cant remove trojan cyclers in any mode :-( please help

[lucie87]

I have aquired a trojan cycler virus known as mebroot in nod32 and i cant get rid of it! I have scanned nod32 which says a restart is needed but it comes back after the restart, and nod32 wont scan in safe mode.

I have got firefoxes bit defender which also finds it but cant remove it and wont run in safe mode.

I have downloaded nod32 specific removal kit for it which says the rootkit cannot be removed and wont run in safe mode.

It is smss.exe and i have tried ending the process through task manager in normal and safe mode but it wont as it is a critical process, and i have run malwarebytes (free version) in both modes but it cannot delete it in either modes and comes right back at restart.

Soo, im at a complete loss now, i dont have a memory stick or cd writer drive so i cant back up my files so i dont really want to wipe it if possible, plus i dont have a windows disk.

Does anyone have any suggestions? in malwarebytes the results come up with 4 infected files, system volume information\microsoft\services.exe and system volume information\microsoft\smss.exe one each as a file, and one each in the memory.

Thanks

[piano9playa5]

Hello, welcome to MalwareBytes' forums.

It looks like you've acquired one of the more recent infections. It can be a real bugger to remove.

What is the make and model of your computer? Does it have an recovery partition, or boot multiple OS's?

Download Bootkit remover to your Desktop.

This is a .rar file. If you do not have a program to open it then download and install Peazip

• Extract Remover to your desktop
  
• Double-click Remover to run it (Vista users right-click and select Run as Administrator)
  
• It will show a Black screen with some data on it
  
• Right click on the screen and click Select All
  
• Press Ctrl+C (on keyboard) to copy the data
  
• Open a notepad and press Ctrl+V to paste the data
  

Please copy\paste the contents of Notepad here for me to review.

[lucie87]

Hello, welcome to MalwareBytes' forums.

It looks like you've acquired one of the more recent infections. It can be a real bugger to remove.

What is the make and model of your computer? Does it have an recovery partition, or boot multiple OS's?

Download Bootkit remover to your Desktop.

This is a .rar file. If you do not have a program to open it then download and install Peazip

• Extract Remover to your desktop
  
• Right click Remover and select Run as Administrator
  
• It will show a Black screen with some data on it
  
• Right click on the screen and click Select All
  
• Press Ctrl+C (on keyboard) to copy the data
  
• Open a notepad and press Ctrl+V to paste the data
  

Please copy\paste the contents of Notepad here for me to review.

Hi, thanks for your reply

I have an IBM T43 and i dont think it has a recovery partition, it has the access IMB button which i had to use last time to wipe it but i had an external cd rewriter then so i could back up all my stuff, but i cant back anything up this tme so i would rather try and rescue it somehow.

I have downloaded peazip and the remover however i cant set it to run as administrator as i dont know the administrator password i cant remember what is was!! i will keep trying.

Thanks

[lucie87]

Actually, i misread it, i am not a vista user i have xp, i have run it but i cant copy it because as soon as i strike a key it ends it!!

[lucie87]

oh, i did it wrong....

this is what it came up with

Bootkit Remover version 1.0.0.1

© 2009 eSage Lab

www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0

MD5: 33651d4929a84a7ab9d65c115ce1bdc0

Size Device Name MBR Status

--------------------------------------------

37 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.

To inspect the boot code manually, dump the master boot sector:

remover.exe dump <device_name> [output_file]

To disinfect the master boot sector, use the following command:

remover.exe fix <device_name>

Press any key to quit...

sorry, ive been sat at my laptop for ages, my head is fried!

[piano9playa5]

It's alright.

It should be a straight forward fix from here.

Step ? One

• Go to Start > All Programs > Accessories > Notepad
  
• Please Copy\Paste the following to notepad:
  

  @ECHO OFF
  START remover.exe fix \\.\PhysicalDrive0
  EXIT

  
  

• Go to File > Save As:
  • On the Save In: click on the drop-down menu and select Desktop
    
  • In File Name: type in Fixup.bat
    
  • In Save as Type: use the drop-down menu to change it to All Files
    
  • Click Save
    

  [*]Close Notepad

  [*]Double-Click on Fixup

  [*]A black window will briefly flash on the screen. This is normal.

Once that bit has been completed:

Run Remover exactly as you did previously, copying the data afterward, and post the results back here for me to review.

Step ? Two

Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• Under the Custom Scans/Fixes box at the bottom, paste in the following:
  C:\System Volume Information\Microsoft\smss.exe
  
  
  C:\System Volume Information\Microsoft\services.exe

  
  

• Then click the Quick Scan button at the top. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
    

Logs&Info

Remember to post back the following logs:

1. Bootkit Remover Results
   
2. OTL.txt
   
3. Extras.txt
   

[lucie87]

ok i have done that,

bootkit log was

Bootkit Remover version 1.0.0.1

© 2009 eSage Lab

www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0

MD5: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status

--------------------------------------------

37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Press any key to quit...

otl.txt was

OTL logfile created on: 30/06/2010 19:10:42 - Run 1

OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\vicki\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 564.00 Mb Available Physical Memory | 55.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 33.16 Gb Total Space | 5.48 Gb Free Space | 16.53% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: IBM-692B5480E34

Current User Name: vicki

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/30 18:51:52 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\vicki\Desktop\OTL.exe

PRC - [2010/03/24 20:31:50 | 000,810,120 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe

PRC - [2010/03/24 20:31:00 | 002,145,000 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe

PRC - [2009/10/30 05:48:36 | 000,306,296 | ---- | M] (Sony Ericsson Mobile Communications) -- C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe

PRC - [2009/10/30 05:48:36 | 000,162,936 | ---- | M] (Sony Ericsson Mobile Communications) -- C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe

PRC - [2009/09/24 23:41:58 | 000,434,176 | ---- | M] (Sony Ericsson Mobile Communications AB) -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

PRC - [2009/08/24 14:30:10 | 000,386,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe

PRC - [2009/04/30 21:23:26 | 000,090,112 | ---- | M] () -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

PRC - [2008/10/10 00:32:56 | 000,014,336 | ---- | M] (Vodafone) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

PRC - [2005/04/27 19:09:46 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

PRC - [2005/04/27 17:53:08 | 000,090,112 | ---- | M] (IBM Corp.) -- C:\IBMTOOLS\utils\ibmprc.exe

PRC - [2005/04/05 23:14:34 | 000,106,496 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\TpShocks.exe

PRC - [2005/04/04 20:43:32 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

PRC - [2005/03/25 00:20:34 | 000,086,016 | ---- | M] (IBM Corporation) -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

PRC - [2005/03/23 10:11:00 | 000,217,088 | ---- | M] (IBM Corp.) -- C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE

PRC - [2005/03/18 11:07:00 | 000,745,472 | ---- | M] (IBM Corp.) -- C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

PRC - [2005/03/18 11:07:00 | 000,086,016 | ---- | M] (IBM Corp.) -- C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

PRC - [2005/03/18 11:07:00 | 000,077,824 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\QCONSVC.EXE

PRC - [2005/02/18 15:05:30 | 000,360,521 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

PRC - [2005/02/18 15:03:38 | 000,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

PRC - [2005/02/18 15:02:24 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

PRC - [2004/11/08 19:17:56 | 000,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

PRC - [2004/11/05 09:30:00 | 000,057,344 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe

PRC - [2004/10/14 17:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

PRC - [2004/09/07 00:03:52 | 000,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

PRC - [2004/08/06 10:10:00 | 000,442,368 | ---- | M] (IBM) -- C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

PRC - [2004/08/04 13:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2004/05/24 18:25:04 | 000,077,824 | ---- | M] (IBM Corporation) -- C:\WINDOWS\system32\TPHDEXLG.exe

PRC - [2003/10/29 11:06:00 | 000,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe

PRC - [2003/07/12 02:19:22 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe

PRC - [2002/09/20 22:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

PRC - [2002/08/30 12:02:58 | 002,392,064 | ---- | M] (TLC Education Properties LLC) -- C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\MiniMavis.exe

========== Modules (SafeList) ==========

MOD - [2010/06/30 18:51:52 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\vicki\Desktop\OTL.exe

MOD - [2004/11/08 19:17:50 | 000,065,536 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll

MOD - [2004/08/04 13:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

MOD - [2004/08/04 13:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

MOD - [2002/08/14 11:08:40 | 000,118,784 | ---- | M] (Broderbund) -- C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\KeyHook.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/03/24 20:39:48 | 000,033,560 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)

SRV - [2010/03/24 20:31:50 | 000,810,120 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)

SRV - [2009/10/30 05:48:36 | 000,306,296 | ---- | M] (Sony Ericsson Mobile Communications) [Auto | Running] -- C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe -- (EmmaDevMgmtSvc)

SRV - [2009/10/30 05:48:36 | 000,162,936 | ---- | M] (Sony Ericsson Mobile Communications) [Auto | Running] -- C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe -- (EmmaUpdMgmtSvc)

SRV - [2009/08/06 22:46:16 | 000,032,256 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)

SRV - [2009/04/30 21:23:26 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)

SRV - [2008/10/10 00:32:56 | 000,014,336 | ---- | M] (Vodafone) [Auto | Running] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)

SRV - [2005/04/27 19:09:46 | 000,385,024 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe -- (IBM Rapid Restore Ultra Service)

SRV - [2005/03/18 11:07:00 | 000,077,824 | ---- | M] (IBM Corp.) [Auto | Running] -- C:\WINDOWS\system32\QCONSVC.EXE -- (QCONSVC)

SRV - [2005/02/18 15:05:30 | 000,360,521 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)

SRV - [2005/02/18 15:03:38 | 000,086,016 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)

SRV - [2005/02/18 15:02:24 | 000,139,264 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)

SRV - [2004/11/05 09:30:00 | 000,057,344 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)

SRV - [2004/05/24 18:25:04 | 000,077,824 | ---- | M] (IBM Corporation) [Auto | Running] -- C:\WINDOWS\system32\TPHDEXLG.exe -- (TPHDEXLGSVC)

SRV - [2003/07/12 02:19:22 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)

SRV - [2002/09/20 22:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))

========== Driver Services (SafeList) ==========

DRV - [2010/03/24 20:33:50 | 000,055,232 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)

DRV - [2010/03/24 20:33:50 | 000,032,584 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)

DRV - [2010/03/24 20:33:46 | 000,134,488 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)

DRV - [2010/03/24 20:31:06 | 000,114,984 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)

DRV - [2010/03/24 20:23:52 | 000,139,192 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)

DRV - [2010/02/11 12:08:25 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)

DRV - [2009/11/27 16:56:29 | 000,025,512 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggsemc.sys -- (ggsemc)

DRV - [2009/11/27 16:56:29 | 000,013,224 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggflt.sys -- (ggflt)

DRV - [2009/08/06 22:46:16 | 000,013,184 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)

DRV - [2009/03/26 02:48:00 | 000,114,728 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdm.sys -- (s1018mdm)

DRV - [2009/03/26 02:48:00 | 000,109,864 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018unic.sys -- (s1018unic) Sony Ericsson Device 1018 USB Ethernet Emulation (WDM)

DRV - [2009/03/26 02:48:00 | 000,106,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mgmt.sys -- (s1018mgmt) Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM)

DRV - [2009/03/26 02:48:00 | 000,104,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018obex.sys -- (s1018obex)

DRV - [2009/03/26 02:48:00 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018bus.sys -- (s1018bus) Sony Ericsson Device 1018 driver (WDM)

DRV - [2009/03/26 02:48:00 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018nd5.sys -- (s1018nd5) Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS)

DRV - [2009/03/26 02:48:00 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdfl.sys -- (s1018mdfl)

DRV - [2008/10/21 19:22:48 | 000,114,600 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mdm.sys -- (s0017mdm)

DRV - [2008/10/21 19:22:48 | 000,109,736 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017unic.sys -- (s0017unic) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM)

DRV - [2008/10/21 19:22:48 | 000,108,328 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mgmt.sys -- (s0017mgmt) Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM)

DRV - [2008/10/21 19:22:48 | 000,104,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017obex.sys -- (s0017obex)

DRV - [2008/10/21 19:22:48 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017bus.sys -- (s0017bus) Sony Ericsson Device 0017 driver (WDM)

DRV - [2008/10/21 19:22:48 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017nd5.sys -- (s0017nd5) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS)

DRV - [2008/10/21 19:22:48 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0017mdfl.sys -- (s0017mdfl)

DRV - [2008/07/04 23:33:40 | 000,101,120 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)

DRV - [2008/03/22 22:37:20 | 000,113,896 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\keyscrambler.sys -- (KeyScrambler)

DRV - [2008/01/09 20:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\seehcri.sys -- (seehcri)

DRV - [2005/05/17 10:34:00 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)

DRV - [2005/05/11 06:07:44 | 001,133,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2005/04/27 18:27:34 | 000,063,616 | ---- | M] (IBM) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ibmfilter.sys -- (ibmfilter)

DRV - [2005/04/27 17:16:46 | 000,005,427 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\egathdrv.sys -- (EGATHDRV)

DRV - [2005/04/22 00:44:54 | 000,014,336 | ---- | M] (National Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nsctpm11.sys -- (TPM11)

DRV - [2005/04/13 09:01:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)

DRV - [2005/03/18 11:07:00 | 000,012,288 | ---- | M] (IBM Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcndisif.sys -- (QCNDISIF)

DRV - [2005/03/18 11:07:00 | 000,011,520 | ---- | M] (IBM Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ANC.sys -- (ANC)

DRV - [2005/03/18 11:07:00 | 000,002,432 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS -- (IBMTPCHK)

DRV - [2005/03/18 00:30:10 | 000,132,608 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)

DRV - [2005/02/14 16:00:10 | 003,255,168 | ---- | M] (Intel

[lucie87]

and the extras was

OTL Extras logfile created on: 30/06/2010 19:10:42 - Run 1

OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\vicki\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 564.00 Mb Available Physical Memory | 55.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 33.16 Gb Total Space | 5.48 Gb Free Space | 16.53% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: IBM-692B5480E34

Current User Name: vicki

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [Add to archive] -- "C:\Program Files\PeaZip\PEAZIP.EXE" "-add2multi" "%1" (Giorgio Tani)

Directory [browse path with PeaZip] -- "C:\Program Files\PeaZip\PEAZIP.EXE" "-ext2browsepath" "%1" (Giorgio Tani)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- File not found

"C:\Program Files\Kodak\Digital Display\KodakDigitalDisplaySoftware.exe" = C:\Program Files\Kodak\Digital Display\KodakDigitalDisplaySoftware.exe:*:Enabled:Kodak Digital Display Software -- File not found

"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\Sony Ericsson\SEMC OMSI Module\SEMC OMSI Module.exe" = C:\Program Files\Sony Ericsson\SEMC OMSI Module\SEMC OMSI Module.exe:*:Enabled:SEMC OMSI Module -- ()

"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{0873B1A3-00A9-40D6-BACE-3DB4BC5DA840}" = IBM SATA Power Management Driver

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{1007F41F-7D69-468E-8017-3849A5A973C2}" = IBM ThinkVantage Technologies Welcome Message

"{11783F13-C3A9-44A8-929B-21A476F65272}" = IBM Rescue and Recovery with Rapid Restore

"{11D3D948-2789-2E3D-03D7-282B537D8C01}" = BBC iPlayer Desktop

"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = IBM ThinkPad EasyEject Utility

"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = IBM ThinkPad Keyboard Customizer Utility

"{22B71A00-4DED-11D4-A5E5-0004AC564F43}" = IBM Access Connections

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe

"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java 6 Update 13

"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver

"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite 6.009.00

"{34BDF3BF-AA61-42E7-8818-C16A304910FC}" = Emma Core

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform

"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION

"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker

"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant

"{5A2BC38A-406C-4A5B-BF45-6991F9A05325}_is1" = PeaZip 3.2

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6CE96A14-61E2-48CC-837E-22710A953ADE}" = IBM Themes

"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore

"{72806716-7088-41B2-8FA6-717A2A164DAB}" = IBM Active Protection System

"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials

"{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}" = IBM ThinkPad UltraNav Wizard

"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player

"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr

"{8F55B163-7B42-42A3-9307-C7FCB9655225}" = PC-Doctor for Windows

"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9516A4F3-A620-4C4B-B17C-750C6B87AF4B}" = ESET Smart Security

"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML

"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = IBM ThinkPad Power Manager

"{A1F2EF0E-1EE5-4F0B-8A31-EE875EBD3F01}" = Mavis Beacon Teaches Typing 15

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime

"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger

"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder

"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0

"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder

"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter

"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C656142F-EFE1-44CD-BFAD-6CBC6DCB9860}" = Vodafone Mobile Connect Lite

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes

"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1

"{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2

"{EA664480-3844-11D5-8C25-444553540000}" = IBM TrackPoint Accessibility Features

"{EC6AF20D-4376-4070-BEE4-D3A0DFF7E140}" = Access IBM

"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX

"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F386C340-DF4B-4BBA-9503-420FB7EDB395}" = Wallpapers

"{F413B3A4-EE5D-457C-BAE5-6E58D9589ED5}" = Access IBM Message Center

"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call

"{FC081D4D-DF1B-4CF1-B530-027E4118D846}" = IBM ThinkPad Configuration

"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"All ATI Software" = ATI - Software Uninstall Utility

"ATI Display Driver" = ATI Display Driver

"BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1" = BBC iPlayer Desktop

"BitTorrent" = BitTorrent

"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = IBM Integrated 56K Modem

"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters

"FrostWire" = FrostWire 4.20.3

"ie8" = Windows Internet Explorer 8

"InstallShield_{8F55B163-7B42-42A3-9307-C7FCB9655225}" = PC-Doctor for Windows

"InstallShield_{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2

"KeyScrambler" = KeyScrambler

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"Power Management Driver" = IBM ThinkPad Power Management Driver

"Presentation Director" = IBM ThinkPad Presentation Director

"ProInst" = Intel® PROSet/Wireless Software

"SEMC OMSI Module" = SEMC OMSI Module

"SynTPDeinstKey" = IBM ThinkPad UltraNav Driver

"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier

"ThinkPadSoftwareInstaller" = Software Installer

"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

"WIC" = Windows Imaging Component

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"WinLiveSuite_Wave3" = Windows Live Essentials

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 29/06/2010 09:59:01 | Computer Name = IBM-692B5480E34 | Source = VMCService | ID = 0

Description = conflictManagerTypeValue

Error - 29/06/2010 10:33:09 | Computer Name = IBM-692B5480E34 | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting

module unknown, version 0.0.0.0, fault address 0x016f204d.

Error - 29/06/2010 10:54:29 | Computer Name = IBM-692B5480E34 | Source = VMCService | ID = 0

Description = conflictManagerTypeValue

Error - 29/06/2010 11:56:09 | Computer Name = IBM-692B5480E34 | Source = VMCService | ID = 0

Description = conflictManagerTypeValue

Error - 29/06/2010 12:00:13 | Computer Name = IBM-692B5480E34 | Source = VMCService | ID = 0

Description = conflictManagerTypeValue

Error - 30/06/2010 05:42:14 | Computer Name = IBM-692B5480E34 | Source = VMCService | ID = 0

Description = conflictManagerTypeValue

Error - 30/06/2010 13:42:13 | Computer Name = IBM-692B5480E34 | Source = VMCService | ID = 0

Description = conflictManagerTypeValue

Error - 30/06/2010 13:45:21 | Computer Name = IBM-692B5480E34 | Source = VMCService | ID = 0

Description = conflictManagerTypeValue

Error - 30/06/2010 13:49:21 | Computer Name = IBM-692B5480E34 | Source = VMCService | ID = 0

Description = conflictManagerTypeValue

Error - 30/06/2010 14:05:26 | Computer Name = IBM-692B5480E34 | Source = Application Hang | ID = 1002

Description = Hanging application OTL.exe, version 3.2.7.0, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

[ System Events ]

Error - 30/06/2010 05:42:16 | Computer Name = IBM-692B5480E34 | Source = Service Control Manager | ID = 7023

Description = The Client Service for NetWare service terminated with the following

error: %%2

Error - 30/06/2010 08:55:11 | Computer Name = IBM-692B5480E34 | Source = atapi | ID = 262153

Description = The device, \Device\Ide\IdePort0, did not respond within the timeout

period.

Error - 30/06/2010 11:25:09 | Computer Name = IBM-692B5480E34 | Source = atapi | ID = 262153

Description = The device, \Device\Ide\IdePort0, did not respond within the timeout

period.

Error - 30/06/2010 13:36:42 | Computer Name = IBM-692B5480E34 | Source = atapi | ID = 262153

Description = The device, \Device\Ide\IdePort0, did not respond within the timeout

period.

Error - 30/06/2010 13:42:17 | Computer Name = IBM-692B5480E34 | Source = Service Control Manager | ID = 7000

Description = The NWLink IPX/SPX/NetBIOS Compatible Transport Protocol service failed

to start due to the following error: %%87

Error - 30/06/2010 13:42:17 | Computer Name = IBM-692B5480E34 | Source = Service Control Manager | ID = 7023

Description = The Client Service for NetWare service terminated with the following

error: %%2

there seems to be alot of errors there....is that normal?

Error - 30/06/2010 13:45:22 | Computer Name = IBM-692B5480E34 | Source = Service Control Manager | ID = 7000

Description = The NWLink IPX/SPX/NetBIOS Compatible Transport Protocol service failed

to start due to the following error: %%87

Error - 30/06/2010 13:45:22 | Computer Name = IBM-692B5480E34 | Source = Service Control Manager | ID = 7023

Description = The Client Service for NetWare service terminated with the following

error: %%2

Error - 30/06/2010 13:49:19 | Computer Name = IBM-692B5480E34 | Source = Service Control Manager | ID = 7000

Description = The NWLink IPX/SPX/NetBIOS Compatible Transport Protocol service failed

to start due to the following error: %%87

Error - 30/06/2010 13:49:19 | Computer Name = IBM-692B5480E34 | Source = Service Control Manager | ID = 7023

Description = The Client Service for NetWare service terminated with the following

error: %%2

< End of report >

[piano9playa5]

Hello,

That was beautifully done on your part.

I`ve never seen a log that hasn`t had that many errors. So yes, it`s normal.

How`s the computer running now? Any problems?

Please open Malwarebytes' Anti-Malware.

• Click the Update tab, and then click Check for Updates.
  
• After updating, click the Scanner tab.
  
• Select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

[lucie87]

malwarebytes scan

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4253

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

30/06/2010 19:33:14

mbam-log-2010-06-30 (19-33-14).txt

Scan type: Quick scan

Objects scanned: 143327

Time elapsed: 8 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

all clean :-) i also didnt believe it since it has been causing so many problems so i scanned with nod32 as well and that came back all clean too, no restart required for any (i think between them they got rid of everything except the system volume ones before so its all good)

thank you so much for all your help! i really thought i was never going to get rid of it!! i cant thank you enough

is there a way i can delete my log posts from this thread by the way? just so all my files arnt kept on?

And thank you again

[piano9playa5]

No problem

The logs on the forums shouldn`t matter. There are hundreds of thousands of logs floating around. This topic will get burried under them shortly. If it`s really bothering you, I can request it be deleted. (I don`t have the moderation powers to do so myself)

You're in the All Clear! Here are a few cleanup procedures that are a must after malware removal. Also, I have a few program recommendations I like to suggest.

System Restore

System Restore creates snapshots of your computer, called Restore Points, so that in the event something goes wrong, you can restore your computer to an earlier date. Viruses would have gotten got in the Restore Point snapshots also and can reinfect you if you restore to an infected date. Clearing the Restore Points and making a new one is essential after removal:

• Open OTL.
  
• Under the Custom Scans/Fixes box at the bottom, paste in the following:
  

  :commands
  [CLEARALLRESTOREPOINTS]

  
  

• Then click the Run Fix button at the top.
  
• You may or may not be asked to reboot. In any case, I don't need the log that follows.
  

Removal of Removal-Tools

This is to make sure that tools that any powerful tools we used aren't left behind and to make sure that if you ever get reinfected, you will download all the most recent tools.

• Open OTL.
  
• In the top right corner will be a button called "Clean Up!"; click it.
  
• Follow any prompts, and reboot when prompted.
  
• OTL will be gone on startup also. Delete any logs or leftover tools manually.
  

Windows Updates

You should visit Windows Update about once a month, to receive Security Fixes, Hot Fixes and Service Packs. These are all important to fix things like bugs to vulnerabilities which could lead to infection.

Go to Tools > Windows Update, within Internet Explorer

• Click Express. It will check for updates for your computer.
  
• Click Install Updates. A windows should pop up giving the status of each update.
  
• Reboot when prompted.
  

If you're feeling lazy you can turn on Automatic Updates which will do the work for you.

• Click Start, then Control Panel
  
• Click Automatic Updates
  
• Check Automatic (Recommended)
  
• Ok your way out.
  

More information about Windows Updates and clear configuration instructions can be found here.

Prevention Programs and Practices

• Two AntiSpyware \ AntiMalware programs that are effective, easy to use, and free. A weekly scanning with one or both of these tools can be very useful in preventing\removing a wide variety of infections. I strongly recommend these products:
  • MalwareBytes' Anti-Malware
    
  • SUPERantispyware
    

  [*]The following are two alternative web-browsers. Both are great choices (And can be installed and used with Internet Explorer still present!) You may wish to experiment with the two, to decide which you prefer.

  • Firefox
    
  • Opera
    

  [*]Cleans out temporary files safely and effective. It does not clean out URL history, prefetch, or cookies.

  • TFC - Temp File Cleaner
    

  [*]Keep your programs and applications up to date. This is important, not only for content, but for vulnerability-fixes. Here are a few you should definitely keep up-to-date if you have them:

  • Java
    
  • Adobe Reader
    
  • Adobe Flash Player
    

Glad I could help, piano9playa5 :cheers:

[lucie87]

ahh ok, if they cant be linked to my comp its ok. I already have firefox thats how i noticed the virus as they opened in internet explorer, but i am funny about what free downloads i use as there are so many fakes but i have malwarebytes and i will try superantispyware if that is good and safe.

And i will go through all the clear up steps and updates etc. thank you much again. I shall be recomending malwarebytes to everyone!

[lucie87]

Also one last question, i didnt have system restore to start with, the last time it got a virus ages ago i turned it off, is it a good idea to turn it on? i only turned it off as i knew viruses could sneak into them?

[lucie87]

aaaand, windows update wants me to install service pack 3, should i do this? i didnt think that was an update, i thought you had to download it specifically?

[piano9playa5]

I wouldn't recommend something to you if it were a scam or virus. But do use some caution with what programs you download.

System Restore is incredibly useful if you ever need to rollback your computer to an earlier time. There are many reasons you may have to do this. I'd say that if you use good judgment on what you download and everything, that the benefits of being able to restore your computer outweighs the risk of an infection hiding out in there.

[piano9playa5]

Didn't catch that last post...

I would say yes. It includes all previous updates and hot fixes if you missed any, and also addresses many new issues itself.

[lucie87]

I knew you would recomend something that wasnt safe i meant me personally i wouldnt have downloaded if you hadnt recomended it as i have never heard of it, but i shall be doing since i know for definate it is ok.

Well i shall leave you in peace now, thanks once again for all your help

[piano9playa5]

No problem.

[screen317]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!