EXE
2010-03-13 03:53:22 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-03-13 03:53:22 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-03-13 03:53:16 19521056 ----a-w- c:\windows\RTHDCPL.EXE
2010-03-13 03:53:16 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-03-13 03:53:12 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2010-03-13 03:53:12 358944 ----a-w- c:\windows\vncutil.exe
2010-03-13 03:53:12 1833504 ----a-w- c:\windows\SkyTel.exe
2010-03-13 03:53:10 2815520 ----a-w- c:\windows\ALCWZRD.EXE
2010-03-13 03:53:10 2177568 ----a-w- c:\windows\MicCal.exe
2010-03-13 03:53:04 64032 ----a-w- c:\windows\ALCMTR.EXE
2010-03-13 03:41:22 5867040 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-02-03 06:17:08 14717792 ----a-w- C:\pcmatic-setup.exe
2010-01-13 10:19:00 3773952 ----a-w- c:\windows\system32\igxpdx32.dll
2010-01-13 10:18:48 2685280 ----a-w- c:\windows\system32\igxpdv32.dll
2010-01-13 10:18:38 185856 ----a-w- c:\windows\system32\igxpgd32.dll
2010-01-13 10:18:36 57344 ----a-w- c:\windows\system32\igxprd32.dll
2010-01-13 10:03:54 294912 ----a-w- c:\windows\system32\igldev32.dll
2010-01-13 10:03:44 2342912 ----a-w- c:\windows\system32\iglicd32.dll
2010-01-13 09:48:40 645632 ----a-w- c:\windows\system32\igfxcfg.exe
2010-01-13 09:46:48 134656 ----a-w- c:\windows\system32\igfxtray.exe
2010-01-13 09:46:36 166912 ----a-w- c:\windows\system32\hkcmd.exe
2010-01-13 09:46:32 23552 ----a-w- c:\windows\system32\igfxexps.dll
2010-01-13 09:46:28 199168 ----a-w- c:\windows\system32\igfxpph.dll
2010-01-13 09:46:28 165888 ----a-w- c:\windows\system32\igfxext.exe
2010-01-13 09:46:16 130048 ----a-w- c:\windows\system32\igfxdo.dll
2010-01-13 09:46:14 135680 ----a-w- c:\windows\system32\igfxpers.exe
2010-01-13 09:46:04 51712 ----a-w- c:\windows\system32\igfxsrvc.dll
2010-01-13 09:46:02 243712 ----a-w- c:\windows\system32\igfxsrvc.exe
2010-01-13 09:45:38 93696 ----a-w- c:\windows\system32\hccutils.dll
2010-01-13 09:45:32 5702656 ----a-w- c:\windows\system32\igfxress.dll
2010-01-13 09:45:32 205824 ----a-w- c:\windows\system32\igfxdev.dll
2007-06-01 14:07:48 741376 ----a-w- c:\program files\common files\InfoSlips.ForMe.exe
2008-06-03 09:22:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-06-25 08:40:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009062520090626\index.dat

============= FINISH: 22:30:32.15 ===============



#2 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:06:25 PM

Posted 29 March 2010 - 09:03 PM

Hey anna livia,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning up process will be smoother and more efficient. Do not worry, the points below are not any form of rules, it's just a few pointers that can ensure that you will get the best help from me.
  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply was posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to, this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance, any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here. ;)
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff). All staff are volunteers on here, starting multiple topics will waste the limited resource of manpower we have here at Bleepingcomputer and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding.

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:06:25 PM

Posted 30 March 2010 - 09:35 AM

Hey anna livia,

It seems that you are running Uniblue RegistryBooster 2010, which in effect is a registry scanner/cleaner. Please be aware that the Registry is a very important segment of a computer system and that editing the registry can be a dangerous process. Any mistakes in editing can corrupt the entire registry, rendering your system unbootable or unrepairable. Unless you have advanced knowledge about the inner workings of the Registry, you should never run any registry scanners/cleaners without the guidance of an expert. Doing so may not always deliver the results you want to see; in addition, fixing/cleaning a wrong section of the registry can ultimately corrupt your entire computer system. Thus, I highly recommend that you remove Uniblue RegistryBooster 2010 from your computer and refrain from downloading registry scanners/cleaners in the future.

From your log, you seem to have multiple anti-virus programs running on your computer. This is not recommended as multiple protection of the same kind can cause conflicts and reduce the efficiency of the software. I would advise that you remove Microsoft Security Essentials and keep Trend Micro.

I don't see much in your log, let's run some scans first.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Trend Micro) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
2) Run RootRepeal

Download RootRepeal from one of the following locations and save it to your desktop:
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
Next reply (please include in your post):

OTS.txt (attached)
RootRepeal.txt (attached)


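The points Ltangelic draws from the DDS log in post #1 (two products with on-access scanning registered, entries the tool could not resolve) are checks that can be scripted. The Python below is an added example written for this thread; it is not DDS output and not code from BleepingComputer or from the DDS/OTS authors. It runs over a constructed excerpt shaped like the quoted log and reports what a helper looks at first: how many real-time AV engines are registered, Pseudo-HJT entries marked `No File`, and services whose image file DDS flagged as `[?]`. The regexes and the `SAMPLE_LOG` text are assumptions drawn from the format shown on this page, not a DDS specification.

```python
"""Triage helper for a DDS-style log (added example, not DDS or BleepingComputer code)."""
import re

# Constructed sample: a handful of lines in the shape of the DDS log quoted in post #1.
SAMPLE_LOG = r"""AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {56807D78-BAF3-4DAA-94F1-EBAD86A66B91}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
LSP: c:\windows\system32\biolsp.dll

============= SERVICES / DRIVERS ===============

R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2007-9-20 21504]
S2 TmFilter;Trend Micro Filter;\??\c:\program files\trend micro\officescan client\tmxpflt.sys --> c:\program files\trend micro\officescan client\TmXPFlt.sys [?]
"""

# Assumed line shapes, inferred from the log format on this page.
AV_RE = re.compile(r"^AV: (?P<name>.+?) \*On-access scanning enabled\*")
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")


def active_av(log_text):
    """Names of AV products the log reports with real-time (on-access) scanning enabled."""
    names = []
    for line in log_text.splitlines():
        m = AV_RE.match(line)
        if m:
            names.append(m.group("name"))
    return names


def orphan_entries(log_text):
    """Pseudo-HJT lines whose referenced file no longer exists (trailing 'No File')."""
    return [line.strip() for line in log_text.splitlines()
            if line.strip().endswith("No File")]


def unverified_services(log_text):
    """Service/driver names whose image the log could not verify (trailing '[?]')."""
    names = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m and m.group("path").rstrip().endswith("[?]"):
            names.append(m.group("name"))
    return names


def triage(log_text):
    """Bundle the three checks into one report dict."""
    avs = active_av(log_text)
    return {
        "realtime_av": avs,
        # Two engines hooking file access at once is the conflict Ltangelic warns about.
        "multiple_realtime_av": len(avs) > 1,
        "orphan_entries": orphan_entries(log_text),
        "unverified_services": unverified_services(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Orphaned `No File` entries and `[?]` services are not malware indicators by themselves (both can be leftovers of an uninstall), which is why the script only surfaces them for a human to weigh against the rest of the log.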

#4 anna livia

anna livia
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:25 PM

Posted 01 April 2010 - 08:10 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/04/01 14:48
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA75F4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5DA000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA54EB000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\helize.HVANVUUREN2\Local Settings\Apps\2.0\GYJ5TG35.M8R\MMB8KDQR.T2N\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\helize.HVANVUUREN2\Local Settings\Apps\2.0\GYJ5TG35.M8R\MMB8KDQR.T2N\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\helize.HVANVUUREN2\Local Settings\Apps\2.0\GYJ5TG35.M8R\MMB8KDQR.T2N\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

==EOF==

Attached File  OTS.Txt   183.62KB   10 downloads
Attached File  RootRepeal.txt   2.58KB   12 downloads

#5 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:06:25 PM

Posted 03 April 2010 - 01:05 AM

Hey anna livia,

Thank you for the logs.

QUOTE
C:\Documents and Settings\helize.HVANVUUREN2\My Documents\artikels Gitte
C:\Documents and Settings\helize.HVANVUUREN2\My Documents\Beyers Naude
C:\Documents and Settings\helize.HVANVUUREN2\My Documents\Alba Bouwer
C:\Documents and Settings\helize.HVANVUUREN2\My Documents\Onderhoude
C:\Documents and Settings\helize.HVANVUUREN2\My Documents\Adam Small
c:\temp\spel.zip
C:\Documents and Settings\helize.HVANVUUREN2\My Documents\cc_20100319_223249.reg


Do you happen to know the files/folders above?

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (insert protection software(s)'s name(s)) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    CODE
    :FileFind
    comsvcs.dll
    dxtmsft.dll
    dxtrans.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

3) Run MBR and Rooter

Please download MBR.exe to your desktop. Double-click on it and it will produce a log on desktop (mbr.log). Please post the log in your next reply.

THEN

Please download Rooter.exe and save it to your desktop
  • Double-click it to start the tool. If you are using Vista, please right-click and choose Run As Administrator...
  • Allow it to run when you get a Security Warning.
  • At the main control page, please click the green button.
  • It will now begin to scan, please be patient. The scan should not take more than 3 minutes
  • A Notepad file containing the report will open soon. It can also be found at %systemdrive%\Rooter$\Rooter_1.txt
  • Now push the button to close Rooter.
  • Please post the contents of that log file here in your next reply.

Next reply (please include in your post):

ComboFix.txt
SystemLook.txt
MBR log
Rooter_1.txt

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#6 anna livia

anna livia
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 04 April 2010 - 09:44 AM

Attached File  Rooter_1.txt   4.31KB   8 downloads
Attached File  SystemLook.txt   10.35KB   7 downloads
Attached File  mbr.log   195bytes   11 downloads
Attached File  ComboFix.txt   24.9KB   10 downloads
Attached File  log.txt   24.9KB   9 downloads

Hi Ltangelic

Herewith the required logs and text files attached. Although I deactivated my Trend Micro Officescan Web protection, Combofix insisted that Trend was still running. I could not detect anything running, but as a precaution deleted the program totally. Hope that nothing seriously went wrong when running Combofix (they do give a dire warning of such a possibility).

Hope that a solution is near. I would also like to know whether, if and when everything is solved, I may clear the proliferation of downloads and text/log files from my desktop. Still do not know how to deal with the original HiJack This logfile.

Thanks for your help thus far.


Regards
Anna Livia

#7 anna livia

anna livia
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 04 April 2010 - 10:00 AM

Hi Ltangelic

Recently (Jan 2010) I bought and downloaded PCmatic, a programme which also involves a registry cleaner. Should I also in future not use this programme/delete it? I suspect that it might be the root of some of my problems (it is sold by www.pctools.com) and consists of their Exterminate, registry cleaner, defragger and more. It does not pick up the problem I have with accessing my work intranet (I can get through to the intranet, but not to the financial requisitions page for approvals of requisitions - this works through another private PIN number). Although I am able to access the financial requisitions page from work, on campus, and was able to approve things from home for years, lately this has become impossible - since mid January, precisely the time when I started using Pcmatic.

Regards
Anna Livia

#8 anna livia

anna livia
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 04 April 2010 - 03:46 PM

Hi Ltangelic
I forgot to answer your first question about the files you specified. I know them all; the last two are unessential and may be removed (the last one is from CCleaner, created as a back-up when cleaning the registry under CCleaner). The second last one (wspel) may be removed. The others are essential work files.

Regards
Anna livia

#9 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:06:25 PM

Posted 06 April 2010 - 09:18 AM

Hi,

Sincere apologies for the late reply. I will be unavailable from today and a fellow colleague will take over and help you instead. Please be patient in waiting for a reply, thank you.

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:25 AM

Posted 06 April 2010 - 11:09 AM

Hello, anna livia
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

I will review the topic now, in the meantime, please tell me how the system is running and run this tool:

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#11 anna livia

anna livia
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 06 April 2010 - 02:56 PM

Hi Tom

Thanks for the anticipated help...
Regards
anna livia
_________________________________________________
OTL logfile created on: 2010/04/06 09:04:03 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\helize.HVANVUUREN2\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001C09 | Country: South Africa | Language: ENS | Date Format: yyyy/MM/dd

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 80.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 123.42 Gb Free Space | 82.81% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HVANVUUREN2
Current User Name: helize
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/06 21:02:58 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\OTL.exe
PRC - [2010/03/18 20:23:35 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
PRC - [2009/09/02 03:29:54 | 000,288,136 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Web Protection Add-On\TMWebProtectTray.exe
PRC - [2009/09/02 03:29:52 | 000,591,232 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Web Protection Add-On\TMWebProtect.exe
PRC - [2009/08/17 22:54:54 | 012,957,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PRC - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 16:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/03/23 10:29:46 | 000,222,456 | ---- | M] () -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe
PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/14 02:12:36 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe
PRC - [2008/04/14 02:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/14 02:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/28 06:18:05 | 002,554,648 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\UNS.exe
PRC - [2007/06/28 06:18:04 | 000,183,064 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchksrv.exe
PRC - [2007/06/28 06:18:03 | 000,109,336 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2007/05/17 13:10:00 | 000,098,672 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe
PRC - [2007/05/16 13:48:56 | 000,228,208 | ---- | M] () -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe
PRC - [2007/02/01 09:21:22 | 001,466,368 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
PRC - [2004/08/04 14:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe


========== Modules (SafeList) ==========

MOD - [2010/04/06 21:02:58 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\OTL.exe
Attached File  Extras.Txt   47.68KB   8 downloads
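The OTL report above lists processes (PRC), modules (MOD) and services (SRV) in a fixed line format. The following Python helper is an added example written for this thread (it is not part of OTL or of the Bleeping Computer procedure): it parses those lines and flags what a responder reads first, namely service registrations whose binary is missing, executables carrying no company/version information, and code running from a user profile instead of Program Files or the Windows directory. The sample lines are constructed in the format of the log above.

```python
"""Triage helper for the PRC/MOD/SRV lines of an OTL report.

Hypothetical helper written for this thread; it is not part of OTL.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Entry with a file record, e.g.
#   PRC - [2010/04/06 21:02:58 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\...\OTL.exe
#   SRV - [... | M] () [Auto | Running] -- C:\...\ICQ Service.exe -- (ICQ Service)
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV) - "
    r"\[(?P<stamp>[^|\]]+) \| (?P<size>[\d,]+) \| (?P<attr>[^|\]]+) \| [A-Z]\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<service>[^)]+)\).*)?$"
)
# Service whose registered binary no longer exists, e.g.
#   SRV - File not found [Auto | Stopped] -- -- (TmPfw)
MISSING_RE = re.compile(
    r"^SRV - File not found \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\]"
    r" -- -- \((?P<service>[^)]+)\)$"
)


@dataclass
class Entry:
    kind: str                 # PRC, MOD or SRV
    path: Optional[str]       # None when OTL reported "File not found"
    company: str              # empty when the binary has no version resource
    size: int                 # bytes, from the "000,561,664" field
    service: Optional[str]    # service name for SRV entries
    start: Optional[str]      # Auto / On_Demand / ...
    state: Optional[str]      # Running / Stopped
    file_found: bool


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL PRC/MOD/SRV line; returns None for any other line."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        return Entry(kind=m["kind"], path=m["path"], company=m["company"].strip(),
                     size=int(m["size"].replace(",", "")), service=m["service"],
                     start=m["start"], state=m["state"], file_found=True)
    m = MISSING_RE.match(line)
    if m:
        return Entry(kind="SRV", path=None, company="", size=0, service=m["service"],
                     start=m["start"], state=m["state"], file_found=False)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


# Locations third-party code is expected to run from on a default XP install.
EXPECTED_ROOTS = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\")


def triage(entries: List[Entry]) -> List[str]:
    """One finding per entry that deserves a closer look; an empty list is clean."""
    findings = []
    for e in entries:
        if not e.file_found:
            # Typically left behind by an uninstalled product (the Trend Micro
            # entries in the log above match the OfficeScan removal described
            # earlier in the thread); they are clean-up candidates.
            findings.append(f"orphaned service: {e.service} ({e.start}, {e.state})")
            continue
        if not e.company:
            # Not proof of malware, but unsigned/unversioned binaries are checked first.
            findings.append(f"no company/version info: {e.path}")
        if not e.path.upper().startswith(EXPECTED_ROOTS):
            # OTL.exe itself trips this rule because it runs from the Desktop;
            # the rule is a prompt to look, not a verdict.
            findings.append(f"runs from a user-writable location: {e.path}")
    return findings


# Constructed sample in the format of the log above.
SAMPLE_LOG = r"""
PRC - [2010/04/06 21:02:58 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\OTL.exe
PRC - [2009/03/23 10:29:46 | 000,222,456 | ---- | M] () -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe
SRV - File not found [Auto | Stopped] -- -- (TmPfw)
SRV - [2007/06/28 06:18:05 | 002,554,648 | R--- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\AMT\UNS.exe -- (UNS) Intel
SRV - [2007/02/01 09:21:22 | 001,466,368 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
MOD - [2008/04/13 19:37:57 | 000,208,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll
"""

if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(finding)
```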

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:25 AM

Posted 06 April 2010 - 03:11 PM

Hi,

The OTL.txt is incomplete, please post it again and tell me what issues you still have with the system and how it is running.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#13 anna livia

anna livia
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 07 April 2010 - 02:11 AM

Hi Tom
I ran a quick scan again - same results. Then chose "scan all users", and a slightly bigger file was created.

The problem I still have is that I cannot manually access (switch off temporarily, or put on) the Windows firewall, as I have tampered with auditing without understanding what I did (parent, inheriting, user rights); by mistake I created multiple users on my system, although I am the only person using the computer. I receive the following message:
"ICS not running" - when I try to switch this on, it refuses to do so - "unavailable". I also tampered with the services under "Administrator".

Final error message: "Windows cannot start the Windows Firewall/ICS service"

This might be the cause of my inability to contact my work intranet's finance requisition and approval site at my.nmmu.ac.za.

I also tampered with "services", "principals" and ? in some setting, so that when I try to start the Windows firewall, it specifies a complicated list of "Groups", "Users" and "Principals" which I really do not understand, and seem unable to remove. All these then are specified in detail as having been allowed or denied a long list of things they can or cannot do. If I could reset to the default original settings, I suspect this would solve my intranet access problem.

For the rest everything seems fine now, although I have still not been told how to deal with my original HiJack.this file, which is why I visited your website for help in the first instance, many moons ago.
My desktop is now full of a proliferation of programmes and log files, which I am too frightened to delete, and none of which I understand how to use myself.

Thanks again for your time and effort
Helize
___________________

new and more complete OTL logfile:

Attached File  OTL_3_.Txt   88.7KB   10 downloads

OTL logfile created on: 2010/04/07 08:41:55 AM - Run 2
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\helize.HVANVUUREN2\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001C09 | Country: South Africa | Language: ENS | Date Format: yyyy/MM/dd

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 79.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 123.48 Gb Free Space | 82.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HVANVUUREN2
Current User Name: helize
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/06 21:02:58 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\OTL.exe
PRC - [2010/03/18 20:23:35 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
PRC - [2009/09/02 03:29:54 | 000,288,136 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Web Protection Add-On\TMWebProtectTray.exe
PRC - [2009/09/02 03:29:52 | 000,591,232 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Web Protection Add-On\TMWebProtect.exe
PRC - [2009/08/17 22:54:54 | 012,957,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PRC - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 16:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/03/23 10:29:46 | 000,222,456 | ---- | M] () -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe
PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/14 02:12:36 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe
PRC - [2008/04/14 02:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/14 02:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/28 06:18:05 | 002,554,648 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\UNS.exe
PRC - [2007/06/28 06:18:04 | 000,183,064 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchksrv.exe
PRC - [2007/06/28 06:18:03 | 000,109,336 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2007/05/17 13:10:00 | 000,098,672 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe
PRC - [2007/05/16 13:48:56 | 000,228,208 | ---- | M] () -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe
PRC - [2007/02/01 09:21:22 | 001,466,368 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
PRC - [2004/08/04 14:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe


========== Modules (SafeList) ==========

MOD - [2010/04/06 21:02:58 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\OTL.exe
MOD - [2009/07/11 19:41:02 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
MOD - [2009/05/24 22:41:34 | 000,304,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll
MOD - [2009/03/06 04:33:26 | 000,961,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveUtil.dll
MOD - [2009/02/12 15:19:38 | 000,178,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
MOD - [2009/02/12 15:19:32 | 002,217,848 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
MOD - [2008/10/25 11:44:34 | 000,022,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveNew.dll
MOD - [2008/07/25 11:17:20 | 000,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
MOD - [2008/04/14 02:11:50 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cabinet.dll
MOD - [2008/04/13 19:37:57 | 000,208,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (TmProxy)
SRV - File not found [Auto | Stopped] -- -- (TmPfw)
SRV - File not found [Auto | Stopped] -- -- (tmlisten)
SRV - File not found [On_Demand | Stopped] -- -- (SecureStorageService)
SRV - File not found [On_Demand | Stopped] -- -- (ntrtscan)
SRV - [2010/01/19 17:49:14 | 000,055,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe -- (MsDepSvc)
SRV - [2009/09/02 03:29:52 | 000,591,232 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Web Protection Add-On\TMWebProtect.exe -- (TMWebProtect)
SRV - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/03/23 10:29:46 | 000,222,456 | ---- | M] () [Auto | Running] -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)
SRV - [2008/04/14 02:12:36 | 000,033,280 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2008/04/14 02:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/14 02:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/06/28 06:18:05 | 002,554,648 | R--- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\AMT\UNS.exe -- (UNS) Intel®
SRV - [2007/06/28 06:18:04 | 000,183,064 | R--- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\atchksrv.exe -- (atchksrv) Intel®
SRV - [2007/06/28 06:18:03 | 000,109,336 | R--- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2007/05/17 13:10:00 | 000,098,672 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/05/16 13:48:56 | 000,228,208 | ---- | M] () [Auto | Running] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/02/01 09:21:22 | 001,466,368 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2005/01/07 14:15:58 | 001,409,048 | ---- | M] (Cisco Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2004/08/04 14:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://lock.nmmu.ac.za/proxy/staff


IE - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.nmmu.ac.za/default.asp?id=161&bhcp=1
IE - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://my.nmmu.ac.za/Default.asp?bhcp=1"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.type: 4


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/21 10:43:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/25 21:21:18 | 000,000,000 | ---D | M]

[2009/12/01 13:02:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Mozilla\Extensions
[2010/03/21 16:13:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Mozilla\Firefox\Profiles\rhpxojhi.default\extensions
[2009/12/01 14:31:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Mozilla\Firefox\Profiles\rhpxojhi.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/17 11:36:22 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Mozilla\Firefox\Profiles\rhpxojhi.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/02/20 20:02:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Mozilla\Firefox\Profiles\rhpxojhi.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2010/03/21 16:13:09 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/13 02:00:07 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2010/04/04 16:11:25 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [TMWebProtectTray] C:\Program Files\Trend Micro\Web Protection Add-On\TMWebProtectTray.exe (Trend Micro Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [TSClientMSIUninstaller] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoThumbnailCache = 1
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: RestrictRun = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 1
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoSecCPL = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDevMgrPage = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoConfigPage = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoVirtMemPage = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoFileSysPage = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoNetSetup = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoNetSetupIDPage = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoNetSetupSecurityPage = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoWorkgroupContents = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoEntireNetwork = 0
O7 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoFileSharingControl = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\biolsp.dll (Wave Systems Corp.)
O15 - HKU\.DEFAULT\..Trusted Domains: nmmu.ac.za ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: petech.ac.za ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: staff.upe ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: upe.ac.za ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: nmmu.ac.za ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: petech.ac.za ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: staff.upe ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: upe.ac.za ([]* in Local intranet)
O15 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\..Trusted Domains: absa.co.za ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\..Trusted Domains: antivirus ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\..Trusted Domains: live.com ([onecare] http in Trusted sites)
O15 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\..Trusted Domains: nmmu.ac.za ([area51] http in Trusted sites)
O15 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\..Trusted Domains: nmmu.ac.za ([basalt] http in Local intranet)
O15 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\..Trusted Domains: nmmu.ac.za ([my] http in Trusted sites)
O15 - HKU\S-1-5-21-3135593450-3778320516-3760818761-1017\..Trusted Domains: pcpitstop.com ([www] http in Trusted sites)
O16 - DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab (VersionControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab (PCMaticVer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll (PCPitstop Exam)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.2
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1235.0517.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1235.0517.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\helize.HVANVUUREN2\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\helize.HVANVUUREN2\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/20 17:24:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/07 08:20:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\NTRU Cryptosystems
[2010/04/06 21:02:58 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\OTL.exe
[2010/04/04 22:50:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\helize.HVANVUUREN2\Recent
[2010/04/04 22:50:12 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/04 21:27:41 | 000,206,608 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\TMPassthru.sys
[2010/04/04 21:27:41 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/04 17:44:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\helize.HVANVUUREN2\My Documents\Kalahari bestellings Apr 2010
[2010/04/04 16:32:05 | 000,000,000 | ---D | C] -- C:\Rooter$
[2010/04/04 16:31:21 | 000,173,119 | ---- | C] (Eric_71) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\Rooter.exe
[2010/04/04 15:49:09 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/04 15:47:11 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/04/04 15:02:09 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/04/04 14:50:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/04 14:50:17 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/04 14:50:17 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/04 14:50:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/04 14:50:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/04 14:47:08 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/01 14:47:53 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\RootRepeal.exe
[2010/04/01 14:32:26 | 000,637,440 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\OTS.exe
[2010/03/25 12:05:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\helize.HVANVUUREN2\My Documents\Nathan MA 2010
[2010/03/25 12:02:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\helize.HVANVUUREN2\My Documents\Etienne van Heerden 30 Nagte
[2010/03/24 20:29:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2010/03/08 16:00:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\TuneUp Software
[2010/02/26 12:45:40 | 000,528,424 | ---- | C] (Microsoft Corporation) -- C:\Program Files\WindowsXP-KB946648-x86-ENU.exe
[2010/02/19 23:40:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/02/01 20:17:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
[2009/12/08 12:20:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/12/07 17:03:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/12/07 17:03:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/11/10 06:30:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Ahead
[2009/11/10 06:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/04/28 11:45:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/03/23 18:03:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/06/01 16:07:48 | 000,741,376 | ---- | C] (InfoSlips) -- C:\Program Files\Common Files\InfoSlips.ForMe.exe
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/07 08:28:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/07 08:20:15 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/07 08:19:56 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/07 08:19:38 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/07 08:19:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/07 08:18:30 | 005,767,168 | ---- | M] () -- C:\Documents and Settings\helize.HVANVUUREN2\ntuser.dat
[2010/04/07 08:18:30 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\helize.HVANVUUREN2\ntuser.ini
[2010/04/06 21:02:58 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\OTL.exe
[2010/04/06 11:41:28 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CB430C20-AAB0-4DF7-8284-B2F87F771447}.job
[2010/04/05 16:36:32 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\Microsoft Office Word 2007.lnk
[2010/04/04 16:31:23 | 000,173,119 | ---- | M] (Eric_71) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\Rooter.exe
[2010/04/04 16:30:24 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\mbr.exe
[2010/04/04 16:25:06 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\SystemLook.exe
[2010/04/04 16:11:32 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/04 16:11:25 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/04 15:49:14 | 000,000,317 | RHS- | M] () -- C:\boot.ini
[2010/04/04 14:46:41 | 003,907,280 | R--- | M] () -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\ComboFix.exe
[2010/04/01 14:48:05 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\RootRepeal.exe
[2010/04/01 14:35:25 | 000,637,440 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\OTS.exe
[2010/04/01 11:28:35 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/03/26 03:24:15 | 000,002,467 | ---- | M] () -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\HiJackThis.lnk
[2010/03/25 22:34:22 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\gmer.zip
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/04 16:30:23 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\mbr.exe
[2010/04/04 16:25:03 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\SystemLook.exe
[2010/04/04 15:49:14 | 000,000,247 | ---- | C] () -- C:\Boot.bak
[2010/04/04 15:49:11 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/04 14:50:17 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/04 14:50:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/04 14:50:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/04 14:50:17 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/04 14:50:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/04 14:46:41 | 003,907,280 | R--- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\Desktop\ComboFix.exe
[2010/04/02 12:44:20 | 000,000,539 | ---- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\My Documents\Shortcut to mbam-setup.exe.lnk
[2010/03/22 19:15:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\defogger_reenable
[2010/03/22 12:44:12 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\Local Settings\Application Data\housecall.guid.cache
[2010/03/21 16:01:29 | 000,053,248 | ---- | C] () -- C:\Program Files\iCheckConnection.exe
[2010/03/09 19:55:21 | 005,767,168 | ---- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\ntuser.dat
[2010/03/09 16:08:04 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2010/03/09 16:08:03 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2010/03/09 16:08:01 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2010/03/05 17:53:49 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2010/03/04 01:58:37 | 000,159,112 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/02/26 16:49:50 | 001,056,872 | ---- | C] () -- C:\Program Files\Managing_Internet_Explorer_Enhanced_Security_Configuration.zip
[2010/02/25 11:26:29 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2010/02/17 13:15:13 | 000,106,591 | ---- | C] () -- C:\WINDOWS\System32\fwnetcfg.dll
[2010/02/17 13:15:06 | 000,004,133 | ---- | C] () -- C:\WINDOWS\entrust.ini
[2010/02/16 15:13:56 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/02/16 15:13:55 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/16 14:13:03 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v5016.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/02/21 00:22:23 | 000,172,056 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008/10/29 13:15:59 | 000,000,331 | ---- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\wave_license.txt
[2008/10/29 13:15:59 | 000,000,101 | ---- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\default.pls
[2008/10/29 13:15:59 | 000,000,051 | ---- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\Local Settings\Application Data\setup.txt
[2008/10/29 13:15:58 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\ntuser.dat.LOG
[2008/10/29 13:15:58 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\helize.HVANVUUREN2\ntuser.ini
[2007/09/27 11:12:53 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2007/09/27 11:12:53 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/27 10:32:33 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2007/09/27 10:32:33 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2007/09/20 21:31:04 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/09/20 19:20:39 | 000,012,663 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2007/09/20 18:58:33 | 000,000,510 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/09/20 18:21:52 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2007/09/20 18:05:44 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
[2007/09/20 17:58:22 | 001,736,704 | ---- | C] () -- C:\WINDOWS\System32\Tsp1.dll
[2007/01/31 20:16:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
[2007/01/31 20:16:20 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\OEM_Resources.dll
[2007/01/31 20:08:44 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
[2007/01/31 20:08:36 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
[2007/01/31 20:08:26 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
[2007/01/31 20:08:18 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
[2007/01/31 20:08:08 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
[2007/01/31 20:08:00 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
[2007/01/31 20:07:50 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
[2007/01/31 20:07:42 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
[2007/01/31 20:07:34 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
[2007/01/31 20:07:24 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
[2007/01/31 13:09:46 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
[2007/01/31 13:09:26 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
[2007/01/31 13:09:06 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
[2007/01/31 13:08:46 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
[2007/01/31 13:08:26 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
[2007/01/31 13:08:06 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
[2007/01/31 13:07:46 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
[2007/01/31 13:07:26 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
[2007/01/31 13:07:04 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
[2007/01/31 13:06:46 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
[2007/01/02 09:14:20 | 000,835,584 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
[2004/09/10 12:34:00 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
[2004/09/10 12:34:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll

========== LOP Check ==========

[2010/02/17 14:00:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TuneUp Software
[2007/09/27 11:12:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
[2009/08/08 22:59:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2010/03/16 15:00:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ICQ
[2007/09/27 11:09:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
[2010/04/01 07:11:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2007/09/20 19:44:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RightFax
[2009/07/05 11:38:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/03/08 15:30:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2007/09/27 11:13:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2007/09/28 08:15:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
[2007/09/28 07:54:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/02/17 11:26:27 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
[2007/09/27 11:12:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Wave Systems Corp
[2009/12/15 07:13:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\AntiMalware
[2010/02/18 21:16:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Downloaded Installations
[2009/10/04 20:23:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Error Fix
[2010/02/18 20:48:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Foxit
[2010/03/03 10:46:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Foxit Software
[2010/03/24 20:34:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\InfoSlips
[2009/05/05 19:16:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\PC Updater
[2010/02/03 11:13:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\PCPitstop
[2010/03/08 15:39:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\TuneUp Software
[2010/03/08 13:54:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Uniblue
[2007/09/27 11:12:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Wave Systems Corp
[2010/02/26 23:41:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Windows Desktop Search
[2009/03/23 22:49:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\helize.HVANVUUREN2\Application Data\Windows Search
[2010/03/08 16:00:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\TuneUp Software
[2010/04/06 11:41:28 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{CB430C20-AAB0-4DF7-8284-B2F87F771447}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2010/02/03 08:17:08 | 014,717,792 | ---- | M] (PC Pitstop LLC ) -- C:\pcmatic-setup.exe
[2010/04/04 21:10:50 | 009,308,032 | ---- | M] (Macrovision Corporation) -- C:\WPAO_en_v1.3_1033.exe


< MD5 for: AGP440.SYS >
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/06/25 10:25:21 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/06/25 10:25:21 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/06/25 10:25:21 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/06/25 10:25:21 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[2004/08/04 07:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 02:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 02:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 02:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 14:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 02:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 02:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 02:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 14:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 14:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 02:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 02:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 02:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/14 02:11:51 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/09/20 10:13:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/09/20 10:13:08 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/09/20 10:13:08 | 000,913,408 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >
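
A note on the "< MD5 for: ... >" blocks in the log above, with an added example (my script, not OTL's code and not something the original poster ran). OTL lists every copy of each queried file it can find; the security-relevant comparison is between the copy Windows actually loads (C:\WINDOWS\system32\drivers\atapi.sys and friends) and the copy laid down by the installed service pack (C:\WINDOWS\ServicePackFiles\i386\...). In this log those hashes agree for agp440.sys, atapi.sys, eventlog.dll, netlogon.dll and scecli.dll; the different hashes under $NtServicePackUninstall$ and ReinstallBackups are the older pre-SP3 versions and are expected. The script parses those blocks and flags any file whose live copy differs from its ServicePackFiles copy. Its input is the AGP440.SYS and ATAPI.SYS entries copied from the log, plus one constructed EXAMPLE.SYS block that is not in the log and exists only to show what a mismatch looks like.

```python
"""Cross-check the '< MD5 for: ... >' sections of an OTL log.

Added example for this thread; not part of OTL and not the poster's own log.
For each queried file, compare the copy Windows loads (system32 or
system32\\drivers) against the installed service-pack copy under
ServicePackFiles\\i386. An in-place patched driver can keep its original
size, so the verdict rests on the hash, not the size.
"""
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>\s*$")
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*"
    r"(?:\.cab file|MD5=(?P<md5>[0-9A-Fa-f]{32}))?\s*"
    r"--\s*(?P<path>.+?)\s*$"
)
REF_PREFIX = "c:\\windows\\servicepackfiles\\i386\\"

# AGP440.SYS and ATAPI.SYS lines are copied from the OTL log in this thread.
# The EXAMPLE.SYS block is CONSTRUCTED (hypothetical file, fake hashes) to
# show a mismatch; it does not describe the poster's machine.
SAMPLE_LOG = r"""
< MD5 for: AGP440.SYS >
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2008/04/13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: EXAMPLE.SYS >
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=0123456789ABCDEF0123456789ABCDEF -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=FEDCBA9876543210FEDCBA9876543210 -- C:\WINDOWS\system32\drivers\example.sys

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/14 02:11:51 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
"""


def parse_md5_sections(log_text):
    """Return {FILENAME: [entry, ...]} for every '< MD5 for: X >' block.

    .cab entries carry no hash and are kept with md5=None; any other
    '< ... >' custom-scan header ends the current section.
    """
    sections = OrderedDict()
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").upper()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if line.startswith("<"):
            current = None
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue
        sections[current].append({
            "size": int(e.group("size").replace(",", "")),
            "company": e.group("company").strip(),
            "md5": e.group("md5").upper() if e.group("md5") else None,
            "path": e.group("path"),
        })
    return sections


def _is_live(path, name):
    """True only for the copy Windows loads; backups under system32 do not count."""
    p, n = path.lower(), name.lower()
    return p in ("c:\\windows\\system32\\" + n, "c:\\windows\\system32\\drivers\\" + n)


def cross_check(log_text):
    """Compare each live copy against its ServicePackFiles copy by MD5."""
    report = OrderedDict()
    for name, entries in parse_md5_sections(log_text).items():
        live = [e for e in entries if e["md5"] and _is_live(e["path"], name)]
        ref = [e for e in entries if e["md5"] and e["path"].lower().startswith(REF_PREFIX)]
        if not live:
            verdict = "no_live_copy"
        elif not ref:
            verdict = "no_reference"
        elif all(e["md5"] == ref[0]["md5"] for e in live):
            verdict = "match"
        else:
            verdict = "mismatch"
        report[name] = {
            "verdict": verdict,
            "live_md5": live[0]["md5"] if live else None,
            "ref_md5": ref[0]["md5"] if ref else None,
            "live_size": live[0]["size"] if live else None,
            "ref_size": ref[0]["size"] if ref else None,
        }
    return report


def flagged(report):
    """Names whose live copy could not be confirmed against the service-pack copy."""
    return [n for n, r in report.items() if r["verdict"] != "match"]


if __name__ == "__main__":
    rep = cross_check(SAMPLE_LOG)
    for name, r in rep.items():
        print(f"{name:12s} {r['verdict']:13s} live={r['live_md5']} ref={r['ref_md5']}")
    print("flagged:", flagged(rep))
```

The ERDNT\cache copies (created on 2010/04/04 together with the other ComboFix support files listed above) are a backup taken during this cleanup, not an independent reference, so the script does not use them; the ServicePackFiles copy is the one that should match. A "no_live_copy" or "no_reference" result means the log did not contain both sides of the comparison, which is worth a second look rather than a pass.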


#14 anna livia (Topic Starter)

Posted 07 April 2010 - 01:41 PM

Hi Tom

The intranet problem was solved today: the fault was on the ITS side of my workplace. So ignore that one... If I could only get help with how to deal with the HijackThis log file, I will be fine (have been busy with the technical hitches for almost two weeks now...).

Regards
anna livia

#15 anna livia (Topic Starter)

Posted 08 April 2010 - 05:48 AM

Hi Tom?

Two days without an answer: am I on my own now?
I sent the full OTL log text, attached again.

Regards
Anna livia

Attached File: OTL_3_.Txt (88.7KB)
