Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

curse client and various other probs


  • This topic is locked This topic is locked
22 replies to this topic

#1 Thegeekatron

Thegeekatron

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:27 PM

Posted 28 May 2013 - 05:22 AM

Hi, 

 

My sister's computer is behaving strangely.  On start up, black screen gives choice to select debugger mode or xp operating system, when selected during startup a popup appears to install curse client, we cannot uninstall skype click to call, and various pop ups keep appearing on chrome to weird addresses/downloads.  For instance, trying to download dds logs program, popup for flash player download appeared (but it was not adobe link).  here is the log, please help.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.21.2
Run by hp at 11:12:47 on 2013-05-28
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.2048.1205 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee Security Scan\3.0.287\SSScheduler.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
c:\program files\avira\antivir desktop\avscan.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
BHO: SelectionLinks: {29AAADC9-DA30-4264-BCC4-D447F7146FC1} - 
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: TopArcadeHits Games: {A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} - c:\documents and settings\hp\local settings\application data\toparcadehits\Toparcadehits.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GoogleChromeAutoLaunch_6F78D0E218FF4E0CAC1C716D79AE7185] "c:\program files\google\chrome\application\chrome.exe" --no-startup-window
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\hp\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.287\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1354577964063
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - 
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{3E817221-6807-4C81-B67C-C2A587DABD88} : DHCPNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
AppInit_DLLs= c:\docume~1\alluse~1\applic~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.94\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-1-11 37352]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-11-29 36768]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-1-11 86752]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-1-11 110816]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-1-11 84744]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2013-5-14 3289208]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2012-12-4 97280]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
R3 voxaldriver;Voxal Filter Driver 2.10.00;c:\windows\system32\drivers\voxaldriverx86.sys [2013-4-15 42576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.287\McCHSvc.exe [2012-9-11 234776]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~2\office\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2013-05-27 15:10:48 -------- d-----r- c:\program files\Skype
2013-05-10 18:35:10 -------- d-----w- c:\documents and settings\hp\local settings\application data\TopArcadeHits
2013-05-08 11:58:11 -------- d-----w- c:\program files\GIMP 2
.
==================== Find3M  ====================
.
2013-05-17 15:53:48 84744 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-05-17 15:53:48 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-05-14 18:04:30 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-14 18:04:30 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-10 18:35:25 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17:14 43520 ------w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17:14 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-15 17:48:13 723230 ----a-w- c:\windows\unins001.exe
2013-04-15 12:10:35 42576 ----a-w- c:\windows\system32\drivers\voxaldriverx86.sys
2013-04-12 23:28:55 385024 ------w- c:\windows\system32\html.iec
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 20:46:10 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-04-04 20:46:10 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-04 13:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-04 04:35:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-12 12:48:19 723230 ----a-w- c:\windows\unins000.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 11:13:33.00 ===============
 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 satchfan

satchfan

  • Malware Response Team
  • 2,661 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Devon, UK
  • Local time:05:27 AM

Posted 28 May 2013 - 06:36 AM

Hello Thegeekatron and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:
 

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

I am looking at your logs now and will reply with instructions shortly.

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 satchfan

satchfan

  • Malware Response Team
  • 2,661 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Devon, UK
  • Local time:05:27 AM

Posted 28 May 2013 - 08:50 AM

Hello again Thegeekatron

According to your logs, you’ve were helped last month at another forum. Can you give me a link to it so that I can see what they did/didn't get rid of?

OK let’s see what is happening here.

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download one of these to your desktop:


for a 32-bt system download this version.
for 64-bit use this one

.

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects –everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.
Please post the contents of the RKreport.txt in your next reply.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.
 

  • run AdwCleaner and select Delete
  • when it has finished it will ask to reboot - allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

thisisujrt.gif Please download Junkware Removal Tool to your desktop.
 

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

Logs to include in the next post:

RKreport.txt
AdwCleaner log
JRT.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#4 Thegeekatron

Thegeekatron
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:27 PM

Posted 28 May 2013 - 10:52 AM

Hi Satchfan, Thanks for your reply. The help I got last time was for my computer, this problem is on a different (my sister's) computer.  Here are the logs

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : hp [Admin rights]
Mode : Scan -- Date : 05/28/2013 16:36:20
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[TASK][SUSP PATH] TopArcadeHits.job : C:\Documents and Settings\hp\Local Settings\Application Data\TopArcadeHits\updater.exe  [7] -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\docume~1\alluse~1\applic~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll) [x] -> FOUND
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xBA6E2F04)
SSDT[41] : NtCreateKey @ 0x8062423A -> HOOKED (Unknown @ 0xBA6E2EBE)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xBA6E2F0E)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xBA6E2EB4)
SSDT[63] : NtDeleteKey @ 0x806246D6 -> HOOKED (Unknown @ 0xBA6E2EC3)
SSDT[65] : NtDeleteValueKey @ 0x806248A6 -> HOOKED (Unknown @ 0xBA6E2ECD)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xBA6E2EFF)
SSDT[98] : NtLoadKey @ 0x8062645E -> HOOKED (Unknown @ 0xBA6E2ED2)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xBA6E2EA0)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xBA6E2EA5)
SSDT[177] : NtQueryValueKey @ 0x8062245E -> HOOKED (Unknown @ 0xBA6E2F27)
SSDT[193] : NtReplaceKey @ 0x8062630E -> HOOKED (Unknown @ 0xBA6E2EDC)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xBA6E2F18)
SSDT[204] : NtRestoreKey @ 0x80625C1A -> HOOKED (Unknown @ 0xBA6E2ED7)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xBA6E2F13)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xBA6E2F1D)
SSDT[247] : NtSetValueKey @ 0x806227AC -> HOOKED (Unknown @ 0xBA6E2EC8)
SSDT[255] : NtSystemDebugControl @ 0x8061820E -> HOOKED (Unknown @ 0xBA6E2F22)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xBA6E2EAF)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0xBA6E2F36)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0xBA6E2F3B)
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: FUJITSU MHV2120BH +++++
--- User ---
[MBR] 856ec555be77006ec16a10c1459c966e
[BSP] 609c09cb06eacec79c17630847f822ef : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114463 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[1]_S_05282013_02d1636.txt >>
RKreport[1]_S_05282013_02d1636.txt
 
 
 
# AdwCleaner v2.301 - Logfile created 05/28/2013 at 16:38:31
# Updated 16/05/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : hp - NC6400
# Boot Mode : Normal
# Running from : C:\Documents and Settings\hp\My Documents\Downloads\adwcleaner (2).exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Deleted on reboot : C:\Documents and Settings\hp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mmlkabjddkpgkgfhdhpimhcbonapngoh
Deleted on reboot : C:\Documents and Settings\hp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mmlkabjddkpgkgfhdhpimhcbonapngoh
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\Google\Chrome\Extensions\mmlkabjddkpgkgfhdhpimhcbonapngoh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mmlkabjddkpgkgfhdhpimhcbonapngoh
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[OK] Registry is clean.
 
-\\ Google Chrome v27.0.1453.94
 
File : C:\Documents and Settings\hp\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [8448 octets] - [12/05/2013 09:17:16]
AdwCleaner[S1].txt - [4490 octets] - [27/04/2013 15:48:09]
AdwCleaner[S2].txt - [8649 octets] - [12/05/2013 09:17:40]
AdwCleaner[S3].txt - [2950 octets] - [28/05/2013 11:04:35]
AdwCleaner[S4].txt - [1593 octets] - [28/05/2013 16:38:31]
 
########## EOF - C:\AdwCleaner[S4].txt - [1653 octets] ##########
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by hp on 28/05/2013 at 16:44:22.17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\torch
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\torch
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{22222222-2222-2222-2222-220222182204}
 
 
 
~~~ Files
 
Successfully deleted: [File] "C:\WINDOWS\system32\roboot.exe"
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\wincert"
Successfully deleted: [Folder] "C:\Documents and Settings\hp\appdata\locallow\datamngr"
Successfully deleted: [Folder] "C:\Documents and Settings\hp\Local Settings\Application Data\torch"
Successfully deleted: [Folder] "C:\Documents and Settings\hp\Local Settings\Application Data\updater21804"
 
 
 
~~~ Chrome
 
Successfully deleted: [Registry Key] hkey_current_user\software\policies\google\chrome\extensioninstallforcelist
Successfully deleted: [Registry Key] hkey_local_machine\software\policies\google\chrome\extensioninstallforcelist
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 28/05/2013 at 16:46:14.17
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#5 satchfan

satchfan

  • Malware Response Team
  • 2,661 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Devon, UK
  • Local time:05:27 AM

Posted 28 May 2013 - 12:08 PM

The help I got last time was for my computer, this problem is on a different (my sister's) computer.
I think you’ll find that this computer has been used at a forum. This entry shows that:

RP2: 04/04/2013 21:51:44 - OTL Restore Point - 04/04/2013 17:39:37


Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again
 
  • close all programs
  • double-click RogueKiller.exe - Windows 7: right-click the program and select Run as Administrator'
  • after it has completed it's prescan click on the “Registry” tab
  • make sure these entries there are checked, then click on Delete:

[TASK][SUSP PATH] TopArcadeHits.job : C:\Documents and Settings\hp\Local Settings\Application Data\TopArcadeHits\updater.exe  [7] -> FOUND
[APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\docume~1\alluse~1\applic~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll) [x] -> FOUND

  • Please include the Delete log in your next post.

    ===================================================

    Uninstall programs

    Uninstall these programs:

    MixiDJ chrome Toolbar
    TopArcadeHits

     
  • click Start, Settings, Control Panel, Add or remove programs
  • click on MixiDJ chrome Toolbar and then Uninstall
  • repeat this for the other program listed above.

===================================================

Download and run OTL
 

  • download OTL to your desktop.
  • double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • click Scan all users.
  • under Custom Scan paste this in


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    DRIVES
    CREATERESTOREPOINT

     

  • click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
  • when the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
  • you may need two posts to fit them both in.

===================================================

Run aswMBR
 

  • download aswMBR.exe to your desktop.
  • double click the aswMBR.exe to run it
  • if asked, accept the AVAST virus definition download
  • click the "Scan" button to start scan
  • on completion of the scan click Save log, save it to your desktop and post in your next reply. Note - do NOT attempt any Fix yet.

Logs to include with next post:

RogueKiller delete log
OTL.txt
Extras.txt
aswMBR log


Thanks

Satchfan
 

 

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#6 Thegeekatron

Thegeekatron
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:27 PM

Posted 28 May 2013 - 12:56 PM

Hi,  yes this computer has been here before but with another username, sorry I thought you were referring to mine with this username.

 

When I run rogue killer after the prescan and click on registry it is completely blank, do you think it removed stuff the last time I ran it?

Shall I continue with the rest of the instructions?



#7 Thegeekatron

Thegeekatron
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:27 PM

Posted 28 May 2013 - 01:02 PM

I tried to uninstall toparcade hits and it insists I restart the computer to complete uninstall which you told me not to do.  I tried to uninstall MixiDJchrome toolbar and it says an error occured but it has disappeared off this list



#8 Thegeekatron

Thegeekatron
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:27 PM

Posted 28 May 2013 - 01:13 PM

OTL logfile created on: 28/05/2013 19:04:50 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\hp\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
2.00 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 71.55% Memory free
3.85 Gb Paging File | 3.29 Gb Available in Paging File | 85.60% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 89.00 Gb Free Space | 79.62% Space Free | Partition Type: NTFS
Drive D: | 468.48 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: NC6400 | User Name: hp | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/05/28 19:03:10 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hp\My Documents\Downloads\OTL.exe
PRC - [2013/05/28 18:51:30 | 000,816,128 | ---- | M] () -- C:\Documents and Settings\hp\My Documents\Downloads\RogueKiller (1).exe
PRC - [2013/05/23 06:44:09 | 000,825,808 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Chrome\Application\chrome.exe
PRC - [2013/05/17 16:53:44 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2013/05/17 16:53:31 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2013/05/17 16:53:28 | 000,345,312 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2013/05/17 16:53:28 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2013/05/14 13:26:12 | 003,289,208 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2013/04/04 05:32:53 | 000,181,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/09/11 17:13:04 | 000,271,808 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\3.0.287\SSScheduler.exe
PRC - [2008/04/14 12:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/18 17:27:12 | 000,013,312 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2006/03/03 16:28:18 | 000,136,736 | ---- | M] (Infineon Technologies AG) -- C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
PRC - [2006/02/27 18:02:06 | 000,581,693 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2006/02/27 18:00:58 | 001,265,748 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013/05/23 06:44:07 | 000,393,168 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\27.0.1453.94\ppgooglenaclpluginchrome.dll
MOD - [2013/05/23 06:43:59 | 004,051,408 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\27.0.1453.94\pdf.dll
MOD - [2013/05/23 06:43:03 | 001,597,392 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\27.0.1453.94\ffmpegsumo.dll
MOD - [2012/09/19 19:17:40 | 000,397,088 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2008/04/14 12:00:00 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2008/04/14 12:00:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2006/02/27 18:03:28 | 000,053,248 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2013/05/17 16:53:44 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2013/05/17 16:53:28 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2013/05/14 19:04:31 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/05/14 13:26:12 | 003,289,208 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2013/04/04 05:32:53 | 000,181,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/09/11 17:12:18 | 000,234,776 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.0.287\McCHSvc.exe -- (McComponentHostService)
SRV - [2008/03/18 17:27:12 | 000,013,312 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2013/05/28 18:51:55 | 000,015,616 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\TrueSight.sys -- (TrueSight)
DRV - [2013/05/17 16:53:48 | 000,135,136 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2013/05/17 16:53:48 | 000,084,744 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2013/05/17 16:53:48 | 000,037,352 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2013/04/15 13:10:35 | 000,042,576 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\voxaldriverx86.sys -- (voxaldriver)
DRV - [2012/08/27 15:50:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2011/01/06 21:27:02 | 000,025,144 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\hpdskflt.sys -- (hpdskflt)
DRV - [2011/01/06 21:26:52 | 000,032,440 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Accelerometer.sys -- (Accelerometer)
DRV - [2010/02/25 01:02:56 | 000,014,904 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008/11/17 16:23:16 | 003,636,864 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32)
DRV - [2008/03/21 17:13:00 | 001,203,776 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2007/12/14 10:21:56 | 000,290,816 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2007/10/31 11:23:20 | 002,236,544 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32)
DRV - [2007/08/28 16:47:36 | 000,146,560 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atswpdrv.sys -- (ATSWPDRV)
DRV - [2007/06/18 17:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/05/09 14:27:00 | 000,097,280 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2007/03/02 13:53:20 | 001,972,224 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/02/27 17:48:20 | 000,401,664 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2006/02/27 17:45:48 | 001,342,602 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2006/02/27 17:43:06 | 000,057,096 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/02/27 17:40:16 | 000,148,168 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2005/11/29 17:56:28 | 000,036,768 | ---- | M] (Infineon Technologies AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\psd.sys -- (PersonalSecureDrive)
DRV - [2005/10/26 11:01:02 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/10/21 12:19:34 | 000,036,352 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2001/08/17 13:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 08 60 CA F6 11 36 CE 01  [binary data]
IE - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com
IE - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@nsroblox.roblox.com/launcher: C:\Documents and Settings\hp\Local Settings\Application Data\RobloxVersions\version-54257e546c7e4443\\NPRobloxProxy.dll ()
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\hp\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
 
[2013/05/10 19:35:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\hp\Application Data\Mozilla\Extensions
[2013/04/18 19:12:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Roblox Launcher Plugin (Enabled) = C:\Documents and Settings\hp\Local Settings\Application Data\RobloxVersions\version-54257e546c7e4443\\NPRobloxProxy.dll
CHR - plugin: Unity Player (Enabled) = C:\Documents and Settings\hp\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 7 U21 (Enabled) = C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: Skype Click to Call = C:\Documents and Settings\hp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\6.9.0.12585_0\
 
O1 HOSTS File: ([2013/02/19 18:47:25 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (SelectionLinks) - {29AAADC9-DA30-4264-BCC4-D447F7146FC1} - C:\Program Files\OApps\SelectionLinks.dll File not found
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003..\RunOnce: [TopArcadeHits114] C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
O4 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003..\RunOnce: [TopArcadeHits209] cmd.exe /c rmdir "C:\Documents and Settings\hp\Local Settings\Application Data\TopArcadeHits" /s /q File not found
O4 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003..\RunOnce: [TopArcadeHits477] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003..\RunOnce: [TopArcadeHits759] cmd.exe /c rmdir "C:\Documents and Settings\hp\Start Menu\Programs\TopArcadeHits\" /s /q File not found
O4 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003..\RunOnce: [TopArcadeHits781] cmd.exe /c rmdir "C:\Documents and Settings\hp\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}" /s /q File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.287\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\hp\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1354577964063 (WUWebControl Class)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455}  (ExentInf Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3E817221-6807-4C81-B67C-C2A587DABD88}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\IfxWlxEN: DllName - (IfxWlxEN.dll) - C:\WINDOWS\System32\IfxWlxEN.dll (Infineon Technologies AG)
O24 - Desktop WallPaper: C:\Documents and Settings\hp\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\hp\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/12/03 11:22:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/08/06 10:04:06 | 000,000,067 | RH-- | M] () - D:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
NetSvcs: 6to4 -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Iprip -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: WmdmPmSp -  File not found
 
CREATERESTOREPOINT 
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/05/28 16:43:51 | 000,000,000 | ---D | C] -- C:\JRT
[2013/05/28 16:35:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hp\Desktop\RK_Quarantine
[2013/05/27 16:11:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hp\Application Data\Skype
[2013/05/27 16:10:48 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2013/05/27 16:10:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2013/05/10 19:35:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hp\Start Menu\Programs\TopArcadeHits
[2013/05/10 19:35:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hp\Application Data\Mozilla
[2013/05/10 19:35:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hp\Local Settings\Application Data\TopArcadeHits
[2013/05/08 15:49:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hp\My Documents\school homework (with all the work)
[2013/05/08 12:58:11 | 000,000,000 | ---D | C] -- C:\Program Files\GIMP 2
[2013/05/04 20:39:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\NCH Software Suite
[2013/05/04 20:39:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Audio Related Programs
 
========== Files - Modified Within 30 Days ==========
 
[2013/05/28 19:04:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/05/28 19:00:20 | 000,000,416 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A79C6E64-B59E-4203-9D68-B94E93E5743F}.job
[2013/05/28 18:52:00 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/05/28 18:51:55 | 000,015,616 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2013/05/28 16:52:00 | 000,000,874 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/05/28 16:41:48 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/05/28 16:41:00 | 000,000,362 | ---- | M] () -- C:\WINDOWS\tasks\Sing Along Update.job
[2013/05/28 16:40:35 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\ROC_JAN2013_TB_rmv.job
[2013/05/28 16:40:35 | 000,000,272 | ---- | M] () -- C:\WINDOWS\tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-790525478-1303643608-1801674531-1003.job
[2013/05/28 16:40:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/05/26 18:53:33 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/05/25 19:47:52 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/05/17 16:53:48 | 000,135,136 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2013/05/17 16:53:48 | 000,084,744 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2013/05/17 16:53:48 | 000,037,352 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\WINDOWS\System32\drivers\avkmgr.sys
[2013/05/16 18:24:19 | 000,114,968 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/05/16 06:57:45 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\hp\Desktop\Microsoft Word.lnk
[2013/05/16 06:19:32 | 000,492,948 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/05/16 06:19:32 | 000,083,596 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/05/16 06:13:41 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/05/14 19:04:30 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/05/14 19:04:30 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/05/12 09:32:01 | 000,000,266 | ---- | M] () -- C:\WINDOWS\tasks\MixPadReminder.job
[2013/05/10 19:35:25 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\TempWmicBatchFile.bat
[2013/05/07 05:27:31 | 006,015,488 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2013/05/04 20:39:27 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MixPad.lnk
[2013/05/04 15:59:00 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-790525478-1303643608-1801674531-1003.job
 
========== Files Created - No Company Name ==========
 
[2013/05/28 18:51:55 | 000,015,616 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2013/05/16 06:11:20 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2013/05/06 09:32:50 | 000,000,266 | ---- | C] () -- C:\WINDOWS\tasks\MixPadReminder.job
[2013/05/04 20:39:27 | 000,000,751 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MixPad.lnk
[2013/05/04 20:39:27 | 000,000,745 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MixPad.lnk
[2013/04/18 19:14:27 | 000,000,752 | ---- | C] () -- C:\WINDOWS\animatordv.INI
[2013/04/18 19:12:34 | 000,000,064 | ---- | C] () -- C:\WINDOWS\GPlrLanc.dat
[2013/04/15 18:48:39 | 000,723,230 | ---- | C] () -- C:\WINDOWS\unins001.exe
[2013/04/15 18:48:39 | 000,048,014 | ---- | C] () -- C:\WINDOWS\unins001.dat
[2013/04/15 13:10:35 | 000,042,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\voxaldriverx86.sys
[2013/04/15 12:48:01 | 000,000,096 | ---- | C] () -- C:\Documents and Settings\hp\Local Settings\Application Data\rbxcsettings.rbx
[2013/03/12 13:48:22 | 000,723,230 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2013/03/12 13:48:22 | 000,219,287 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2013/03/12 13:39:02 | 000,000,408 | ---- | C] () -- C:\Documents and Settings\hp\Application Data\CamShapes.ini
[2013/03/12 13:39:02 | 000,000,408 | ---- | C] () -- C:\Documents and Settings\hp\Application Data\CamLayout.ini
[2013/03/12 13:39:02 | 000,000,046 | ---- | C] () -- C:\Documents and Settings\hp\Application Data\Camdata.ini
[2013/03/12 13:37:12 | 000,004,509 | ---- | C] () -- C:\Documents and Settings\hp\Application Data\CamStudio.cfg
[2013/02/19 21:03:06 | 000,000,058 | ---- | C] () -- C:\Documents and Settings\hp\jagex_cl_runescape_LIVE.dat
[2013/02/19 21:03:06 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\hp\random.dat
[2013/02/19 10:26:11 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2013/02/03 12:50:48 | 000,134,189 | ---- | C] () -- C:\WINDOWS\hpwins10.dat
[2013/02/03 12:50:37 | 000,010,385 | ---- | C] () -- C:\WINDOWS\hpwscr10.dat
[2013/02/03 12:50:36 | 000,001,042 | ---- | C] () -- C:\WINDOWS\hpwmdl10.dat
[2013/01/15 09:02:41 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/01/14 20:53:49 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2013/01/12 18:21:18 | 000,032,256 | ---- | C] () -- C:\Documents and Settings\hp\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/12/04 01:00:19 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/12/03 11:25:10 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/12/03 11:18:49 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/12/02 10:34:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/12/02 10:32:42 | 000,114,968 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
 
========== ZeroAccess Check ==========
 
[2013/04/15 11:58:45 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2012/08/30 21:29:36 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 13:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 12:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Custom Scans ==========
 
< %SYSTEMDRIVE%\*.exe >
 
< MD5 for: EXPLORER.EXE  >
[2008/04/14 12:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\erdnt\cache\explorer.exe
[2008/04/14 12:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 12:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe
 
< MD5 for: SERVICES.EXE  >
[2009/02/06 12:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/14 12:00:00 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe
[2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\erdnt\cache\services.exe
[2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
 
< MD5 for: SVCHOST.EXE  >
[2008/04/14 12:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\erdnt\cache\svchost.exe
[2008/04/14 12:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/14 12:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
 
< MD5 for: USERINIT.EXE  >
[2008/04/14 12:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\erdnt\cache\userinit.exe
[2008/04/14 12:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 12:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
 
< MD5 for: WINLOGON.EXE  >
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/14 12:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\erdnt\cache\winlogon.exe
[2008/04/14 12:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 12:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe
 
< %systemroot%\*. /rp /s >
 
========== Drive Information ==========
 
Physical Drives
---------------
 
Drive: \\\\.\\PHYSICALDRIVE0 - Fixed\thard disk media
Interface type: IDE
Media Type: Fixed\thard disk media
Model: FUJITSU MHV2120BH
Partitions: 1
Status: OK
Status Info: 0
 
Partitions
---------------
 
DeviceID: Disk #0, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 112.00GB
Starting Offset: 32256
Hidden sectors: 0
 
 
========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction
[C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 -> Junction
[C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35] -> C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 -> Junction
 
< End of report >

OTL Extras logfile created on: 28/05/2013 19:04:50 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\hp\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
2.00 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 71.55% Memory free
3.85 Gb Paging File | 3.29 Gb Available in Paging File | 85.60% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 89.00 Gb Free Space | 79.62% Space Free | Partition Type: NTFS
Drive D: | 468.48 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: NC6400 | User Name: hp | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- "C:\Documents and Settings\hp\Application Data\File Scout\filescout.exe" /open "%1"
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Search Results Toolbar\Datamngr\SRTOOL~1\dtUser.exe" = C:\Program Files\Search Results Toolbar\Datamngr\SRTOOL~1\dtUser.exe:*:Enabled:Search-Results Toolbar DTX Broker
"C:\Program Files\Java\jre7\bin\javaw.exe" = C:\Program Files\Java\jre7\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Oracle Corporation)
"C:\Documents and Settings\hp\Local Settings\Apps\2.0\N803D8M4.5W3\6W34WVJ9.1L1\curs..tion_9e9e83ddf3ed3ead_0005.0001_35ab96b41397406c\CurseClient.exe" = C:\Documents and Settings\hp\Local Settings\Apps\2.0\N803D8M4.5W3\6W34WVJ9.1L1\curs..tion_9e9e83ddf3ed3ead_0005.0001_35ab96b41397406c\CurseClient.exe:*:Enabled:Curse Client 4.0
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{10bdf115-2236-4c6d-8a40-7d74e77b05b7}_is1" = Audio Editor
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{26A24AE4-039D-4CA4-87B4-2F83217017FF}" = Java 7 Update 21
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 J1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3C43EAE7-22C0-4b33-ABFB-3757ECA5FD7B}" = HP Officejet All-In-One Series
"{3DD2E9EA-0544-4162-B8BE-E21E994E9F3B}" = LEGO Racers 2
"{3F4EC965-28EF-45C3-B063-04B25D4E9679}" = HP Integrated Module with Bluetooth wireless technology
"{40BA976E-38B8-4C63-990C-50999C8C3521}" = BPD_Scan
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4BA3DDD4-BC91-48B2-8896-7A02C34829D7}" = HP Embedded Security for ProtectTools
"{529125EF-E3AC-4B74-97E6-F688A7C0F1BF}" = Paint.NET v3.5.10
"{739126B3-1C80-4F1F-8D19-312A19633E1A}_is1" = Screen Recorder
"{767B964C-D9B4-422D-802B-F7ACBE2D310A}" = TIPCI
"{7F362F06-A9A3-440F-8B19-6A01A72723C4}" = AuthenTec Fingerprint Sensor Minimum Install
"{92C5DB3D-9D6F-4324-BB11-57825F4C2635}" = DVD Decoder Pak for Windows XP
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom NetXtreme Ethernet Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 2.0.2
"Avira AntiVir Desktop" = Avira Free Antivirus
"Bejeweled Twist 1.0" = Bejeweled Twist 1.0
"Blender" = Blender
"ESET Online Scanner" = ESET Online Scanner v3
"Google Chrome" = Google Chrome
"ie8" = Windows Internet Explorer 8
"InstallShield_{767B964C-D9B4-422D-802B-F7ACBE2D310A}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Map001" = 001 Game Creator 1.010.009
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft.Net.Client.3.5" = Microsoft .NET Framework Client Profile
"MixPad" = MixPad
"MSNINST" = MSN
"RapidTyping" = RapidTyping
"singalong@xenophesoft.com" = Sing Along
"sl-dlca" = SelectionLinks
"SONICADVDX" = SONIC ADVENTURE DX-Director's Cut
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ToneGen" = NCH Tone Generator
"Voxal" = Voxal Voice Changer
"WavePad" = WavePad Sound Editor
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WordBiz_0" = WordBiz 1.8.7
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-790525478-1303643608-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{2922D6F1-2865-4EFA-97A9-94EEAB3AFA14}" = ROBLOX Studio 2013 for hp
"Screencast-O-Matic" = Screencast-O-Matic
"UnityWebPlayer" = Unity Web Player
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 27/05/2013 06:14:32 | Computer Name = NC6400 | Source = Application Error | ID = 1000
Description = Faulting application msfeedssync.exe, version 8.0.6001.18702, faulting
 module mshtml.dll, version 8.0.6001.23487, fault address 0x000892d1.
 
Error - 27/05/2013 06:19:26 | Computer Name = NC6400 | Source = Application Error | ID = 1000
Description = Faulting application msfeedssync.exe, version 8.0.6001.18702, faulting
 module mshtml.dll, version 8.0.6001.23487, fault address 0x000892d1.
 
Error - 27/05/2013 06:24:20 | Computer Name = NC6400 | Source = Application Error | ID = 1000
Description = Faulting application msfeedssync.exe, version 8.0.6001.18702, faulting
 module mshtml.dll, version 8.0.6001.23487, fault address 0x000892d1.
 
Error - 27/05/2013 06:24:22 | Computer Name = NC6400 | Source = Application Error | ID = 1001
Description = Fault bucket -683515821.
 
Error - 27/05/2013 06:29:14 | Computer Name = NC6400 | Source = Application Error | ID = 1000
Description = Faulting application msfeedssync.exe, version 8.0.6001.18702, faulting
 module mshtml.dll, version 8.0.6001.23487, fault address 0x000892d1.
 
Error - 27/05/2013 06:34:08 | Computer Name = NC6400 | Source = Application Error | ID = 1000
Description = Faulting application msfeedssync.exe, version 8.0.6001.18702, faulting
 module mshtml.dll, version 8.0.6001.23487, fault address 0x000892d1.
 
Error - 27/05/2013 06:39:02 | Computer Name = NC6400 | Source = Application Error | ID = 1000
Description = Faulting application msfeedssync.exe, version 8.0.6001.18702, faulting
 module mshtml.dll, version 8.0.6001.23487, fault address 0x000892d1.
 
Error - 27/05/2013 06:44:56 | Computer Name = NC6400 | Source = Application Error | ID = 1000
Description = Faulting application msfeedssync.exe, version 8.0.6001.18702, faulting
 module mshtml.dll, version 8.0.6001.23487, fault address 0x000892d1.
 
Error - 27/05/2013 06:49:49 | Computer Name = NC6400 | Source = Application Error | ID = 1000
Description = Faulting application msfeedssync.exe, version 8.0.6001.18702, faulting
 module mshtml.dll, version 8.0.6001.23487, fault address 0x000892d1.
 
Error - 28/05/2013 05:26:23 | Computer Name = NC6400 | Source = IFXWlxEN | ID = 2687344
Description = Failed to create instance of IWlxEvent interface.
 
[ System Events ]
Error - 28/05/2013 05:27:09 | Computer Name = NC6400 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
 failed to start because of the following error:   %%31
 
Error - 28/05/2013 05:27:09 | Computer Name = NC6400 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
 failed to start because of the following error:   %%31
 
Error - 28/05/2013 05:27:09 | Computer Name = NC6400 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   AFD  avipbb  avkmgr  Fips  intelppm  IPSec  MRxSmb  NetBIOS  NetBT  RasAcd  Rdbss  ssmdrv  Tcpip  WS2IFSL
 
Error - 28/05/2013 05:52:18 | Computer Name = NC6400 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error - 28/05/2013 05:54:07 | Computer Name = NC6400 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service MSIServer with
 arguments ""  in order to run the server:  {000C101C-0000-0000-C000-000000000046}
 
Error - 28/05/2013 05:55:01 | Computer Name = NC6400 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
 arguments ""  in order to run the server:  {BA126AE5-2166-11D1-B1D0-00805FC1270E}
 
Error - 28/05/2013 05:55:02 | Computer Name = NC6400 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
 arguments ""  in order to run the server:  {BA126AE5-2166-11D1-B1D0-00805FC1270E}
 
Error - 28/05/2013 05:55:36 | Computer Name = NC6400 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service IFXSpMgtSrv
 with arguments "-Service"  in order to run the server:  {FBCD9C6A-72CB-47BB-99DD-2317551491DE}
 
Error - 28/05/2013 05:55:36 | Computer Name = NC6400 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
 with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error - 28/05/2013 11:28:58 | Computer Name = NC6400 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
 address 0019D2C01E73 has been  denied by the DHCP server 192.168.1.254 (The DHCP 
Server sent a DHCPNACK message).
 
 
< End of report >


#9 Thegeekatron

Thegeekatron
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:27 PM

Posted 28 May 2013 - 01:43 PM

Here is the last log - all done apart from the rogue killer which as I said shows me a blank registry page after the prescan
 
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-28 19:16:14
-----------------------------
19:16:14.718    OS Version: Windows 5.1.2600 Service Pack 3
19:16:14.718    Number of processors: 2 586 0xF06
19:16:14.718    ComputerName: NC6400  UserName: hp
19:16:15.546    Initialize success
19:28:57.218    AVAST engine defs: 13052800
19:29:54.093    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:29:54.093    Disk 0 Vendor: FUJITSU_MHV2120BH 00000029 Size: 114473MB BusType: 3
19:29:54.296    Disk 0 MBR read successfully
19:29:54.296    Disk 0 MBR scan
19:29:54.390    Disk 0 Windows XP default MBR code
19:29:54.390    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       114463 MB offset 63
19:29:54.421    Disk 0 scanning sectors +234420480
19:29:54.468    Disk 0 scanning C:\WINDOWS\system32\drivers
19:30:07.234    Service scanning
19:30:30.046    Modules scanning
19:30:37.734    Disk 0 trace - called modules:
19:30:37.750    ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys atapi.sys intelide.sys PCIIDEX.SYS 
19:30:37.750    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d63ab8]
19:30:37.781    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x89d779c0]
19:30:37.781    5 hpdskflt.sys[ba3395ae] -> nt!IofCallDriver -> \Device\00000096[0x89d68f18]
19:30:37.781    7 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89d78940]
19:30:38.468    AVAST engine scan C:\WINDOWS
19:30:42.953    AVAST engine scan C:\WINDOWS\system32
19:34:22.125    AVAST engine scan C:\WINDOWS\system32\drivers
19:34:37.828    AVAST engine scan C:\Documents and Settings\hp
19:40:50.078    AVAST engine scan C:\Documents and Settings\All Users
19:41:13.796    Scan finished successfully
19:41:37.375    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\hp\Desktop\MBR.dat"
19:41:37.406    The log file has been saved successfully to "C:\Documents and Settings\hp\Desktop\aswMBR.txt"


#10 Thegeekatron

Thegeekatron
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:27 PM

Posted 28 May 2013 - 01:56 PM

ok i ran the rogue killer scan and delete here is the log
 
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : hp [Admin rights]
Mode : Remove -- Date : 05/28/2013 19:56:00
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\RunOnce : TopArcadeHits209 (cmd.exe /c rmdir "C:\Documents and Settings\hp\Local Settings\Application Data\TopArcadeHits" /s /q) [x] -> DELETED
[RUN][SUSP PATH] HKCU\[...]\RunOnce : TopArcadeHits781 (cmd.exe /c rmdir "C:\Documents and Settings\hp\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}" /s /q) [x] -> DELETED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xBA7F4F4C)
SSDT[41] : NtCreateKey @ 0x8062423A -> HOOKED (Unknown @ 0xBA7F4F06)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xBA7F4F56)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xBA7F4EFC)
SSDT[63] : NtDeleteKey @ 0x806246D6 -> HOOKED (Unknown @ 0xBA7F4F0B)
SSDT[65] : NtDeleteValueKey @ 0x806248A6 -> HOOKED (Unknown @ 0xBA7F4F15)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xBA7F4F47)
SSDT[98] : NtLoadKey @ 0x8062645E -> HOOKED (Unknown @ 0xBA7F4F1A)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xBA7F4EE8)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xBA7F4EED)
SSDT[177] : NtQueryValueKey @ 0x8062245E -> HOOKED (Unknown @ 0xBA7F4F6F)
SSDT[193] : NtReplaceKey @ 0x8062630E -> HOOKED (Unknown @ 0xBA7F4F24)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xBA7F4F60)
SSDT[204] : NtRestoreKey @ 0x80625C1A -> HOOKED (Unknown @ 0xBA7F4F1F)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xBA7F4F5B)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xBA7F4F65)
SSDT[247] : NtSetValueKey @ 0x806227AC -> HOOKED (Unknown @ 0xBA7F4F10)
SSDT[255] : NtSystemDebugControl @ 0x8061820E -> HOOKED (Unknown @ 0xBA7F4F6A)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xBA7F4EF7)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0xBA7F4F7E)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0xBA7F4F83)
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: FUJITSU MHV2120BH +++++
--- User ---
[MBR] 856ec555be77006ec16a10c1459c966e
[BSP] 609c09cb06eacec79c17630847f822ef : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114463 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[3]_D_05282013_02d1956.txt >>
RKreport[1]_S_05282013_02d1636.txt ; RKreport[2]_S_05282013_02d1953.txt ; RKreport[3]_D_05282013_02d1956.txt


#11 Thegeekatron

Thegeekatron
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:27 PM

Posted 28 May 2013 - 02:00 PM

On the rogue killer all the registry items were checked and I deleted them all (about 5 or 6)- is that ok or have I over done it?



#12 satchfan

satchfan

  • Malware Response Team
  • 2,661 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Devon, UK
  • Local time:05:27 AM

Posted 29 May 2013 - 03:35 AM

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
These were not to have been selected. I only asked you to make sure that the first two were selected.

No harm done this time but please take care to read the instructions properly because damage can be done by deleting the wrong entries.

I tried to uninstall toparcade hits and it insists I restart the computer to complete uninstall which you told me not to do.  I tried to uninstall MixiDJchrome toolbar and it says an error occured but it has disappeared off this list
It is OK to restart the computer now so please check that they are no longer installed and also uninstall sl-dlca by SelectionLinks while you are in Add/remove programs.

===================================================

Note: If you have MalwareBytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix as it may interfere with the successfully execution of the script below.

Run OTL
 
  • double click on the icon to run it.
  • copy/paste ALL the following text written inside the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Services
    
    :OTL
    O2 - BHO: (SelectionLinks) - {29AAADC9-DA30-4264-BCC4-D447F7146FC1} - C:\Program Files\OApps\SelectionLinks.dll File not found
    O4 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003..\RunOnce: [TopArcadeHits114] C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
    O4 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003..\RunOnce: [TopArcadeHits209] cmd.exe /c rmdir "C:\Documents and Settings\hp\Local Settings\Application Data\TopArcadeHits" /s /q File not found
    O4 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003..\RunOnce: [TopArcadeHits477] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003..\RunOnce: [TopArcadeHits759] cmd.exe /c rmdir "C:\Documents and Settings\hp\Start Menu\Programs\TopArcadeHits\" /s /q File not found
    O4 - HKU\S-1-5-21-790525478-1303643608-1801674531-1003..\RunOnce: [TopArcadeHits781] cmd.exe /c rmdir "C:\Documents and Settings\hp\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}" /s /q File not found
    [2013/05/10 19:35:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hp\Start Menu\Programs\TopArcadeHits
    [2013/05/10 19:35:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hp\Local Settings\Application Data\TopArcadeHits
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • click the Run Fix button at the top
  • let the program run unhindered, reboot when it is done
  • please post the OTL fix log

===================================================

Download and run ComboFix

Download ComboFix from the following location:

Link

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, as they may otherwise interfere with our tools. See here  for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    IftheCFrecconsisalreadyinstalled.jpg


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    WhenCFrecconsisinstalled.jpg


    Click on Yes, to continue scanning for malware.

Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

When finished, it will produce a log.   Please include the ComboFix.txt in your next reply. It can be found at C:\ComboFix.txt

Logs to include in the next post:

OTL fix log
New OTL log
ComboFix.txt


Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#13 satchfan

satchfan

  • Malware Response Team
  • 2,661 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Devon, UK
  • Local time:05:27 AM

Posted 02 June 2013 - 08:01 AM

Hi Thegeekatron

 

It has been several days since I sent my last set of instructions to help with your computer problem.

 

Please let me know if you are having problems.

 

Thanks

 

Satchfan


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#14 Thegeekatron

Thegeekatron
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:27 PM

Posted 02 June 2013 - 02:04 PM

I did what you said, the same problems were there but her computer has literally died now... When you turn the computer on the screen stays black and a light which usually flashes to show the hard drive is working, is not lightning up. I can't get into safe mode or anything else the screen just stays black. PLEASE help!



#15 satchfan

satchfan

  • Malware Response Team
  • 2,661 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Devon, UK
  • Local time:05:27 AM

Posted 02 June 2013 - 03:09 PM

When you turn the computer on the screen stays black and a light which usually flashes to show the hard drive is working, is not lightning up
That doesn’t sound like a malware problem but let’s try something to find out.


This is assuming that you have a flash drive.

Run Farbar Recovery Scan Tool

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.
 
  • restart the computer.
  • as soon as the BIOS is loaded begin tapping the F8 key until “Advanced Boot Options” appears.
  • follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter
  • in the next menu, use the arrow keys on the keyboard to select Command Prompt and press Enter
  • in the command window type in notepad and press Enter
  • the notepad opens. Under “File” menu select Open
  • select "Computer" and find your flash drive letter and close the notepad
  • in the command window type e:\frst.exe and press Enter

    Note: Replace letter e with the drive letter of your flash drive
     
  • the tool will start to run
  • when the tool opens click Yes to disclaimer
  • press the Scan button
  • it will produce a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Satchfan

 

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users