Space on D disk is shrinking, no matter what I do, virus or?


This topic is locked. 5 replies to this topic.

#1 yellow submarine (Members, 2 posts)

Posted 29 September 2012 - 09:21 AM

My C disk is constantly running out of space. I've gotten from 8 GB to 200 MB, and even if I delete files, I get some extra space for a short time, then it keeps shrinking again. When I run TreeSize it shows that 69.4% of Windows is taken up by installer files. I ran Avast and Spybot but they don't show any sign of virus or malware.
I tried ComboFix, here is the log, if that helps.


ComboFix 12-09-27.03 - User 22.09.2012 0:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.2038.1303 [GMT 2:00]
Running from: c:\desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\User\WINDOWS
c:\program files\SecureW2
c:\program files\SecureW2\SecureW2 TTLS Client\Uninstall.exe
c:\windows\system32\CddbCdda.dll
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\SET1D5.tmp
c:\windows\system32\SET1D9.tmp
c:\windows\system32\SET1E1.tmp
c:\windows\system32\Thumbs.db
c:\windows\system32\wpcap.dll
D:\~WRL0001.tmp
D:\~WRL0003.tmp
D:\~WRL0005.tmp
D:\~WRL0052.tmp
D:\~WRL0066.tmp
D:\~WRL0084.tmp
D:\~WRL0121.tmp
D:\~WRL0130.tmp
D:\~WRL0160.tmp
D:\~WRL0172.tmp
D:\~WRL0188.tmp
D:\~WRL0242.tmp
D:\~WRL0249.tmp
D:\~WRL0278.tmp
D:\~WRL0298.tmp
D:\~WRL0303.tmp
D:\~WRL0316.tmp
D:\~WRL0340.tmp
D:\~WRL0342.tmp
D:\~WRL0371.tmp
D:\~WRL0414.tmp
D:\~WRL0425.tmp
D:\~WRL0442.tmp
D:\~WRL0446.tmp
D:\~WRL0493.tmp
D:\~WRL0507.tmp
D:\~WRL0511.tmp
D:\~WRL0515.tmp
D:\~WRL0520.tmp
D:\~WRL0521.tmp
D:\~WRL0526.tmp
D:\~WRL0549.tmp
D:\~WRL0568.tmp
D:\~WRL0586.tmp
D:\~WRL0632.tmp
D:\~WRL0634.tmp
D:\~WRL0638.tmp
D:\~WRL0644.tmp
D:\~WRL0680.tmp
D:\~WRL0721.tmp
D:\~WRL0722.tmp
D:\~WRL0723.tmp
D:\~WRL0724.tmp
D:\~WRL0762.tmp
D:\~WRL0765.tmp
D:\~WRL0770.tmp
D:\~WRL0773.tmp
D:\~WRL0812.tmp
D:\~WRL0817.tmp
D:\~WRL0830.tmp
D:\~WRL0847.tmp
D:\~WRL0848.tmp
D:\~WRL0849.tmp
D:\~WRL0852.tmp
D:\~WRL0854.tmp
D:\~WRL0880.tmp
D:\~WRL0888.tmp
D:\~WRL0902.tmp
D:\~WRL0906.tmp
D:\~WRL0911.tmp
D:\~WRL0918.tmp
D:\~WRL0941.tmp
D:\~WRL0961.tmp
D:\~WRL0963.tmp
D:\~WRL0970.tmp
D:\~WRL0984.tmp
D:\~WRL0991.tmp
D:\~WRL0992.tmp
D:\~WRL0993.tmp
D:\~WRL1000.tmp
D:\~WRL1010.tmp
D:\~WRL1028.tmp
D:\~WRL1045.tmp
D:\~WRL1053.tmp
D:\~WRL1086.tmp
D:\~WRL1089.tmp
D:\~WRL1118.tmp
D:\~WRL1125.tmp
D:\~WRL1126.tmp
D:\~WRL1135.tmp
D:\~WRL1155.tmp
D:\~WRL1189.tmp
D:\~WRL1212.tmp
D:\~WRL1241.tmp
D:\~WRL1253.tmp
D:\~WRL1284.tmp
D:\~WRL1297.tmp
D:\~WRL1315.tmp
D:\~WRL1342.tmp
D:\~WRL1390.tmp
D:\~WRL1391.tmp
D:\~WRL1406.tmp
D:\~WRL1441.tmp
D:\~WRL1498.tmp
D:\~WRL1514.tmp
D:\~WRL1530.tmp
D:\~WRL1534.tmp
D:\~WRL1539.tmp
D:\~WRL1544.tmp
D:\~WRL1657.tmp
D:\~WRL1677.tmp
D:\~WRL1705.tmp
D:\~WRL1706.tmp
D:\~WRL1710.tmp
D:\~WRL1734.tmp
D:\~WRL1743.tmp
D:\~WRL1769.tmp
D:\~WRL1780.tmp
D:\~WRL1784.tmp
D:\~WRL1787.tmp
D:\~WRL1810.tmp
D:\~WRL1849.tmp
D:\~WRL1875.tmp
D:\~WRL1892.tmp
D:\~WRL1897.tmp
D:\~WRL1901.tmp
D:\~WRL1908.tmp
D:\~WRL1914.tmp
D:\~WRL1923.tmp
D:\~WRL1934.tmp
D:\~WRL1942.tmp
D:\~WRL1963.tmp
D:\~WRL1974.tmp
D:\~WRL1988.tmp
D:\~WRL1994.tmp
D:\~WRL2021.tmp
D:\~WRL2023.tmp
D:\~WRL2033.tmp
D:\~WRL2045.tmp
D:\~WRL2047.tmp
D:\~WRL2090.tmp
D:\~WRL2105.tmp
D:\~WRL2134.tmp
D:\~WRL2144.tmp
D:\~WRL2199.tmp
D:\~WRL2231.tmp
D:\~WRL2253.tmp
D:\~WRL2274.tmp
D:\~WRL2276.tmp
D:\~WRL2284.tmp
D:\~WRL2290.tmp
D:\~WRL2302.tmp
D:\~WRL2305.tmp
D:\~WRL2329.tmp
D:\~WRL2333.tmp
D:\~WRL2343.tmp
D:\~WRL2344.tmp
D:\~WRL2363.tmp
D:\~WRL2405.tmp
D:\~WRL2407.tmp
D:\~WRL2410.tmp
D:\~WRL2455.tmp
D:\~WRL2459.tmp
D:\~WRL2485.tmp
D:\~WRL2497.tmp
D:\~WRL2500.tmp
D:\~WRL2520.tmp
D:\~WRL2545.tmp
D:\~WRL2571.tmp
D:\~WRL2582.tmp
D:\~WRL2601.tmp
D:\~WRL2616.tmp
D:\~WRL2628.tmp
D:\~WRL2631.tmp
D:\~WRL2644.tmp
D:\~WRL2652.tmp
D:\~WRL2684.tmp
D:\~WRL2698.tmp
D:\~WRL2699.tmp
D:\~WRL2733.tmp
D:\~WRL2751.tmp
D:\~WRL2752.tmp
D:\~WRL2758.tmp
D:\~WRL2759.tmp
D:\~WRL2777.tmp
D:\~WRL2780.tmp
D:\~WRL2782.tmp
D:\~WRL2787.tmp
D:\~WRL2837.tmp
D:\~WRL2841.tmp
D:\~WRL2850.tmp
D:\~WRL2851.tmp
D:\~WRL2855.tmp
D:\~WRL2856.tmp
D:\~WRL2863.tmp
D:\~WRL2883.tmp
D:\~WRL2912.tmp
D:\~WRL2930.tmp
D:\~WRL2941.tmp
D:\~WRL2950.tmp
D:\~WRL2987.tmp
D:\~WRL2993.tmp
D:\~WRL3006.tmp
D:\~WRL3014.tmp
D:\~WRL3031.tmp
D:\~WRL3032.tmp
D:\~WRL3033.tmp
D:\~WRL3036.tmp
D:\~WRL3037.tmp
D:\~WRL3040.tmp
D:\~WRL3041.tmp
D:\~WRL3089.tmp
D:\~WRL3090.tmp
D:\~WRL3103.tmp
D:\~WRL3202.tmp
D:\~WRL3210.tmp
D:\~WRL3213.tmp
D:\~WRL3226.tmp
D:\~WRL3236.tmp
D:\~WRL3239.tmp
D:\~WRL3250.tmp
D:\~WRL3284.tmp
D:\~WRL3315.tmp
D:\~WRL3333.tmp
D:\~WRL3347.tmp
D:\~WRL3356.tmp
D:\~WRL3366.tmp
D:\~WRL3371.tmp
D:\~WRL3382.tmp
D:\~WRL3394.tmp
D:\~WRL3401.tmp
D:\~WRL3404.tmp
D:\~WRL3416.tmp
D:\~WRL3417.tmp
D:\~WRL3436.tmp
D:\~WRL3445.tmp
D:\~WRL3510.tmp
D:\~WRL3526.tmp
D:\~WRL3537.tmp
D:\~WRL3543.tmp
D:\~WRL3578.tmp
D:\~WRL3586.tmp
D:\~WRL3596.tmp
D:\~WRL3608.tmp
D:\~WRL3625.tmp
D:\~WRL3633.tmp
D:\~WRL3638.tmp
D:\~WRL3662.tmp
D:\~WRL3690.tmp
D:\~WRL3696.tmp
D:\~WRL3718.tmp
D:\~WRL3721.tmp
D:\~WRL3726.tmp
D:\~WRL3727.tmp
D:\~WRL3737.tmp
D:\~WRL3753.tmp
D:\~WRL3814.tmp
D:\~WRL3842.tmp
D:\~WRL3846.tmp
D:\~WRL3859.tmp
D:\~WRL3866.tmp
D:\~WRL3889.tmp
D:\~WRL3892.tmp
D:\~WRL3911.tmp
D:\~WRL3917.tmp
D:\~WRL3929.tmp
D:\~WRL3930.tmp
D:\~WRL3939.tmp
D:\~WRL3944.tmp
D:\~WRL3950.tmp
D:\~WRL3956.tmp
D:\~WRL3972.tmp
D:\~WRL3980.tmp
D:\~WRL3992.tmp
D:\~WRL3998.tmp
D:\~WRL4016.tmp
D:\~WRL4021.tmp
D:\~WRL4028.tmp
D:\~WRL4036.tmp
D:\~WRL4051.tmp
D:\~WRL4055.tmp
D:\~WRL4057.tmp
D:\~WRL4068.tmp
D:\~WRL4078.tmp
D:\~WRL4096.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-08-21 to 2012-09-21 )))))))))))))))))))))))))))))))
.
.
2012-09-19 23:04 . 2012-09-19 23:04 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\VS Revo Group
2012-09-19 23:04 . 2009-12-30 09:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-09-05 19:16 . 2012-09-05 19:16 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-09-02 01:11 . 2012-09-02 01:11 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-09-01 04:34 . 2012-09-01 04:34 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-28 15:14 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2012-08-21 09:13 . 2012-04-23 12:07 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:13 . 2010-10-21 22:59 355632 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-21 09:13 . 2010-10-21 22:59 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-21 09:13 . 2010-10-21 22:59 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-08-21 09:13 . 2010-10-21 22:59 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-08-21 09:13 . 2010-10-21 22:59 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-08-21 09:13 . 2010-10-21 22:59 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-21 09:13 . 2010-10-21 22:59 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-08-21 09:12 . 2010-10-21 22:58 41224 ----a-w- c:\windows\avastSS.scr
2012-08-21 09:12 . 2010-10-21 22:58 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-15 21:44 . 2012-07-15 21:44 2560 -c--a-w- c:\windows\_MSRSTRT.EXE
2012-07-06 13:58 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2007-09-08 15:58 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-09-02 01:11 . 2012-02-13 00:45 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetIconOverlay]
@="{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}"
[HKEY_CLASSES_ROOT\CLSID\{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}]
2011-05-09 04:10 194416 ----a-w- c:\program files\Nuance\Nuance Cloud Connector\GlOverlayIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetUploading]
@="{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}"
[HKEY_CLASSES_ROOT\CLSID\{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}]
2011-05-09 04:13 194416 ----a-w- c:\program files\Nuance\Nuance Cloud Connector\GlOverlayIconU.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-11-01 322352]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"PMHandler"="c:\windows\system32\PMHandler.exe" [2006-05-20 24576]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 16116224]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 89542]
"PrintDisp"="c:\windows\system32\PrintDisp.exe" [2011-01-03 976896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"OmniPage Preload"="c:\program files\Nuance\OmniPage18\OmniPage18.exe" [2011-05-10 2983200]
"Nuance OmniPage 18-reminder"="c:\program files\Nuance\OmniPage18\Ereg\Ereg.exe" [2010-10-27 333088]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Nuance Cloud Connector.lnk - c:\program files\Nuance\Nuance Cloud Connector\GladLauncher.exe [2011-5-9 87920]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 16:04 2879488 -c--a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-11-01 18:14 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Nuance\\OmniPage18\\OmniPage18.exe"=
"c:\\Program Files\\Nuance\\OmniPage18\\PPMV.exe"=
"c:\\Program Files\\Nuance\\OmniPage18\\Ereg\\Ereg.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\GladinetClient.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\WOSVSSSvr.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\WOSVSSSvr2003.exe"=
"c:\\Program Files\\Nuance\\Nuance Cloud Connector\\WOSVSSSvrXP32.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [23.4.2012 14:07 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [22.10.2010 0:59 355632]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [21.12.2005 14:09 10240]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22.10.2010 0:59 21256]
R2 GladFileMonSvc;GladFileMonSvc;c:\program files\Nuance\Nuance Cloud Connector\GladFileMonSvc.exe [9.5.2011 6:18 29552]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1.6.2008 9:13 34064]
R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [27.9.2011 18:56 65536]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15.1.2010 14:49 227232]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [22.5.2012 21:47 114144]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [20.9.2012 1:04 27064]
S3 s1039bus;Sony Ericsson Device 1039 driver (WDM);c:\windows\system32\drivers\s1039bus.sys [14.12.2010 17:36 98672]
S3 s1039mdfl;Sony Ericsson Device 1039 USB WMC Modem Filter;c:\windows\system32\drivers\s1039mdfl.sys [14.12.2010 17:36 14960]
S3 s1039mdm;Sony Ericsson Device 1039 USB WMC Modem Driver;c:\windows\system32\drivers\s1039mdm.sys [14.12.2010 17:36 124016]
S3 s1039mgmt;Sony Ericsson Device 1039 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1039mgmt.sys [14.12.2010 17:36 117872]
S3 s1039nd5;Sony Ericsson Device 1039 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1039nd5.sys [14.12.2010 17:36 25456]
S3 s1039obex;Sony Ericsson Device 1039 USB WMC OBEX Interface;c:\windows\system32\drivers\s1039obex.sys [14.12.2010 17:36 113904]
S3 s1039unic;Sony Ericsson Device 1039 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1039unic.sys [14.12.2010 17:36 123504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - REVOFLT
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-21 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2012-07-02 09:12]
.
2012-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1303643608-1801674531-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-07 16:55]
.
2012-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1303643608-1801674531-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-07 16:55]
.
2012-09-20 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-10-26 20:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://isearch.avg.com/?cid={FEDFA5DB-432F-4EB7-89EA-C786FFC9FEF1}&mid=111b569532aa4d478e320801b1bc0923-626ebfc1b7cde23ec9f28a17d786794ccb0c3f8f&lang=en&ds=hk011&pr=sa&d=2012-06-24 20:59&v=11.1.0.7&sap=hp
uInternet Settings,ProxyServer = ftp=localhost:8080;gopher=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
uInternet Settings,ProxyOverride = <local>;127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\al8wd1vk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1750559&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxps://www.google.hr/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B9c2b38f0-db19-400b-b576-ed280805874a%7D&mid=111b569532aa4d478e320801b1bc0923-626ebfc1b7cde23ec9f28a17d786794ccb0c3f8f&ds=hk011&v=11.1.0.7&lang=en&pr=sa&d=2012-06-24%2020%3A59%3A11&sap=ku&q=
FF - prefs.js: network.proxy.type - 4
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-OpAgent - OpAgent.exe
AddRemove-SecureW2 TTLS Client - c:\program files\SecureW2\SecureW2 TTLS Client\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-22 00:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-1303643608-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:13,8c,b7,d2,40,eb,53,04,0f,d7,cd,a5,8e,1c,61,17,e9,aa,0c,3c,a0,4b,57,
17,3b,be,eb,d0,72,0c,34,19,5c,41,58,b9,bd,8c,db,b7,2e,53,2a,f1,dd,b6,99,f0,\
"??"=hex:ff,ae,b6,8f,a2,43,c8,2d,8e,6d,b9,4a,a5,1d,09,7a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\igfxdev.dll
.
Completion time: 2012-09-22 00:53:19
ComboFix-quarantined-files.txt 2012-09-21 22:53
.
Pre-Run: 377.372.672 bytes free
Post-Run: 920.211.456 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - 56A782EB7636FC24A4687712169C0AB6

Edited by hamluis, 29 September 2012 - 09:25 AM.
Moved from Am I Infected to Malware Removal Logs - Hamluis.
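Whichever way the disk-space question resolves, the log above carries a few settings a responder would want to look at before moving on: the Windows Firewall is off for the standard profile (EnableFirewall=0), TCP 3389 (Remote Desktop) is in the globally open ports list, WinINet is set to send every protocol through a proxy on localhost:8080 and localhost:1080, Firefox is set to auto-detect a proxy (network.proxy.type 4), and the start page and default search point at isearch.avg.com and search.conduit.com. The script below is an added example, not part of the thread and not ComboFix output: it pulls those items out of a ComboFix log. The sample lines are a subset copied from the log above; the allowlist of expected search hosts is an assumption made for the example.

```python
"""Added example, not part of the forum thread: triage a ComboFix log for
settings a responder would want to look at before blaming disk usage on
malware. The sample lines are copied from the log posted above (a subset,
not the whole log); the checks and their wording are mine, not ComboFix's."""
import re
from typing import Dict, List, Set

Finding = Dict[str, str]

# Assumption for this example: the hosts this user would expect as start page
# or search provider. Any other host in those settings is reported for review.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "google.com", "www.google.hr"}

# Meaning of Firefox's network.proxy.type preference values.
FF_PROXY_TYPES = {"0": "direct", "1": "manual", "2": "PAC URL",
                  "4": "auto-detect (WPAD)", "5": "system settings"}

# Constructed sample: selected lines from the posted log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
uStart Page = hxxp://isearch.avg.com/?cid={FEDFA5DB-432F-4EB7-89EA-C786FFC9FEF1}&mid=111b569532aa4d478e320801b1bc0923-626ebfc1b7cde23ec9f28a17d786794ccb0c3f8f&lang=en&ds=hk011&pr=sa&d=2012-06-24 20:59&v=11.1.0.7&sap=hp
uInternet Settings,ProxyServer = ftp=localhost:8080;gopher=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
uInternet Settings,ProxyOverride = <local>;127.0.0.1
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1750559&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxps://www.google.hr/
FF - prefs.js: network.proxy.type - 4
"""


def triage_combofix(log_text: str) -> List[Finding]:
    """Walk the log line by line and return {'check', 'detail'} findings."""
    findings: List[Finding] = []
    section = ""   # lower-cased text of the current [registry key] header
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        if line == ".":                 # ComboFix ends a block with a lone '.'
            section = ""
            continue

        # 1. Windows Firewall switched off for the standard (non-domain) profile.
        if "firewallpolicy" in section and re.match(r'"EnableFirewall"\s*=\s*0\b', line):
            findings.append({"check": "firewall_disabled",
                             "detail": "EnableFirewall=0 under " + section})

        # 2. Ports opened on every interface; 3389 is Remote Desktop.
        if "globallyopenports" in section:
            match = re.match(r'"(\d+):(TCP|UDP)"\s*=', line)
            if match:
                port, proto = match.groups()
                tag = " (Remote Desktop)" if port == "3389" else ""
                findings.append({"check": "open_port",
                                 "detail": f"{port}/{proto} open globally{tag}"})

        # 3. WinINet (IE) proxy pointing at a listener on this machine.
        if line.startswith("uInternet Settings,ProxyServer"):
            value = line.split("=", 1)[1]
            local_ports = sorted({
                entry.rsplit(":", 1)[1]
                for entry in value.split(";")
                if ":" in entry
                and entry.split("=", 1)[-1].rsplit(":", 1)[0].strip() in ("localhost", "127.0.0.1")
            })
            if local_ports:
                findings.append({"check": "local_proxy",
                                 "detail": "proxy = localhost ports " + ",".join(local_ports)
                                           + "; identify the process listening there"})

        # 4. Firefox proxy mode other than "direct" (4 = trust WPAD on the LAN).
        if line.startswith("FF - prefs.js: network.proxy.type"):
            code = line.rsplit("-", 1)[1].strip()
            if code != "0":
                findings.append({"check": "ff_proxy_mode",
                                 "detail": f"network.proxy.type={code} "
                                           f"({FF_PROXY_TYPES.get(code, 'unknown')})"})

        # 5. Start page / search provider hosts outside the expected set.
        if line.startswith(("uStart Page", "FF - prefs.js: browser.search",
                            "FF - prefs.js: browser.startup.homepage",
                            "FF - prefs.js: keyword.URL")):
            for host in re.findall(r"hxxps?://([^/\s?]+)", line):
                if host.lower() not in EXPECTED_SEARCH_HOSTS:
                    findings.append({"check": "search_host",
                                     "detail": f"{host} configured as start page or search provider"})
    return findings


def checks_present(findings: List[Finding]) -> Set[str]:
    """Names of the checks that fired, for a quick summary or a test."""
    return {f["check"] for f in findings}


if __name__ == "__main__":
    for finding in triage_combofix(SAMPLE_LOG):
        print(f"{finding['check']:18} {finding['detail']}")
```

None of these findings is proof of infection on its own: a localhost proxy can be a leftover from a filtering or ad-blocking tool, and Remote Desktop may have been opened deliberately. They are the items to verify on the machine itself (netstat -ano to see which process owns ports 8080 and 1080, and whether RDP is meant to be reachable) before deciding the box is clean.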



#2 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 30 September 2012 - 02:59 PM

Hello yellow submarine, and welcome to BC!! :thumbsup:

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.

==========

Step :step1:

Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

Step :step2:

Run a Combofix Script


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy the text in the codebox below, then paste it into the empty notepad:

Firefox::
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\al8wd1vk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1750559&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B9c2b38f0-db19-400b-b576-ed280805874a%7D&mid=111b569532aa4d478e320801b1bc0923-626ebfc1b7cde23ec9f28a17d786794ccb0c3f8f&ds=hk011&v=11.1.0.7&lang=en&pr=sa&d=2012-06-24%2020%3A59%3A11&sap=ku&q=
FF - prefs.js: network.proxy.type - 4

ClearJavaCache::
Save this as CFScript.txt, in the same location as ComboFix.exe


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


==========

Step :step3:

Now I'll need the attach.txt from a DDS scan (it will be minimized after the scan runs):
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the DDS results, and the attach.txt will be minimized. Please copy and paste the attach.txt in your next reply!
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

==========

Step :step4:

aswMBR scan

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

==========

What I would like to see in your next reply!

  • The Combofix log
  • The minimized attach.txt from the DDS scan
  • The aswMBR log
bloopie

#3 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 03 October 2012 - 05:11 PM

Hello again,

Are you still with me? :)

This is a 3-Day Bump! If you still wish to receive help please follow the instructions in my last post.

If you do not respond in another 48 hours, I will be forced to close this topic!

bloopie

#4 yellow submarine (Topic Starter, Members, 2 posts)

Posted 04 October 2012 - 10:31 AM

I am very sorry, but in the end I have solved the problem by downloading Windows Installer Clean Up Utility, and running Msizap. It cleared up 12GB from my C disk. Thank you very much for your help and thanks for your advice :)
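The fix the poster landed on removes cached packages from %WINDIR%\Installer that Windows Installer no longer references. The script below is an added example, not from the thread and not msizap's code: it does the audit half of that job, listing the .msi and .msp files in the cache that no registered product or patch points at, with sizes, and deletes nothing. The registry locations are the documented Windows Installer UserData keys; the sample cache dictionary is constructed so the comparison can run off a Windows machine. The caveat a practitioner wants here: a cached package that a registered product still references is what Windows Installer uses for repair, patching and uninstall of that product, and Microsoft later withdrew the Windows Installer CleanUp Utility because it could damage installations, so report first and delete (or move to another volume) only what nothing claims.

```python
r"""Added example, not part of the forum thread: list cached Windows Installer
packages (%WINDIR%\Installer\*.msi, *.msp) that no registered product or patch
still points at. Those orphans are what the poster's msizap run removed; this
script only reports them and deletes nothing. The registry locations are the
documented Windows Installer ones; the rest of the code is mine."""
import os
import sys
from typing import Dict, Iterable, Iterator, List, Set, Tuple

if sys.platform == "win32":
    import winreg

USERDATA = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData"


def find_orphans(cached: Dict[str, int], referenced: Iterable[str]) -> List[Tuple[str, int]]:
    """cached: {full path: size in bytes} for files in the Installer folder.
    referenced: LocalPackage paths read from the registry.
    Paths compare case-insensitively (NTFS is case-preserving, not
    case-sensitive). Returns (path, size) for unreferenced files, largest first."""
    wanted = {p.lower() for p in referenced}
    orphans = [(p, size) for p, size in cached.items() if p.lower() not in wanted]
    return sorted(orphans, key=lambda item: (-item[1], item[0].lower()))


def cache_contents(installer_dir: str = "") -> Dict[str, int]:
    """Windows only: sizes of every .msi/.msp in the Installer folder.
    Listing that folder needs an administrative token."""
    installer_dir = installer_dir or os.path.join(
        os.environ.get("WINDIR", r"C:\Windows"), "Installer")
    sizes: Dict[str, int] = {}
    for name in os.listdir(installer_dir):
        path = os.path.join(installer_dir, name)
        if name.lower().endswith((".msi", ".msp")) and os.path.isfile(path):
            sizes[path] = os.path.getsize(path)
    return sizes


def _subkeys(key) -> Iterator[str]:
    """Enumerate subkey names until EnumKey raises (no more items)."""
    index = 0
    while True:
        try:
            yield winreg.EnumKey(key, index)
        except OSError:
            return
        index += 1


def registered_packages() -> Set[str]:
    r"""Windows only: every LocalPackage value under
    HKLM\...\Installer\UserData\<SID>\Products\<squid>\InstallProperties and
    HKLM\...\Installer\UserData\<SID>\Patches\<squid>."""
    refs: Set[str] = set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERDATA) as userdata:
        for sid in _subkeys(userdata):
            for kind, tail in (("Products", r"\InstallProperties"), ("Patches", "")):
                try:
                    container = winreg.OpenKey(userdata, sid + "\\" + kind)
                except OSError:
                    continue
                with container:
                    for squid in _subkeys(container):
                        try:
                            with winreg.OpenKey(container, squid + tail) as props:
                                refs.add(winreg.QueryValueEx(props, "LocalPackage")[0])
                        except OSError:
                            pass        # entry without a cached package
    return refs


# Constructed sample so the comparison can be exercised off-box.
SAMPLE_CACHE = {
    r"C:\Windows\Installer\1a2b3c.msi": 52_428_800,
    r"C:\Windows\Installer\4d5e6f.msp": 10_485_760,
    r"C:\Windows\Installer\789abc.msi": 104_857_600,
}
SAMPLE_REFS = [r"c:\windows\installer\1A2B3C.msi"]   # differs from the cache entry only in case


if __name__ == "__main__":
    if sys.platform == "win32":
        orphans = find_orphans(cache_contents(), registered_packages())
    else:
        orphans = find_orphans(SAMPLE_CACHE, SAMPLE_REFS)
    for path, size in orphans:
        print(f"{size / 2**20:10.1f} MiB  {path}")
    total = sum(size for _, size in orphans)
    print(f"{total / 2**20:10.1f} MiB unreferenced in {len(orphans)} file(s)")
```

Run it from an elevated prompt on the affected machine; on anything else it runs the comparison against the constructed sample. If the unreferenced total is anywhere near what TreeSize attributes to the Installer folder, the space is explained without malware; if it is small, the growth is coming from referenced packages (repeated patch installs) or from somewhere else entirely.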

#5 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 04 October 2012 - 11:13 AM

Not a problem, and thanks for letting me know! :thumbup2:

Stay safe and best regards,


bloopie :)

#6 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 04 October 2012 - 11:13 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



