Author Topic: [InActive K] I get redirected and disk space filling quickly  (Read 1323 times)


Offline gshbassplucker

  • Bronze Member
  • Posts: 17
[InActive K] I get redirected and disk space filling quickly
« on: December 25, 2011, 03:29:04 AM »
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:22:11, on 24/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80359&lng=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80359
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80359
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:54667
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\TmBpIe32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: BT Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
O4 - HKLM\..\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL ""
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus D92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE /FU "C:\WINDOWS\TEMP\E_SEC.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Rescue (64f4aa97-c861-4b8c-80cf-736d8eacc507) (LMIRescue_64f4aa97-c861-4b8c-80cf-736d8eacc507) - Unknown owner - C:\Documents and Settings\Dawn\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe (file missing)
O23 - Service: LogMeIn Rescue (a8da63e7-3f18-4e19-b062-d02d8d19bdf5) (LMIRescue_a8da63e7-3f18-4e19-b062-d02d8d19bdf5) - Unknown owner - C:\Documents and Settings\Dawn\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0003.tmp\LMI_Rescue_srv.exe (file missing)
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10066 bytes
« Last Edit: January 02, 2012, 06:38:01 PM by kevinf80 »



Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #1 on: December 25, 2011, 05:06:21 AM »
Hello gshbassplucker welcome to SpywareHammer,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.
  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.

Please proceed as follows :-

Step 1

There is a proxy server running in IE; if you did not set that, it needs to go. I've included instructions for other popular browsers:

Check for proxy server settings in your browser, the following are the most common used.

Internet Explorer:
Tools Menu -> Internet Options  -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". ok, apply (only if applicable), ok.

Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

Chrome:
Select -> Tools menu ->  then "Options", then  go to "Change Proxy Settings", then "LAN Settings" , then  take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

Safari
  • Launch Safari
  • Go to general settings menu
  • Then in Preferences/ Advanced
  • Then on line click Proxies change settings ...
  • Click Internet Options, then click the Connections tab, click Network Settings.
  • Disable option (uncheck) for the use of proxy server ...

Step 2

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate by tapping Enter
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

Kevin
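The loopback proxy Kevin points to in Step 1 is the R1 ProxyServer line of the HijackThis log (http=127.0.0.1:54667): a browser proxy on the local machine is exactly how redirect malware sits between the browser and the network. The script below is an added example, not part of this thread and not part of HijackThis or RogueKiller: it parses lines in the HijackThis v2 layout, splits an Internet Explorer ProxyServer value into its hosts, flags any host that resolves to the loopback address, and also lists O23 services whose binaries are reported as "(file missing)", like the two LogMeIn Rescue leftovers in the log. The sample log text and the service names in it are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in HijackThis v2.0.4 line layout (not a real machine's log):
# a loopback proxy like the one in the original post, one ordinary Run entry,
# one service whose binary is gone, and one ordinary service. Names are invented.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:54667
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O23 - Service: Example Rescue Applet (ExampleRescue) - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\applet.tmp\srv.exe (file missing)
O23 - Service: Example Updater (ExampleAU) - Example Inc. - C:\Program Files\Example\update.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (section, body) tuples for each entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def proxy_hosts(value):
    """Split an IE ProxyServer value into its hosts.

    The value is either 'host:port' or a ';'-separated list of
    'scheme=host:port' pairs, e.g. 'http=127.0.0.1:54667;https=proxy:3128'.
    """
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # drop the 'http=' / 'https=' prefix
            part = part.split("=", 1)[1]
        if part.startswith("["):             # '[::1]:8080' -> '::1'
            host = part[1:part.index("]")]
        elif part.count(":") == 1:           # 'host:port'
            host = part.split(":", 1)[0]
        else:                                # no port, or a bare IPv6 address
            host = part
        hosts.append(host)
    return hosts


def is_loopback(host):
    """True for 'localhost' or any address in 127.0.0.0/8 or ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # a hostname, not an address
        return False


def triage(text):
    """Return (category, detail) findings that a reviewer should look at first."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "R1" and "Internet Settings,ProxyServer" in body:
            value = body.split(" = ", 1)[1].strip()
            if any(is_loopback(h) for h in proxy_hosts(value)):
                findings.append(("loopback-proxy", value))
            else:
                findings.append(("proxy-set", value))   # confirm the user set it
        elif section == "O23" and body.endswith("(file missing)"):
            # body reads 'Service: Name (ShortName) - Owner - path (file missing)'
            name = body[len("Service: "):].split(" - ", 1)[0]
            findings.append(("service-file-missing", name))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_HJT_LOG):
        print(f"{category}: {detail}")
```

A proxy that is not on loopback is reported too, but as "proxy-set" rather than a finding, because corporate and ISP proxies are legitimate; the question to ask the user is the same one Kevin asks: did you set it yourself?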




Offline gshbassplucker

  • Bronze Member
  • Posts: 17
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #2 on: December 25, 2011, 07:25:00 AM »
Hi Kevin,
Had AVG until late November when I bought Trend Micro Titanium as I thought it would be a better bet - then nightmare - everything got redirected, computer slowed right down and the disk free space went from over 50% to 11%. Have tried remote help from Trend in France, but still getting redirected, mostly to Mediashifting.com now.
Not showing proxy browser in Internet Options.
Here is the report......

RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Dawn [Admin rights]
Mode: Scan -- Date : 12/25/2011 13:17:08

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:54667) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] 9eec34ef76ce32cb3bdccf513169f359
[BSP] ae203e84dcb456630d870d8f3155a2b5 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 63 | Size: 39999 Mo
1 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 78124095 | Size: 8 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
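The scan above carries three separate signals that a reviewer wants pulled out quickly: the loopback ProxyServer entry again, the three Security Center *DisableNotify values set to 1 (with those set, Windows stops warning that antivirus, firewall or updates are off), and a partition of only 8 MB at the end of the disk that is both hidden and marked ACTIVE, which is not where Windows lives. The script below is an added example, not part of the thread and not RogueKiller's own code: it parses a report in the RKreport text layout shown here and turns those entries into findings. The report text it runs on is constructed for the example from that layout; the threshold for a "small" active partition is an assumption of the example.

```python
import re

# Constructed report text in the RKreport[N].txt layout shown in the thread;
# values are modelled on the post, not read from any machine.
SAMPLE_RK_REPORT = r"""
RogueKiller V6.2.0 [12/12/2011] by Tigzy
Mode: Scan -- Date : 12/25/2011 13:17:08

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:54667) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

¤¤¤ MBR Check: ¤¤¤
Partition table:
0 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 63 | Size: 39999 Mo
1 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 78124095 | Size: 8 Mo
"""

# '[TAG] key : name (value) -> status'
REG_RE = re.compile(
    r"^\[(?P<tag>[A-Z ]+)\] (?P<key>.+?) : (?P<name>\S+) \((?P<value>[^)]*)\) -> (?P<status>.+)$")
# 'N - [FLAG] FS [VISIBILITY] Offset (sectors): N | Size: N Mo'
PART_RE = re.compile(
    r"^(?P<index>\d+) - \[(?P<flag>[A-Z]+)\] (?P<fs>\S+) \[(?P<vis>[A-Z!]+)\] "
    r"Offset \(sectors\): (?P<offset>\d+) \| Size: (?P<size>\d+) Mo$")
INFECTION_RE = re.compile(r"^¤¤¤ Infection : (?P<name>.+?) ¤¤¤$")

# Assumed threshold: an active partition this small cannot hold a Windows
# install, so one that is also hidden deserves a look at the boot code.
SMALL_ACTIVE_MB = 64


def parse_registry_entries(text):
    """Return one dict (tag, key, name, value, status) per registry finding line."""
    matches = (REG_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def parse_partitions(text):
    """Return the partition table rows with numeric fields and boolean flags."""
    rows = []
    for line in text.splitlines():
        m = PART_RE.match(line.strip())
        if m:
            row = m.groupdict()
            for field in ("index", "offset", "size"):
                row[field] = int(row[field])
            row["active"] = row["flag"] == "ACTIVE"
            row["hidden"] = row["vis"].startswith("HIDDEN")
            rows.append(row)
    return rows


def analyze(text):
    """Return (category, detail) findings from a RogueKiller scan report."""
    findings = []
    for line in text.splitlines():
        m = INFECTION_RE.match(line.strip())
        if m:
            findings.append(("infection", m.group("name")))
    for entry in parse_registry_entries(text):
        if entry["tag"] == "PROXY IE":
            findings.append(("ie-proxy", entry["value"]))
        elif (entry["key"].endswith("Security Center")
              and entry["name"].endswith("DisableNotify")
              and entry["value"] == "1"):
            findings.append(("security-center-alert-suppressed", entry["name"]))
    for part in parse_partitions(text):
        if part["active"] and part["hidden"] and part["size"] <= SMALL_ACTIVE_MB:
            findings.append(("hidden-active-partition",
                             f"#{part['index']} {part['size']} MB at sector {part['offset']}"))
    return findings


if __name__ == "__main__":
    for category, detail in analyze(SAMPLE_RK_REPORT):
        print(f"{category}: {detail}")
```

The NewStartPanel entry is parsed but not reported: it only controls a desktop icon, and RogueKiller lists it because it was changed, not because it is dangerous on its own. The partition check is the piece worth keeping in mind when reading the rest of the thread, since it is the same partition the MBR scanner later flags.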

Offline gshbassplucker

  • Bronze Member
  • Posts: 17
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #3 on: December 25, 2011, 07:42:04 AM »
There is only 9% free space showing on disk now. Computer very slow so I may appear slow to reply. Your help is greatly appreciated. :t :t

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #4 on: December 25, 2011, 08:02:14 AM »
Quit all running programs and run RogueKiller once again.

  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate by tapping Enter
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

Next,

Quit all running programs and run RogueKiller once again.

  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 4 and validate by tapping Enter
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

Next,

You have ZeroAccess Rootkit infection, do this:

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2

  • Ensure that Combofix is saved directly to the Desktop <--- Very important

    Before saving Combofix to the Desktop re-name to Gotcha.exe as below:




  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.

  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

  • Instructions for running Combofix available Here if required.

  • If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why  disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Let me see those 3 logs in next reply...

Kevin


Offline gshbassplucker

  • Bronze Member
  • Posts: 17
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #5 on: December 25, 2011, 04:15:10 PM »
ComboFix seems to have worked, but will not run properly to the end or generate a report. Here are the other reports.
Computer now running properly.
RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Dawn [Admin rights]
Mode: Remove -- Date : 12/25/2011 14:28:36

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:54667) -> NOT REMOVED, USE PROXYFIX
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] 9eec34ef76ce32cb3bdccf513169f359
[BSP] ae203e84dcb456630d870d8f3155a2b5 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 63 | Size: 39999 Mo
1 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 78124095 | Size: 8 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Dawn [Admin rights]
Mode: ProxyFix -- Date : 12/25/2011 14:30:13

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:54667) -> DELETED

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #6 on: December 25, 2011, 04:25:40 PM »
Try Combofix again if it did not complete. Delete any versions that are on your Desktop, download a fresh version from Here, do not re-name it, just double click on the icon then run as previously instructed.

Let me see the log in next reply

Offline gshbassplucker

  • Bronze Member
  • Posts: 17
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #7 on: December 26, 2011, 06:10:45 AM »
Reloaded and ran ComboFix again, tried it twice and the last time left it undisturbed for 12 hours - it is not leaving a report or completing its work. I need to switch computer off to shut the program down. The disk free space is now stable at 9% and computer seems to operate normally. Not getting any redirects so you have worked wonders! Would like to look at removing some of the files clogging up the disk soon, but want to leave the programs in place that Trend want to analyse to ensure that my security will be in place to stop this happening again. Is there anything you can think of that may be affecting ComboFix or causing it to freeze? :ty

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #8 on: December 26, 2011, 06:20:18 AM »
It could be many things affecting Combofix, do the following:

Download TFC to your desktop, from either of the following links
 Link 1
 Link 2
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select "Run as Administrator"
  • If prompted, click "Yes" to reboot.
Save any open work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may reboot your system; if not, reboot it yourself to complete the cleaning process <---- Very Important

Keep TFC; it is an excellent utility to keep your system optimized: it empties all user temp folders, Java cache etc. Always remember to reboot after a run, even if not prompted.

Next,

Delete any version of ComboFix you have on your Desktop.  Download a fresh copy from either of the following links:

Link 1
Link 2

Before you save it to the Desktop make sure to rename it to sega.com

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and type this command exactly as shown or better still, use copy/paste:

"%userprofile%\desktop\sega.com" /killall /nombr Tap enter or select OK.

See if it will run successfully now. Stop it after half an hour of no activity.

Post the log in next reply,

Kevin

Offline gshbassplucker

  • Bronze Member
  • Posts: 17
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #9 on: December 26, 2011, 12:29:50 PM »
Have tried safe mode, same result. Tried again after reboot, again same result. Back up to 11% free space, everything else seems to be running well.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #10 on: December 26, 2011, 01:00:26 PM »
Do the following:

Step 1

Download aswMBR from Here
If it asks to update during the process please allow this to happen.

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below


Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

   
  • Once the scan finishes click Save log to save the log to your Desktop.


   
  • Copy and paste the contents of aswMBR.txt back here for review
  • You will also notice another file created on the desktop named MBR.dat. Right-click that file and select Send To and then Compressed (zipped) file. Attach that zipped file to your next reply as well.

Step 2

Download OTL from any of the following links and save to your Desktop:

Link 1
Link 2
Link 3
Link 4
  • Double click on the icon to run it, Vista or Windows 7 users right click and select Run as Administrator. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Under the Extra Registry section, check Use SafeList
  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Under the Custom Scan box paste this in:
Code:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply

Let me see the following in your reply :-
  • aswMBR log
  • OTL scan log
  • Extras log
  • Attach the MBR.zip file

If the OTL logs exceed the character limit zip them up and attach them.....

Kevin

Offline gshbassplucker

  • Bronze Member
  • Posts: 17
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #11 on: December 26, 2011, 03:59:49 PM »
aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-26 21:28:34
-----------------------------
21:28:34.046    OS Version: Windows 5.1.2600 Service Pack 3
21:28:34.046    Number of processors: 1 586 0xD08
21:28:34.046    ComputerName: DAWN-321  UserName: Dawn
21:28:39.625    Initialize success
21:35:36.187    AVAST engine defs: 11122601
21:35:44.953    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
21:35:44.968    Disk 0 Vendor: WDC_WD400VE-75HDT1 11.07D11 Size: 38154MB BusType: 3
21:35:47.031    Disk 0 MBR read successfully
21:35:47.031    Disk 0 MBR scan
21:35:47.125    Disk 0 Windows XP default MBR code
21:35:47.125    Disk 0 Partition 1 00     07    HPFS/NTFS NTFS        38146 MB offset 63
21:35:47.171    Disk 0 Partition 2 80 (A) 17 Hidd HPFS/NTFS NTFS            7 MB offset 78124095
21:35:47.187    Disk 0 Partition 2  **INFECTED** MBR:Alureon-K [Rtk]
21:35:47.187    Disk 0 scanning sectors +78140144
21:35:47.265    Disk 0 scanning C:\WINDOWS\system32\drivers
21:36:22.390    Service scanning
21:36:24.000    Modules scanning
21:36:54.703    Disk 0 trace - called modules:
21:36:54.750    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys
21:36:54.750    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a0a1ab8]
21:36:54.750    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a0e5940]
21:36:57.671    AVAST engine scan C:\WINDOWS
21:37:38.921    AVAST engine scan C:\WINDOWS\system32
21:42:11.875    AVAST engine scan C:\WINDOWS\system32\drivers
21:42:41.515    AVAST engine scan C:\Documents and Settings\Dawn
21:47:20.578    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dawn\Desktop\MBR.dat"
21:47:20.593    The log file has been saved successfully to "C:\Documents and Settings\Dawn\Desktop\aswMBR scan 26th.txt"

Offline gshbassplucker

  • Bronze Member
  • Posts: 17
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #12 on: December 26, 2011, 04:20:25 PM »
OTL logfile created on: 26/12/2011 22:03:58 - Run 1
OTL by OldTimer - Version 3.2.31.0     Folder = C:\Documents and Settings\Dawn\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
1.24 Gb Total Physical Memory | 0.78 Gb Available Physical Memory | 62.89% Memory free
1.46 Gb Paging File | 1.17 Gb Available in Paging File | 79.84% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 3.91 Gb Free Space | 10.50% Space Free | Partition Type: NTFS
 
Computer Name: DAWN-321 | User Name: Dawn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2011/12/26 22:00:40 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dawn\Desktop\OTL.exe
PRC - [2011/11/27 20:32:45 | 000,129,304 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
PRC - [2011/11/24 14:51:35 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2010/03/14 00:07:59 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/12/07 11:50:52 | 001,584,640 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/10 10:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2010/02/05 18:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2009/11/03 15:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2008/04/14 00:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 00:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/11/01 12:48:02 | 000,757,760 | ---- | M] () -- C:\WINDOWS\system32\bcm1xsup.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [Disabled | Stopped] --  -- (NMIndexingService)
SRV - File not found [Auto | Stopped] --  -- (LMIRescue_a8da63e7-3f18-4e19-b062-d02d8d19bdf5) LogMeIn Rescue (a8da63e7-3f18-4e19-b062-d02d8d19bdf5)
SRV - File not found [Auto | Stopped] --  -- (LMIRescue_64f4aa97-c861-4b8c-80cf-736d8eacc507) LogMeIn Rescue (64f4aa97-c861-4b8c-80cf-736d8eacc507)
SRV - File not found [On_Demand | Stopped] --  -- (HidServ)
SRV - File not found [On_Demand | Stopped] --  -- (AppMgmt)
SRV - [2011/11/27 20:32:30 | 000,200,632 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe -- (Amsp)
SRV - [2011/11/24 14:51:35 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2011/08/24 15:01:02 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe -- (GoToAssist)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2011/11/27 16:08:33 | 000,205,072 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2011/11/27 16:08:33 | 000,171,280 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tmnciesc.sys -- (tmnciesc)
DRV - [2011/11/27 16:08:33 | 000,092,432 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2011/11/27 16:08:33 | 000,084,752 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmeext.sys -- (tmeext)
DRV - [2011/11/27 16:08:33 | 000,081,168 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2011/11/27 16:08:33 | 000,068,368 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2011/05/26 15:03:56 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2011/05/26 15:03:50 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2007/05/10 10:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/10/12 15:28:42 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/08/05 11:32:16 | 000,045,312 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2005/07/22 11:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 11:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/22 11:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80359
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-515967899-1454471165-1801674531-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/ [binary data]
IE - HKU\S-1-5-21-515967899-1454471165-1801674531-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-515967899-1454471165-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.448: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{38783831-6098-4faa-A9C9-1EE1E343F4D2}: C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\firefoxextension [2011/12/25 12:54:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension\ [2011/12/25 12:56:16 | 000,000,000 | ---D | M]
 
 
O1 HOSTS File: ([2006/02/28 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1072\TmIEPlg.dll (Trend Micro Inc.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\7.0.1086\7.0.1086\TmBpIe32.dll (Trend Micro Inc.)
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (BT Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-515967899-1454471165-1801674531-1004\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-515967899-1454471165-1801674531-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-515967899-1454471165-1801674531-1004\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O3 - HKU\S-1-5-21-515967899-1454471165-1801674531-1004\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe (Trend Micro Inc.)
O4 - HKU\S-1-5-21-515967899-1454471165-1801674531-1004..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" File not found
O4 - HKU\S-1-5-21-515967899-1454471165-1801674531-1004..\Run: [EPSON Stylus D92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE (SEIKO EPSON CORPORATION)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-515967899-1454471165-1801674531-1004\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-515967899-1454471165-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-515967899-1454471165-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-515967899-1454471165-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E6A0D015-E3E9-46C6-B593-8A6BD4FCCDDB}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.0.1086\7.0.1086\TmBpIe32.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1072\TmIEPlg.dll (Trend Micro Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Dawn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dawn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/13 06:44:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{b8a30803-e870-11dd-a33c-0014228f0df6}\Shell\AutoRun\command - "" = setupSNK.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: 6to4 -  File not found
NetSvcs: AppMgmt -  File not found
NetSvcs: HidServ -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: WmdmPmSp -  File not found
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
File not found -- C:\WINDOWS\System32\
[2011/12/26 22:00:30 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dawn\Desktop\OTL.exe
[2011/12/26 21:53:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Desktop\log
[2011/12/26 21:28:18 | 001,918,464 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Dawn\Desktop\aswMBR.exe
[2011/12/26 17:16:58 | 000,000,000 | --SD | C] -- C:\sega15930s
[2011/12/26 17:14:49 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2011/12/26 15:07:18 | 000,000,000 | --SD | C] -- C:\sega
[2011/12/26 14:40:23 | 004,348,814 | R--- | C] (Swearware) -- C:\Documents and Settings\Dawn\Desktop\sega.com
[2011/12/26 14:25:19 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dawn\Desktop\TFC.exe
[2011/12/25 16:21:07 | 000,000,000 | ---D | C] -- C:\Gotcha
[2011/12/25 14:57:03 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdrom.sys
[2011/12/25 14:53:46 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/12/25 14:50:20 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/12/25 14:50:20 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/12/25 14:50:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/12/25 14:50:20 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/12/25 14:48:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/12/25 14:46:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/25 13:16:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Desktop\RK_Quarantine
[2011/12/22 04:13:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Desktop\ATTK_ZACCESS_KATUSHA
[2011/12/19 18:17:09 | 002,002,320 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Dawn\Desktop\HousecallLauncher.exe
[2011/12/19 17:19:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Desktop\RootkitBuster_POC_ZACCESS
[2011/12/16 10:42:49 | 008,798,208 | ---- | C] (trend_company_name) -- C:\Documents and Settings\Dawn\Desktop\Copy of RootkitBuster.exe
[2011/12/16 10:40:16 | 008,798,208 | ---- | C] (trend_company_name) -- C:\Documents and Settings\Dawn\Desktop\RootkitBuster.exe
[2011/12/16 10:25:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Desktop\TrendMicro AntiThreat Toolkit
[2011/12/16 09:47:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\backup
[2011/12/16 09:38:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/12/16 08:35:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Application Data\TeamViewer
[2011/12/16 08:35:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 7
[2011/12/16 08:34:59 | 000,000,000 | ---D | C] -- C:\Program Files\TeamViewer
[2011/12/15 17:00:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Local Settings\Application Data\PCHealth
[2011/12/12 16:55:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Start Menu\Programs\HiJackThis
[2011/12/12 16:38:08 | 002,002,424 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Dawn\My Documents\HousecallLauncher.exe
[2011/12/12 16:32:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Local Settings\Application Data\LogMeIn Rescue Applet
[2011/11/27 16:33:54 | 000,084,752 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmeext.sys
[2011/11/27 16:33:51 | 000,171,280 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmnciesc.sys
[2011/11/27 16:33:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Start Menu\Programs\Trend Micro Titanium Internet Security 2012
[2011/11/27 16:31:31 | 000,092,432 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2011/11/27 16:31:21 | 000,205,072 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/11/27 16:31:21 | 000,081,168 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2011/11/27 16:31:21 | 000,068,368 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
 
========== Files - Modified Within 30 Days ==========
 
File not found -- C:\WINDOWS\System32\
[2011/12/26 22:00:40 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dawn\Desktop\OTL.exe
[2011/12/26 21:55:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/26 21:51:52 | 000,000,506 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\MBR.zip
[2011/12/26 21:47:20 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\MBR.dat
[2011/12/26 21:28:31 | 001,918,464 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Dawn\Desktop\aswMBR.exe
[2011/12/26 14:51:59 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Word.lnk
[2011/12/26 14:40:24 | 004,348,814 | R--- | M] (Swearware) -- C:\Documents and Settings\Dawn\Desktop\sega.com
[2011/12/26 14:25:31 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dawn\Desktop\TFC.exe
[2011/12/25 14:53:51 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/12/25 14:30:05 | 000,111,872 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2011/12/25 14:28:12 | 000,771,072 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\RogueKiller.exe
[2011/12/25 10:10:42 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/24 22:07:34 | 000,102,400 | ---- | M] () -- C:\WINDOWS\RegBootClean.exe
[2011/12/24 22:07:34 | 000,022,032 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe
[2011/12/24 17:44:12 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\housecall.guid.cache
[2011/12/24 17:34:33 | 000,008,441 | ---- | M] () -- C:\DAWN-321_2011.12.24-1733.20_4576668b-8ad4-49ca-b73c-acb64488dbf3_3790.zip
[2011/12/24 17:26:01 | 000,571,760 | ---- | M] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\census.cache
[2011/12/24 17:25:59 | 000,190,575 | ---- | M] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\ars.cache
[2011/12/21 18:08:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/12/20 23:54:08 | 000,541,466 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/20 23:54:07 | 000,109,916 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/19 23:56:39 | 000,022,105 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Scan 19.12.11.CSV
[2011/12/19 18:17:22 | 002,002,320 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Dawn\Desktop\HousecallLauncher.exe
[2011/12/19 17:34:53 | 025,094,960 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\supportcustomizedpackage.exe
[2011/12/19 17:34:14 | 025,093,769 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\ATTK_ZACCESS_KATUSHA.zip
[2011/12/19 17:20:27 | 004,172,551 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\RootkitBuster_POC_ZACCESS.zip
[2011/12/17 20:57:36 | 000,000,204 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\___GeneratedbyATTK___.zip
[2011/12/17 20:50:47 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\TmRCMScanDebug20111216_00.zip
[2011/12/16 10:37:37 | 000,352,678 | ---- | M] () -- C:\DAWN-321_2011.12.16-1025.53_4576668b-8ad4-49ca-b73c-acb64488dbf3_3790.zip
[2011/12/16 10:20:52 | 000,357,189 | ---- | M] () -- C:\DAWN-321_2011.12.16-1005.28_4576668b-8ad4-49ca-b73c-acb64488dbf3_3790.zip
[2011/12/16 10:04:59 | 000,355,148 | ---- | M] () -- C:\DAWN-321_2011.12.16-0947.30_4576668b-8ad4-49ca-b73c-acb64488dbf3_3790.zip
[2011/12/16 08:35:07 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TeamViewer 7.lnk
[2011/12/15 17:25:17 | 000,256,656 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/15 17:07:18 | 000,000,129 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2011/12/12 16:38:13 | 002,002,424 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Dawn\My Documents\HousecallLauncher.exe
[2011/12/01 20:48:10 | 008,798,208 | ---- | M] (trend_company_name) -- C:\Documents and Settings\Dawn\Desktop\RootkitBuster.exe
[2011/12/01 20:48:10 | 008,798,208 | ---- | M] (trend_company_name) -- C:\Documents and Settings\Dawn\Desktop\Copy of RootkitBuster.exe
[2011/11/27 16:34:33 | 000,000,932 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Trend Micro Titanium Internet Security 2012.lnk
[2011/11/27 16:27:49 | 000,000,056 | ---- | M] () -- C:\WINDOWS\System32\SupportTool.exe.bat
[2011/11/27 16:08:33 | 000,205,072 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/11/27 16:08:33 | 000,171,280 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmnciesc.sys
[2011/11/27 16:08:33 | 000,092,432 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2011/11/27 16:08:33 | 000,084,752 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmeext.sys
[2011/11/27 16:08:33 | 000,081,168 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2011/11/27 16:08:33 | 000,068,368 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[2011/11/26 22:25:54 | 000,070,142 | ---- | M] () -- C:\Documents and Settings\Dawn\My Documents\ti_50_MR_2012_Generic.exe
 
========== Files Created - No Company Name ==========
 
[2011/12/26 21:51:52 | 000,000,506 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\MBR.zip
[2011/12/26 21:47:20 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\MBR.dat
[2011/12/25 14:53:51 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/12/25 14:53:47 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/12/25 14:50:20 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/12/25 14:50:20 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/12/25 14:50:20 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/12/25 14:50:20 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/12/25 14:50:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/12/25 14:28:01 | 000,771,072 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\RogueKiller.exe
[2011/12/25 13:16:37 | 000,111,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2011/12/24 17:34:34 | 000,008,441 | ---- | C] () -- C:\DAWN-321_2011.12.24-1733.20_4576668b-8ad4-49ca-b73c-acb64488dbf3_3790.zip
[2011/12/19 23:56:39 | 000,022,105 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\Scan 19.12.11.CSV
[2011/12/17 20:57:36 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\___GeneratedbyATTK___.zip
[2011/12/17 20:50:47 | 000,000,917 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\TmRCMScanDebug20111216_00.zip
[2011/12/16 10:37:37 | 000,352,678 | ---- | C] () -- C:\DAWN-321_2011.12.16-1025.53_4576668b-8ad4-49ca-b73c-acb64488dbf3_3790.zip
[2011/12/16 10:25:16 | 025,094,960 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\supportcustomizedpackage.exe
[2011/12/16 10:20:52 | 000,357,189 | ---- | C] () -- C:\DAWN-321_2011.12.16-1005.28_4576668b-8ad4-49ca-b73c-acb64488dbf3_3790.zip
[2011/12/16 10:04:59 | 000,355,148 | ---- | C] () -- C:\DAWN-321_2011.12.16-0947.30_4576668b-8ad4-49ca-b73c-acb64488dbf3_3790.zip
[2011/12/16 09:45:52 | 025,093,769 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\ATTK_ZACCESS_KATUSHA.zip
[2011/12/16 09:21:49 | 004,172,551 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\RootkitBuster_POC_ZACCESS.zip
[2011/12/16 08:35:06 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TeamViewer 7.lnk
[2011/11/27 16:33:44 | 000,000,932 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\Trend Micro Titanium Internet Security 2012.lnk
[2011/11/26 22:25:53 | 000,070,142 | ---- | C] () -- C:\Documents and Settings\Dawn\My Documents\ti_50_MR_2012_Generic.exe
[2011/11/26 21:05:59 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2011/11/26 21:05:59 | 000,022,032 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2011/11/26 21:05:26 | 000,571,760 | ---- | C] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\census.cache
[2011/11/26 21:05:01 | 000,190,575 | ---- | C] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\ars.cache
[2011/11/24 20:17:18 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\housecall.guid.cache
[2011/11/23 18:07:48 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\SupportTool.exe.bat
[2010/02/02 09:41:57 | 000,001,878 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/01/23 13:26:20 | 000,053,236 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/08/19 20:43:33 | 000,111,932 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2009/08/19 20:43:33 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2009/08/19 20:43:33 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2009/08/19 20:43:33 | 000,026,154 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2009/08/19 20:43:33 | 000,024,903 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2009/08/19 20:43:33 | 000,021,390 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2009/08/19 20:43:33 | 000,020,148 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2009/08/19 20:43:33 | 000,011,811 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2009/08/19 20:43:33 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2009/08/19 20:43:33 | 000,001,146 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_DU.dat
[2009/08/19 20:43:33 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2009/08/19 20:43:33 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2009/08/19 20:43:33 | 000,001,136 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2009/08/19 20:43:33 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2009/08/19 20:43:33 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2009/08/19 20:43:33 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_IT.dat
[2009/08/19 20:43:33 | 000,001,107 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_GE.dat
[2009/08/19 20:43:33 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2009/08/19 20:43:33 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/08/19 20:41:36 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDED92Euro.ini
[2009/02/13 19:22:05 | 000,000,129 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/01/22 11:16:43 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/01/15 11:29:18 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/01/14 04:17:56 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Dawn\Application Data\wklnhst.dat
[2009/01/14 03:59:05 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/14 03:36:37 | 000,153,088 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2009/01/14 01:56:12 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD-Start.INI
[2009/01/13 17:52:36 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/13 14:53:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/01/13 14:53:16 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2009/01/13 14:53:15 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/01/13 07:09:08 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/13 06:47:27 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/01/13 06:40:27 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/01/13 06:29:13 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/01/13 06:27:50 | 000,256,656 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/02/28 12:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 12:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 12:00:00 | 000,541,466 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 12:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 12:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 12:00:00 | 000,109,916 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 12:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 12:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 12:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 12:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 12:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 12:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
 
========== LOP Check ==========
 
[2009/08/19 20:41:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2009/01/15 11:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2009/01/21 11:08:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/11/23 16:59:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/08/19 20:45:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2010/04/14 20:48:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/12/26 10:44:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2011/12/02 17:54:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\68CE4
[2010/04/01 14:03:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/06/22 14:17:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\com.roland.FriendJam
[2009/10/01 17:37:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\EPSON
[2011/11/22 19:58:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\GetRightToGo
[2010/02/15 10:01:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\IObit
[2011/07/21 10:18:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\Sammsoft
[2011/12/16 08:35:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\TeamViewer
[2011/03/17 16:29:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\Uniblue
[2009/01/13 15:46:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\Windows Desktop Search
[2009/02/21 18:32:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\Windows Search
[2009/01/14 03:33:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\wsInspector
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.exe >
 
 
< MD5 for: EXPLORER.EXE  >
[2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 11:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 10:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2006/02/28 12:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
 
< MD5 for: SVCHOST.EXE  >
[2008/04/14 00:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 00:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2006/02/28 12:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
 
< MD5 for: USERINIT.EXE  >
[2006/02/28 12:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/14 00:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 00:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 00:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
 
< MD5 for: WINLOGON.EXE  >
[2006/02/28 12:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/14 00:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 00:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe
 
< %systemroot%\*. /mp /s >
 
< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/10/31 20:56:25 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/10/31 20:56:25 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/10/31 20:56:25 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2011/10/31 10:46:00 | 000,634,504 | ---- | M] (Microsoft Corporation)
 
< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/10/31 20:56:25 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/10/31 20:56:25 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/10/31 20:56:25 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2011/10/31 10:46:00 | 000,634,504 | ---- | M] (Microsoft Corporation)
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs[/B] >
Invalid Switch: B]

 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 24 bytes -> C:\WINDOWS:0B9926B101DF72B8
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

Offline gshbassplucker

  • Bronze Member
  • Posts: 17
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #13 on: December 26, 2011, 04:23:22 PM »
OTL Extras logfile created on: 26/12/2011 22:03:58 - Run 1
OTL by OldTimer - Version 3.2.31.0     Folder = C:\Documents and Settings\Dawn\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
1.24 Gb Total Physical Memory | 0.78 Gb Available Physical Memory | 62.89% Memory free
1.46 Gb Paging File | 1.17 Gb Available in Paging File | 79.84% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 3.91 Gb Free Space | 10.50% Space Free | Partition Type: NTFS
 
Computer Name: DAWN-321 | User Name: Dawn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
 
[HKEY_USERS\S-1-5-21-515967899-1454471165-1801674531-1004\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- C:\WINDOWS\system32\rundll32.exe shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Disabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\1GW2CMHR\Spybot-Spyware-Doctor-Install[1].exe" = C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\1GW2CMHR\Spybot-Spyware-Doctor-Install[1].exe:*:Enabled:RegNow Download Manager
"C:\Program Files\Apple Software Update\SoftwareUpdate.exe" = C:\Program Files\Apple Software Update\SoftwareUpdate.exe:*:Enabled:Apple Software Update -- (Apple Inc.)
"C:\Program Files\Trend Micro\TTi_50_MR_2012_TIS[1]\setup.exe" = C:\Program Files\Trend Micro\TTi_50_MR_2012_TIS[1]\setup.exe:*:Disabled:Setup Application -- (Trend Micro Inc.)
"C:\Program Files\Trend Micro\ti_50_MR_2012_Generic[1]\setup.exe" = C:\Program Files\Trend Micro\ti_50_MR_2012_Generic[1]\setup.exe:*:Enabled:Setup Application
"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" = C:\Program Files\Google\Google Updater\GoogleUpdater.exe:*:Disabled:Google Updater
"C:\Documents and Settings\Dawn\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.01\rnupgagent.exe" = C:\Documents and Settings\Dawn\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.01\rnupgagent.exe:*:Disabled:RealNetworks Installer -- (RealNetworks, Inc.)
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zS9A.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zS9A.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zSD2.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zSD2.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" = C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe:*:Enabled:Trend Micro Client Main Console -- (Trend Micro Inc.)
"C:\Program Files\Java\jre6\bin\jucheck.exe" = C:\Program Files\Java\jre6\bin\jucheck.exe:*:Enabled:Java(TM) Update Checker -- (Sun Microsystems, Inc.)
"C:\Documents and Settings\Dawn\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe:*:Enabled:Java(TM) Platform SE binary
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zS270.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zS270.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Documents and Settings\Dawn\Local Settings\Temp\HouseCall\housecall.bin" = C:\Documents and Settings\Dawn\Local Settings\Temp\HouseCall\housecall.bin:*:Enabled:Trend Micro HouseCall
"C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe" = C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe:*:Enabled:HijackThis -- (Trend Micro Inc.)
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zS6.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zS6.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Documents and Settings\Dawn\Local Settings\Temp\jre-6u30-windows-i586-iftw-rv.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\jre-6u30-windows-i586-iftw-rv.exe:*:Enabled:Java(TM) Platform SE binary
"C:\Documents and Settings\Dawn\Local Settings\Temp\Rar$EX14.110\SICWin.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\Rar$EX14.110\SICWin.exe:*:Enabled:System Information Collector
"C:\Program Files\TeamViewer\Version7\TeamViewer.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe:*:Enabled:Teamviewer Remote Control Service -- (TeamViewer GmbH)
"C:\Documents and Settings\Dawn\Local Settings\Temp\Rar$EX04.547\TrendMicro AntiThreat Toolkit\HC_ATTK\ATTK.bin" = C:\Documents and Settings\Dawn\Local Settings\Temp\Rar$EX04.547\TrendMicro AntiThreat Toolkit\HC_ATTK\ATTK.bin:*:Enabled:Anti-Threat Toolkit Main Program
"C:\Documents and Settings\Dawn\Local Settings\Temp\Rar$EX00.296\TrendMicro AntiThreat Toolkit\HC_ATTK\ATTK.bin" = C:\Documents and Settings\Dawn\Local Settings\Temp\Rar$EX00.296\TrendMicro AntiThreat Toolkit\HC_ATTK\ATTK.bin:*:Enabled:Anti-Threat Toolkit Main Program
"C:\Documents and Settings\Dawn\Desktop\TrendMicro AntiThreat Toolkit\HC_ATTK\ATTK.bin" = C:\Documents and Settings\Dawn\Desktop\TrendMicro AntiThreat Toolkit\HC_ATTK\ATTK.bin:*:Enabled:Anti-Threat Toolkit Main Program -- (Trend Micro Inc.)
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zSA4.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zSA4.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zS95.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zS95.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zS12.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zS12.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zSB4.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zSB4.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zSB.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zSB.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zS8.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zS8.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zS2.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zS2.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zS7.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zS7.tmp\Setup.exe:*:Disabled:Trend Micro HouseCall Launcher
"C:\Documents and Settings\Dawn\Desktop\ATTK_ZACCESS_KATUSHA\TrendMicro AntiThreat Toolkit\HC_ATTK\ATTK.bin" = C:\Documents and Settings\Dawn\Desktop\ATTK_ZACCESS_KATUSHA\TrendMicro AntiThreat Toolkit\HC_ATTK\ATTK.bin:*:Enabled:Anti-Threat Toolkit Main Program -- (Trend Micro Inc.)
"C:\Gotcha\ComboFix-Download.3XE" = C:\Gotcha\ComboFix-Download.3XE:*:Enabled:ComboFix-Download
"C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe" = C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe:*:Enabled:BT Broadband Desktop Help -- (Alcatel-Lucent)
"C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" = C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe:*:Enabled:BT Broadband Desktop Help Notifier -- (Alcatel-Lucent)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 11
"{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant
"{2EB81825-E9EE-44F4-8F51-1240C3898DC6}" = EPSON File Manager
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{353FE16B-30FE-469A-BF55-B978F4218003}" = iTunes
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{779DECD7-E072-4B56-9B6B-BEB5973EEEB5}" = MobileMe Control Panel
"{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page
"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8DAC1AE4-33D1-4A78-8A42-00E09EDECC3E}" = Camera RAW Plug-In for EPSON Creativity Suite
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{ABBD4BA8-6703-40D2-AB1E-5BB1F7DB49A4}" = Trend Micro Titanium Internet Security 2012
"{ABBD4BA9-6703-40D2-AB1E-5BB1F7DB49A4}" = Trend Micro Titanium
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.6
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B66E665A-DF96-4C38-9422-C7F74BC1B4E5}" = EPSON Easy Photo Print
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D92FF8EB-BD77-40AE-B68B-A6BFC6F8661D}" = Windows Live Family Safety
"{DAB5C521-80B2-48C3-B0DA-326A1B331F55}" = GoToAssist Corporate
"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe  1.4.124.1
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F31C2DA2-2CB7-AEAF-D16F-5D7C3F0C6D94}" = V-Drums Friend Jam
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"BT Broadband Desktop Help" = BT Broadband Desktop Help
"BTHomeHub" = BTHomeHub
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.roland.FriendJam" = V-Drums Friend Jam
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Stylus C90_91_D92 User’s Guide" = EPSON Stylus C90_91_D92 Manual
"GoToAssist" = GoToAssist Corporate
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Optimize Memory for Windows" = Optimize Memory for Windows
"RealPlayer 12.0" = RealPlayer
"TeamViewer 7" = TeamViewer 7
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Companion" = BT Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-515967899-1454471165-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 27/11/2011 13:50:32 | Computer Name = DAWN-321 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DAWN\MY DOCUMENTS\MY MUSIC\ITUNES\ITUNES
 LIBRARY.ITL> in the hash map cannot be updated.  Context:  Application, SystemIndex
 Catalog  Details:  A device attached to the system is not functioning.   (0x8007001f)

 
Error - 27/11/2011 13:50:32 | Computer Name = DAWN-321 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DAWN\MY DOCUMENTS\MY MUSIC\ITUNES\ITUNES
 LIBRARY.ITL> in the hash map cannot be updated.  Context:  Application, SystemIndex
 Catalog  Details:  A device attached to the system is not functioning.   (0x8007001f)

 
Error - 28/11/2011 17:23:04 | Computer Name = DAWN-321 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DAWN\MY DOCUMENTS\MY MUSIC\ITUNES\ITUNES
 LIBRARY EXTRAS.ITDB> in the hash map cannot be updated.  Context:  Application, SystemIndex
 Catalog  Details:  A device attached to the system is not functioning.   (0x8007001f)

 
Error - 28/11/2011 17:23:04 | Computer Name = DAWN-321 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DAWN\MY DOCUMENTS\MY MUSIC\ITUNES\ITUNES
 LIBRARY EXTRAS.ITDB> in the hash map cannot be updated.  Context:  Application, SystemIndex
 Catalog  Details:  A device attached to the system is not functioning.   (0x8007001f)

 
Error - 30/11/2011 12:45:14 | Computer Name = DAWN-321 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: The connection with the server was terminated abnormally 
 
Error - 30/11/2011 12:45:16 | Computer Name = DAWN-321 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This network connection does not exist. 
 
Error - 03/12/2011 18:22:12 | Computer Name = DAWN-321 | Source = Windows Live Messenger | ID = 1000
Description =
 
Error - 15/12/2011 20:00:26 | Computer Name = DAWN-321 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
 processing.  HRESULT was 800706BF from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
  Please contact Microsoft Product Support Services to report this erro
 
Error - 20/12/2011 19:53:44 | Computer Name = DAWN-321 | Source = Microsoft Office 11 | ID = 2000
Description = Accepted Safe Mode action : Microsoft Office Outlook.
 
Error - 24/12/2011 16:48:37 | Computer Name = DAWN-321 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\DAWN\DESKTOP\ATTK_ZACCESS_KATUSHA\TRENDMICRO
 ANTITHREAT TOOLKIT\HC_ATTK\V8CG6UB03420> in the hash map cannot be updated.  Context:
  Application, SystemIndex Catalog  Details:  A device attached to the system is not
 functioning.   (0x8007001f)
 
[ System Events ]
Error - 26/12/2011 13:57:46 | Computer Name = DAWN-321 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   Cdrom  Imapi  TfFsMon  TfSysMon
 
Error - 26/12/2011 14:03:15 | Computer Name = DAWN-321 | Source = Service Control Manager | ID = 7000
Description = The LogMeIn Rescue (64f4aa97-c861-4b8c-80cf-736d8eacc507) service
failed to start due to the following error:   %%2
 
Error - 26/12/2011 14:03:15 | Computer Name = DAWN-321 | Source = Service Control Manager | ID = 7000
Description = The LogMeIn Rescue (a8da63e7-3f18-4e19-b062-d02d8d19bdf5) service
failed to start due to the following error:   %%2
 
Error - 26/12/2011 14:03:20 | Computer Name = DAWN-321 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   Cdrom  Imapi  TfFsMon  TfSysMon
 
Error - 26/12/2011 17:24:10 | Computer Name = DAWN-321 | Source = Service Control Manager | ID = 7000
Description = The LogMeIn Rescue (64f4aa97-c861-4b8c-80cf-736d8eacc507) service
failed to start due to the following error:   %%2
 
Error - 26/12/2011 17:24:10 | Computer Name = DAWN-321 | Source = Service Control Manager | ID = 7000
Description = The LogMeIn Rescue (a8da63e7-3f18-4e19-b062-d02d8d19bdf5) service
failed to start due to the following error:   %%2
 
Error - 26/12/2011 17:24:21 | Computer Name = DAWN-321 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   Cdrom  Imapi  TfFsMon  TfSysMon
 
Error - 26/12/2011 17:55:37 | Computer Name = DAWN-321 | Source = Service Control Manager | ID = 7000
Description = The LogMeIn Rescue (64f4aa97-c861-4b8c-80cf-736d8eacc507) service
failed to start due to the following error:   %%2
 
Error - 26/12/2011 17:55:37 | Computer Name = DAWN-321 | Source = Service Control Manager | ID = 7000
Description = The LogMeIn Rescue (a8da63e7-3f18-4e19-b062-d02d8d19bdf5) service
failed to start due to the following error:   %%2
 
Error - 26/12/2011 17:55:44 | Computer Name = DAWN-321 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   Cdrom  Imapi  TfFsMon  TfSysMon
 
 
< End of report >

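An added example, not part of this thread and not OTL's own code: a short Python script that pulls the three most useful things out of an OTL / OTL Extras log like the ones posted above (the "< MD5 for: ... >" blocks, the firewall Authorized Applications List and the Alternate Data Streams section) and returns what an analyst would eyeball first. The sample input is constructed from lines copied from the logs in this thread plus one synthetic EXAMPLE.EXE block (not in the real log) so that the hash-mismatch branch runs; the three heuristics (live copy hashing differently from the ServicePackFiles\i386 original, enabled firewall exceptions for binaries in Temp or Temporary Internet Files, exceptions with no vendor attribution) are my own, not something OTL or the helper in this thread applies.

```python
"""Triage of OTL log sections (added example, not OTL's own code)."""
import re

# Sample input, constructed for this example: lines copied from the logs in
# this thread plus one synthetic '< MD5 for: EXAMPLE.EXE >' block (not in the
# real log) so that the hash-mismatch branch is actually exercised.
SAMPLE_LOG = r"""
< MD5 for: USERINIT.EXE  >
[2006/02/28 12:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/14 00:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 00:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: EXAMPLE.EXE  >
[2008/04/14 00:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\ServicePackFiles\i386\example.exe
[2011/12/01 00:00:00 | 000,026,112 | ---- | M] () MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\WINDOWS\system32\example.exe

========== Authorized Applications List ==========
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\1GW2CMHR\Spybot-Spyware-Doctor-Install[1].exe" = C:\Documents and Settings\Dawn\Local Settings\Temporary Internet Files\Content.IE5\1GW2CMHR\Spybot-Spyware-Doctor-Install[1].exe:*:Enabled:RegNow Download Manager
"C:\Documents and Settings\Dawn\Local Settings\Temp\7zS9A.tmp\Setup.exe" = C:\Documents and Settings\Dawn\Local Settings\Temp\7zS9A.tmp\Setup.exe:*:Enabled:Trend Micro HouseCall Launcher
"C:\Program Files\TeamViewer\Version7\TeamViewer.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"C:\Gotcha\ComboFix-Download.3XE" = C:\Gotcha\ComboFix-Download.3XE:*:Enabled:ComboFix-Download

========== Alternate Data Streams ==========
@Alternate Data Stream - 24 bytes -> C:\WINDOWS:0B9926B101DF72B8
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
"""

MD5_HEADER_RE = re.compile(r'^< MD5 for: (?P<name>\S+)\s*>$')
MD5_LINE_RE = re.compile(r'MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+?)\s*$')
FW_LINE_RE = re.compile(r'^"[^"]+" = (?P<path>.+?):\*:(?P<state>Enabled|Disabled):'
                        r'(?P<desc>.*?)(?: -- \((?P<vendor>[^)]*)\))?\s*$')
ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+?)\s*$')
# Copies OTL lists alongside the live binary: service-pack originals, hotfix
# backups and the SFC cache. Anything else is treated as the live copy.
BACKUP_DIRS = ('\\servicepackfiles\\', '\\$ntservicepackuninstall$\\',
               '\\$ntuninstall', '\\$hf_mig$\\', '\\dllcache\\')
# Heuristic (mine, not OTL's): an *enabled* firewall exception for a binary in
# a temp directory, or with no vendor attribution, deserves a second look.
VOLATILE_DIRS = ('\\local settings\\temp\\', '\\temporary internet files\\')


def parse_md5_sections(text):
    """Return {BINARY: [(path, md5), ...]} for each '< MD5 for: BINARY >' block."""
    sections, current = {}, None
    for line in text.splitlines():
        header = MD5_HEADER_RE.match(line)
        if header:
            current = header.group('name').upper()
            sections[current] = []
        elif line.startswith('=========='):
            current = None          # a new OTL section ends the MD5 blocks
        elif current:
            hit = MD5_LINE_RE.search(line)
            if hit:
                sections[current].append((hit.group('path'), hit.group('md5').upper()))
    return sections


def live_copy_mismatches(sections):
    """Binaries whose live copy hashes differently from the ServicePackFiles
    original. Later hotfixes legitimately cause this too, so verify the live
    file (signature, KB article) rather than assuming tampering."""
    flagged = []
    for name, entries in sections.items():
        live = {m for p, m in entries if not any(d in p.lower() for d in BACKUP_DIRS)}
        ref = {m for p, m in entries if '\\servicepackfiles\\i386\\' in p.lower()}
        if live and ref and not (live & ref):
            flagged.append(name)
    return sorted(flagged)


def suspicious_firewall_exceptions(text):
    """[(path, [reasons])] for enabled exceptions in VOLATILE_DIRS or with no vendor."""
    out = []
    for line in text.splitlines():
        hit = FW_LINE_RE.match(line)
        if not hit or hit.group('state') != 'Enabled':
            continue
        path, reasons = hit.group('path'), []
        if any(d in path.lower() for d in VOLATILE_DIRS):
            reasons.append('temp-dir')
        if not hit.group('vendor'):
            reasons.append('no-vendor')
        if reasons:
            out.append((path, reasons))
    return out


def alternate_data_streams(text):
    """[(host path, stream name, bytes)] for every ADS line OTL reported."""
    out = []
    for line in text.splitlines():
        hit = ADS_RE.match(line)
        if hit:
            host, stream = hit.group('target').rsplit(':', 1)
            out.append((host, stream, int(hit.group('size'))))
    return out


def triage(text=SAMPLE_LOG):
    return {'md5_mismatch': live_copy_mismatches(parse_md5_sections(text)),
            'firewall': suspicious_firewall_exceptions(text),
            'ads': alternate_data_streams(text)}
```

Call triage() with the full log text and read the dict. Against the real logs above, the live userinit, winlogon, svchost and explorer copies hash the same as their ServicePackFiles\i386 originals, so nothing is flagged there; what does come out is the set of enabled exceptions for installers run out of Temp and Temporary Internet Files, plus the two alternate data streams on C:\WINDOWS and the All Users TEMP folder, which is a reasonable place to start reading.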
Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [InActive K] I get redirected and disk space filling quickly
« Reply #14 on: December 26, 2011, 04:45:11 PM »
I'd like to see a screenshot of your disk partition layout. Do the following:

Select Start > right click on "My Computer" > select Manage > Disk Management. You should now see your disk partition layout. Press these keys together: Ctrl Alt Prt Sc/SysRq. Open Paint from your Accessories folder, right click into the open space and select Paste. Save that as a JPEG, not a bitmap, and attach it to your next reply...

You may have to put your cursor on the right-hand side of the partition window, hold with the left mouse button and drag to the right to extend the window. I've attached an example of what I'd like to see; this is just an example, yours may be totally different...