zygis
2010-01-07, 20:30
Hello,
Well today i was trying to reformat my pc, got 1 partition with 20 gb with some programs and stuff i use and other 280gb are free and basically i downloaded AntiVir to do system scan and i got few errors, 1 of em was A0001406.exe and A000152.exe both were in D:\SystemVolumeInformation\.
I googl'd it a bit and found some topic with instruction how to fix it with ComboFix, i did it it worked fine etc but when i reinstalled AntiVir and did a check again the Errors were still there.
My HijackLog, empty coz i just installed freshly new windows Xp sp2 without any programs and drivers.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:29 PM, on 1/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
--
End of file - 2000 bytes
-------------
My ComboFix log thingy:
ComboFix 10-01-04.01 - ZYGiS 01/07/2010 19:57:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2029.1686 [GMT -8:00]
Running from: c:\documents and settings\ZYGiS\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 03:53 . 2010-01-08 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-08 03:51 . 2010-01-08 03:51 12328 ----a-w- c:\documents and settings\ZYGiS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-08 03:19 . 2010-01-08 03:19 -------- d-----w- c:\program files\microsoft frontpage
2010-01-08 03:19 . 2010-01-08 03:19 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-08 03:17 . 2010-01-08 03:17 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2005-05-16 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 19:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-01-07 19:58:27
ComboFix-quarantined-files.txt 2010-01-08 03:58
Pre-Run: 185,152,753,664 bytes free
Post-Run: 185,133,760,512 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 8E240DD1DF1C867CB33EDC152280B742
All i want to do is just clean everything up, keep my 1 partition and reinstall another new fresh windows.
Thanks for any help, Zygis.
=====================
Edit
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Do NOT run 'FIXES' (ComboFix etc) without being asked (http://forums.spybot.info/showthread.php?t=16806 )
Well today i was trying to reformat my pc, got 1 partition with 20 gb with some programs and stuff i use and other 280gb are free and basically i downloaded AntiVir to do system scan and i got few errors, 1 of em was A0001406.exe and A000152.exe both were in D:\SystemVolumeInformation\.
I googl'd it a bit and found some topic with instruction how to fix it with ComboFix, i did it it worked fine etc but when i reinstalled AntiVir and did a check again the Errors were still there.
My HijackLog, empty coz i just installed freshly new windows Xp sp2 without any programs and drivers.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:29 PM, on 1/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
--
End of file - 2000 bytes
-------------
My ComboFix log thingy:
ComboFix 10-01-04.01 - ZYGiS 01/07/2010 19:57:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2029.1686 [GMT -8:00]
Running from: c:\documents and settings\ZYGiS\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 03:53 . 2010-01-08 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-08 03:51 . 2010-01-08 03:51 12328 ----a-w- c:\documents and settings\ZYGiS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-08 03:19 . 2010-01-08 03:19 -------- d-----w- c:\program files\microsoft frontpage
2010-01-08 03:19 . 2010-01-08 03:19 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-08 03:17 . 2010-01-08 03:17 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2005-05-16 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 19:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-01-07 19:58:27
ComboFix-quarantined-files.txt 2010-01-08 03:58
Pre-Run: 185,152,753,664 bytes free
Post-Run: 185,133,760,512 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 8E240DD1DF1C867CB33EDC152280B742
All i want to do is just clean everything up, keep my 1 partition and reinstall another new fresh windows.
Thanks for any help, Zygis.
=====================
Edit
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Do NOT run 'FIXES' (ComboFix etc) without being asked (http://forums.spybot.info/showthread.php?t=16806 )