1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

Malware And Trogen Problems

Discussion in 'Malware Removal Help' started by wendy, Jan 18, 2010.

  1. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
    Hi[fokkkkknthhhkdkfj="Arial Bhhhlack"] having probles
     

    Attached Files:

  2. BeeCeeBee

    BeeCeeBee ADMINISTRATOR IN MEMORY

    Joined:
    Apr 20, 2009
    Messages:
    7,201
    Location:
    New Jersey "Stronger than the Storm"
    Operating System:
    Windows 7
    I take it you are having problems and you want someone to read a HJT log. Please explain what is going on and please do not put links in your post unless they are needed as part of the explanation. I have removed a link to an unknown twitter page. Thank you!:)
     
  3. schrauber

    schrauber Guest

    Hello, wendy1
    Welcome to the ComputerHelp Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.



    Please take note of some guidelines for this fix:
    • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
    • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
    • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
    • Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
    • Please set your system to show all files.
      Click Start, open My Computer, select the Tools menu and click Folder Options.
      Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
      Uncheck: Hide file extensions for known file types
      Uncheck the Hide protected operating system files (recommended) option.
      Click Yes to confirm.


    Please explain the problems with your system. The main problem I can see is that you hate Windows Update and did not visit the last years ;)
     
  4. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home

    hiya I am trying to sort a laptop of my friends this laptop has a virus Trojen I think I loaded norton and they remotely have tried to fix the computer but then asked me for £69.00 extra to delete the virus which i could not afford nor could they (why I should pay after buying the product anyway!) so I then downloaded a free program called advanced system care which gave me a hijack file I am now lost and need your help to fix this computer in save mode all ok (well seems ok) I have down what you have told me the previous post and will wait futher instructions from you
     
  5. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
    So sorry for that I have sent the report from the infected computer it was a hijack report and I did not know what this was, I have posted this on schrauber post and i hope he can help me. thanks again
    wendy
     
  6. schrauber

    schrauber Guest

    Hi,

    here we go:


    Step 1

    Your Microsoft Windows installation is out of date and you are using an unpatched version of Windows XP. Before we can proceed any further, please update to Service Pack 1a and install All CRITICAL Updates and security patches except SP2 which will help to prevent crippling malware attacks. Without doing this first, you are wide open to re-infection and other high security risks which are prone to an unpatched system and we are just wasting our time. If you are not sure how to do this, see How to use Microsoft Update. By applying all critical updates, you will close many of these security holes which make your computer vulnerable and not keep getting reinfected while cleaning your machine.

    Further, using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure or infected computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, spammers have more platforms from which to send e-mail and more machines become compromised. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer.

    Please download Windows XP Service Pack 1a Express Install (32-Bit) for End Users. Apply the patch and reboot.
    Then return to Microsoft's Update Page and install any remaining critical updates for your computer except SP2.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

    Please ensure you follow the above instructions BEFORE running HijackThis again and posting back with a new log.

    Again, DO NOT update to Service pack 2. Doing so before your computer is clean from malware can cause Windows to become unstable. According to Microsoft, malware seems to be the number one cause of problems when upgrading to XP SP2. You may apply that update when your system has been disinfected and is clean.



    Step 2

    1. Please download OTL from one of the following mirrors:
    2. Save it to your desktop.
    3. Double click on the [​IMG] icon on your desktop.
    4. Under the Custom Scan box paste this in
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized



    Step 3

    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

      [​IMG]
    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.
     
  7. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
    Wish me luck just checking do i leave advanced spycare on or delete it
    Cheers
    wendy
     
  8. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
    hiya tried to download windows pack clicked on the link but message coming up Bad request HTTP ERROR the request is badly formed I then went on to Windows site to down load this service pack 1a as you said but it will not let me download this file can make any suggestions please
     
  9. schrauber

    schrauber Guest

    Do you get any error message when you try to download it from Microsoft?
     
  10. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
    yes I do on that laptop but I have just downloaded on my computer and will try and save it on disc what do you think but it wont let me down load from the infected laptop
     
  11. schrauber

    schrauber Guest

    Yes, try to download it from another system and transfer it to this one. We cannot start fighting the baddies before sp1a is installed :).
     
  12. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
    hiya did that it ran ok but message came up
    setup has detected tjattje service pack version of the system installed is newer than the update you are apply to it
    you can only instal this update on service pack 1

    next
     
  13. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
    also checked the version
    microsoft window xp professional
    verson 5.12600
    service pack 2
    build 2600
    hope that helps
     
  14. schrauber

    schrauber Guest

    Did you checked that at the infected system?? :blink:

    Please run the two tools from my above instructions and post back with the logfiles.
     
  15. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
    hiya sorry did not understand which tools from the above section could you please tell me again
    Thanks so sorry to be a pain
    wendy
     
  16. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
    Also on the infection computer something is not right we know that but it will not let me go onto the mircrosoft update webpage at all just says bad request HTTP 400 is something not set up I have checked on updates but also wend looking in file add or remove programs it also comes up on windows as custom and if i change it to microsoft window it just goes back to custom set hope that helps a little
    regards
    wendy
     
  17. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
    OTL logfile created on: 20/01/2010 12:39:40 - Run 1
    OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Tasha Z\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    502.00 Mb Total Physical Memory | 166.00 Mb Available Physical Memory | 33.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 74.00% Paging File free
    Paging file location(s): c:\pagefile.sys 756 1512 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 93.15 Gb Total Space | 83.73 Gb Free Space | 89.88% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: TASHA
    Current User Name: Tasha Z
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/01/20 12:26:26 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tasha Z\Desktop\OTL.exe
    PRC - [2010/01/06 15:33:06 | 02,335,952 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    PRC - [2009/02/06 18:21:00 | 00,224,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Toolbar\wltuser.exe
    PRC - [2009/01/14 17:53:02 | 00,226,656 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    PRC - [2007/06/13 10:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    PRC - [2004/08/04 10:00:00 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE


    ========== Modules (SafeList) ==========

    MOD - [2010/01/20 12:26:26 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tasha Z\Desktop\OTL.exe
    MOD - [2010/01/19 17:17:09 | 00,027,648 | ---- | M] () -- C:\WINDOWS\system32\__c007B6B4.dat
    MOD - [2006/08/25 15:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2009/11/14 09:10:05 | 00,050,688 | ---- | M] () [Auto | Start_Pending] -- C:\WINDOWS\system32\fio32.dll -- (fioo32)
    SRV - [2009/08/05 22:48:42 | 00,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
    SRV - [2009/01/14 17:53:02 | 00,226,656 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
    SRV - [2006/12/18 22:30:18 | 00,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
    SRV - [2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel(R)
    SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
    SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.co.uk/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\..\URLSearchHook: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIObi.dll (Conduit Ltd.)
    IE - HKCU\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - Reg Error: Key error. File not found
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Google"
    FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
    FF - prefs.js..browser.search.selectedEngine: "Google"

    FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2007/09/23 13:00:04 | 00,000,000 | ---D | M]

    [2007/11/07 21:38:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tasha Z\Application Data\Mozilla\Firefox\Profiles\uykhn9v0.default\extensions

    O1 HOSTS File: ([2010/01/18 17:09:15 | 00,000,000 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
    O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C75C8E7E-5059-4469-AC11-D7544B260382} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKCU\..\Toolbar\WebBrowser: (IObitCom Toolbar) - {31C7D459-9CC3-44F2-9DCA-FC11795309B4} - C:\Program Files\IObitCom\tbIObi.dll (Conduit Ltd.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O4 - HKCU..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
    O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Tasha Z\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: Wallpaper =
    O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
    O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
    O15 - HKCU\..Trusted Domains: 8 domain(s) and sub-domain(s) not assigned to a zone.
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images ocache/funwebproducts/ei-4/SmileyCentralInitialSetup1.0.1.1.cab (Reg Error: Value error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.4 85.255.112.14
    O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\system32\msdxm.ocx ()
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\__c007B6B4: DllName - C:\WINDOWS\system32\__c007B6B4.dat - C:\WINDOWS\system32\__c007B6B4.dat ()
    O20 - Winlogon\Notify\A3dxq: DllName - C:\WINDOWS\System32\a3dx8.dll - C:\WINDOWS\System32\a3dx8.dll File not found
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
    O24 - Desktop Components:1 () - http://www.orange.co.uk/
    O24 - Desktop WallPaper: C:\Documents and Settings\Tasha Z\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tasha Z\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/12/18 22:35:04 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - comfile [open] -- "%1" %*
    O35 - exefile [open] -- "%1" %*

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (53765113575899136)

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/01/20 12:26:19 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tasha Z\Desktop\OTL.exe
    [2010/01/17 10:13:30 | 00,000,000 | ---D | C] -- C:\Program Files\MyWebSearch
    [2010/01/17 10:12:40 | 00,000,000 | ---D | C] -- C:\Program Files\FunWebProducts
    [2010/01/16 23:33:09 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Sync Framework
    [2010/01/16 23:07:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tasha Z\My Documents\Downloads
    [2010/01/16 23:01:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tasha Z\Local Settings\Application Data\Temp
    [2010/01/16 22:27:00 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Tasha Z\My Documents\Copy of My Music
    [2010/01/16 22:25:44 | 00,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
    [2010/01/16 18:25:58 | 00,000,000 | ---D | C] -- C:\Program Files\IObitCom
    [2010/01/16 18:25:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tasha Z\Local Settings\Application Data\IObitCom
    [2010/01/16 18:25:58 | 00,000,000 | ---D | C] -- C:\Program Files\Conduit
    [2010/01/16 18:25:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tasha Z\Local Settings\Application Data\Conduit
    [2010/01/16 18:25:50 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
    [2010/01/16 18:25:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tasha Z\Application Data\IObit
    [2010/01/16 18:24:32 | 09,537,816 | ---- | C] (IObit ) -- C:\Documents and Settings\Tasha Z\My Documents\asc-setup.exe
    [2010/01/16 16:45:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Logfiles
    [2010/01/16 16:45:05 | 00,000,000 | ---D | C] -- C:\Inetpub
    [2010/01/15 18:47:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tasha Z\Local Settings\Application Data\Identities
    [2010/01/14 21:53:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2010/01/14 21:22:20 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2010/01/14 12:05:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tasha Z\Local Settings\Application Data\ICS
    [2010/01/14 12:05:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\LMI5.tmp
    [2010/01/13 22:57:09 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
    [2010/01/13 22:01:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360
    [2010/01/13 22:01:21 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
    [2010/01/13 20:28:35 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
    [2010/01/13 20:28:33 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
    [2010/01/13 20:27:36 | 00,000,000 | ---D | C] -- C:\Config.Msi
    [2010/01/13 19:17:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tasha Z\Tracing
    [2010/01/13 19:15:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
    [2010/01/13 19:15:12 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live
    [2010/01/13 15:23:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
    [2010/01/13 10:21:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tasha Z\Desktop\mike
    [2010/01/12 13:40:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tasha Z\Desktop\sue doc
    [2010/01/12 12:17:12 | 00,092,672 | ---- | C] (LogMeIn Inc.) -- C:\WINDOWS\rdr_1263298621.exe
    [2010/01/12 11:38:52 | 00,092,672 | ---- | C] (LogMeIn Inc.) -- C:\WINDOWS\rdr_1263296326.exe
    [2010/01/12 11:23:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tasha Z\Local Settings\Application Data\Symantec
    [2010/01/12 11:23:24 | 00,092,672 | ---- | C] (LogMeIn Inc.) -- C:\WINDOWS\rdr_1263295382.exe
    [2010/01/12 10:38:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
    [2010/01/12 10:36:16 | 00,092,672 | ---- | C] (LogMeIn Inc.) -- C:\WINDOWS\rdr_1263292567.exe
    [2010/01/12 10:35:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
    [2010/01/12 10:22:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
    [2010/01/12 10:12:48 | 00,092,672 | ---- | C] (LogMeIn Inc.) -- C:\WINDOWS\rdr_1263291159.exe
    [2010/01/12 10:12:40 | 00,000,000 | ---D | C] -- C:\Program Files\webserver
    [2007/07/27 13:55:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
    [2007/07/27 13:55:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
    [2007/05/30 11:08:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
    [2007/05/30 11:08:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
    [2006/12/18 22:34:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    [2006/12/18 22:34:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
    [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 14 Days ==========

    [2010/01/20 12:26:26 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tasha Z\Desktop\OTL.exe
    [2010/01/20 12:06:06 | 00,000,986 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1500820517-725345543-1003UA.job
    [2010/01/20 12:03:02 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/01/20 12:03:00 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/01/19 21:50:17 | 08,538,476 | -H-- | M] () -- C:\Documents and Settings\Tasha Z\Local Settings\Application Data\IconCache.db
    [2010/01/19 21:40:32 | 00,002,444 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/01/19 21:31:12 | 03,932,160 | -H-- | M] () -- C:\Documents and Settings\Tasha Z\NTUSER.DAT
    [2010/01/19 17:20:57 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Tasha Z\ntuser.ini
    [2010/01/19 17:17:09 | 00,027,648 | ---- | M] () -- C:\WINDOWS\System32\__c007B6B4.dat
    [2010/01/18 17:09:15 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/01/17 10:35:07 | 00,315,408 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/01/17 10:35:07 | 00,041,586 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/01/17 10:35:06 | 00,360,124 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/01/16 23:06:00 | 00,000,934 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1500820517-725345543-1003Core.job
    [2010/01/16 22:17:15 | 00,005,569 | ---- | M] () -- C:\Documents and Settings\Tasha Z\My Documents\My Favorite Theme.theme
    [2010/01/16 18:56:28 | 00,502,752 | ---- | M] () -- C:\Documents and Settings\Tasha Z\My Documents\cfremover.exe
    [2010/01/16 18:25:56 | 00,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
    [2010/01/16 18:25:19 | 09,537,816 | ---- | M] (IObit ) -- C:\Documents and Settings\Tasha Z\My Documents\asc-setup.exe
    [2010/01/15 19:27:04 | 00,003,739 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/01/15 18:31:51 | 52,659,8144 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
    [2010/01/14 23:20:16 | 00,000,162 | -H-- | M] () -- C:\Documents and Settings\Tasha Z\My Documents\~$ssage to Natasha Skye Zeraschi.doc
    [2010/01/14 21:57:52 | 00,000,779 | ---- | M] () -- C:\Documents and Settings\Tasha Z\Desktop\Launch Internet Explorer Browser.lnk
    [2010/01/14 18:31:15 | 61,551,4112 | -HS- | M] () -- C:\NRTPage.sys
    [2010/01/14 18:03:27 | 00,000,211 | ---- | M] () -- C:\boot.ini
    [2010/01/14 18:03:27 | 00,000,000 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/01/14 18:03:27 | 00,000,000 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/01/14 16:09:04 | 00,000,107 | ---- | M] () -- C:\xcrashdump.dat
    [2010/01/13 20:13:16 | 00,001,743 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    [2010/01/13 19:42:48 | 00,195,368 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/01/13 19:17:14 | 00,043,832 | ---- | M] () -- C:\Documents and Settings\Tasha Z\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    [2010/01/13 10:24:35 | 25,753,6806 | ---- | M] () -- C:\Documents and Settings\Tasha Z\Desktop\photos 1.zip
    [2010/01/12 12:48:44 | 00,002,473 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Global.sw2
    [2010/01/12 12:45:59 | 00,099,207 | ---- | M] () -- C:\WINDOWS\System32\windev-peers.ini
    [2010/01/12 12:43:59 | 00,002,675 | -HS- | M] () -- C:\WINDOWS\System32\BcfgfMoq.ini
    [2010/01/12 12:42:59 | 00,002,626 | -HS- | M] () -- C:\WINDOWS\System32\BcfgfMoq.ini2
    [2010/01/12 12:17:12 | 00,092,672 | ---- | M] (LogMeIn Inc.) -- C:\WINDOWS\rdr_1263298621.exe
    [2010/01/12 11:38:52 | 00,092,672 | ---- | M] (LogMeIn Inc.) -- C:\WINDOWS\rdr_1263296326.exe
    [2010/01/12 11:23:24 | 00,092,672 | ---- | M] (LogMeIn Inc.) -- C:\WINDOWS\rdr_1263295382.exe
    [2010/01/12 11:10:55 | 00,001,683 | ---- | M] () -- C:\WINDOWS\rdr_1263294652.exe
    [2010/01/12 11:10:51 | 00,001,683 | ---- | M] () -- C:\WINDOWS\rdr_1263294647.exe
    [2010/01/12 11:10:46 | 00,001,683 | ---- | M] () -- C:\WINDOWS\rdr_1263294639.exe
    [2010/01/12 10:36:16 | 00,092,672 | ---- | M] (LogMeIn Inc.) -- C:\WINDOWS\rdr_1263292567.exe
    [2010/01/12 10:21:17 | 00,000,453 | ---- | M] () -- C:\WINDOWS\ODBC.INI
    [2010/01/12 10:12:48 | 00,092,672 | ---- | M] (LogMeIn Inc.) -- C:\WINDOWS\rdr_1263291159.exe
    [2010/01/12 10:12:39 | 00,000,002 | ---- | M] () -- C:\WINDOWS\010112010146114101.xxe
    [2010/01/12 10:12:21 | 00,000,002 | ---- | M] () -- C:\WINDOWS\010112010146115116.xxe
    [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/01/16 23:01:25 | 00,000,986 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1500820517-725345543-1003UA.job
    [2010/01/16 23:01:24 | 00,000,934 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1500820517-725345543-1003Core.job
    [2010/01/16 18:56:04 | 00,502,752 | ---- | C] () -- C:\Documents and Settings\Tasha Z\My Documents\cfremover.exe
    [2010/01/16 18:25:56 | 00,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
    [2010/01/14 23:20:16 | 00,000,162 | -H-- | C] () -- C:\Documents and Settings\Tasha Z\My Documents\~$ssage to Natasha Skye Zeraschi.doc
    [2010/01/14 18:31:15 | 61,551,4112 | -HS- | C] () -- C:\NRTPage.sys
    [2010/01/13 20:13:16 | 00,001,743 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    [2010/01/13 10:23:37 | 25,753,6806 | ---- | C] () -- C:\Documents and Settings\Tasha Z\Desktop\photos 1.zip
    [2010/01/12 12:56:02 | 00,000,107 | ---- | C] () -- C:\xcrashdump.dat
    [2010/01/12 12:21:18 | 00,005,569 | ---- | C] () -- C:\Documents and Settings\Tasha Z\My Documents\My Favorite Theme.theme
    [2010/01/12 11:10:55 | 00,001,683 | ---- | C] () -- C:\WINDOWS\rdr_1263294652.exe
    [2010/01/12 11:10:51 | 00,001,683 | ---- | C] () -- C:\WINDOWS\rdr_1263294647.exe
    [2010/01/12 11:10:46 | 00,001,683 | ---- | C] () -- C:\WINDOWS\rdr_1263294639.exe
    [2010/01/12 10:12:39 | 00,000,002 | ---- | C] () -- C:\WINDOWS\010112010146114101.xxe
    [2010/01/12 10:12:21 | 00,000,002 | ---- | C] () -- C:\WINDOWS\010112010146115116.xxe
    [2009/11/21 19:27:39 | 00,017,408 | RHS- | C] () -- C:\Program Files\captcha.dll
    [2009/11/14 09:10:05 | 00,050,688 | ---- | C] () -- C:\WINDOWS\System32\fio32.dll
    [2009/03/21 20:06:40 | 00,002,880 | ---- | C] () -- C:\Documents and Settings\Tasha Z\Application Data\NMM-MetaData.db
    [2008/07/03 19:50:34 | 00,002,626 | -HS- | C] () -- C:\WINDOWS\System32\BcfgfMoq.ini2
    [2008/07/03 19:50:33 | 00,002,675 | -HS- | C] () -- C:\WINDOWS\System32\BcfgfMoq.ini
    [2007/12/25 23:22:03 | 00,009,216 | ---- | C] () -- C:\Documents and Settings\Tasha Z\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2007/09/18 10:52:59 | 00,326,589 | ---- | C] () -- C:\Documents and Settings\Tasha Z\Application Data\update.log
    [2007/05/28 21:11:31 | 00,099,207 | ---- | C] () -- C:\WINDOWS\System32\windev-peers.ini
    [2007/05/28 21:11:09 | 01,174,416 | ---- | C] () -- C:\Documents and Settings\Tasha Z\Application Data\Install.dat
    [2007/03/29 23:00:40 | 00,203,264 | R--- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
    [2006/12/19 20:28:00 | 00,000,453 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/12/19 20:14:37 | 00,069,632 | R--- | C] () -- C:\WINDOWS\sm56spn.dll
    [2006/12/19 20:14:37 | 00,069,632 | R--- | C] () -- C:\WINDOWS\sm56itl.dll
    [2006/12/19 20:14:37 | 00,069,632 | R--- | C] () -- C:\WINDOWS\sm56eng.dll
    [2006/12/19 20:14:37 | 00,069,632 | R--- | C] () -- C:\WINDOWS\sm56brz.dll
    [2006/12/19 20:14:37 | 00,061,440 | R--- | C] () -- C:\WINDOWS\sm56ger.dll
    [2006/12/19 20:14:37 | 00,061,440 | R--- | C] () -- C:\WINDOWS\sm56fra.dll
    [2006/12/19 20:14:37 | 00,053,248 | R--- | C] () -- C:\WINDOWS\sm56jpn.dll
    [2006/12/19 20:14:37 | 00,049,152 | R--- | C] () -- C:\WINDOWS\sm56cht.dll
    [2006/12/19 20:14:37 | 00,049,152 | R--- | C] () -- C:\WINDOWS\sm56chs.dll
    [2005/01/21 04:02:28 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\RMDevice.dll
    [2004/08/04 10:00:00 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
    [2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2001/09/24 06:59:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll

    ========== LOP Check ==========

    [2009/03/21 19:41:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
    [2009/03/21 19:52:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
    [2010/01/19 16:39:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tasha Z\Application Data\IObit
    [2009/10/30 08:34:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tasha Z\Application Data\Leadertech
    [2009/03/21 19:51:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tasha Z\Application Data\Nokia
    [2009/03/21 19:44:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tasha Z\Application Data\PC Suite

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2004/08/04 10:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
    [2004/08/04 10:00:00 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\agp440.sys

    < MD5 for: ATAPI.SYS >
    [2004/08/04 10:00:00 | 18,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
    [2004/08/04 10:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [2004/08/04 10:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
    [2004/08/04 10:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

    < MD5 for: IASTOR.SYS >
    [2006/05/11 16:30:52 | 00,247,808 | ---- | M] (Intel Corporation) MD5=294110966CEDD127629C5BE48367C8CF -- C:\WINDOWS\dell\iastor\iastor.sys

    < MD5 for: NETLOGON.DLL >
    [2004/08/04 10:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
    [2004/08/04 10:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

    < MD5 for: NVATABUS.SYS >
    [2006/03/17 00:51:32 | 00,099,840 | ---- | M] (NVIDIA Corporation) MD5=B7FB72492B753930EC70A0F49D04F12F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys

    < MD5 for: SCECLI.DLL >
    [2004/08/04 10:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
    [2004/08/04 10:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

    < %systemroot%\*. /mp /s >
    < End of report >
     
  18. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
     
  19. schrauber

    schrauber Guest

    Hi,

    We have to clear something:

    You posted a hijackthis logfile at the beginning of this thread. This logfile shows

    Windows XP without any Servicepacks!!

    Now you posted an OTL logfile with

    Windows XP Servicepack 2

    So please explain me what you have done exactly.

    From which system was the hijackthis-logfile?

    From wich system are the OTL logfiles?

    At which system do you get the message that Servicepack 1a could not get installed because there where a newer version installed?
     
  20. wendy

    wendy Registered Members

    Joined:
    Jan 18, 2010
    Messages:
    49
    Location:
    wales uk
    Operating System:
    Windows XP Home
     

Share This Page