Malware? Error windows pop up on desktop when booting up. 8-step results

By luckyedsall
Apr 5, 2011
  1. Hi,

    Three error windows have been popping up on the desktop for a while on my computer when it boots up. I close the windows, it carries on, and seems to run OK after that. I have followed the 8-step instructions and will post all the results here. I started last week, then came back to it today, so all the scans weren't run on the same day. Hope that doesn't matter.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6239

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/1/2011 2:43:07 PM
    mbam-log-2011-04-01 (14-43-07).txt

    Scan type: Quick scan
    Objects scanned: 157937
    Time elapsed: 4 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{38061EDC-40BB-4618-A8DA-E56353347E6D} (Adware.EZlife) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD} (Adware.EZLife) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B} (Adware.Adrotator) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446AF26-B8D7-199B-4CFC-6FD764CA5C9F} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446AF26-B8D7-199B-4CFC-6FD764CA5C9F} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776C4DC-E894-7C06-2148-5D73CEF5F905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776C4DC-E894-7C06-2148-5D73CEF5F905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sta (Trojan.Agent.Gen) -> Value: sta -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\WINDOWS\$ntuninstallmtf1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

    Files Infected:
    c:\zrpt.xml (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\rob anderson\local settings\application data\windows server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\$ntuninstallmtf1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.
  2. luckyedsall


    GMER results:

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit quick scan 2011-04-05 09:07:41
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.10.0
    Running: 62hjlzke.exe; Driver: C:\DOCUME~1\ROBAND~1\LOCALS~1\Temp\ufddqpog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----
  3. luckyedsall


    dds results:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/31/2006 6:11:22 PM
    System Uptime: 4/5/2011 8:40:32 AM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0WG864
    Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 230 GiB total, 211.032 GiB free.
    D: is CDROM ()
    V: is NetworkDisk (NTFS) - 233 GiB total, 210.808 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP117: 1/5/2011 12:53:26 PM - System Checkpoint
    RP118: 1/5/2011 6:41:48 PM - Software Distribution Service 3.0
    RP119: 1/7/2011 10:54:45 AM - System Checkpoint
    RP120: 1/10/2011 8:06:51 AM - System Checkpoint
    RP121: 1/12/2011 8:08:44 AM - System Checkpoint
    RP122: 1/12/2011 6:30:41 PM - Software Distribution Service 3.0
    RP123: 1/14/2011 8:14:28 AM - System Checkpoint
    RP124: 1/17/2011 8:14:36 AM - System Checkpoint
    RP125: 1/18/2011 8:41:00 AM - System Checkpoint
    RP126: 1/19/2011 8:56:48 AM - System Checkpoint
    RP127: 1/21/2011 8:12:00 AM - System Checkpoint
    RP128: 1/24/2011 8:04:10 AM - System Checkpoint
    RP129: 1/25/2011 8:08:19 AM - System Checkpoint
    RP130: 1/26/2011 8:54:19 AM - System Checkpoint
    RP131: 1/27/2011 9:44:34 AM - System Checkpoint
    RP132: 1/28/2011 10:01:52 AM - System Checkpoint
    RP133: 1/31/2011 8:14:37 AM - System Checkpoint
    RP134: 2/1/2011 11:18:10 AM - System Checkpoint
    RP135: 2/2/2011 12:05:36 PM - System Checkpoint
    RP136: 2/3/2011 12:23:28 PM - System Checkpoint
    RP137: 2/4/2011 1:45:27 PM - System Checkpoint
    RP138: 2/7/2011 8:12:18 AM - System Checkpoint
    RP139: 2/8/2011 10:22:01 AM - System Checkpoint
    RP140: 2/8/2011 1:09:45 PM - Printer Driver Amyuni PDF Converter 2.07 Installed
    RP141: 2/8/2011 1:09:55 PM - Printer Driver Amyuni PDF Converter 2.07 Installed
    RP142: 2/8/2011 3:06:06 PM - Printer Driver Amyuni PDF Converter 2.07 Installed
    RP143: 2/8/2011 3:06:16 PM - Printer Driver Amyuni PDF Converter 2.07 Installed
    RP144: 2/8/2011 4:08:18 PM - Printer Driver Amyuni PDF Converter 2.07 Installed
    RP145: 2/8/2011 4:08:27 PM - Printer Driver Amyuni PDF Converter 2.07 Installed
    RP146: 2/8/2011 5:25:40 PM - Printer Driver Amyuni PDF Converter 2.07 Installed
    RP147: 2/8/2011 5:25:49 PM - Printer Driver Amyuni PDF Converter 2.07 Installed
    RP148: 2/9/2011 5:15:52 PM - Software Distribution Service 3.0
    RP149: 2/11/2011 8:07:37 AM - System Checkpoint
    RP150: 2/14/2011 8:14:02 AM - System Checkpoint
    RP151: 2/16/2011 10:44:49 AM - System Checkpoint
    RP152: 2/17/2011 11:21:05 AM - System Checkpoint
    RP153: 2/18/2011 11:59:06 AM - System Checkpoint
    RP154: 2/22/2011 8:07:31 AM - System Checkpoint
    RP155: 2/23/2011 8:08:41 AM - System Checkpoint
    RP156: 2/24/2011 11:43:48 AM - System Checkpoint
    RP157: 2/25/2011 12:19:58 PM - System Checkpoint
    RP158: 2/28/2011 8:08:48 AM - System Checkpoint
    RP159: 3/1/2011 8:11:31 AM - System Checkpoint
    RP160: 3/2/2011 8:18:37 AM - System Checkpoint
    RP161: 3/4/2011 8:11:57 AM - System Checkpoint
    RP162: 3/7/2011 8:07:32 AM - System Checkpoint
    RP163: 3/8/2011 4:39:00 PM - System Checkpoint
    RP164: 3/9/2011 4:58:04 PM - System Checkpoint
    RP165: 3/9/2011 5:58:56 PM - Software Distribution Service 3.0
    RP166: 3/11/2011 8:17:46 AM - System Checkpoint
    RP167: 3/14/2011 8:12:47 AM - System Checkpoint
    RP168: 3/15/2011 8:26:48 AM - System Checkpoint
    RP169: 3/16/2011 8:58:20 AM - System Checkpoint
    RP170: 3/16/2011 5:28:44 PM - Software Distribution Service 3.0
    RP171: 3/17/2011 5:34:05 PM - Software Distribution Service 3.0
    RP172: 3/21/2011 8:19:11 AM - System Checkpoint
    RP173: 3/22/2011 8:54:25 AM - System Checkpoint
    RP174: 3/23/2011 9:00:06 AM - System Checkpoint
    RP175: 3/24/2011 9:03:06 AM - System Checkpoint
    RP176: 3/24/2011 6:22:59 PM - Software Distribution Service 3.0
    RP177: 3/28/2011 8:09:16 AM - System Checkpoint
    RP178: 3/29/2011 9:58:00 AM - System Checkpoint
    RP179: 3/30/2011 9:59:31 AM - System Checkpoint
    RP180: 3/31/2011 11:13:04 AM - System Checkpoint
    RP181: 4/1/2011 8:25:07 AM - Installed Windows Internet Explorer 8.
    RP182: 4/1/2011 8:26:50 AM - Software Distribution Service 3.0
    RP183: 4/1/2011 1:08:55 PM - Installed Java(TM) 6 Update 24
    RP184: 4/1/2011 1:13:21 PM - Removed Java 2 Runtime Environment, SE v1.4.2_08
    RP185: 4/1/2011 1:14:06 PM - Removed J2SE Runtime Environment 5.0 Update 6
    RP186: 4/1/2011 1:14:42 PM - Removed J2SE Runtime Environment 5.0 Update 9
    RP187: 4/1/2011 1:15:23 PM - Removed J2SE Runtime Environment 5.0 Update 10
    RP188: 4/1/2011 1:15:58 PM - Removed J2SE Runtime Environment 5.0 Update 11
    RP189: 4/1/2011 1:16:39 PM - Removed Java(TM) SE Runtime Environment 6 Update 1
    RP190: 4/1/2011 1:28:19 PM - Removed Java(TM) 6 Update 2
    RP191: 4/1/2011 1:36:10 PM - Removed Java(TM) 6 Update 3
    RP192: 4/1/2011 1:36:48 PM - Removed Java(TM) 6 Update 5
    RP193: 4/1/2011 1:37:27 PM - Removed Java(TM) 6 Update 7
    RP194: 4/1/2011 1:41:11 PM - Software Distribution Service 3.0
    RP195: 4/4/2011 8:07:00 AM - System Checkpoint
    RP196: 4/5/2011 8:08:52 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.4.3
    AOL Coach Version 2.0(Build:20041026.5 en)
    AOL You've Got Pictures Screensaver
    APC PowerChute Personal Edition
    Compatibility Pack for the 2007 Office system
    Conexant D850 56K V.9x DFVc Modem
    Core FTP LE 1.3c
    Corel Photo Album 6
    Critical Update for Windows Media Player 11 (KB959772)
    Dell CinePlayer
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Software Uninstall
    Dell Support 3.2
    Dell System Restore
    Digital Line Detect
    EncryptOnClick
    FileZilla Client 3.1.2
    Google SketchUp 7
    Google Toolbar for Internet Explorer
    Google Update Helper
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HTML-Kit
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Matrix Storage Manager
    Intel(R) PRO Network Connections
    Java Auto Updater
    Java(TM) 6 Update 24
    Malwarebytes' Anti-Malware
    MCU
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Basic Edition 2003
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Modem Helper
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    Musicmatch for Windows Media Player
    Musicmatch® Jukebox
    NetWaiting
    Norton Internet Security
    QuickBooks Pro Edition 2006
    QuickTime
    RealPlayer Basic
    Roxio DLA
    Roxio MyDVD LE
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    Schmap 2.0
    SearchAssist
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB2482017)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sonic Activation Module
    Sonic Update Manager
    SyncBack
    T4 Internet - T4 par Internet 7.0
    Times Reader
    TOD 012007
    Universal Document Converter (Demo)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    URL Assistant
    Viewpoint Media Player
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Service Pack 3
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/5/2011 7:54:05 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    4/3/2011 3:50:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Software Updater service to connect.
    4/3/2011 3:50:39 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}
    4/1/2011 2:45:03 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    4/1/2011 2:04:52 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    4/1/2011 2:04:52 PM, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
    4/1/2011 2:04:52 PM, error: Service Control Manager [7034] - The APC UPS Service service terminated unexpectedly. It has done this 1 time(s).
    4/1/2011 1:28:34 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    .
    ==== End Of File ===========================


    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Rob Anderson at 9:10:04.18 on Tue 04/05/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.452 [GMT -4:00]
    .
    AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
    C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Rob Anderson\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.cbc.ca/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=4061023
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Nlahejigulu] rundll32.exe "c:\windows\msaper4D.dll",Startup
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [<NO NAME>]
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
    mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
    mRun: [Lminunufu] rundll32.exe "c:\windows\abikilom.dll",Startup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    StartupFolder: c:\docume~1\roband~1\startm~1\programs\startup\syncback.lnk - c:\program files\2brightsparks\syncback\SyncBack.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    Trusted Zone: musicmatch.com\online
    DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162576401015
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FAA26872-BB40-4AB2-8A6D-A49183581AAA} - hxxp://clyc.dyndns.org:8000/user/TSBnwCam.CAB
    TCP: {061124E3-2A7E-4FE4-917C-C7955D828028} = 192.168.2.1,24.224.81.19
    Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
    Handler: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - c:\program files\schmap\schmap player\Schmapdoclib.dll
    Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: AVGRSSTX.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-9-24 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-9-24 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-10 800376]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-9-24 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-9-24 116784]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-9-24 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-24 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20110401.001\IDSXpx86.sys [2011-4-5 341944]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20110404.033\NAVENG.SYS [2011-4-5 86136]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20110404.033\NAVEX15.SYS [2011-4-5 1393144]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-17 135664]
    .
    =============== Created Last 30 ================
    .
    2011-04-01 18:28:12 -------- d-----w- c:\docume~1\roband~1\applic~1\Malwarebytes
    2011-04-01 18:27:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-01 18:27:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-04-01 18:27:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-01 18:27:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-01 13:37:56 -------- d-sh--w- c:\documents and settings\rob anderson\IECompatCache
    2011-04-01 13:37:29 -------- d-sh--w- c:\documents and settings\rob anderson\PrivacIE
    2011-04-01 12:51:32 -------- d-sh--w- c:\documents and settings\rob anderson\IETldCache
    2011-04-01 12:29:31 -------- d-----w- c:\windows\ie8updates
    2011-04-01 12:24:48 -------- dc-h--w- c:\windows\ie8
    2011-04-01 12:21:49 7680 ------w- c:\windows\system32\dllcache\iecompat.dll
    2011-04-01 12:21:46 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2011-04-01 12:21:45 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-04-01 12:21:45 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2011-03-12 16:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    .
    ==================== Find3M ====================
    .
    2011-03-09 14:56:01 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2011-03-09 14:55:58 88 --sh--r- c:\windows\system32\D776A1B148.sys
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-03 01:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    .
    ============= FINISH: 9:10:54.20 ===============
  4. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    I forgot to mention the contents of the error windows that pop up. The first one says "Error loading C:\WINDOWS\abikilom.dll. The specified module could not be found"

    The second one says "Error loading C:\WINDOWS\E1890.dll The specified module could not be found"

    The third one says "Error loading C:\WINDOWS\msaper4D.dll The specified module could not be found"

    Since running the 8-step scans, the second error window has stopped popping up.
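The "Error loading ... The specified module could not be found" dialogs described above are what rundll32 shows when a Run-key entry still points at a DLL that has been removed, and the DDS log earlier in the thread lists exactly such an entry for the first message: `mRun: [Lminunufu] rundll32.exe "c:\windows\abikilom.dll",Startup`. As an added example (not part of the thread or of any tool it uses), the Python script below parses DDS-style Run lines and reports entries whose launched module no longer exists; the sample lines are taken from that log, while the `uRun` line and the `PRESENT_AFTER_CLEANUP` disk snapshot are constructed for offline use.

```python
import os
import re
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample input: Run-key lines in the format DDS prints
# (mRun = HKLM\...\Run, uRun = HKCU\...\Run). All but the uRun line come from the log.
SAMPLE_DDS_LINES = [
    r'mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE',
    r'mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall',
    r'mRun: [Lminunufu] rundll32.exe "c:\windows\abikilom.dll",Startup',
    r'mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"',
    r'uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe',   # constructed HKCU entry
]

# Constructed snapshot of the disk after the anti-malware scan: every launched module
# is still present except the quarantined abikilom.dll.
PRESENT_AFTER_CLEANUP = {
    r'c:\windows\system32\dla\DLACTRLW.EXE',
    r'c:\program files\mcafee\spamkiller\MSKDetct.exe',
    r'c:\program files\common files\adobe\arm\1.0\AdobeARM.exe',
    r'c:\windows\system32\ctfmon.exe',
}

# "mRun: [Name] command" / "uRun: [Name] command" (RunOnce variants accepted too).
RUN_LINE = re.compile(
    r'^\s*(?P<hive>[mu])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)\s*$')
# rundll32[.exe] <dll>[,<entrypoint>] -- the DLL may be quoted or unquoted.
RUNDLL32 = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*(?:,|$)', re.IGNORECASE)
# Unquoted path that may contain spaces, followed by optional arguments.
UNQUOTED_EXE = re.compile(r'^(?P<path>.+?\.(?:exe|com|scr|cpl|dll))(?:\s|$)', re.IGNORECASE)


def parse_run_entries(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (hive, value name, command) for every Run-key line in a DDS log."""
    entries = []
    for line in lines:
        m = RUN_LINE.match(line)
        if m:
            hive = 'HKLM' if m.group('hive') == 'm' else 'HKCU'
            entries.append((hive, m.group('name'), m.group('cmd')))
    return entries


def launched_module(cmd: str) -> Optional[str]:
    r"""Return the file a Run-key command actually loads.

    For rundll32 that is the DLL argument (the error dialog names the DLL, not
    rundll32.exe). Otherwise it is the executable, quoted or not: DDS prints unquoted
    paths with spaces such as 'c:\program files\...\MSKDetct.exe /uninstall'.
    """
    cmd = cmd.strip()
    m = RUNDLL32.match(cmd)
    if m:
        return m.group('dll').strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = UNQUOTED_EXE.match(cmd)
    if m:
        return m.group('path')
    return cmd.split()[0] if cmd else None


def present_in(snapshot: Iterable[str]) -> Callable[[str], bool]:
    """Existence check against a constructed snapshot (Windows paths are case-insensitive)."""
    lowered = {p.lower() for p in snapshot}
    return lambda path: path.lower() in lowered


def find_orphaned_run_entries(lines: Iterable[str],
                              exists: Callable[[str], bool] = os.path.exists
                              ) -> List[Tuple[str, str, str]]:
    """Return (hive, value name, module) for Run entries whose module is missing.

    These are the entries that produce a startup error dialog instead of running:
    the registry value survived the cleanup but the file it launches did not.
    """
    orphans = []
    for hive, name, cmd in parse_run_entries(lines):
        module = launched_module(cmd)
        if module is not None and not exists(module):
            orphans.append((hive, name, module))
    return orphans


if __name__ == '__main__':
    for hive, name, module in find_orphaned_run_entries(
            SAMPLE_DDS_LINES, present_in(PRESENT_AFTER_CLEANUP)):
        print(f'{hive}\\...\\Run [{name}] -> {module} is missing; '
              f'startup will show "Error loading {module}. '
              f'The specified module could not be found."')
```

Run against a real DDS log with the default `os.path.exists` on the affected machine to list every orphaned entry; removing the leftover registry value (or restoring the file, if it was legitimate) is what stops the dialog.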
  5. Broni

    Broni Malware Annihilator Posts: 45,309   +243

  6. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    No, this is computer number 2. The computer we dealt with on the weekend seems to be running well.
  7. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  8. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    MBRCheck results:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0020000c

    Kernel Drivers (total 139):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0xF79B0000 \WINDOWS\system32\KDCOM.DLL
    0xF78C0000 \WINDOWS\system32\BOOTVID.dll
    0xF7381000 ACPI.sys
    0xF79B2000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7370000 pci.sys
    0xF74B0000 isapnp.sys
    0xF78C4000 compbatt.sys
    0xF78C8000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF74C0000 MountMgr.sys
    0xF7351000 ftdisk.sys
    0xF7730000 PartMgr.sys
    0xF74D0000 VolSnap.sys
    0xF729A000 iastor.sys
    0xF74E0000 disk.sys
    0xF74F0000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF727A000 fltmgr.sys
    0xF7224000 SYMDS.SYS
    0xF7212000 sr.sys
    0xF71E5000 SYMEFA.SYS
    0xF71CF000 DRVMCDB.SYS
    0xF7738000 PxHelp20.sys
    0xF71B8000 KSecDD.sys
    0xF712B000 Ntfs.sys
    0xF70FE000 NDIS.sys
    0xF70E4000 Mup.sys
    0xF75A0000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF5429000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xF5415000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF53DC000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xF7790000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF53B8000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7798000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF5390000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF535C000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
    0xF5339000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF523A000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
    0xF5193000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xF77A0000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF75B0000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7A26000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
    0xF75C0000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF75D0000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF7BDA000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF75E0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF6C41000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF517C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF75F0000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7600000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF77A8000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF516B000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7610000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF77B0000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF77B8000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7620000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF77C0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF77C8000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7A28000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF510D000 \SystemRoot\system32\DRIVERS\update.sys
    0xF6C35000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7980000 \SystemRoot\system32\drivers\MODEMCSA.sys
    0xF7580000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF4836000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7A68000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xA9D7D000 \SystemRoot\system32\drivers\sthda.sys
    0xA9D59000 \SystemRoot\system32\drivers\portcls.sys
    0xF4826000 \SystemRoot\system32\drivers\drmk.sys
    0xF3F18000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xA7876000 \SystemRoot\System32\Drivers\NIS\1108000.005\SRTSP.SYS
    0xF3F0C000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF47D6000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF7768000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xA3001000 \SystemRoot\system32\drivers\NIS\1108000.005\Ironx86.SYS
    0xA4648000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xA48D7000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xA48CF000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xA446E000 \SystemRoot\system32\drivers\NIS\1108000.005\SRTSPX.SYS
    0xA2E89000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    0xF79CA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7ABC000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79CC000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7858000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
    0xF7860000 \SystemRoot\System32\drivers\vga.sys
    0xF79D8000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79DA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7868000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7870000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xA645D000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA2E42000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA2DE9000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA2D92000 \SystemRoot\System32\Drivers\NIS\1108000.005\SYMTDI.SYS
    0xA2D6C000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF7660000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xA2CEC000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xA2CCA000 \SystemRoot\System32\drivers\afd.sys
    0xA9F3F000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA2C9F000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA2C2F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA9EFF000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA2BD1000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xA2BB4000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0xA2B35000 \SystemRoot\system32\drivers\NIS\1108000.005\ccHPx86.sys
    0xA2A6E000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20110309.001\BHDrvx86.sys
    0xA9EEF000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA29B7000 \SystemRoot\System32\Drivers\dump_iastor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA5E42000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF78A0000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xA893C000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF022000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF049000 \SystemRoot\System32\igxpdv32.DLL
    0xBF186000 \SystemRoot\System32\igxpdx32.DLL
    0xF47E6000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xA895F000 \SystemRoot\System32\DLA\DLADResN.SYS
    0xA29A1000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
    0xF6C4D000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
    0xF7A34000 \SystemRoot\System32\DLA\DLAPoolM.SYS
    0xF3829000 \SystemRoot\System32\DLA\DLABOIOM.SYS
    0xA2989000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
    0xA2973000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
    0xA48BB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xBF386000 \SystemRoot\System32\ATMFD.DLL
    0xA291E000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA34C4000 \SystemRoot\System32\Drivers\ASCTRM.SYS
    0xA284E000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA2912000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA2347000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20110406.001\IDSxpx86.sys
    0xF3821000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xA2332000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF7720000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA19BE000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA2766000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0xA070E000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20110407.002\NAVEX15.SYS
    0xA06FA000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20110407.002\NAVENG.SYS
    0xA0604000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 44):
    0 System Idle Process
    4 System
    656 C:\WINDOWS\system32\smss.exe
    704 csrss.exe
    728 C:\WINDOWS\system32\winlogon.exe
    780 C:\WINDOWS\system32\services.exe
    792 C:\WINDOWS\system32\lsass.exe
    980 C:\WINDOWS\system32\svchost.exe
    1072 svchost.exe
    1176 C:\WINDOWS\system32\svchost.exe
    1264 svchost.exe
    1372 svchost.exe
    1464 C:\WINDOWS\system32\spoolsv.exe
    1936 svchost.exe
    1968 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    2032 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    176 C:\Program Files\Java\jre6\bin\jqs.exe
    240 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    332 C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe
    1388 alg.exe
    3760 C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe
    4016 C:\WINDOWS\explorer.exe
    2328 C:\WINDOWS\system32\hkcmd.exe
    2372 C:\WINDOWS\system32\igfxpers.exe
    2588 C:\WINDOWS\stsystra.exe
    1752 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    2620 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    2484 C:\Program Files\Real\RealPlayer\realplay.exe
    2648 C:\WINDOWS\system32\svchost.exe
    2656 C:\Program Files\QuickTime\qttask.exe
    2668 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    2812 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    2788 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
    1364 C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    2840 C:\WINDOWS\system32\svchost.exe
    2436 C:\WINDOWS\system32\ctfmon.exe
    2756 C:\Program Files\Dell Support\DSAgnt.exe
    3228 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    2856 C:\Program Files\Digital Line Detect\DLG.exe
    3484 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    3472 C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
    3824 C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    3912 C:\Documents and Settings\Rob Anderson\Desktop\MBRCheck.exe
    3600 C:\WINDOWS\system32\taskmgr.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD2500JS-75NCB3, Rev: 10.02E04

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Dell MBR code detected
    SHA1: 57BDF501CE769EF2720C705B6C71C893DA31574E


    Done!
  9. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    Problems! After running MBRCheck successfully, I ran Combofix as per your instructions. It ran, asked me to install Recovery Console, then started scanning, then crashed. Blue screen. I attempted to reboot, got the blue screen again. Tried rebooting in Safe Mode, got the blue screen. Was able to run some diagnostics, memory test, hardware test and all came back OK, but I still can't get Windows to start. Any suggestions?
  10. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Did you try "Last known good configuration"?

    If you did....

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note: If you do not know how to set your computer to boot from CD, follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Under the Custom Scan box paste this in:

      /md5start
      explorer.exe
      winlogon.exe
      userinit.exe
      /md5stop

    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
  11. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    Yep, I tried last configuration, safe mode, etc. Won't boot up any way I try it. I can get a C:\WINDOWS> prompt in Windows Recovery Console, but I don't have a clue what I'm doing. I'll follow the instructions you posted.
  12. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    OK.....................
  13. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    OK, computer booted up OK using the CD I created. Ran OTL as you instructed and here are the results (I can't access internet from the computer in question):

    OTL logfile created on: 4/7/2011 7:07:35 PM - Run
    OTLPE by OldTimer - Version 3.1.46.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,014.00 Mb Total Physical Memory | 815.00 Mb Available Physical Memory | 80.00% Memory free
    902.00 Mb Paging File | 844.00 Mb Available in Paging File | 94.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 229.54 Gb Total Space | 212.36 Gb Free Space | 92.52% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand] -- -- (WudfSvc)
    SRV - File not found [On_Demand] -- -- (WMPNetworkSvc)
    SRV - File not found [On_Demand] -- -- (ose)
    SRV - File not found [Disabled] -- -- (NetTcpPortSharing)
    SRV - File not found [On_Demand] -- -- (idsvc)
    SRV - File not found [On_Demand] -- -- (aspnet_state)
    SRV - File not found [On_Demand] -- -- (AppMgmt)
    SRV - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe -- (NIS)
    SRV - [2004/07/21 17:26:36 | 000,176,241 | ---- | M] (American Power Conversion Corporation) [Auto] -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WudfRd)
    DRV - File not found [Kernel | On_Demand] -- -- (WudfPf)
    DRV - File not found [Kernel | On_Demand] -- -- (winachsf)
    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (Secdrv)
    DRV - File not found [Kernel | Boot] -- -- (PxHelp20)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | Auto] -- -- (mdmxsdk)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | Boot] -- -- (iastor)
    DRV - File not found [Kernel | On_Demand] -- -- (ialm)
    DRV - File not found [Kernel | On_Demand] -- -- (HSFHWBS2)
    DRV - File not found [Kernel | On_Demand] -- -- (HSF_DP)
    DRV - File not found [Kernel | On_Demand] -- -- (HDAudBus)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand] -- -- (catchme)
    DRV - File not found [Kernel | On_Demand] -- -- (bvrp_pci)
    DRV - [2011/04/07 14:52:28 | 000,060,416 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\Combo-Fix.sys -- (vkquwexg)
    DRV - [2011/03/31 08:05:33 | 001,393,144 | ---- | M] () [Kernel | On_Demand] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20110407.002\NAVEX15.SYS -- (NAVEX15)
    DRV - [2011/03/31 08:05:32 | 000,086,136 | ---- | M] () [Kernel | On_Demand] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20110407.002\NAVENG.SYS -- (NAVENG)
    DRV - [2010/08/24 08:43:48 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2010/08/24 08:43:48 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2010/08/24 08:25:30 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2010/05/06 00:01:59 | 000,361,904 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\Drivers\NIS\1108000.005\SYMTDI.SYS -- (SYMTDI)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=4061023
    IE - HKLM\Software\Microsoft\Internet Explorer\Search,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=4061023


    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=4061023
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Faye_Crerar_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=4061023
    IE - HKU\Faye_Crerar_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
    IE - HKU\Faye_Crerar_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca
    IE - HKU\Faye_Crerar_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=4061023
    IE - HKU\Faye_Crerar_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\Rob_Anderson_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKU\Rob_Anderson_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKU\Rob_Anderson_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
    IE - HKU\Rob_Anderson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\IPSFFPlgn\ [2010/08/25 09:06:36 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\coFFPlgn\ [2010/08/24 08:26:04 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/04/07 14:52:24 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
    O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
    O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ipsbho.dll (Symantec Corporation)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
    O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
    O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
    O3 - HKU\Faye_Crerar_ON_C\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
    O3 - HKU\Rob_Anderson_ON_C\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
    O4 - HKLM..\Run: [Adobe ARM] File not found
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] File not found
    O4 - HKLM..\Run: [combofix] File not found
    O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe (Corel, Inc.)
    O4 - HKLM..\Run: [DLA] File not found
    O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
    O4 - HKLM..\Run: [IAAnotif] File not found
    O4 - HKLM..\Run: [Lminunufu] File not found
    O4 - HKLM..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
    O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [QuickTime Task] File not found
    O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
    O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
    O4 - HKU\Faye_Crerar_ON_C..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
    O4 - HKU\Rob_Anderson_ON_C..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
    O4 - HKU\Rob_Anderson_ON_C..\Run: [Nlahejigulu] File not found
    O4 - HKLM..\RunOnce: [combofix] File not found
    O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
    O4 - Startup: C:\Documents and Settings\Rob Anderson\Start Menu\Programs\Startup\SyncBack.lnk = C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe (2BrightSparks)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\Faye_Crerar_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Rob_Anderson_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\Rob_Anderson_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\Rob_Anderson_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_24.dll (Sun Microsystems, Inc.)
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162576401015 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {FAA26872-BB40-4AB2-8A6D-A49183581AAA} http://clyc.dyndns.org:8000/user/TSBnwCam.CAB (TSBnwCam Control)
    O18 - Protocol\Handler\intu-res {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll ()
    O18 - Protocol\Handler\schmap-help {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\Schmapdoclib.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - File not found
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/04/07 14:44:26 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/04/07 14:42:27 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/04/07 14:42:27 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/04/07 14:42:27 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/04/07 14:42:27 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/04/07 14:42:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/04/07 14:42:16 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2011/04/07 14:42:01 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/04/01 14:49:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob Anderson\Desktop\Virus_Malware_Spyware Removal
    [2011/04/01 14:28:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob Anderson\Application Data\Malwarebytes
    [2011/04/01 14:27:58 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/04/01 14:27:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/04/01 14:27:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/04/01 14:27:53 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/04/01 14:27:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/04/01 13:09:44 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2011/04/01 13:09:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2011/04/01 13:09:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
    [2011/04/01 09:37:56 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Rob Anderson\IECompatCache
    [2011/04/01 09:37:29 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Rob Anderson\PrivacIE
    [2011/04/01 08:51:51 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\IETldCache
    [2011/04/01 08:51:32 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Rob Anderson\IETldCache
    [2011/04/01 08:29:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
    [2011/04/01 08:24:48 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
    [2011/04/01 08:21:45 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
    [2006/11/02 16:07:01 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\lexlog.dll

    ========== Files - Modified Within 30 Days ==========

    [2011/04/07 14:53:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/04/07 14:52:28 | 000,060,416 | ---- | M] () -- C:\WINDOWS\System32\drivers\Combo-Fix.sys
    [2011/04/07 14:52:24 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/04/07 14:44:31 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/04/07 14:07:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/04/07 12:01:12 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Rob Anderson\Desktop\Microsoft Office Word 2003.lnk
    [2011/04/07 12:00:00 | 000,000,466 | ---- | M] () -- C:\WINDOWS\tasks\SyncBack daily local.job
    [2011/04/07 11:20:01 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\SyncBack Daily_Crerar5_Work.job
    [2011/04/07 10:15:01 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\SyncBack Daily_Crerar_5_Robs_Work.job
    [2011/04/07 08:17:56 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/04/07 08:17:53 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/04/07 07:57:10 | 1063,297,024 | -HS- | M] () -- C:\hiberfil.sys
    [2011/04/05 17:13:51 | 000,001,403 | ---- | M] () -- C:\WINDOWS\System32\LexFiles.usr
    [2011/04/01 14:27:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/04/01 13:42:04 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/04/01 08:51:35 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Rob Anderson\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/03/29 08:09:15 | 000,002,347 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
    [2011/03/29 08:09:15 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2011/03/17 17:35:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
    [2011/03/14 11:28:20 | 000,445,836 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/03/14 11:28:20 | 000,073,042 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/03/09 10:56:01 | 000,003,350 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2011/03/09 10:55:58 | 000,000,088 | RHS- | M] () -- C:\WINDOWS\System32\D776A1B148.sys

    ========== Files Created - No Company Name ==========

    [2011/04/07 14:52:28 | 000,060,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\Combo-Fix.sys
    [2011/04/07 14:44:31 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/04/07 14:44:30 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/04/07 14:42:27 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/04/07 14:42:27 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/04/07 14:42:27 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/04/07 14:42:27 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/04/07 14:42:27 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/01/04 17:34:05 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Rob Anderson\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
    [2011/01/04 17:29:02 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
    [2010/11/11 17:55:35 | 000,073,656 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/08/20 16:51:34 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
    [2010/08/20 11:12:07 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Osejafugahopi.dat
    [2010/08/20 11:12:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qmiduxi.bin
    [2010/02/05 10:21:44 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/01/22 13:57:35 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\Rob Anderson\Application Data\dvd.bmk
    [2010/01/21 14:04:14 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Rob Anderson\Local Settings\Application Data\fusioncache.dat
    [2008/10/08 12:05:54 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
    [2008/05/27 11:33:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\AvgTdiX.sys
    [2007/08/14 10:19:15 | 000,000,014 | ---- | C] () -- C:\Documents and Settings\Rob Anderson\USB001
    [2007/07/31 18:56:12 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\ZSHP1020.EXE
    [2007/07/31 18:56:12 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\VSHP1020.DLL
    [2007/05/14 10:01:39 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\Rob Anderson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2007/02/02 16:06:46 | 000,265,416 | ---- | C] () -- C:\Documents and Settings\Faye Crerar\TRANSFORMS=1033.mst
    [2006/11/07 16:37:05 | 000,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2006/11/07 16:37:05 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\D776A1B148.sys
    [2006/11/02 16:06:53 | 000,000,507 | ---- | C] () -- C:\WINDOWS\DKAAY2DD.ini
    [2006/10/31 18:12:21 | 000,265,416 | ---- | C] () -- C:\Documents and Settings\Rob Anderson\TRANSFORMS=1033.mst
    [2006/10/31 18:11:21 | 000,265,416 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\TRANSFORMS=1033.mst
    [2006/10/23 14:48:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2006/10/23 14:41:10 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2006/10/23 14:38:04 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
    [2006/10/23 14:35:08 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/10/23 14:31:51 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2006/10/23 14:12:20 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
    [2006/10/23 14:12:09 | 000,348,880 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
    [2006/10/23 14:12:09 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4642.dll
    [2006/10/23 14:10:41 | 000,000,493 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2005/11/10 02:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2005/04/01 21:46:00 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\gencoin.dll
    [2005/04/01 21:46:00 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\softcoin.dll
    [2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2004/08/10 14:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2004/08/10 14:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2004/08/10 13:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2004/08/10 13:57:15 | 000,158,752 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2004/08/10 13:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/10 13:51:20 | 000,445,836 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/10 13:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/10 13:51:20 | 000,073,042 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/10 13:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/10 13:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/10 13:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/10 13:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2004/08/10 13:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/10 13:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/10 13:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/10 13:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2011/01/17 17:57:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Faye Crerar\Application Data\Schmap
    [2010/08/20 13:07:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob Anderson\Application Data\456BC871B8C5594703BE7C004B3474E4
    [2010/11/11 14:24:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob Anderson\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2010/03/04 17:47:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob Anderson\Application Data\com.nyt.timesreader.78C54164786ADE80CB31E1C5D95607D0938C987A.1
    [2006/11/03 12:52:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob Anderson\Application Data\CoreFTP
    [2009/08/11 13:53:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob Anderson\Application Data\FileZilla
    [2006/12/28 18:52:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob Anderson\Application Data\Leadertech
    [2006/11/03 14:10:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob Anderson\Application Data\OfficeUpdate12
    [2011/01/11 17:16:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob Anderson\Application Data\Schmap
    [2010/11/11 14:33:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob Anderson\Application Data\UDC Profiles
    [2010/08/24 16:34:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2006/10/23 14:32:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2011/04/07 12:00:00 | 000,000,466 | ---- | M] () -- C:\WINDOWS\Tasks\SyncBack daily local.job
    [2011/04/07 11:20:01 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\SyncBack Daily_Crerar5_Work.job
    [2011/04/07 10:15:01 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\SyncBack Daily_Crerar_5_Robs_Work.job

    ========== Purity Check ==========

    ========== Custom Scans ==========

    < MD5 for: EXPLORER.EXE >
    [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
    [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
    [2007/06/13 07:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
    [2004/08/04 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

    < MD5 for: USERINIT.EXE >
    [2004/08/04 06:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\i386\userinit.exe
    [2004/08/04 06:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
    [2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
    [2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

    < MD5 for: WINLOGON.EXE >
    [2004/08/04 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\i386\winlogon.exe
    [2004/08/04 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
    [2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
    [2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe
    < End of report >
  14. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Do this on the computer you are posting from:
    Copy the text in the codebox below:

    Code:
    :OTL
    DRV - [2011/04/07 14:52:28 | 000,060,416 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\Combo-Fix.sys -- (vkquwexg)
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKLM..\Run: [combofix] File not found
    O4 - HKLM..\Run: [Lminunufu] File not found
    O4 - HKU\Rob_Anderson_ON_C..\Run: [Nlahejigulu] File not found
    O4 - HKLM..\RunOnce: [combofix] File not found
    O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/sh...1/mcinsctl.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2011/03/09 10:55:58 | 000,000,088 | RHS- | M] () -- C:\WINDOWS\System32\D776A1B148.sys
    [2010/08/20 11:12:07 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Osejafugahopi.dat
    [2010/08/20 11:12:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qmiduxi.bin
    [2010/08/20 13:07:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob Anderson\Application Data\456BC871B8C5594703BE7C004B3474E4
    [2010/08/24 16:34:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2006/10/23 14:32:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive.

    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into Windows.
  15. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    Here is the log after running the fix.

    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vkquwexg deleted successfully.
    C:\WINDOWS\system32\drivers\Combo-Fix.sys moved successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\combofix deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Lminunufu deleted successfully.
    Registry value HKEY_USERS\Rob_Anderson_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\Nlahejigulu deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\combofix deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\flags deleted successfully.
    Starting removal of ActiveX control {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
    C:\WINDOWS\Downloaded Program Files\mcinsctl.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_USERS\Faye_Crerar_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_USERS\Rob_Anderson_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_USERS\systemprofile_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\WINDOWS\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_USERS\Faye_Crerar_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_USERS\Rob_Anderson_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_USERS\systemprofile_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    C:\WINDOWS\system32\D776A1B148.sys moved successfully.
    C:\WINDOWS\Osejafugahopi.dat moved successfully.
    C:\WINDOWS\Qmiduxi.bin moved successfully.
    C:\Documents and Settings\Rob Anderson\Application Data\456BC871B8C5594703BE7C004B3474E4 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\update\prepare\temp folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\update\prepare folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\update\backup folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\update folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\Temp folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\scanlogs folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\Log folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\emc folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\Dumps folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\CfgAll folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\Cfg folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\AvgApi folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\AvgAm folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9\admincli folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\avg9 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9Plus folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint folder moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Faye Crerar
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes
    ->Flash cache emptied: 0 bytes

    User: Owner

    User: Rob Anderson
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 2605015 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 983 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 255 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

    Total Files Cleaned = 3.00 mb


    OTLPE by OldTimer - Version 3.1.46.0 log created on 04072011_201533


    OTL didn't ask me to reboot when it was finished. Do I need to reboot using the CD-ROM first, then shut down and try to reboot normally again?
  16. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Remove the CD and see if you can restart normally.
  17. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    No, it wouldn't restart normally, or with last known good configuration, or in safe mode.
  18. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    I just found out that there was a bug in Combofix, fixed by now.
    I apologize for that.

    Let's see if we can use System Restore to get your computer back.

    If you have Windows XP CD... (if you don't have Windows CD, scroll down)

    1. Boot from the CD.
    2. When the text-based part of Setup begins, follow the prompts. Select the repair or recover option by pressing R:

    3. You'll find yourself at this screen:

    4. Once you are at the Recovery Console you will be given at least one choice of Windows installations. Normally the choice you want is the number 1 choice. Click the number 1 key at the "top" of the keyboard and click enter.

    NOTE: at this point your numbers to the right of your keyboard are turned off. If you insist on using these keys for your numbers remember to hit the Numbers Lock key before clicking a number over there or your computer will automatically reboot and you will have to wait through the previous steps to get back to the console.

    5. You will be given a message asking for the administrator password. Unless someone or something has messed with your computer there is no password so you just click the Enter key.

    6. This will bring you to a prompt that says:

    C:\WINDOWS>

    7. Type:

    cd \

    Press Enter

    Note: between "cd" and "\" there should be a "blank space" otherwise the command won't work

    8. The prompt should now say:

    C:\>

    9. Type:

    cd system~1\_resto~1

    Press Enter.

    ===============================================================================

    Note: If it gives an error "Access Denied" while accessing the folder, follow the method below

    Type: cd \

    Press Enter

    Type: cd windows\system32\config

    Press Enter

    Type: ren system system.bak

    Press Enter

    (note the spaces between ren and system, and then between system and system.bak)

    Type: exit

    Press Enter

    Now the computer should restart; then follow steps 1-9.


    ===============================================================================

    10. Type:

    dir

    Press Enter

    NOTE: When you hit Enter it will list all the restore point folders, like "rp1", "rp2". We have to see the last restore point to copy the file from a recent backup. If the restore points take up more than one page, you have to keep hitting the key to view the last restore point folder.

    NOTE: It is a good rule of thumb to choose the files from the restore point folder which is the second to the last one.

    11. Type:

    cd rp{second to the last restore point number}

    Press Enter

    Example: cd rp9 if rp10 is the last restore point.

    12. Type:

    cd snapshot

    Press Enter.

    NOTICE: Now the command prompt will look like this:

    c:\system~1\resto~1\rp9\snapshot

    Note: restore point 9 is assumed for clarity of the content.


    13. Type:

    copy _registry_machine_system c:\windows\system32\config\system

    Press Enter

    14. Type:

    Exit

    Press Enter.

    Final note: If the above procedure does not solve the problem, repeat all steps, but in step 13 type:

    copy _registry_machine_software c:\windows\system32\config\software

    Alternatively, select a different restore point.



    If you don't have Windows CD...

    Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
    Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
    Using Imgburn, burn rc.iso to a CD (use "Write image file to disc" option).
    Boot to the CD...let it finish loading.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

    Follow steps 3 - 14.
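    The hive-restore procedure above, modelled in Python as an added example (not code from the thread or from any tool it mentions). It assumes you run it from a rescue environment that has the XP volume mounted read/write (for instance a live CD), not from the Recovery Console itself. It adds two checks the manual steps rely on the reader to get right: restore points are ordered by their number (so rp10 sorts after rp9, unlike a plain alphabetical listing), and a file is only copied over the live hive if it carries the "regf" signature every Windows registry hive file starts with. The `_restore{PLACEHOLDER-GUID}` folder name and the RP7..RP10 contents are constructed placeholders; the real folder under System Volume Information carries a GUID.

```python
"""Offline restore of a Windows XP registry hive from a System Restore point.

Added example: models the Recovery Console steps (ren system system.bak, then
copy _registry_machine_system ...) from a rescue environment with the XP
volume mounted. Folder names below are constructed placeholders.
"""
import os
import re
import shutil
import tempfile

# Every Windows registry hive file starts with the 4-byte signature "regf".
REGF_MAGIC = b"regf"
# Restore point folders are named RP<n>; the number is what orders them.
RP_PATTERN = re.compile(r"^rp(\d+)$", re.IGNORECASE)


def list_restore_points(restore_dir):
    """Restore-point folder names in numeric order (RP9 before RP10).

    An alphabetical 'dir' listing shows RP10 before RP9, which is the easy
    way to pick the wrong "second to last" point by hand.
    """
    found = []
    for name in os.listdir(restore_dir):
        match = RP_PATTERN.match(name)
        if match and os.path.isdir(os.path.join(restore_dir, name)):
            found.append((int(match.group(1)), name))
    return [name for _, name in sorted(found)]


def pick_restore_point(restore_dir, skip_latest=1):
    """Second-to-last restore point, as the thread recommends.

    The newest point may have been written while the machine was already
    failing; skipping it is a hedge. With a single point, that one is used.
    """
    points = list_restore_points(restore_dir)
    if not points:
        raise FileNotFoundError("no RP<n> folders under " + restore_dir)
    return points[max(0, len(points) - 1 - skip_latest)]


def is_registry_hive(path):
    """Sanity check before overwriting a live hive: 'regf' header present."""
    with open(path, "rb") as fh:
        return fh.read(4) == REGF_MAGIC


def restore_hive(restore_dir, config_dir, hive="system", rp=None):
    """Copy <rp>/snapshot/_REGISTRY_MACHINE_<HIVE> over config/<hive>.

    The current hive is kept as <hive>.bak so the change can be undone.
    Returns the restore point folder that was used.
    """
    rp = rp or pick_restore_point(restore_dir)
    src = os.path.join(restore_dir, rp, "snapshot",
                       "_REGISTRY_MACHINE_" + hive.upper())
    dst = os.path.join(config_dir, hive)
    if not is_registry_hive(src):
        raise ValueError("%s does not look like a registry hive" % src)
    if os.path.exists(dst):
        backup = dst + ".bak"
        if os.path.exists(backup):
            os.remove(backup)
        os.rename(dst, backup)
    shutil.copy2(src, dst)
    return rp


def build_sample_tree():
    """Constructed XP-like volume in a temp dir so the example runs offline.

    RP7..RP10 each hold a toy SYSTEM hive carrying only the real 4-byte magic;
    RP10, the newest, is deliberately corrupt to show why the latest point is
    skipped. Returns (restore_dir, config_dir).
    """
    root = tempfile.mkdtemp(prefix="xp_volume_")
    restore_dir = os.path.join(root, "System Volume Information",
                               "_restore{PLACEHOLDER-GUID}")
    config_dir = os.path.join(root, "WINDOWS", "system32", "config")
    os.makedirs(config_dir)
    for n in (7, 8, 9, 10):
        snap = os.path.join(restore_dir, "RP%d" % n, "snapshot")
        os.makedirs(snap)
        body = REGF_MAGIC + b"\x00" * 28 + ("from rp%d" % n).encode()
        if n == 10:
            body = b"\x00" * len(body)  # corrupt newest point (constructed)
        with open(os.path.join(snap, "_REGISTRY_MACHINE_SYSTEM"), "wb") as fh:
            fh.write(body)
    with open(os.path.join(restore_dir, "drivetable.txt"), "w") as fh:
        fh.write("placeholder\n")  # non-RP entry a plain listing also shows
    with open(os.path.join(config_dir, "system"), "wb") as fh:
        fh.write(b"damaged hive contents")  # the live hive that will not boot
    return restore_dir, config_dir


if __name__ == "__main__":
    sample_restore_dir, sample_config_dir = build_sample_tree()
    print("restored SYSTEM hive from",
          restore_hive(sample_restore_dir, sample_config_dir))
```

    Pointing `restore_hive` at RP10 in the sample tree raises `ValueError` rather than replacing the live hive with zeros, which is the failure the "second to last" rule of thumb is guarding against; the `.bak` copy is the same undo path the thread's `ren system system.bak` step leaves behind.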
  19. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    I don't have a windows cd, so I downloaded windows recovery console and imgburn, created a cd and tried to start the computer with the cd. It crashed again and I got a blue screen.
  20. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Are you sure you're actually booting from the CD?
    How far did it boot?
  21. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    When booting up, it asks me to press any key to boot from CD, then a blue windows setup screen comes on with a silver message bar at the bottom. It says Setup is loading several files, then it says Setup is starting windows and after about 10 seconds, it crashes.
  22. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Well, you must have some other issues on top of an infection.

    What does the BSOD say?
    I need all the info from there.
  23. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    I just found a Windows XP Pro CD - should I try it as per your instructions?

    "If you have Windows XP CD... (if you don't have Windows CD, scroll down)

    1. Boot from the CD.
    2. When the text-based part of Setup begins, follow the prompts. Select the repair or recover option by pressing R:


    etc..."
  24. luckyedsall

    luckyedsall Newcomer, in training Topic Starter Posts: 66

    Not sure what this means

    "What does the BSOD say.
    I need all info from there. "
  25. Broni

    Broni Malware Annihilator Posts: 45,309   +243

    Absolutely.