Malwarebytes

rootrepeal logs

7 replies to this topic

#1
kpgumbo

    Advanced Member

  • Honorary Members
  • 177 posts
  • Gender:Male
  • Location:Ireland
Hi, I already posted in the general forum and Tom said I should come here. My problem is that a lot of disk space seems to be disappearing. All scans come back clear so I scanned with rootrepeal. The file I posted in the general forum was strange (ask TEMERC) so I posted it, didn't delete it and scanned again but the name was changed. I did further scans and all the results were different. Here are the logs. One is with AV on, the other is with AV off + internet off.

1/ internet and av on.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/06 00:21
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\EWEX9BSX\GetRules[1].asp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\JZXPWMHB\GetRules[1].asp
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\user\local settings\application data\microsoft\desktop search\temp\rssgthrsvc\ntf7.tmp
Status: Allocation size mismatch (API: 72, Raw: 0)

Path: c:\documents and settings\user\local settings\application data\microsoft\desktop search\temp\rssgthrsvc\ntf8.tmp
Status: Allocation size mismatch (API: 72, Raw: 0)


It also says that there are 10 locked/hidden files



2/ internet and av off.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/05 23:44
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\User\LOCALS~1\Temp\aujasnkj.sys
Address: 0xA7455000 Size: 81664 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA94FB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AEF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF7ADB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA89A1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==



Hope you can help. Kev

#2
Maurice Naggar

    Malware eradicator

  • Moderators
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Hello,
Start with this:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

=
Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Commands
    [purity]
    [emptytemp]
    [reboot]

  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.

  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista


Reply with a copy of the Sysclean.log
and tell me, How is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3
kpgumbo

Hi, I hope I've done everything right. I forgot to tell you that my hard drive space has been disappearing, roughly 10 gigs in 6 weeks. Hope that helps.


All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 3410451 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 483263 bytes

User: Owner
->Temp folder emptied: 0 bytes

User: User
->Temp folder emptied: 4198158 bytes
->Temporary Internet Files folder emptied: 465503796 bytes
->Java cache emptied: 13695324 bytes
->FireFox cache emptied: 12859707 bytes
->Google Chrome cache emptied: 12664862 bytes
->Apple Safari cache emptied: 19370042 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 587281 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 508.22 mb

Error: Unable to interpret <[reboot> in the current context!

OTL by OldTimer - Version 3.0.10.7 log created on 09072009_183249

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2009-2010, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2009-09-07, 18:56:33, Auto-clean mode specified.
2009-09-07, 18:56:34, Initialized Rootkit Driver version 2.2.0.1004.
2009-09-07, 18:56:34, Running scanner "C:\Documents and Settings\User\My Documents\trend new folder\TSC.BIN"...
2009-09-07, 18:56:57, Scanner "C:\Documents and Settings\User\My Documents\trend new folder\TSC.BIN" has finished running.
2009-09-07, 18:56:57, TSC Log:

Damage Cleanup Engine (DCE) 6.1 (Build 1027) (RCM: 2.2.0-1004)

Windows XP (Build 2600: Service Pack 3)

Start time: Mon Sep 07 2009 18:56:35

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\User\My Documents\trend new folder\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\User\My Documents\trend new folder\tsc.ptn" (version 1058) [success]

Complete time: Mon Sep 07 2009 18:56:57

Execute pattern count (3060), Virus found count (0), Virus clean count (0), Clean failed count (0)





2009-09-07, 18:56:57, Running scanner "C:\Documents and Settings\User\My Documents\trend new folder\VSCANTM.BIN"...
2009-09-07, 19:41:51, Scanner "C:\Documents and Settings\User\My Documents\trend new folder\VSCANTM.BIN" has finished running.
2009-09-07, 19:41:51, VSCANTM Log:

2009-09-07, 19:41:51, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/7/2009 18:56:58
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 423 (466326/466326 Patterns) (2009/09/06) (642300)

Command Line: C:\Documents and Settings\User\My Documents\trend new folder\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Documents and Settings\User\My Documents\trend new folder\lpt$vpn.423

67913 files have been read.
67913 files have been checked.
67881 files have been scanned.
147334 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/7/2009 19:41:51 44 minutes 53 seconds (2693.06 seconds) has elapsed.(39.655 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-07, 19:41:51, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/7/2009 18:56:58
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 423 (466326/466326 Patterns) (2009/09/06) (642300)

Command Line: C:\Documents and Settings\User\My Documents\trend new folder\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Documents and Settings\User\My Documents\trend new folder\lpt$vpn.423

67913 files have been read.
67913 files have been checked.
67881 files have been scanned.
147334 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/7/2009 19:41:51 44 minutes 53 seconds (2693.06 seconds) has elapsed.(39.655 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-07, 19:41:51, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/7/2009 18:56:58
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 423 (466326/466326 Patterns) (2009/09/06) (642300)

Command Line: C:\Documents and Settings\User\My Documents\trend new folder\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Documents and Settings\User\My Documents\trend new folder\lpt$vpn.423

67913 files have been read.
67913 files have been checked.
67881 files have been scanned.
147334 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/7/2009 19:41:51 44 minutes 53 seconds (2693.06 seconds) has elapsed.(39.655 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-07, 19:41:52, Running scanner "C:\Documents and Settings\User\My Documents\trend new folder\VSCANTM.BIN"...
2009-09-07, 19:41:54, Scanner "C:\Documents and Settings\User\My Documents\trend new folder\VSCANTM.BIN" has finished running.
2009-09-07, 19:41:54, VSCANTM Log:

2009-09-07, 19:41:54, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/7/2009 19:41:52
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 423 (466326/466326 Patterns) (2009/09/06) (642300)

Command Line: C:\Documents and Settings\User\My Documents\trend new folder\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Documents and Settings\User\My Documents\trend new folder\lpt$vpn.423

16 files have been read.
16 files have been checked.
16 files have been scanned.
16 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/7/2009 19:41:54 1 second (0.69 seconds) has elapsed.(43.000 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-07, 19:41:54, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/7/2009 19:41:52
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 423 (466326/466326 Patterns) (2009/09/06) (642300)

Command Line: C:\Documents and Settings\User\My Documents\trend new folder\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Documents and Settings\User\My Documents\trend new folder\lpt$vpn.423

16 files have been read.
16 files have been checked.
16 files have been scanned.
16 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/7/2009 19:41:54 1 second (0.69 seconds) has elapsed.(43.000 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-07, 19:41:54, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/7/2009 19:41:52
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 423 (466326/466326 Patterns) (2009/09/06) (642300)

Command Line: C:\Documents and Settings\User\My Documents\trend new folder\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Documents and Settings\User\My Documents\trend new folder\lpt$vpn.423

16 files have been read.
16 files have been checked.
16 files have been scanned.
16 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/7/2009 19:41:54 1 second (0.69 seconds) has elapsed.(43.000 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-07, 19:41:54, Running SSAPI scanner ""...
2009-09-07, 20:08:46, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 8.19
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 09/07/2009 19:41:58


SSAPI requires the system to reboot.
Detected Items:
[CLEAN SUCCESS][Cookie_Ask] Internet Explorer Cache\ask.com,Cookie:user@ask.com/,C:\Documents and Settings\User\Cookies\user@ask[1].txt
[CLEAN SUCCESS][Cookie_InsightExpressAI] Internet Explorer Cache\insightexpressai.com,Cookie:user@insightexpressai.com/,C:\Documents and Settings\User\Cookies\user@insightexpressai[1].txt
[CLEAN SUCCESS][Cookie_Revsci] Internet Explorer Cache\revsci.net,Cookie:user@revsci.net/,C:\Documents and Settings\User\Cookies\user@revsci[1].txt
[CLEAN SUCCESS][Cookie_LivePerson] Internet Explorer Cache\server.iad.liveperson.net,Cookie:user@server.iad.liveperson.net/,C:\Documents and Settings\User\Cookies\user@server.iad.liveperson[2].txt
[CLEAN SUCCESS][Cookie_LivePerson] Internet Explorer Cache\server.iad.liveperson.net,Cookie:user@server.iad.liveperson.net/hc/19452074,C:\Documents and Settings\User\Cookies\user@server.iad.liveperson[3].txt
[CLEAN SUCCESS][Adware_CasinoOnNet] S-1-5-21-160748183-4202266960-1889809820-1006\Software\VHLD\
[CLEAN SUCCESS][Adware_2020Search] C:\Documents and Settings\User\Application Data\Boylesports5\home.bmp,C:\DOCUME~1\User\APPLIC~1\BOYLES~1\home.bmp,529
[CLEAN SUCCESS][Adware_CasinoOnNet] C:\Documents and Settings\User\Application Data\PacificPoker\casinopoker\GameHist\media\PowerPokerRes\WinNumbers.bmp,C:\DOCUME~1\User\APPLIC~1\PACIFI~1\CASINO~1\GameHist\media\POWERP~1\WINNUM~1.BMP,122
[CLEAN SUCCESS][Adware_CasinoOnNet] C:\Documents and Settings\User\Application Data\PacificPoker\casinopoker\PGP\media\Deal0.jpg,C:\DOCUME~1\User\APPLIC~1\PACIFI~1\CASINO~1\PGP\media\Deal0.jpg,122
[CLEAN SUCCESS][Adware_CasinoOnNet] C:\Documents and Settings\User\Application Data\PacificPoker\casinopoker\PGP\media\Deal1.jpg,C:\DOCUME~1\User\APPLIC~1\PACIFI~1\CASINO~1\PGP\media\Deal1.jpg,122
[CLEAN SUCCESS][Adware_CasinoOnNet] C:\Documents and Settings\User\Application Data\PacificPoker\casinopoker\PGP\media\Deal3.jpg,C:\DOCUME~1\User\APPLIC~1\PACIFI~1\CASINO~1\PGP\media\Deal3.jpg,122
[CLEAN SUCCESS][Adware_Playtech] C:\Poker\Boylepoker\data\shared\html\cashier_offline.js,C:\Poker\BOYLEP~1\data\shared\html\CASHIE~1.JS,545
[CLEAN SUCCESS][Adware_Playtech] C:\Poker\Boylepoker\data\shared\html\cashier_offline_functions.js,C:\Poker\BOYLEP~1\data\shared\html\CASHIE~2.JS,545
[CLEAN SUCCESS][Adware_Playtech] C:\Poker\Boylepoker\data\table\topview\cards\joker.bmp,C:\Poker\BOYLEP~1\data\table\topview\cards\joker.bmp,545
Detected: 14 items.
Cleaned Success: 14 items.
Clean Failed: 0 items.

Spyware Scan Ended: 09/07/2009 20:08:46
Scan Complete. Time=1611.888550.

#4
Maurice Naggar

The OTL procedure has freed up 508.22 mb

A loss of 10 GB of space in 6 weeks is quite amazing. Do you have so called file-sharing-peer-to-peer apps? Like Limewire, etc?
If so, de-install all of those.
I notice usage of online gaming & poker. I would suggest against those. A large number of poker websites are offshore and are of unknown ownership.
Caveat emptor?

If you feel the security of this system is lacking, the best to do (and safest long-term) is to wipe the system clean and do a fresh/clean Windows install.
Let me know if that is your decision.

We can try to look for malware, but there are no guarantees nor warranties.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5
kpgumbo

Thanks for your help. I'm not sure what to do but I would like to find what's causing it. I'm thinking a worm or something like that. Could it be someone else who has hacked into my computer and is using it to store files? I read something about that before but I don't know. Any ideas?

As for the poker, I un-installed those ages ago and I don't use P2P. Thanks again.

#6
kpgumbo

I un-installed AVG this morning and replaced it with Avira. It came up with 2 detections. Here's the log, I hope this might have something to do with it. kev






Avira AntiVir Personal
Report file date: 08 September 2009 12:19

Scanning for 1694938 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : DF9MSC2J

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 13:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 12:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 09:21:42
ANTIVIR2.VDF : 7.1.5.201 3414528 Bytes 9/3/2009 11:17:30
ANTIVIR3.VDF : 7.1.5.217 187904 Bytes 9/8/2009 11:17:32
Engineversion : 8.2.1.12
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 13:31:50
AESCRIPT.DLL : 8.1.2.30 471418 Bytes 9/8/2009 11:17:44
AESCN.DLL : 8.1.2.5 127346 Bytes 9/8/2009 11:17:43
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 09:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 13:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 09:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 9/8/2009 11:17:42
AEHELP.DLL : 8.1.7.0 237940 Bytes 9/8/2009 11:17:35
AEGEN.DLL : 8.1.1.61 364916 Bytes 9/8/2009 11:17:34
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 14:32:40
AECORE.DLL : 8.1.7.8 184692 Bytes 9/8/2009 11:17:32
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 14:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 10:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 15:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 10:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 08 September 2009 12:19

Starting search for hidden objects.
'55188' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'ServiceLayer.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'DATALA~1.EXE' - '1' Module(s) have been scanned
Scan process 'WindowsSearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'WindowsSearch.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'netwaiting.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'hphmon05.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'DMXLauncher.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'GoogleCrashHandler.exe' - '1' Module(s) have been scanned
Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'InCDsrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
57 processes with 57 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '72' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\User\Local Settings\Temp\OnlineScanner\updates\aquawin32\cran.cvd
[DETECTION] Contains recognition pattern of the Trivial-28 (A) virus
C:\Documents and Settings\User\Local Settings\Temp\OnlineScanner\updates\aquawin32\cran.ivd
[DETECTION] Contains recognition pattern of the HTML/Silly.Gen HTML script virus
Begin scan in 'D:\' <Backup>

Beginning disinfection:
C:\Documents and Settings\User\Local Settings\Temp\OnlineScanner\updates\aquawin32\cran.cvd
[DETECTION] Contains recognition pattern of the Trivial-28 (A) virus
[NOTE] The file was moved to '4b074a86.qua'!
C:\Documents and Settings\User\Local Settings\Temp\OnlineScanner\updates\aquawin32\cran.ivd
[DETECTION] Contains recognition pattern of the HTML/Silly.Gen HTML script virus
[NOTE] The file was moved to '4a862e77.qua'!


End of the scan: 08 September 2009 13:12
Used time: 46:25 Minute(s)

The scan has been done completely.

7713 Scanned directories
256987 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
256983 Files not concerned
3552 Archives were scanned
2 Warnings
4 Notes
55188 Objects were scanned with rootkit scan
0 Hidden objects were found

#7
kpgumbo

Also I ran rootrepeal and this is what I got.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/08 18:54
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA1F5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7ADF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8D34000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\user\my documents\my pictures\2006_0812fitzswedding\thumbs.db
Status: Allocation size mismatch (API: 282624, Raw: 245760)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7b9fd86

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7b9fd7c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7b9fd8b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7b9fd95

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7b9fd9a

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7b9fd68

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7b9fd6d

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7b9fda4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7b9fd9f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7b9fd90

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7b9fd77

==EOF==
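A small triage parser for the RootRepeal report format shown in these posts, added here as an illustration; it is not part of the thread, of RootRepeal, or of any tool the helpers recommend. It reads the Drivers, Hidden/Locked Files and SSDT sections and flags what a responder would look at first (a driver loaded from a temp directory, as in the first log above). The sample log is constructed from the logs in this thread, and the severity heuristics are this example's own.

```python
import re

# Constructed sample (abbreviated from the RootRepeal logs posted in this thread).
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\User\LOCALS~1\Temp\aujasnkj.sys
Address: 0xA7455000 Size: 81664 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA94FB000 Size: 98304 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\user\my documents\my pictures\thumbs.db
Status: Allocation size mismatch (API: 282624, Raw: 245760)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7b9fd86

==EOF==
"""

RULE_RE = re.compile(r"^-{5,}$")  # dashed rule printed under each section name
ADDR_RE = re.compile(r"^Address: (0x[0-9A-Fa-f]+) Size: (\d+) File Visible: (\w+) Signed: (\S+)$")
SSDT_RE = re.compile(r"^#: (\d+) Function Name: (\w+)$")
KV_RE = re.compile(r"^([^:]+): (.*)$")
MISMATCH_RE = re.compile(r"Allocation size mismatch \(API: (\d+), Raw: (\d+)\)")
TEMP_DIR_RE = re.compile(r"\\temp\\|\\temporary internet files\\", re.IGNORECASE)
# Memory-only copies that Windows (dump_*/hiber_*) and the tool itself create;
# "File Visible: No" is expected for these and is not a finding by itself.
EXPECTED_MEMORY_ONLY = ("dump_", "hiber_", "rootrepeal")


def parse_rootrepeal(text):
    """Split a RootRepeal report into {section: [entry, ...]}; entries are blank-line separated."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    sections, section, entry = {}, None, {}
    for i, line in enumerate(lines):
        # A section starts with a name line immediately followed by the dashed rule.
        if line and i + 1 < len(lines) and RULE_RE.match(lines[i + 1]):
            section, entry = line, {}
            sections[section] = []
            continue
        if section is None or RULE_RE.match(line) or line == "==EOF==":
            continue
        if not line:
            if entry:
                sections[section].append(entry)
                entry = {}
            continue
        if m := ADDR_RE.match(line):
            entry.update(address=int(m[1], 16), size=int(m[2]), file_visible=(m[3] == "Yes"), signed=m[4])
        elif m := SSDT_RE.match(line):
            entry.update(index=int(m[1]), function=m[2])
        elif m := KV_RE.match(line):
            entry[m[1].strip().lower().replace(" ", "_")] = m[2].strip()
    if entry and section is not None:
        sections[section].append(entry)
    return sections


def triage(sections):
    """Return (severity, message) pairs worth a human look. The heuristics are this example's own."""
    findings = []
    for d in sections.get("Drivers", []):
        name, path = d.get("name", ""), d.get("image_path", "")
        if TEMP_DIR_RE.search(path):
            # A kernel driver running from a temp directory is the item to investigate first.
            findings.append(("HIGH", f"driver {name} loaded from a temp directory: {path}"))
        elif not d.get("file_visible", True) and not name.lower().startswith(EXPECTED_MEMORY_ONLY):
            findings.append(("MEDIUM", f"driver {name} has no visible file on disk: {path}"))
    for f in sections.get("Hidden/Locked Files", []):
        status = f.get("status", "")
        if m := MISMATCH_RE.search(status):
            # API-vs-raw size differences are common for files being written (thumbs.db, temp files);
            # they matter when they persist across scans or sit on an executable.
            findings.append(("LOW", f"{f.get('path')}: API size {m[1]} vs raw {m[2]}"))
        elif status.startswith("Invisible"):
            findings.append(("MEDIUM", f"{f.get('path')}: hidden from the Windows API"))
    for h in sections.get("SSDT", []):
        if '"<unknown>"' in h.get("status", ""):
            # Security products hook these calls too; identify the hooking module before treating it as hostile.
            findings.append(("INFO", f"SSDT #{h.get('index')} {h.get('function')} hooked by an unidentified module"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_rootrepeal(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Run against the three logs in this thread, the only HIGH item is aujasnkj.sys from the second log; the SSDT hooks in the last log appear only after Avira was installed, which is why attribution of the hooking module comes before any conclusion.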

#8
Maurice Naggar

Avira has quarantined 2 files
C:\Documents and Settings\User\Local Settings\Temp\OnlineScanner\updates\aquawin32\cran.cvd

C:\Documents and Settings\User\Local Settings\Temp\OnlineScanner\updates\aquawin32\cran.ivd

and it did not tag anything else.

If you "suspect" that someone (by whatever means, external or otherwise) has compromised the pc's security,
then indeed do wipe/ pave/ and reload Windows from scratch.
Make very sure to have the AVIRA setup program saved to a CD or DVD or clean USB thumb drive, because after reloading Windows you must setup the antivirus.
5 steps to help protect your new computer before you go online
http://www.microsoft.com/hk/athome/securit...ewcomputer.mspx

A clean (new) Windows install will mean you'd lose personal documents, files, etc unless you had saved them before to offline media.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)




