Rootkit or Malware infection

Royville · Sep 30, 2009

Hello all,
Please can someone help me?
I think I unintentionally downloaded a rootkit or some other malware to my Laptop. Now I'm stuck and don't know what to do to rid it from my computers.
Last Friday I downloaded a file that I thought was a free piece of software (Yep,- I should have known better!).
When I clicked on it to install, nothing happened at first, then the file just seemed to disappear. Next my firewall (outpost) crashed, then avast started showing a strange ('Yellow') advert to upgrade. I have since installed Sunbelts firewall and vipre antivirus.
Also (I feel such a fool!) I transfered the file to my PC via USB Stick and think both my computers may be affected.
Now if that wasn't enough, I'm 'really' sorry, but I also have tried several malware removal programs, some of which crashed half way through and every time I do a rescan the malware remains. My main worry is that our sensitive details eg banking and stuff are now compromised. There are 4 users on the Laptop.
I have backed up the Laptop registry with erunt and included a HJT log as required.
I would greatly appreciate any help,
Waiting in earnest
Royville

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:54 PM, on 30/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Documents and Settings\Roy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: 64c56c89598 - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7692 bytes

ken545 · Oct 3, 2009

Hello Royville

Welcome to Safer Networking.

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Not sure what you have but we will find out. The first thing I would do as a precaution is to go to a known clean computer and change all your passwords for accounts that you access especially any online banking or sites that you use a credit card.

We need to move HJT off the desktop and into its own folder for backup purposes.

C:\Documents and Settings\Roy\Desktop\HijackThis.exe <--Delete this

Download Trendmicros Hijackthis to your desktop.

Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O20 - Winlogon Notify: 64c56c89598 - C:\WINDOWS\

O24 - Desktop Component 0: Privacy Protection - (no file)

Please download RootRepeal one of these locations and save it to your desktop
Here
Here
Here

Open

on your desktop.
Click the

tab.
Click the

button.
Check just these boxes:
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the

button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

Royville · Oct 4, 2009

Hi Ken545,
Thank you for having a look at me.

"The first thing I would do as a precaution is to go to a known clean computer and change all your passwords for accounts that you access especially any online banking or sites that you use a credit card."
This is a problem for me as I don't have any confidence in any of them at the moment. However I have avoided using any of them since I did that foolish download.

I did as you asked with HJT, and straight after my laptop seemed faster!
I also ran RootRepealer and the results are below for you.
Kind regards
Royville.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/04 11:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6AFE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A82000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF616F000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c5e0

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c2ce

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c310

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c3be

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sbaphd.sys" at address 0xf7a744d0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623cc66

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623ccf2

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623cd82

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c40e

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c450

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c494

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c4d6

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c518

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c55a

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c628

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c59c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c66a

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c6b2

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c742

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c6f4

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c7e6

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c828

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c86a

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf623c8b8

==EOF==

ken545 · Oct 4, 2009

Hi,

Not looking at any rootkit. Lets check a bit more.

Download TFC to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean

Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report and also a new HJT log please

Royville · Oct 4, 2009

Hi Ken,

The TFC program removed around 86Mb, but then a dialog box appeared saying:-

"The File or Directory C:\WINDOWS\Temp\Perflib_Perfdata_1a8.dat is corrupt and unreadable.
Please run Chkdsk Utility."

Clicking on the OK button would not clear the box, so I just moved it out of the way and clicked OK to Reboot.

I also ran the Malwarebytes program and the results, along with a new HJT log are listed below. I need to tell you Ken that I did actualy run Malwarebytes previously (sorry!), so I have included the results of those scans after the HJT log.
Hope this is OK
Regards
Royville

Malwarebytes' Anti-Malware 1.41
Database version: 2905
Windows 5.1.2600 Service Pack 3

04/10/2009 4:53:06 PM
mbam-log-2009-10-04 (16-53-06).txt

Scan type: Quick Scan
Objects scanned: 125406
Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:50 PM, on 04/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7316 bytes
=======================================================

Previous Malwarebytes scans below.

Malwarebytes' Anti-Malware 1.41
Database version: 2873
Windows 5.1.2600 Service Pack 3

29/09/2009 10:16:38 PM
mbam-log-2009-09-29 (22-16-38).txt

Scan type: Quick Scan
Objects scanned: 166794
Time elapsed: 58 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MediaEntertainmentCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MediaEntertainmentCodec\install.ico (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\141.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\141.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\142.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\142.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\143.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\143.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\144.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\144.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\145.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\145.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\146.music1.mp3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\146.music1.mp3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\147.music2.mp3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\147.music2.mp3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\148.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\148.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.
----------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2873
Windows 5.1.2600 Service Pack 3

29/09/2009 10:16:38 PM
mbam-log-2009-09-29 (22-16-38).txt

Scan type: Quick Scan
Objects scanned: 166794
Time elapsed: 58 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MediaEntertainmentCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MediaEntertainmentCodec\install.ico (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\141.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\141.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\142.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\142.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\143.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\143.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\144.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\144.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\145.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\145.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\146.music1.mp3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\146.music1.mp3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\147.music2.mp3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\147.music2.mp3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\148.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\148.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.

ken545 · Oct 4, 2009

Royville,

You or someone you authorized to access your computer has downloaded illegal software. Besides this being illegal its also the biggest source of infections.

This forum as most others do not condone the downloading of illegal software, If I was to continue helping you it could construed in the eyes of the law as aiding and abetting a crime.

These where all downloaded from cracked/keygen or warez sites

Files Infected:
C:\WINDOWS\system32\SystemService32\141.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\141.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\142.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\142.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\143.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\143.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\144.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\144.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\145.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\145.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\146.music1.mp3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\146.music1.mp3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\147.music2.mp3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\147.music2.mp3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\148.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemService32\148.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.

Sorry, but no more help will be offered.

Royville · Oct 4, 2009

Dear Ken,

As I mentioned at the beginning there are other users on this computer, and I was not always aware of what it was being used for.
However, as the owner I must accept responsibility, and as such I humbly apologise to you for putting you in this position.
I respect your decision and I'd like to thank you for helping me as far as you could.
Keep up the good work.
Regards
Royville.

ken545 · Oct 4, 2009

Royville,

C:\WINDOWS\system32\SystemService32 If your willing to delete this folder than we can proceed.

Please download OTM by OldTimer.

Save it to your desktop.
Please click OTM and then click >> run.
Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

:Processes
explorer.exe

:Services

:Reg

:Files
C:\WINDOWS\system32\SystemService32


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Royville · Oct 5, 2009

Thanks Ken, I appreciate being given another chance.

I've done as you asked and posted the log below.
Royville.

All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\WINDOWS\system32\SystemService32 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Adam
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Christine
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 32269 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Roy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 2405 bytes

User: Sarah
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1a8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 17048 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.11 mb

OTM by OldTimer - Version 3.0.0.6 log created on 10052009_124353

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_1a8.dat not found!

Registry entries deleted on Reboot...

ken545 · Oct 5, 2009

Roy, that was just a doublecheck but I was sure the other scans removed it.

How are things running now ?

Royville · Oct 5, 2009

Hi Ken,
It does seem to be running quicker now, more responsive and behaving as it should.
I still have a problem with File C:\WINDOWS\temp\Perflib_Perfdata_1a8.dat though, - its still on the system and that same dialog box came up again on that last 'check/fix' eg:-

"The File or Directory C:\WINDOWS\Temp\Perflib_Perfdata_1a8.dat is corrupt and unreadable.
Please run Chkdsk Utility."

Clicking on the OK button still would not clear the box, so I just moved it out of the way again and clicked OK to Reboot.
I cant delete it and Malwarebytes 'FileASSASSIN' doesn't remove it either.
Regards
Royville

ken545 · Oct 5, 2009

C:\WINDOWS\Temp <--Delete everything inside this folder but not the folder itself.

See if that helps

Royville · Oct 5, 2009

Ken, There are 2 files that I can't delete.

C:\WINDOWS\Temp\Perflib_Perfdata_1a8.dat
C:\WINDOWS\Temp\Perflib_Perfdata_720.dat

The first one is "corrupt and unreadable" and the second one is "in use by another person or program".

ken545 · Oct 5, 2009

Lets do this.

Please download OTM by OldTimer.

Save it to your desktop.
Please click OTM and then click >> run.
Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

:Processes
explorer.exe

:Services

:Reg

:Files
C:\WINDOWS\Temp\Perflib_Perfdata_1a8.dat
C:\WINDOWS\Temp\Perflib_Perfdata_720.dat


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Royville · Oct 5, 2009

Hi Ken,
When I tried it this time all the icons on the desktop disappeared, and the laptop just sat there doing nothing. I eventually did ctrl/alt/del and rebooted via task manager.
System came up OK but the only log in C:\_OTM\MovedFiles folder is the one that was there earlier:-

All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\WINDOWS\system32\SystemService32 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Adam
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Christine
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 32269 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Roy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 2405 bytes

User: Sarah
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1a8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 17048 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.11 mb

OTM by OldTimer - Version 3.0.0.6 log created on 10052009_124353

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_1a8.dat not found!

Registry entries deleted on Reboot...
----------------------------------------------------------------
I looked in WINDOWS\Temp folder and the file is still there and the others are back again see list below.

Perflib_Perfdata_1a8.dat 16kb 10/07/2009 9:17am
Perflib_Perfdata_650.dat 16kb 05/10/2009 4:05pm
T30DebugLogFile.txt 0kb 05/10/2009 4:05pm
WGAErrLog.txt 1kb 05/10/2009 4:05pm
WGANotify.settings 1kb 05/10/2009 4:05pm

I notice that Perflib_Perfdata_720.dat has gone and is replaced by Perflib_Perfdata_650.dat.

Royville

ken545 · Oct 5, 2009

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1a8.dat scheduled to be deleted on reboot. Have you rebooted ?

These files are not malicious but are part of the windows process. If someone is shutting down the computer by just pressing the power button instead of the normal shut down these files could get corrupted.

Has the error gone away after the reboot ?

Royville · Oct 5, 2009

Hi Ken,
Yes I've rebooted several times but the file remains with the same date and time of 10/07/2009 9:17am (10th Jul 09 - UK settings).
Royville.

ken545 · Oct 5, 2009

Has the error gone away after the reboot

Royville · Oct 5, 2009

Sorry, which error?

ken545 · Oct 5, 2009

From your post # 5

The TFC program removed around 86Mb, but then a dialog box appeared saying:-

"The File or Directory C:\WINDOWS\Temp\Perflib_Perfdata_1a8.dat is corrupt and unreadable.
Please run Chkdsk Utility."

Clicking on the OK button would not clear the box, so I just moved it out of the way and clicked OK to Reboot.

Rootkit or Malware infection

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert