TechSpot

BackdoorAgent

By joys247
Feb 18, 2012
  1. Per Ambassador instructions, the below information is being re-posted from a different forum. The original topic number in the other forum is 177689 if necessary for reference purposes. Please be advised that while I have finally successfully accessed the infected computer and am writing this from there, I am still running in Reatogo-x-pe for fear that if I try to re-boot I will lose access. The ambassador has also indicated it to be safe for me to begin the 5-step process so that is the next task I'm undertaking. Logs will be posted as soon as they are available. All help will be greatly appreciated.

    [Begin First Original Post]
    This nightmare began on the evening of 2/12/12. I've been scouring the forum threads since looking for answers. Assistance with a resolution will be immensely appreciated.

    A bit of history - During boot, AVG warned of a BackdoorAgent trojan virus. Obviously it was not effectively blocked or I would not be here now. Morning of 2/13/12 I began searching forums for a cure. Thought I was on the right track when I saw a recognizable filename reference in post #2, topic 156619. Started running scans which I have now discovered have been compiled here in topic 58138. Followed cleaning steps given in topic 156619 up to the point of the listed CF Scripts. It seemed the scripts might be unique to that thread so I did not run them. I did attempt deleting the files in c:\Recycler. Originally there were two -- one deleted just fine, the other would not delete saying instead it was in use by another program. Once I felt I had the infection quarantined, I also uninstalled AVG. Then attempted to download Comodo as a replacement. I'm guessing the infection was still active since it appeared the Comodo installer was corrupted at the end of download. With this suspicion, I did not even attempt running the Comodo installation.

    Morning of 2/14/12 went back to try and finish isolating and removing infection. Computer functionality seemed okay initially except for feeling certain I still had a serious problem. Loaded IE to resume search of the forums. Well...IE loaded but upon attempt to navigate, the first BSOD appeared instead. Tried to re-boot the system and got BSOD on boot. Tried after that to boot from Windows XP cd and still got BSOD. Finally got system to boot to a C: prompt. Renamed boot.ini to boot.old and renamed boot.bak to boot.ini. No success, BSOD still occurs. Also tried accessing c:\Recycler to delete the problem file. Access denied.

    Realizing this was way over my head, I did not seek further resolution until 2/17/12. Found topic 177377 and followed instructions for downloading OTLPENet.exe and creating a bootable cd. Didn't even get a BSOD this time. System either hangs on boot choice selection or goes to a solid black screen with only a blinking cursor near the top. Next step...creating this post to seek additional assistance.

    Based on all the above, I don't know if it matters that the unbootable system was running on Windows XP. I believe SP3 but cannot now confirm. Any help at all so that I can at least retrieve my data will be immensely appreciated. Once I recover data, I will be less hesitant about reformatting. Of course, I'm now accessing internet and seeking assistance from my laptop since the desktop won't boot.
    [End First Original Post]

    [Updated First Original Post -- with OTL.txt log]
    Made a second bootable cd using OTLPENet this morning (2/18/12) as described in topic 177377. Success! I have accessed my dead desktop computer and am writing this from there. Below is the scan log from the OTL.txt file created.

    OTL logfile created on: 2/18/2012 10:57:28 AM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 93.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.77 Gb Total Space | 209.99 Gb Free Space | 90.21% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2009/11/06 10:18:50 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
    SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
    SRV - [2007/07/26 20:03:46 | 000,358,936 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
    SRV - [2007/06/20 15:30:18 | 000,079,168 | ---- | M] (Broadcom Corporation) [Auto] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand] -- -- (catchme)
    DRV - [2008/03/29 06:21:54 | 002,873,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2007/09/24 20:12:48 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
    DRV - [2007/07/25 21:55:36 | 000,161,792 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2007/06/20 15:30:20 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto] -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND)
    DRV - [2006/08/18 14:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
    DRV - [2006/08/18 14:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
    DRV - [2006/08/18 14:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
    DRV - [2006/08/18 14:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
    DRV - [2006/08/18 14:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
    DRV - [2006/08/18 14:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
    DRV - [2006/08/18 14:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
    DRV - [2006/08/18 14:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
    DRV - [2006/08/11 11:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
    DRV - [2006/08/11 11:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080216
    IE - HKLM\Software\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080216


    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080216
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61495

    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080216
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-us...channel=us-smb
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080216


    IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://okcrealtors.com/
    IE - HKU\Owner_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50848


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/13 17:55:51 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/30 11:48:24 | 000,000,000 | ---D | M]

    [2011/11/14 15:16:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/02/13 17:55:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/03/18 13:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
    [2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2011/03/18 13:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
    [2012/02/13 17:55:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/02/13 17:55:49 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/02/13 17:14:04 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
    O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
    O3 - HKU\Owner_ON_C\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
    O4 - HKLM..\Run: [D09.exe] C:\Program Files\LP\E327\D09.exe ()
    O4 - HKLM..\Run: [ECenter] C:\dell\E-Center\EULALauncher.exe ( )
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [QuickFinder Scheduler] C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE (Novell, Inc., c/o Corel Corporation Limited)
    O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
    O4 - HKLM..\Run: [xImULAUPBbuJP.exe] C:\Documents and Settings\All Users\Application Data\xImULAUPBbuJP.exe (Mioft)
    O4 - HKU\Owner_ON_C..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
    O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
    F3 - HKU\.DEFAULT WinNT: Load - (C:\WINDOWS\TEMP\lvvm.exe) - C:\WINDOWS\Temp\lvvm.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKU\.DEFAULT Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Program Files\Windows NT\337E3.exe) - C:\Program Files\Windows NT\337E3.exe ()
    O20 - HKU\Owner_ON_C Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKU\Owner_ON_C Winlogon: Shell - (C:\Documents and Settings\Owner\Application Data\708B5\337E3.exe) - C:\Documents and Settings\Owner\Application Data\708B5\337E3.exe ()
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/02/14 10:43:30 | 000,451,584 | ---- | C] (Mioft) -- C:\Documents and Settings\All Users\Application Data\xImULAUPBbuJP.exe
    [2012/02/14 10:36:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\708B5
    [2012/02/14 00:03:40 | 000,000,000 | ---D | C] -- C:\Program Files\B5C75
    [2012/02/14 00:03:04 | 000,000,000 | ---D | C] -- C:\Program Files\LP
    [2012/02/13 23:32:15 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2012/02/13 23:29:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
    [2012/02/13 21:53:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2012/02/13 21:53:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\HiJackThis
    [2012/02/13 19:52:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
    [2012/02/13 16:55:36 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/02/13 16:51:20 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/02/13 16:51:20 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/02/13 16:51:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/02/13 16:51:20 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/02/13 16:51:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2012/02/13 16:49:11 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/02/13 16:49:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Administrative Tools
    [2012/02/13 16:17:11 | 000,000,000 | ---D | C] -- C:\_OTM
    [2012/02/13 14:26:18 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2012/02/13 11:40:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\thecleaner
    [2012/02/13 11:39:46 | 000,000,000 | ---D | C] -- C:\Program Files\The Cleaner
    [2012/02/12 18:15:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2012/02/12 18:15:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2012/02/12 18:03:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2012/02/12 17:04:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2012/02/12 17:04:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2012/02/02 14:52:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{69F3C55D-7771-43B8-8292-3101E6B7C10B}
    [2012/02/02 14:52:29 | 006,600,192 | ---- | C] (Mirage Systems) -- C:\WINDOWS\System32\LicProtector310.exe
    [2012/02/02 14:52:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Free File Opener
    [2012/02/02 14:52:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\PackageAware
    [2012/02/02 14:52:19 | 000,000,000 | ---D | C] -- C:\Program Files\Free File Opener
    [2012/02/02 14:52:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Free File Opener
    [2012/02/02 14:52:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Free File Opener
    [2012/02/02 14:29:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Boost
    [7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/02/17 16:20:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/02/14 10:40:18 | 000,451,584 | ---- | M] (Mioft) -- C:\Documents and Settings\All Users\Application Data\xImULAUPBbuJP.exe
    [2012/02/14 10:36:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/02/14 10:36:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2012/02/14 10:35:57 | 2145,333,248 | -HS- | M] () -- C:\hiberfil.old
    [2012/02/14 00:04:42 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/02/13 21:53:18 | 000,001,984 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
    [2012/02/13 21:33:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2012/02/13 17:14:04 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2012/02/13 16:55:43 | 000,000,327 | RHS- | M] () -- C:\boot.old
    [2012/02/09 11:41:02 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\WordPerfect 10.lnk
    [2012/02/08 10:51:04 | 000,002,481 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Excel.lnk
    [2012/02/06 09:22:52 | 000,001,004 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\magicJack.lnk
    [2012/02/02 14:52:32 | 000,000,718 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Free File Opener.lnk
    [2012/02/02 14:52:32 | 000,000,700 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Free File Opener.lnk
    [2012/02/02 14:52:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Free File Opener
    [2012/01/21 12:29:50 | 000,044,032 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/02/13 21:53:18 | 000,001,984 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
    [2012/02/13 16:55:42 | 000,000,211 | ---- | C] () -- C:\boot.ini
    [2012/02/13 16:55:37 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/02/13 16:51:20 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/02/13 16:51:20 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/02/13 16:51:20 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/02/13 16:51:20 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/02/13 16:51:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/02/12 17:07:52 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/02/02 14:52:32 | 000,000,718 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Free File Opener.lnk
    [2012/02/02 14:52:32 | 000,000,700 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Free File Opener.lnk
    [2012/01/16 09:30:32 | 000,000,502 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\44ea2892
    [2012/01/16 09:30:32 | 000,000,364 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\d7bb3c6a
    [2008/06/26 16:32:39 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\$_hpcst$.hpc
    [2008/04/01 16:42:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\TEXTART.INI
    [2008/03/09 13:18:32 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\PFP100JPR.{PB
    [2008/03/09 13:18:32 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\PFP100JCM.{PB
    [2008/02/29 14:38:13 | 000,044,032 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/02/26 19:06:30 | 000,142,067 | ---- | C] () -- C:\WINDOWS\hpwins05.dat
    [2008/02/26 13:21:33 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
    [2008/02/22 17:43:26 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2008/02/22 15:28:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2008/02/22 15:06:26 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
    [2008/02/16 08:28:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2008/02/16 08:27:00 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
    [2008/02/16 08:27:00 | 000,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2008/02/16 08:26:13 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
    [2008/02/16 08:10:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
    [2008/02/16 08:09:04 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
    [2008/02/16 08:09:04 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
    [2008/02/16 08:09:04 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
    [2008/02/16 08:09:04 | 000,168,883 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2008/02/16 08:09:04 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
    [2008/02/16 08:09:04 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe
    [2008/02/16 08:08:51 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
    [2008/02/16 08:07:51 | 000,001,119 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2006/11/07 05:25:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2006/09/20 03:25:44 | 000,012,416 | ---- | C] () -- C:\WINDOWS\hpwscr05.dat
    [2006/09/17 00:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
    [2006/09/17 00:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
    [2006/09/07 14:41:04 | 000,003,953 | ---- | C] () -- C:\WINDOWS\hpwmdl05.dat
    [2004/08/11 18:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2004/08/11 18:19:30 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2004/08/11 18:12:14 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2004/08/11 18:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2004/08/11 18:07:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2004/08/11 18:06:43 | 000,233,576 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2004/08/11 18:00:30 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/11 18:00:28 | 000,443,232 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/11 18:00:28 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/11 18:00:28 | 000,072,372 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/11 18:00:28 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/11 18:00:27 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/11 18:00:26 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/11 18:00:24 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2004/08/11 18:00:19 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/11 18:00:19 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/11 18:00:12 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/11 18:00:04 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

    ========== LOP Check ==========

    [2012/02/14 10:37:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\708B5
    [2012/01/21 18:18:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Image Zone Express
    [2012/02/06 09:22:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mjusbsp
    [2008/06/19 15:54:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nova Development
    [2011/07/25 13:14:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org
    [2008/08/27 13:56:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Printer Info Cache
    [2012/02/13 11:40:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\thecleaner
    [2012/02/13 17:41:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
    [2010/12/03 10:29:10 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2012/02/02 14:52:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Free File Opener
    [2011/02/16 18:37:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\magicJack
    [2012/02/13 17:40:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2008/06/19 15:54:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nova Development
    [2012/02/02 14:52:33 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{69F3C55D-7771-43B8-8292-3101E6B7C10B}

    ========== Purity Check ==========



    ========== Custom Scans ==========



    < MD5 for: ATAPI.SYS >
    [2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
    [2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
    [2008/09/12 13:42:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
    [2008/09/12 13:42:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
    [2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
    [2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    [2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
    [2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
    [2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
    [2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys

    < MD5 for: EXPLORER.EXE >
    [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
    [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
    [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
    [2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\i386\explorer.exe
    [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

    < MD5 for: SVCHOST.EXE >
    [2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
    [2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
    [2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
    [2004/08/04 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\i386\svchost.exe
    [2004/08/04 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

    < MD5 for: USERINIT.EXE >
    [2004/08/04 06:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\i386\userinit.exe
    [2004/08/04 06:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
    [2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
    [2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
    [2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

    < MD5 for: WINLOGON.EXE >
    [2004/08/04 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\i386\winlogon.exe
    [2004/08/04 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
    [2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
    [2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
    [2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe
    < End of report >


    I highly suspect I will still need help with scripts at some point and will greatly appreciate guidance in analysis of log files as I move forward. I will be watching this thread closely with hopes of achieving the soonest resolution possible.
    [End Updated First Original Post]
     
  2. joys247

    joys247 TS Rookie Topic Starter Posts: 17

    Further Update

    I was trying to reply to a private message from Bobbye regarding this matter. The system will not allow me. Makes no sense to me how someone is supposed to be able to move forward when the system is uncooperative.
     
  3. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ========================================================================

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61495
    IE - HKU\Owner_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50848
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKU\Owner_ON_C\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O4 - HKLM..\Run: [D09.exe] C:\Program Files\LP\E327\D09.exe ()
    O4 - HKLM..\Run: [ECenter] C:\dell\E-Center\EULALauncher.exe ( )
    O4 - HKLM..\Run: [xImULAUPBbuJP.exe] C:\Documents and Settings\All Users\Application Data\xImULAUPBbuJP.exe (Mioft)
    F3 - HKU\.DEFAULT WinNT: Load - (C:\WINDOWS\TEMP\lvvm.exe) - C:\WINDOWS\Temp\lvvm.exe ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O20 - HKU\Owner_ON_C Winlogon: Shell - (C:\Documents and Settings\Owner\Application Data\708B5\337E3.exe) - C:\Documents and Settings\Owner\Application Data\708B5\337E3.exe ()
    [2012/02/14 10:43:30 | 000,451,584 | ---- | C] (Mioft) -- C:\Documents and Settings\All Users\Application Data\xImULAUPBbuJP.exe
    [2012/02/14 10:36:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\708B5
    [2012/02/14 00:03:40 | 000,000,000 | ---D | C] -- C:\Program Files\B5C75
    [2012/02/14 00:03:04 | 000,000,000 | ---D | C] -- C:\Program Files\LP
    [2012/01/16 09:30:32 | 000,000,502 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\44ea2892
    [2012/01/16 09:30:32 | 000,000,364 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\d7bb3c6a
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive.


    On the infected computer, do the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Attempt to reboot normally into Windows.
     
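The fix above works because the helper recognized a handful of hijack patterns in the OTL scan: a browser proxy pointed at a local port, a Winlogon Shell value that is not explorer.exe, a populated Windows NT "Load" value, Task Manager disabled by policy, and Run entries launching from Application Data, Temp or random hex-named folders. As an added example (not from this thread, OTL, or OldTimer), here is a Python triage pass that applies those same checks to OTL scan lines; the sample lines are constructed, modelled on the entries in this thread plus one benign control entry, and the severity labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample OTL scan lines, modelled on the entries this thread's fix targets,
# plus one benign Adobe Run entry as a control. Not the thread's complete log.
SAMPLE_OTL_LINES = [
    r'IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61495',
    r'O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.',
    r'O4 - HKLM..\Run: [D09.exe] C:\Program Files\LP\E327\D09.exe ()',
    r'O4 - HKLM..\Run: [xImULAUPBbuJP.exe] C:\Documents and Settings\All Users\Application Data\xImULAUPBbuJP.exe (Mioft)',
    r'O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)',
    r'F3 - HKU\.DEFAULT WinNT: Load - (C:\WINDOWS\TEMP\lvvm.exe) - C:\WINDOWS\Temp\lvvm.exe ()',
    r'O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1',
    r'O20 - HKU\Owner_ON_C Winlogon: Shell - (C:\Documents and Settings\Owner\Application Data\708B5\337E3.exe) - C:\Documents and Settings\Owner\Application Data\708B5\337E3.exe ()',
]

# Profile/temp locations that legitimate machine-wide autostarts rarely launch from.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\recycler\\")

# A ProxyServer value pointing at the loopback interface: traffic is being relayed through
# a local process (the rogue-AV style hijack seen in this thread).
PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(?:http=)?(127\.0\.0\.1|localhost):(\d+)', re.I)
# O4 Run entries: [name] path (publisher)
RUN_RE = re.compile(r'^O4 - .*?\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*?) \((?P<publisher>[^)]*)\)\s*$')
# O20 Winlogon Shell and F3 Windows NT "Load" values, both classic persistence points.
SHELL_RE = re.compile(r'^O20 - .*Winlogon: Shell - \((?P<path>[^)]*)\)')
LOAD_RE = re.compile(r'^F3 - .*WinNT: Load - \((?P<path>[^)]*)\)')
POLICY_RE = re.compile(r'^O[67] - .*DisableTaskMgr = 1')
ORPHAN_RE = re.compile(r'^O[23] - .*No CLSID value found')
# Short all-hex folder names such as \E327\ or \708B5\ (the pattern used by this infection).
HEXDIR_RE = re.compile(r'\\[0-9a-f]{3,6}\\', re.I)


def triage_line(line):
    """Return (severity, reason) when the OTL line matches a hijack/persistence pattern, else None."""
    m = PROXY_RE.search(line)
    if m:
        return ("high", f"browser proxied through local port {m.group(2)}: traffic interception")
    m = SHELL_RE.match(line)
    if m:
        if not m.group("path").strip().lower().endswith("explorer.exe"):
            return ("high", f"Winlogon Shell replaced by {m.group('path')}")
        return None
    m = LOAD_RE.match(line)
    if m and m.group("path").strip():
        return ("high", f"Windows NT 'Load' autostart set to {m.group('path')}")
    if POLICY_RE.match(line):
        return ("medium", "Task Manager disabled by policy")
    m = RUN_RE.match(line)
    if m:
        path = m.group("path")
        if any(marker in path.lower() for marker in USER_WRITABLE):
            return ("high", f"Run entry launches from a user-writable profile/temp location: {path}")
        if HEXDIR_RE.search(path):
            return ("high", f"Run entry launches from a random hex-named directory: {path}")
        if not m.group("publisher").strip():
            return ("low", f"Run entry with no embedded publisher: {path}")
        return None
    if ORPHAN_RE.match(line):
        return ("low", "orphaned BHO/toolbar GUID with no CLSID (leftover, harmless but worth clearing)")
    return None


def triage(lines):
    """Run triage_line over a whole log and return the flagged entries."""
    hits = []
    for line in lines:
        result = triage_line(line)
        if result:
            hits.append({"severity": result[0], "reason": result[1], "line": line})
    return hits


def severity_counts(hits):
    """Summarise flagged entries by severity, e.g. {'high': 5, 'medium': 1, 'low': 1}."""
    return dict(Counter(h["severity"] for h in hits))


if __name__ == "__main__":
    for h in triage(SAMPLE_OTL_LINES):
        print(f"[{h['severity']:6}] {h['reason']}")
    print(severity_counts(triage(SAMPLE_OTL_LINES)))
```

Run against the constructed sample, it flags seven of the nine lines and leaves the Adobe Run entry and the bare ProxyEnable line alone; the flagged set matches what the :OTL fix above removes.
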
  4. joys247

    joys247 TS Rookie Topic Starter Posts: 17

    Run Fix complete

    Broni,

    First and foremost, thank you very much for your guidance. I successfully completed the "Run Fix" procedure you stated on the infected computer. The log it generated is posted below as requested. I also attempted to re-boot the infected computer normally, in safe mode with networking and in safe mode. All three resulted in BSOD. This is being written from my laptop rather than my infected desktop.

    ========== OTL ==========
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    Registry value HKEY_USERS\Owner_ON_C\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
    HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
    HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
    Registry value HKEY_USERS\Owner_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\D09.exe deleted successfully.
    C:\Program Files\LP\E327\D09.exe moved successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ECenter deleted successfully.
    C:\dell\E-Center\EULALauncher.exe moved successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\xImULAUPBbuJP.exe deleted successfully.
    C:\Documents and Settings\All Users\Application Data\xImULAUPBbuJP.exe moved successfully.
    C:\WINDOWS\Temp\lvvm.exe moved successfully.
    Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Load:C:\WINDOWS\TEMP\lvvm.exe deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
    Registry value HKEY_USERS\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
    Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\Administrator_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\Owner_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\systemprofile_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\Administrator_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\Owner_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\systemprofile_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\Administrator_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\Owner_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\systemprofile_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\Administrator_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\Owner_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_USERS\systemprofile_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry value HKEY_USERS\Owner_ON_C\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Documents and Settings\Owner\Application Data\708B5\337E3.exe deleted successfully.
    C:\Documents and Settings\Owner\Application Data\708B5\337E3.exe moved successfully.
    File C:\Documents and Settings\All Users\Application Data\xImULAUPBbuJP.exe not found.
    C:\Documents and Settings\Owner\Application Data\708B5 folder moved successfully.
    C:\Program Files\B5C75 folder moved successfully.
    C:\Program Files\LP\E327 folder moved successfully.
    C:\Program Files\LP folder moved successfully.
    C:\Documents and Settings\Owner\Application Data\44ea2892 moved successfully.
    C:\Documents and Settings\Owner\Local Settings\Application Data\d7bb3c6a moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 02182012_153602

    Awaiting further instruction and assuming the infected desktop might be bootable again from the Reatogo cd.
     
  5. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Restart computer
    When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
    You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
    If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. Click OK, then reboot.

    You should get a black screen with a C:\> prompt. Type with an Enter after each line:

    fixmbr

    fixboot

    exit

    Attempt to reboot computer normally.

    ====================================================================

    NOTE.
    In case you don't see the Recovery Console option, it may not be installed.

    • You'll need to find your Windows XP installation disk.
    • Insert the Windows XP CD into the CD-ROM drive, then restart your computer.
    • If prompted, click any options that are required to start the computer from the CD-ROM drive.
    • When the Welcome to Setup screen appears, press R to start the Recovery Console.
    • The Recovery Console will start and ask you which Windows installation you would like to log on to.
      • If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.
    • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
    • You will now be presented with a C:\Windows> prompt.

    ==========================================================================

    If you don't have a Windows CD...
    Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
    Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
    Using Imgburn, burn rc.iso to a CD.
    Boot to the CD...let it finish loading.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
     
  6. joys247

    joys247 TS Rookie Topic Starter Posts: 17

    Recovery

    I must be doing something wrong. I did not see the Recovery Console as an option. Rather odd since I thought I had seen it there before. Regardless, I then tried booting from my Windows installation CD. There was no option for pressing R. An option for booting from a recovery disk was presented by pressing F2. It then asked that a recovery disk be placed in the floppy disk drive. Makes no sense since I have no floppy disk drive or recovery disk. When I escaped from the F2 procedure, the boot process only went to a screen titled System Setup and began loading files and such. When finished, BSOD appeared. Proceeded to download the Recovery Console and ImgBurn, burned rc.iso to CD. Attempted to boot from the burned rc.iso CD. The same processes occurred as when attempting to boot from the installation CD. Result was again BSOD.

    The infected system does, however, still boot with the Reatogo cd. This is again being written from my laptop.
     
  7. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Well, in that case we don't really have too many options.
    I suggest backing up your data using OTLPE CD and formatting the drive.
     
  8. joys247

    joys247 TS Rookie Topic Starter Posts: 17

    Possibility

    I was afraid that suggestion might be just waiting in the wings. I am at least thankful that I'll be able to back up and thus recover all my data through Reatogo.

    I did happen to notice on the Reatogo desktop there is an icon labeled mbrfix. The logo for it is a c:\ prompt window. Might it be possible before totally giving up to use that icon for performing the "fixmbr--fixboot--exit" commands you stated earlier?
     
  9. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Give it a shot.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Note please: advise member I received 2 PMs.
     
  11. joys247

    joys247 TS Rookie Topic Starter Posts: 17

    Final Update

    First and foremost I would like to thank you for all your assistance and every second of your time. As a last ditch effort prior to formatting my hard drive, I located a local Microsoft certified technician and took my system to him.

    At this stage, he has successfully restored and disinfected my computer, beginning with the steps you provided me for booting from the Windows CD and then running fixmbr and fixboot. Of course there was much more involved beyond that point. Anyway, I find it highly suspicious that he had no issue whatsoever booting the system from his Windows CD. I can only conclude then that either I was indeed doing something wrong OR my Windows CD is not viable. Based on what has been described to me I'm leaning heavily toward the latter, suggesting that perhaps I should now also contact Dell and ask some questions about the validity of the discs they ship with new systems.

    I did want to get this update to you so you would know that resolution was indeed achieved so this thread can be closed. Thanks again ever so very much.
     
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    I'm glad to see a happy ending :)
     
