Inactive Rootkit.agent C:\WINDOWS\system32\drivers\ubschvbx.sys


Lahta

I'm trying to get rid of a rootkit.agent nasty thing and so far have not had any success. I have identified where it is hiding but I cannot delete the file. I have attached 2 logs from running hijackthis and combfix. Please help! Thanks.
 

Attachments

  • log.txt (22.5 KB)
  • HJ filelog.lahta.txt (7.4 KB)
Welcome aboard


Do not run Combofix without our guidance: https://www.techspot.com/vb/topic138086.html

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
 
Posting logs after 8 steps

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4511

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/30/2010 9:24:21 PM
mbam-log-2010-08-30 (21-24-21).txt

Scan type: Quick scan
Objects scanned: 132171
Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\ubschvbx.sys (Rootkit.Agent) -> Delete on reboot.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-08-30 21:39:44
Windows 5.1.2600 Service Pack 3
Running: ln19s1u6.exe; Driver: C:\DOCUME~1\DELLCU~1\LOCALS~1\Temp\kfwirpod.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89A9CC48

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] ubschvbx <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

DDS (Ver_10-03-17.01) - NTFSx86
Run by Dell Customer at 22:02:06.54 on Mon 08/30/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1450 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dell Customer\My Documents\RCA Detective\RCADetective.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Dell Customer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bigseekpro.com/splitcam/{407B64BF-EC8A-487B-8B59-EDAF90E94F59}
mStart Page = hxxp://www.bigseekpro.com/splitcam/{407B64BF-EC8A-487B-8B59-EDAF90E94F59}
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Google Update] "c:\documents and settings\dell customer\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\dellcu~1\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\dell customer\my documents\rca detective\RCADetective.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dellcu~1\applic~1\mozilla\firefox\profiles\v4fo41v2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\dell customer\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\dell customer\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\dell customer\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\dell customer\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\dell customer\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-22 11608]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-18 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-18 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-18 243024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-22 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-22 267432]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-22 60936]
S2 gupdate1ca1fb41e9b77c0;Google Update Service (gupdate1ca1fb41e9b77c0);c:\program files\google\update\GoogleUpdate.exe [2009-8-17 133104]

=============== Created Last 30 ================

2010-08-31 01:52:30 0 d-----w- c:\windows\system32\wbem\Logs
2010-08-29 17:28:18 0 d-sha-r- C:\cmdcons
2010-08-29 17:18:33 98816 ----a-w- c:\windows\sed.exe
2010-08-29 17:18:33 77312 ----a-w- c:\windows\MBR.exe
2010-08-29 17:18:33 256512 ----a-w- c:\windows\PEV.exe
2010-08-29 17:18:33 161792 ----a-w- c:\windows\SWREG.exe
2010-08-29 16:40:16 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-08-25 04:52:49 0 d-----w- c:\windows\system32\NtmsData
2010-08-25 04:52:23 0 d-----w- c:\docume~1\dellcu~1\applic~1\Avira
2010-08-23 23:28:30 0 d-----w- c:\program files\Trend Micro
2010-08-23 03:13:26 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-23 03:13:25 0 d-----w- c:\program files\Avira
2010-08-23 03:13:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-08-23 02:52:53 38848 ----a-w- c:\windows\avastSS.scr
2010-08-23 02:52:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-08-20 00:57:13 5 ----a-w- C:\zrpt.xml
2010-08-20 00:57:10 0 ----a-w- c:\windows\system32\drivers\ubschvbx.sys
2010-08-20 00:56:44 0 d-----w- c:\docume~1\dellcu~1\applic~1\DMCache
2010-08-20 00:56:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-19 23:18:41 0 d-----w- c:\windows\system32\hdined32.nls.{00021401-0000-0000-C000-000000000046}
2010-08-19 23:18:16 0 d-----w- c:\program files\burnatonce
2010-08-18 05:53:35 0 d-----w- c:\docume~1\dellcu~1\applic~1\GetRight
2010-08-15 02:19:35 0 d-----w- c:\program files\Yahoo!
2010-08-03 19:43:40 0 d-----w- c:\program files\iPod
2010-08-03 19:43:35 0 d-----w- c:\program files\iTunes
2010-08-03 19:39:46 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-08-01 23:42:24 40740 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-25 22:08:01 28672 ----a-w- c:\windows\fonts\pyview.ttf
2010-07-15 13:51:08 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:51:06 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 13:50:25 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15:28 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15:26 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15:26 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 09:36:29 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 22:02:44.64 ===============
 

Attachments

  • Attach.zip (3.4 KB)
Please, never zip any logs.

=======================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

======================================================================

Delete your Combofix file and....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
MBR Text:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 142):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xB9EA1000 ubschvbx.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9E82000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9DAD000 iaStor.sys
0xB9D95000 atapi.sys
0xBA338000 cercsr6.sys
0xB9D7D000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9D5D000 fltmgr.sys
0xB9D4B000 sr.sys
0xB9D36000 drvmcdb.sys
0xBA340000 PxHelp20.sys
0xB9D1F000 KSecDD.sys
0xB9C92000 Ntfs.sys
0xB9C65000 NDIS.sys
0xB9C4B000 Mup.sys
0xB914C000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8BB3000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB1C71000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB0FC7000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xBA420000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB02D0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8FD1000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xAEC6E000 \SystemRoot\system32\drivers\ctaud2k.sys
0xAE471000 \SystemRoot\system32\drivers\portcls.sys
0xB722A000 \SystemRoot\system32\drivers\drmk.sys
0xADC90000 \SystemRoot\system32\drivers\ks.sys
0xAD1E3000 \SystemRoot\system32\drivers\ctoss2k.sys
0xADD18000 \SystemRoot\system32\drivers\ctprxy2k.sys
0xAD6ED000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA654000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xAD6DD000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xAD6CD000 \SystemRoot\system32\DRIVERS\redbook.sys
0xADD10000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xAE255000 \SystemRoot\system32\DRIVERS\audstub.sys
0xAD6BD000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xAE899000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xAC525000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xAD6AD000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xAD69D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xADD08000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xAC514000 \SystemRoot\system32\DRIVERS\psched.sys
0xAD68D000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xADD00000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xADCF8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xAD67D000 \SystemRoot\system32\DRIVERS\termdd.sys
0xADCF0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xADCE8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA656000 \SystemRoot\system32\DRIVERS\swenum.sys
0xAC4B6000 \SystemRoot\system32\DRIVERS\update.sys
0xAE88D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xABFA6000 \SystemRoot\system32\drivers\ha20x2k.sys
0xABF79000 \SystemRoot\system32\drivers\emupia2k.sys
0xABF52000 \SystemRoot\system32\drivers\ctsfm2k.sys
0xABEB6000 \SystemRoot\system32\drivers\ctac32k.sys
0xACF12000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xACED2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA662000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA666000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAC605000 \SystemRoot\System32\Drivers\Null.SYS
0xBA668000 \SystemRoot\System32\Drivers\Beep.SYS
0xACF62000 \SystemRoot\system32\drivers\ssrtln.sys
0xACF5A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xACF52000 \SystemRoot\System32\drivers\vga.sys
0xBA66A000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA66C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xACF4A000 \SystemRoot\System32\Drivers\Msfs.SYS
0xACF42000 \SystemRoot\System32\Drivers\Npfs.SYS
0xACFCD000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA3E41000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA3DE8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA3DC2000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA3D88000 \SystemRoot\System32\Drivers\avgtdix.sys
0xACEB2000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA3D60000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA3D3E000 \SystemRoot\System32\drivers\afd.sys
0xACEA2000 \SystemRoot\system32\DRIVERS\netbios.sys
0xACF3A000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xA3D13000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA3CA3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xACE92000 \SystemRoot\System32\Drivers\Fips.SYS
0xA3C81000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xACF2A000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xA3C4D000 \SystemRoot\System32\Drivers\avgldx86.sys
0xB90A4000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xAC554000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xB8F91000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xB8FA9000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xB8F99000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xBA1E8000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xAC550000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xAC544000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB477C000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAC540000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB3C19000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA5BE000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xB474C000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA3B78000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB928B000 \SystemRoot\System32\drivers\Dxapi.sys
0xB90DC000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7E0000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF065000 \SystemRoot\System32\ati2cqag.dll
0xBF0FE000 \SystemRoot\System32\atikvmag.dll
0xBF182000 \SystemRoot\System32\atiok3x2.dll
0xBF1CD000 \SystemRoot\System32\ati3duag.dll
0xBF572000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA1963000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xBA318000 \SystemRoot\system32\drivers\drvnddm.sys
0xB1C98000 \SystemRoot\system32\dla\tfsndres.sys
0xA194E000 \SystemRoot\system32\dla\tfsnifs.sys
0xB4116000 \SystemRoot\system32\dla\tfsnopio.sys
0xACE38000 \SystemRoot\system32\dla\tfsnpool.sys
0xBA360000 \SystemRoot\system32\dla\tfsnboio.sys
0xBA158000 \SystemRoot\system32\dla\tfsncofs.sys
0xB1C97000 \SystemRoot\system32\dla\tfsndrct.sys
0xA1935000 \SystemRoot\system32\dla\tfsnudf.sys
0xA191C000 \SystemRoot\system32\dla\tfsnudfa.sys
0xAF07C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA1727000 \SystemRoot\system32\drivers\wdmaud.sys
0xAC574000 \SystemRoot\system32\drivers\sysaudio.sys
0xA1684000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAE33F000 \SystemRoot\System32\drivers\aspi32.sys
0xA0ECD000 \SystemRoot\system32\DRIVERS\srv.sys
0xA05A9000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 51):
0 System Idle Process
4 System
608 C:\WINDOWS\system32\smss.exe
656 csrss.exe
688 C:\WINDOWS\system32\winlogon.exe
732 C:\WINDOWS\system32\services.exe
744 C:\WINDOWS\system32\lsass.exe
964 C:\WINDOWS\system32\ati2evxx.exe
980 C:\WINDOWS\system32\svchost.exe
1060 svchost.exe
1156 C:\WINDOWS\system32\svchost.exe
1252 svchost.exe
1364 svchost.exe
1468 C:\WINDOWS\system32\ati2evxx.exe
1484 C:\Program Files\AVG\AVG9\avgchsvx.exe
1496 C:\Program Files\AVG\AVG9\avgrsx.exe
1648 C:\WINDOWS\system32\spoolsv.exe
1684 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1832 C:\Program Files\Avira\AntiVir Desktop\sched.exe
436 svchost.exe
624 C:\WINDOWS\explorer.exe
1020 C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
1164 C:\WINDOWS\CTHELPER.EXE
1188 C:\WINDOWS\system32\CTXFIHLP.EXE
1220 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
1240 C:\WINDOWS\system32\dla\tfswctrl.exe
1332 C:\WINDOWS\system32\CTXFISPI.EXE
1348 C:\PROGRA~1\AVG\AVG9\avgtray.exe
1388 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
1524 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1544 C:\Program Files\iTunes\iTunesHelper.exe
1572 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
1940 C:\WINDOWS\system32\ctfmon.exe
2224 C:\Documents and Settings\Dell Customer\My Documents\RCA Detective\RCADetective.exe
2464 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
2504 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
2524 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2564 C:\Program Files\AVG\AVG9\avgwdsvc.exe
2636 C:\Program Files\Bonjour\mDNSResponder.exe
2692 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
3072 C:\Program Files\Java\jre6\bin\jqs.exe
3120 C:\WINDOWS\system32\HPZipm12.exe
3212 C:\WINDOWS\system32\PnkBstrA.exe
3320 C:\WINDOWS\system32\svchost.exe
3380 C:\Program Files\AVG\AVG9\avgnsx.exe
3600 C:\Program Files\AVG\AVG9\avgemc.exe
3784 C:\Program Files\AVG\AVG9\avgcsrvx.exe
2440 C:\Program Files\iPod\bin\iPodService.exe
3180 alg.exe
3548 C:\Program Files\Mozilla Firefox\firefox.exe
2180 C:\Documents and Settings\Dell Customer\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600JS-75NCB1, Rev: 10.02E01

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
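The three logs in this thread show the same driver from three angles: GMER reports the ubschvbx service as hidden and boot-start, the DDS file listing shows ubschvbx.sys as a 0-byte file, and MBRCheck shows it resident in the kernel. As an added example (written for this page, not part of MBRCheck, DDS or GMER), the Python script below parses constructed lines in those three formats and flags any kernel module that is loaded yet reports 0 bytes on disk or belongs to a hidden service; the regexes are assumptions based on the log lines quoted above.

```python
"""
Triage helper for the logs in this thread: correlates the kernel modules
MBRCheck lists as loaded with the file sizes DDS reports on disk and the
services GMER marks as hidden, then flags modules that are resident in the
kernel but look wrong on disk or in the service list.
Example code for this page, not part of MBRCheck, DDS or GMER.
"""
import ntpath
import re

# Constructed samples, copied in shape from the logs posted above.
MBRCHECK_SAMPLE = r"""
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xB9EA1000 ubschvbx.sys
0xBA670000 pciide.sys
0xA3D88000 \SystemRoot\System32\Drivers\avgtdix.sys
"""

DDS_SAMPLE = r"""
2010-08-29 16:40:16 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-08-20 00:57:13 5 ----a-w- C:\zrpt.xml
2010-08-20 00:57:10 0 ----a-w- c:\windows\system32\drivers\ubschvbx.sys
2010-08-20 00:56:44 0 d-----w- c:\docume~1\dellcu~1\applic~1\DMCache
2010-07-15 13:51:08 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
"""

GMER_SAMPLE = r"""
---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] ubschvbx <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

# Line shapes assumed from the logs above (not official tool specifications).
LOADED_RE = re.compile(r"^0x[0-9A-Fa-f]{8} (?P<path>.+)$")
DDS_FILE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>\S{8}) (?P<path>.+)$"
)
GMER_HIDDEN_RE = re.compile(
    r"^Service \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)"
)


def parse_loaded_modules(text):
    """Return {basename: path} for every kernel module MBRCheck lists."""
    modules = {}
    for line in text.splitlines():
        m = LOADED_RE.match(line)
        if m:
            modules[ntpath.basename(m["path"]).lower()] = m["path"]
    return modules


def parse_dds_files(text):
    """Return {basename: (size, attrs, path)} for regular files DDS lists."""
    files = {}
    for line in text.splitlines():
        m = DDS_FILE_RE.match(line)
        if not m or m["attrs"].startswith("d"):  # skip directory entries
            continue
        key = ntpath.basename(m["path"]).lower()
        files[key] = (int(m["size"]), m["attrs"], m["path"])
    return files


def parse_gmer_hidden_services(text):
    """Return {service name: start type} for services GMER marks as hidden."""
    hidden = {}
    for line in text.splitlines():
        m = GMER_HIDDEN_RE.match(line)
        if m:
            hidden[m["name"].lower()] = m["start"]
    return hidden


def find_suspicious_modules(loaded, on_disk, hidden):
    """Flag loaded modules that are 0 bytes on disk or run as hidden services."""
    findings = []
    for name in sorted(loaded):
        reasons = []
        entry = on_disk.get(name)
        if entry is not None and entry[0] == 0:
            reasons.append("resident in kernel but 0 bytes on disk")
        service = ntpath.splitext(name)[0]  # ubschvbx.sys -> ubschvbx
        if service in hidden:
            reasons.append(f"service hidden from enumeration (start={hidden[service]})")
        if reasons:
            findings.append((name, entry[2] if entry else loaded[name], reasons))
    return findings


def triage(mbrcheck_text, dds_text, gmer_text):
    """Run all three parsers and return [(module, path, reasons), ...]."""
    return find_suspicious_modules(
        parse_loaded_modules(mbrcheck_text),
        parse_dds_files(dds_text),
        parse_gmer_hidden_services(gmer_text),
    )


if __name__ == "__main__":
    for name, path, reasons in triage(MBRCHECK_SAMPLE, DDS_SAMPLE, GMER_SAMPLE):
        print(f"{name}  {path}")
        for reason in reasons:
            print(f"    - {reason}")
```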
 
Houston we have a problem! The computer will not reboot. It goes to a black screen and stays there??
 
After I posted the MBR text and you said it looked good I went ahead and ran malware and it looked good and then avast and it looked good and then tried to reboot and it will not go past the Dell logo screen. Cannot boot in safe mode. Recovery mode went as far as running the "driver" screen but it does appear that there could be a driver issue because the "list" ends 3/4 way down the screen and will not boot past that point.
 
I went ahead and ran malware and it looked good and then avast and it looked good
First of all, I didn't ask you to do that....
By "malware" do you mean Malwarebytes?


Let's see, if we can look at your computer booting from an external source.

Please download OTLPE (filesize 120,9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
 
Yes, I meant Malwarebytes. I did not mean to imply that you told me to run the scans, I just did. Was I supposed to do something else after posting the MBR text?

Here is the OTL.txt file:

(in two parts because it is so long)

OTL logfile created on: 9/1/2010 11:09:41 PM - Run
OTLPE by OldTimer - Version 3.1.40.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.00 Gb Total Space | 43.41 Gb Free Space | 29.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/07/21 09:48:20 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/15 09:51:04 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/06/10 22:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/04/01 14:33:20 | 000,267,432 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 11:28:10 | 000,135,336 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) [Auto] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- C:\WINDOWS\System32\DRIVERS\splitcam.sys -- (SPLITCAM)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- C:\DOCUME~1\DELLCU~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Auto] -- -- (adfs)
DRV - [2010/09/01 08:56:59 | 000,000,000 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\System32\drivers\ubschvbx.sys -- (ubschvbx)
DRV - [2010/07/15 09:51:08 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/15 09:50:25 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/02 09:19:38 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/01 11:05:26 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 15:24:02 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 13:49:20 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 11:12:50 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/02/25 18:58:57 | 003,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/05/06 02:01:50 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2006/04/24 15:12:52 | 001,096,704 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2005/11/08 22:15:00 | 000,439,680 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2005/11/08 22:15:00 | 000,007,168 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2005/11/08 22:14:00 | 000,502,272 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2005/11/08 22:14:00 | 000,143,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2005/11/08 22:14:00 | 000,114,688 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/11/08 22:14:00 | 000,077,824 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2005/07/13 19:18:00 | 000,340,704 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2005/04/25 11:28:14 | 000,871,040 | ---- | M] (Intel Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iastor)
DRV - [2005/03/31 19:04:52 | 000,180,736 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel(R)
DRV - [2004/03/15 03:04:00 | 000,100,597 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/03/15 03:04:00 | 000,098,580 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/03/15 03:04:00 | 000,085,972 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/03/15 03:04:00 | 000,034,837 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/03/15 03:04:00 | 000,025,685 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/03/15 03:04:00 | 000,014,229 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/03/15 03:04:00 | 000,006,357 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/03/15 03:04:00 | 000,004,117 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/03/15 03:04:00 | 000,002,233 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/02/27 04:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/02/13 05:21:00 | 000,086,160 | ---- | M] (Sonic Solutions) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/01/14 21:18:16 | 000,005,621 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/01/14 21:18:04 | 000,023,219 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/splitcam/{407B64BF-EC8A-487B-8B59-EDAF90E94F59}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Dell_Customer_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/splitcam/{407B64BF-EC8A-487B-8B59-EDAF90E94F59}
IE - HKU\Dell_Customer_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Dell_Customer_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\Dell_Customer_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522



IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/07/21 09:49:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/13 07:06:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/18 15:47:48 | 000,000,000 | ---D | M]

[2010/08/31 19:30:19 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/18 15:47:48 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/06/22 05:36:30 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/08/29 13:54:44 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKU\Dell_Customer_ON_C..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\Dell_Customer_ON_C..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - HKU\Dell_Customer_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\Dell Customer\Start Menu\Programs\Startup\RCA Detective.lnk = C:\Documents and Settings\Administrator\My Documents\RCA Detective\RCADetective.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Dell_Customer_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Dell_Customer_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Dell_Customer_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab (DLM Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
 
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/25 23:07:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/31 18:34:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\Cookies
[2010/08/30 23:03:53 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/30 21:53:57 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dell Customer\Recent
[2010/08/30 21:51:52 | 001,079,296 | ---- | C] (ADDPCs) -- C:\Documents and Settings\Dell Customer\Desktop\tempCleaner.exe
[2010/08/29 20:10:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell Customer\Desktop\topic58138_files
[2010/08/29 13:28:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/29 13:18:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/29 13:18:33 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/29 13:18:33 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/29 13:18:33 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/29 13:18:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/29 13:17:58 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/29 12:40:16 | 000,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/08/25 00:52:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/08/25 00:52:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell Customer\Application Data\Avira
[2010/08/23 19:28:30 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/08/23 19:28:05 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Dell Customer\Desktop\HJTInstall.exe
[2010/08/22 23:13:28 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/08/22 23:13:26 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/08/22 23:13:26 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/08/22 23:13:26 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/08/22 23:13:26 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/08/22 23:13:25 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/08/22 23:11:24 | 000,407,680 | ---- | C] (ALWIL Software) -- C:\Documents and Settings\Dell Customer\Desktop\aswclnr.exe
[2010/08/22 22:54:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\TSVNCache
[2010/08/22 22:54:14 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2010/08/22 22:54:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2010/08/22 22:54:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2010/08/22 22:54:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2010/08/22 22:54:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2010/08/22 22:54:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2010/08/22 22:54:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2010/08/22 22:54:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2010/08/22 22:54:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents
[2010/08/22 22:54:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2010/08/22 22:54:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2010/08/22 22:54:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Favorites
[2010/08/22 22:54:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2010/08/22 22:52:53 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/08/22 22:52:44 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/08/21 00:37:13 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\Favorites
[2010/08/21 00:36:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\rpdlnxdmm
[2010/08/20 23:57:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\My Documents
[2010/08/20 23:56:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/08/20 00:38:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/08/20 00:38:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/20 00:37:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LocalService\Favorites
[2010/08/19 21:14:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/08/19 21:14:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/08/19 20:57:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell Customer\Local Settings\Application Data\qmuvrjkbe
[2010/08/19 20:56:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell Customer\Application Data\DMCache
[2010/08/19 19:18:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\hdined32.nls.{00021401-0000-0000-C000-000000000046}
[2010/08/19 19:18:16 | 000,000,000 | ---D | C] -- C:\Program Files\burnatonce
[2010/08/18 01:53:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell Customer\Application Data\GetRight
[2010/08/14 22:25:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell Customer\Application Data\Yahoo!
[2010/08/14 22:25:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell Customer\Local Settings\Application Data\Yahoo
[2010/08/14 22:19:35 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2010/08/11 20:43:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell Customer\My Documents\SOAPS
[2010/08/03 15:43:40 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/08/03 15:43:35 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/08/03 15:39:46 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/03/26 00:25:36 | 000,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/01 08:57:03 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/09/01 08:57:03 | 000,229,376 | ---- | M] () -- C:\Documents and Settings\LocalService\ntuser.dat
[2010/09/01 08:57:03 | 000,064,980 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
[2010/09/01 08:57:03 | 000,055,172 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
[2010/09/01 08:57:03 | 000,055,172 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
[2010/09/01 08:57:03 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/09/01 08:57:03 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/09/01 08:57:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/01 08:56:59 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\ubschvbx.sys
[2010/09/01 08:56:43 | 007,340,032 | ---- | M] () -- C:\Documents and Settings\Dell Customer\ntuser.dat
[2010/09/01 08:56:43 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/01 08:56:39 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Dell Customer\ntuser.ini
[2010/09/01 07:59:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/01 07:57:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1580818891-839522115-1004UA.job
[2010/09/01 03:29:20 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/09/01 02:59:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/31 18:29:52 | 064,139,718 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/08/31 10:57:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1580818891-839522115-1004Core.job
[2010/08/30 23:10:15 | 000,003,512 | ---- | M] () -- C:\Documents and Settings\Dell Customer\Desktop\Attach.zip
[2010/08/30 22:37:34 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Dell Customer\Desktop\ln19s1u6.exe
[2010/08/30 22:24:49 | 004,315,648 | -H-- | M] () -- C:\Documents and Settings\Dell Customer\Local Settings\Application Data\IconCache.db
[2010/08/29 20:13:11 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/08/29 20:10:09 | 000,070,468 | ---- | M] () -- C:\Documents and Settings\Dell Customer\Desktop\topic58138.html
[2010/08/29 13:54:52 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/29 13:54:44 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/29 13:28:24 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/29 12:40:14 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/08/27 16:46:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/08/25 04:01:14 | 000,002,662 | ---- | M] () -- C:\Documents and Settings\Dell Customer\My Documents\spirit.rtf
[2010/08/23 19:29:21 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Dell Customer\Desktop\HijackThis.lnk
[2010/08/23 19:28:03 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Dell Customer\Desktop\HJTInstall.exe
[2010/08/23 02:58:06 | 000,002,344 | ---- | M] () -- C:\Documents and Settings\Dell Customer\Desktop\Google Chrome.lnk
[2010/08/23 02:58:06 | 000,002,322 | ---- | M] () -- C:\Documents and Settings\Dell Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/08/22 23:11:24 | 000,407,680 | ---- | M] (ALWIL Software) -- C:\Documents and Settings\Dell Customer\Desktop\aswclnr.exe
[2010/08/22 22:56:02 | 000,524,288 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/08/22 22:56:02 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/08/22 22:55:59 | 003,712,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/08/22 22:36:46 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Dell Customer\Local Settings\Application Data\housecall.guid.cache
[2010/08/21 00:36:41 | 000,000,005 | ---- | M] () -- C:\zrpt.xml
[2010/08/21 00:24:26 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/19 21:05:00 | 000,047,392 | ---- | M] () -- C:\Documents and Settings\Dell Customer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/08/19 21:03:02 | 002,080,056 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/19 19:18:19 | 000,000,706 | ---- | M] () -- C:\Documents and Settings\Dell Customer\Desktop\burnatonce.lnk
[2010/08/19 03:29:23 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/15 14:53:59 | 000,028,160 | ---- | M] () -- C:\Documents and Settings\Dell Customer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/14 22:20:01 | 000,001,730 | ---- | M] () -- C:\Documents and Settings\Dell Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/08/11 04:04:50 | 000,488,244 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/11 04:04:50 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/11 04:04:50 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/30 23:10:15 | 000,003,512 | ---- | C] () -- C:\Documents and Settings\Dell Customer\Desktop\Attach.zip
[2010/08/30 22:37:33 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Dell Customer\Desktop\ln19s1u6.exe
[2010/08/29 20:10:08 | 000,070,468 | ---- | C] () -- C:\Documents and Settings\Dell Customer\Desktop\topic58138.html
[2010/08/29 13:28:23 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/29 13:28:20 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/29 13:18:33 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/29 13:18:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/29 13:18:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/29 13:18:33 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/29 13:18:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/25 03:48:21 | 000,002,662 | ---- | C] () -- C:\Documents and Settings\Dell Customer\My Documents\spirit.rtf
[2010/08/23 19:29:20 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Dell Customer\Desktop\HijackThis.lnk
[2010/08/22 22:54:15 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/08/22 22:54:13 | 000,524,288 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/08/22 22:54:13 | 000,069,632 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.dat.LOG
[2010/08/22 22:36:46 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Dell Customer\Local Settings\Application Data\housecall.guid.cache
[2010/08/19 20:57:13 | 000,000,005 | ---- | C] () -- C:\zrpt.xml
[2010/08/19 20:57:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\ubschvbx.sys
[2010/08/19 19:18:19 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\Dell Customer\Desktop\burnatonce.lnk
[2010/08/14 22:20:01 | 000,001,730 | ---- | C] () -- C:\Documents and Settings\Dell Customer\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/08/11 16:47:49 | 000,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/04/27 14:53:05 | 007,340,032 | ---- | C] () -- C:\Documents and Settings\Dell Customer\ntuser.dat
[2010/04/27 14:53:05 | 000,229,376 | ---- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat
[2010/02/21 05:25:59 | 000,000,904 | ---- | C] () -- C:\Documents and Settings\Dell Customer\.recently-used.xbel
[2010/02/19 20:29:53 | 000,000,069 | ---- | C] () -- C:\Documents and Settings\Dell Customer\jagex_runescape_preferences2.dat
[2010/02/19 20:28:48 | 000,000,041 | ---- | C] () -- C:\Documents and Settings\Dell Customer\jagex_runescape_preferences.dat
[2010/02/11 23:48:09 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/02/11 23:48:09 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/02/11 23:48:06 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2010/02/11 23:48:04 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/02/11 23:48:04 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2010/01/06 01:10:55 | 001,970,176 | ---- | C] () -- C:\WINDOWS\System32\d3dx9.dll
[2009/07/25 18:35:39 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2009/06/27 21:38:42 | 000,137,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009/06/27 15:33:17 | 000,028,160 | ---- | C] () -- C:\Documents and Settings\Dell Customer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/26 18:51:25 | 007,277,568 | ---- | C] () -- C:\WINDOWS\System32\iPodmedia.dll
[2009/06/14 22:56:23 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2009/06/14 22:56:20 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2009/06/09 17:42:15 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/06/09 17:42:15 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/06/01 14:08:44 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/03/26 00:44:23 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/03/26 00:25:50 | 000,050,432 | ---- | C] () -- C:\WINDOWS\System32\claptn.ini
[2009/03/26 00:25:50 | 000,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2009/03/26 00:25:50 | 000,000,190 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/03/26 00:25:37 | 000,000,194 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2009/03/26 00:25:36 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2009/03/25 23:21:22 | 000,024,576 | -H-- | C] () -- C:\Documents and Settings\Dell Customer\ntuser.dat.LOG
[2009/03/25 23:21:22 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Dell Customer\ntuser.ini
[2009/03/25 23:20:33 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
[2009/03/25 23:20:33 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini
[2009/03/25 23:10:29 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2009/03/25 23:10:29 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2009/03/25 23:10:29 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
[2004/03/26 18:59:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

========== LOP Check ==========


========== Purity Check ==========


< End of report >

Thanks for your help.
 
What I'm saying is that you shouldn't run anything else but what I ask you to run :)


Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
IE - HKU\Dell_Customer_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\Dell_Customer_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
O4 - Startup: C:\Documents and Settings\Dell Customer\Start Menu\Programs\Startup\RCA Detective.lnk = C:\Documents and Settings\Administrator\My Documents\RCA Detective\RCADetective.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.) 
[2010/08/19 20:57:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell Customer\Local Settings\Application Data\qmuvrjkbe
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]


:Services

:Reg

:Files

:Commands
[purity]
[emptytemp]

Open Notepad and paste it.
Save the document as Fix.txt onto a USB flash drive


On the infected computer, do the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Attempt to reboot normally into Windows.
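The fix script above was assembled by reading the OTL log by eye and picking out three kinds of entry: the IE proxy forced through a loopback port (127.0.0.1:6522), the zero-byte boot-start driver ubschvbx.sys with no publisher, and the randomly named folders created under Application Data. The script below is an added example, not code from this thread or from OTL, that automates the same triage over OTL log lines. The line formats are taken from the log posted above; the sample lines are constructed to match it, and the "looks_random" heuristic and the severity labels are assumptions chosen for illustration, not OTL rules.

```python
"""Triage checks over OTL log lines (added example, not OTL's own code).

Re-implements the checks a malware-removal helper applies by eye:
a proxy routed through a loopback port, a boot-start driver whose file
is zero bytes, and a randomly named folder under Application Data.
Line formats follow the OTL log in the thread; the looks_random()
heuristic and the severity labels are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# DRV - [date | size | attrs | M] (Company) [Kind | Start] -- path -- (Name)
DRV_RE = re.compile(
    r"^DRV - \[(?P<date>[^|]+)\| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<company>[^)]*)\) \[(?P<kind>[^|]+)\| (?P<start>[^\]]+)\] -- "
    r"(?P<path>.*?) -- \((?P<name>[^)]+)\)"
)
# IE - HKU\<hive>\...\Internet Settings: "ProxyXxx" = value
PROXY_RE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+)\\.*Internet Settings: "(?P<key>Proxy\w+)" = (?P<value>.*)$'
)
# [date | size | ---D | C] -- path      (a directory created within 30 days)
DIR_RE = re.compile(r"^\[[^\]]*\| ---D \| C\] -- (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    evidence: str


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not an OTL rule): long, all-lowercase,
    vowel-poor folder names such as droppers generate for working dirs."""
    if not (name.isalpha() and name.islower() and len(name) >= 8):
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) < 0.3


def triage_otl(lines):
    """Return a list of Finding objects for the suspicious OTL entries."""
    findings = []
    proxies = {}  # hive -> {key: value}
    for raw in lines:
        line = raw.rstrip()
        if m := DRV_RE.match(line):
            size = int(m["size"].replace(",", ""))
            company = m["company"].strip()
            start = m["start"].strip()
            if size == 0:
                # A loadable driver cannot be 0 bytes: the entry is a
                # placeholder or the real file is being masked.
                sev = "high" if start == "Boot" else "medium"
                findings.append(Finding(sev, f"zero-byte driver file ({start} start)", line))
            elif not company and start in ("Boot", "System"):
                findings.append(Finding("medium", "early-start driver with no publisher", line))
        elif m := PROXY_RE.match(line):
            proxies.setdefault(m["hive"], {})[m["key"]] = m["value"].strip()
        elif m := DIR_RE.match(line):
            parent, _, leaf = m["path"].rpartition("\\")
            if parent.lower().endswith("application data") and looks_random(leaf):
                findings.append(Finding("low", "randomly named folder under Application Data", line))
    for hive, values in proxies.items():
        server = values.get("ProxyServer", "")
        if "127.0.0.1" in server or "localhost" in server.lower():
            # Browser traffic relayed through a local port is the classic
            # sign of a traffic-hijacking proxy; ProxyEnable=1 means it is live.
            enabled = values.get("ProxyEnable") == "1"
            findings.append(Finding(
                "high" if enabled else "medium",
                f"loopback proxy {server}, ProxyEnable={'1' if enabled else 'not 1'}",
                f"{hive}: ProxyServer = {server}",
            ))
    return findings


# Constructed sample, modelled on the OTL log posted in this thread.
SAMPLE_LOG = r"""
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - [2010/09/01 08:56:59 | 000,000,000 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\System32\drivers\ubschvbx.sys -- (ubschvbx)
DRV - [2010/07/15 09:51:08 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Dell_Customer_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Dell_Customer_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
[2010/08/21 00:36:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\rpdlnxdmm
[2010/08/19 20:57:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell Customer\Local Settings\Application Data\qmuvrjkbe
[2010/08/19 20:56:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell Customer\Application Data\DMCache
"""

if __name__ == "__main__":
    for f in triage_otl(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:6}] {f.reason}: {f.evidence}")
```

Run against the sample it reports the zero-byte boot driver as high, the two vowel-poor folder names as low, the .DEFAULT proxy (enabled) as high and the Dell_Customer proxy (present but disabled) as medium, which is the same set of entries the fix script above targets. The "File not found" driver stubs and the signed AVG driver are skipped on purpose; widening the rules (for example flagging every unsigned driver) is a tuning decision for the analyst, not something the log alone settles.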
 
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\Dell_Customer_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\Dell_Customer_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
C:\Documents and Settings\Dell Customer\Start Menu\Programs\Startup\RCA Detective.lnk moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_USERS\Administrator_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_USERS\Dell_Customer_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_USERS\systemprofile_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
C:\Documents and Settings\Dell Customer\Local Settings\Application Data\qmuvrjkbe folder moved successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SETE5.tmp deleted successfully.
C:\WINDOWS\System32\SETE9.tmp deleted successfully.
C:\WINDOWS\System32\SETF1.tmp deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
Error: Unable to interpret <[emptytemp]Open Notepad and paste it.> in the current context!

OTLPE by OldTimer - Version 3.1.40.0 log created on 09022010_080929
 
I went ahead and ran Malwarebytes and it looked good, and then Avast.
I didn't really see anything malicious in your OTL log, so I suspect that one of the above scans removed some crucial Windows file(s).
That's why it's so important not to do anything else but what I ask for.

Do you have Windows XP CD?

Let's see, if we can use system restore here...

If you have Windows XP CD... (if you don't have Windows CD, scroll down)

1. Boot from the CD.
2. When the text-based part of Setup begins, follow the prompts. Select the repair or recover option by pressing R:

xp_src_welcome.gif


3. You'll find yourself at this screen:

xp_src_console.gif


4. Once you are at the Recovery Console you will be given at least one choice of Windows installations. Normally the choice you want is the number 1 choice. Click the number 1 key at the "top" of the keyboard and click enter.

NOTE: at this point your numbers to the right of your keyboard are turned off. If you insist on using these keys for your numbers remember to hit the Numbers Lock key before clicking a number over there or your computer will automatically reboot and you will have to wait through the previous steps to get back to the console.

5. You will be given a message asking for the administrator password. Unless someone or something has messed with your computer, there is no password, so you just press the Enter key.

6. This will bring you to a prompt that says:

C:\WINDOWS>

7. Type:

cd \

Press Enter

Note: between "cd" and "\" there should be a "blank space" otherwise the command won't work

8. The prompt should now say:

C:\>

9. Type:

cd system~1\_resto~1

Press Enter.

===============================================================================

Note: If it gives an error "Access Denied" while accessing the folder, follow the method below

Type: cd \

Press Enter

Type: cd windows\system32\config

Press Enter

Type: ren system system.bak

Press Enter

(note the spaces between ren and system, and then between system and system.bak)

Type: exit

Press Enter

Now the computer should restart; then follow steps 1-9.


===============================================================================

10. Type:

dir

Press Enter

NOTE: When you hit Enter it will list all the restore point folders, like "rp1", "rp2". We have to see the last restore point to copy the file from a recent backup. If the restore points take up more than one page, then you have to keep on hitting the key to view the last restore point folder.

NOTE: It is a good rule of thumb to choose the files from the restore point folder which is the second to last one.

11. Type:

cd rp{second-to-last restore point number}

Press Enter

Example: cd rp9, if rp10 is the last restore point.

12. Type:

cd snapshot

Press Enter.

NOTICE: Now the command prompt will look like this:

c:\system~1\_resto~1\rp9\snapshot

Note: restore point 9 is assumed for clarity of the content.


13. Type:

copy _registry_machine_system c:\windows\system32\config\system

Press Enter

14. Type:

Exit

Press Enter.

Final note: If the above procedure doesn't solve the problem, repeat all steps, but in step 13 type:

copy _registry_machine_software c:\windows\system32\config\software

Alternatively, select different restore point.



If you don't have Windows CD...

Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
Using Imgburn, burn rc.iso to a CD.
Boot to the CD...let it finish loading.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

Follow steps 3 - 14.
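The Recovery Console itself cannot run scripts, but the same steps 9-13 (pick the second-newest RPn folder, take its snapshot hive, back up the live hive, copy the snapshot over it) can be done from any boot environment that exposes the Windows volume with a Python runtime, such as a WinPE-style CD or a Linux live CD with the NTFS volume mounted. The script below is an added example, not part of this thread and not an OldTimer or Microsoft tool. It assumes the XP layout the thread describes (`System Volume Information\_restore{GUID}\RPn\snapshot\_REGISTRY_MACHINE_SYSTEM` and `WINDOWS\system32\config\system`); the volume root path, the `_restore{DEMO-GUID}` name and the hive contents in `build_demo_volume` are constructed for the demo. It sorts restore points numerically, because a plain alphabetical listing puts rp10 before rp9, and it copies the live hive to `system.bak` before overwriting it, which is the same safety net as the thread's `ren system system.bak`.

```python
"""Stage and apply an XP System Restore hive rollback from a boot environment.

Added example: models Recovery Console steps 9-13 for a WinPE or Linux live
CD where the Windows volume is reachable as a directory (e.g. C:\\ or /mnt/c).
Usage: python restore_hive.py <volume_root> [--apply]   (dry run by default)
"""
import os
import re
import shutil
import sys
import tempfile
from typing import List, Optional, Tuple

RP_RE = re.compile(r"^rp(\d+)$", re.IGNORECASE)
# Hive file names as they appear inside an XP restore point's "snapshot" folder.
HIVE_FILES = {"system": "_REGISTRY_MACHINE_SYSTEM",
              "software": "_REGISTRY_MACHINE_SOFTWARE"}


def pick_restore_point(names: List[str], skip_newest: int = 1) -> Optional[str]:
    """Return the second-newest RPn folder (the thread's rule of thumb).
    Sorts by the number, not the string: rp10 is newer than rp9.
    Falls back to the newest one if only one exists; None if there are none."""
    rps = []
    for n in names:
        m = RP_RE.match(n)
        if m:
            rps.append((int(m.group(1)), n))
    if not rps:
        return None
    rps.sort()
    return rps[max(0, len(rps) - 1 - skip_newest)][1]


def find_entry(directory: str, wanted: str) -> Optional[str]:
    """Case-insensitive lookup so the script also works on a case-sensitive Linux mount."""
    for n in os.listdir(directory):
        if n.lower() == wanted.lower():
            return os.path.join(directory, n)
    return None


def plan_restore(volume_root: str, hives=("system",)) -> List[Tuple[str, str, str]]:
    """Return (snapshot_hive, live_hive, backup_path) per hive; touches nothing.
    Fails loudly on anything the procedure relies on instead of guessing."""
    svi = find_entry(volume_root, "System Volume Information")
    if svi is None:
        raise FileNotFoundError("no System Volume Information folder on this volume")
    restore_dirs = [n for n in os.listdir(svi) if n.lower().startswith("_restore")]
    if len(restore_dirs) != 1:
        raise RuntimeError(f"expected one _restore{{GUID}} folder, found {restore_dirs}")
    restore = os.path.join(svi, restore_dirs[0])
    rp = pick_restore_point(os.listdir(restore))
    if rp is None:
        raise RuntimeError("no RPn folders: System Restore was off or its files are gone")
    snapshot = find_entry(os.path.join(restore, rp), "snapshot")
    if snapshot is None:
        raise RuntimeError(f"{rp} has no snapshot folder")
    config = os.path.join(volume_root, "WINDOWS", "system32", "config")
    plan = []
    for h in hives:
        src = find_entry(snapshot, HIVE_FILES[h])
        if src is None:
            raise RuntimeError(f"{HIVE_FILES[h]} missing from {rp}")
        live = find_entry(config, h) or os.path.join(config, h)
        plan.append((src, live, live + ".bak"))
    return plan


def apply_plan(plan, dry_run: bool = True) -> List[str]:
    """Back up each live hive first, then copy the snapshot hive over it."""
    actions = []
    for src, live, backup in plan:
        if os.path.exists(live):
            actions.append(f"copy {live} -> {backup}")
            if not dry_run:
                shutil.copy2(live, backup)
        actions.append(f"copy {src} -> {live}")
        if not dry_run:
            shutil.copy2(src, live)
    return actions


def build_demo_volume(base: str) -> str:
    """Constructed stand-in for the Windows volume, used only by demo()."""
    restore = os.path.join(base, "System Volume Information", "_restore{DEMO-GUID}")
    for rp in ("RP8", "RP9", "RP10"):
        snap = os.path.join(restore, rp, "snapshot")
        os.makedirs(snap)
        for f in HIVE_FILES.values():
            with open(os.path.join(snap, f), "wb") as fh:
                fh.write(f"{rp}:{f}".encode())
    config = os.path.join(base, "WINDOWS", "system32", "config")
    os.makedirs(config)
    with open(os.path.join(config, "system"), "wb") as fh:
        fh.write(b"damaged")
    return base


def demo(dry_run: bool = False) -> Tuple[str, bytes]:
    """Run the procedure against the constructed volume in a temp dir.
    Returns (chosen RP folder, bytes now in the live system hive)."""
    base = tempfile.mkdtemp()
    try:
        build_demo_volume(base)
        plan = plan_restore(base)
        apply_plan(plan, dry_run=dry_run)
        with open(plan[0][1], "rb") as fh:
            restored = fh.read()
        return os.path.basename(os.path.dirname(os.path.dirname(plan[0][0]))), restored
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())
    else:
        for line in apply_plan(plan_restore(sys.argv[1]), dry_run="--apply" not in sys.argv):
            print(line)
```

Run it with no arguments to see the demo choose RP9 out of RP8/RP9/RP10; with a volume root it prints the copies it would make and only performs them with `--apply`. If the chosen snapshot does not fix the boot, rerun with `skip_newest=2` in `pick_restore_point` or add `"software"` to `hives`, which is the thread's "select a different restore point" and `_registry_machine_software` advice.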
 
[QUOTE]Do you have Windows XP CD?

Using Imgburn, burn rc.iso to a CD.[/QUOTE]

No, I do not have the CD. I tried to burn rc.iso to a CD using ImgBurn, but so far no luck, so I must be doing something wrong. There are multiple choices in ImgBurn, so which one do I need? I assumed it was "Write files/folders to disc"?
 
When booting from the CD it goes to the blue Windows screen, but it is different than the one shown under #2 in the instructions. A series of commands scroll across the bottom of the screen; it never comes to the window to let me choose repair or recovery. The "blue screen" that says "...a problem has been detected and Windows has been shut down..." etc. is all I get. ??
 
I don't think you're booting to the CD, but let's try another method.

Remove the CD and restart computer.
Watch the screen closely.
At some point, you should see the option to boot to Windows, or to boot to Recovery Console.
Using keyboard's arrow key, select Recovery Console and press Enter.
After a moment, you should see this:
xp_src_console.gif
 
Okay, so I tried taking the CD out, going through the steps and then rebooting with the CD, and it did the same thing: went through the Windows setup but went to the blue screen. I have attached a shot of the screen, even though you can't read what's on it. Am I doing a step wrong? Do I need to try something else?
 

Attachment: IMG00165.jpg (196.9 KB)
At this point, I don't have a simple answer.
We need to do more checking.

Firstly, I strongly suggest you ask around to see if you can borrow a Windows CD from someone.

Now, let's see if your hard drive is OK.

Run hard drive diagnostics: http://www.tacktech.com/display.cfm?ttid=287 (or http://www.bleepingcomputer.com/forums/index.php?showtopic=28744&hl=hard+drive+diagnostic)
Make sure you select the tool which is appropriate for the brand of your hard drive.
Depending on the program, it'll create a bootable floppy or a bootable CD.
If the downloaded file is of .iso type, use ImgBurn: http://www.imgburn.com/ to burn the .iso file to a CD (select the "Write image file to disc" option), and make the CD bootable.
For Toshiba hard drives, see here: http://sdd.toshiba.com/main.aspx?Pa...rivesUSandCanada/SoftwareUtilities#diagnostic
 
[QUOTE]Run hard drive diagnostics: http://www.tacktech.com/display.cfm?ttid=287 (or http://www.bleepingcomputer.com/forums/index.php?showtopic=28744&hl=hard+drive+diagnostic)
Make sure, you select tool, which is appropriate for the brand of your hard drive.
Depending on the program, it'll create bootable floppy, or bootable CD.[/QUOTE]

How can I do this if I cannot get past the BSOD?
 