Inactive System-check got to my laptop

jgriffin82 · Jan 6, 2012

Good evening everybody. First time on this site... first time with this problem. My wife has a loaned laptop from her work and it was infected by system-check.com. When I start the computer in regular mode the desktop is black. The same thing happens in safe mode. There are no programs or prompts that work. I have read all of the instructions for removing the problem but it won't work since I seem to have zero control over the computer. Can someone help me please? I am fairly good with finding my way around on a computer. Let me know if I need to add anything else to my problem description. Thanks.

James

Forgot to mention the OS is XP.

Broni · Jan 7, 2012

Welcome aboard

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
If you're stuck, or you're not sure about certain step, always ask before doing anything else.
Please refrain from running tools or applying updates other than those I suggest.
Never run more than one scan at a time.
Keep updating me regarding your computer behavior, good, or bad.
The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

============================================================

Let's see, if we can look at your computer booting from an external source.

Please download OTLPE (filesize 120,9 MB)

When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
Reboot your system using the boot CD you just created.
- Note : If you do not know how to set your computer to boot from CD follow the steps HERE
Your system should now display a REATOGO-X-PE desktop.
Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
Double-click on the OTLPE icon.
When asked Do you wish to load the remote registry, select Yes
When asked Do you wish to load remote user profile(s) for scanning, select Yes
Ensure the box Automatically Load All Remaining Users" is checked and press OK
OTL should now start.
Press Run Scan to start the scan.
When finished, the file will be saved in drive C:\OTL.txt
Copy this file to your USB drive if you do not have internet connection on this system
Please post the contents of the OTL.txt file in your reply.

jgriffin82 · Jan 7, 2012

Unfortunately I do not have any blank cd's at this time. All I have is dvd's. I don't think they will work. I will go grab a pack of cd's in the morning. Thanks for the prompt help. It is greatly appreciated. I will post my results tomorrow.
James

jgriffin82 · Jan 7, 2012

I ended up finding a cd-rw. Erased it and burned the file onto it. I booted the computer, hit F12 for the boot menu and I get a menu that looks like this:

LEGACY BOOT:
Internal HDD
CD/DVD/CD-RW Drive
Onboard NIC

OTHER OPTIONS:
BIOS Setup
Diagnostics

I arrow down to the CD-RW option, hit enter and I get this:

Selected boot device failed.

Press any key to reboot.

What shall I do next? I confirmed the CD-RW contains the correct file. Thank you.

James

Broni · Jan 7, 2012

I don't think CDRW will work.
You need new, clean CDR.

jgriffin82 · Jan 7, 2012

I put the program onto a new CD-R. The laptop still says "selected boot device failed". Any other ideas? I appreciate the help. Thank you.

James

Broni · Jan 7, 2012

Bad CD drive?

See if another working computer will boot from the CD.

jgriffin82 · Jan 7, 2012

I spoke too soon. The laptop is now being scanned. I will post the log ASAP. Thank you. The problem with first was that I wasn't using IMGburn to make it.

James

jgriffin82 · Jan 7, 2012

As promised... Here is the log. Thanks again.

James

OTL logfile created on: 1/7/2012 1:33:53 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 137.94 Gb Free Space | 92.55% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- -- (HidServ)
SRV - [2010/09/18 00:14:22 | 000,460,144 | -H-- | M] () [Auto] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2010/04/21 00:58:54 | 000,237,650 | -H-- | M] (IDT, Inc.) [Auto] -- C:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2010/01/10 14:01:26 | 000,060,928 | -H-- | M] () [Auto] -- C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe -- (InstallFilterService)
SRV - [2009/12/09 20:48:26 | 002,320,920 | -H-- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)
SRV - [2009/12/09 20:48:24 | 000,268,824 | -H-- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)
SRV - [2009/09/21 16:55:12 | 000,858,384 | -H-- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2009/09/21 16:50:04 | 000,364,544 | -H-- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER) Intel(R)
SRV - [2009/09/21 16:44:48 | 000,954,368 | -H-- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
SRV - [2009/09/21 16:31:36 | 000,473,360 | -H-- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | Boot] -- -- (PBADRV)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/04/21 00:58:54 | 001,660,051 | -H-- | M] (IDT, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2010/03/19 18:39:08 | 000,059,904 | -H-- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\risdpe86.sys -- (risdpcie)
DRV - [2010/02/27 01:31:24 | 000,132,480 | -H-- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Impcd.sys -- (Impcd)
DRV - [2010/01/19 14:50:12 | 000,235,520 | -H-- | M] (Intel(R) Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
DRV - [2010/01/18 09:56:26 | 000,042,672 | -H-- | M] (ST Microelectronics) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Accelern.sys -- (Acceler)
DRV - [2010/01/18 09:56:26 | 000,017,072 | -H-- | M] (ST Microelectronics) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\stdfltn.sys -- (stdflt)
DRV - [2009/12/11 02:14:56 | 000,214,568 | -H-- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2009/09/17 17:54:14 | 000,041,088 | -H-- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel(R)
DRV - [2009/09/15 13:34:10 | 005,977,216 | -H-- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
DRV - [2009/08/10 02:46:38 | 000,013,952 | -H-- | M] (Intel Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2009/04/22 00:13:34 | 000,113,664 | -H-- | M] (Andrea Electronics Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nvusd.k12.ca.us/
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhs.nvusd.k12.ca.us/
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhs.nvusd.k12.ca.us/
IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\egriffin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nvusd.k12.ca.us/homex.asp?Q=Homepage
IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\sobyrne_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

O1 HOSTS File: ([2012/01/05 14:51:35 | 000,000,884 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 94.63.240.131 www.google.com
O1 - Hosts: 94.63.240.132 www.bing.com
O4 - HKLM..\Run: [dplaysvr] File not found
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [yBlqxAdBNPjQ.exe] C:\Documents and Settings\All Users\Application Data\yBlqxAdBNPjQ.exe ()
O4 - HKU\.DEFAULT..\Run: [dplaysvr] File not found
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil11c_ActiveX.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 1
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\sobyrne_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nvusd.k12.ca.us
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/13 13:51:18 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = cd] -- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe" -a "%1" %* (Microsoft Corporation)
O37 - HKU\.DEFAULT\...exe [@ = cd] -- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe" -a "%1" %* (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2012/01/07 14:32:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\egriffin\Recent
[2012/01/06 22:04:58 | 000,000,000 | -H-D | C] -- C:\ReimageUndo
[2012/01/06 21:51:59 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Reimage Repair
[2012/01/06 21:51:59 | 000,000,000 | -H-D | C] -- C:\rei
[2012/01/06 21:51:44 | 000,000,000 | -H-D | C] -- C:\Program Files\Reimage
[2012/01/06 21:48:46 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\IECompatCache
[2012/01/06 21:42:11 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\egriffin\Start Menu\Programs\System Check
[2012/01/05 23:28:01 | 000,274,432 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe
[2012/01/05 18:38:02 | 000,000,000 | -H-D | C] -- C:\WINDOWS\Sun
[2012/01/04 23:28:19 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\egriffin\Application Data\dvdcss
[2011/12/31 11:21:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\egriffin\Local Settings\Application Data\Help
[2011/12/31 11:21:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\egriffin\Application Data\Help
[2010/07/13 14:15:17 | 000,004,096 | -H-- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[4 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\*.tmp files -> C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/27 22:13:09 | 000,000,664 | -H-- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/07 16:07:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/07 14:31:03 | 000,010,726 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\458b23d65nwbwx3n7jmr6o
[2012/01/07 14:31:03 | 000,010,726 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\458b23d65nwbwx3n7jmr6o
[2012/01/07 14:29:57 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/06 23:03:05 | 000,000,853 | -H-- | M] () -- C:\Documents and Settings\egriffin\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/06 22:09:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Reimage Repair
[2012/01/06 22:08:06 | 000,000,432 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\ei0wBpjTLbRPWj
[2012/01/06 22:07:58 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~ei0wBpjTLbRPWj
[2012/01/06 21:52:31 | 000,000,286 | -H-- | M] () -- C:\WINDOWS\reimage.ini
[2012/01/06 21:52:06 | 000,010,812 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\814788041
[2012/01/06 21:52:06 | 000,010,812 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\814788041
[2012/01/06 21:51:55 | 000,010,816 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\2239678798
[2012/01/06 21:51:55 | 000,010,816 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2239678798
[2012/01/06 21:44:51 | 000,010,832 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\458b23d65nwbwx3n7jmr6o
[2012/01/06 21:42:49 | 000,000,208 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~ei0wBpjTLbRPWjr
[2012/01/06 21:42:11 | 000,000,835 | -H-- | M] () -- C:\Documents and Settings\egriffin\Desktop\System Check.lnk
[2012/01/06 21:41:57 | 000,358,178 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\ei0wBpjTLbRPWj.exe
[2012/01/06 21:41:30 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
[2012/01/06 21:41:30 | 000,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
[2012/01/06 21:41:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2012/01/06 21:41:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/01/06 21:41:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2012/01/06 21:41:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
[2012/01/06 21:41:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Intel PROSet Wireless
[2012/01/06 21:41:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Broadcom
[2012/01/06 21:41:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\AutoEnginuity
[2012/01/05 23:28:02 | 000,066,560 | -H-- | M] () -- C:\Documents and Settings\All Users\Documents\19792079
[2012/01/05 23:28:01 | 000,441,122 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\yBlqxAdBNPjQ.exe
[2012/01/05 23:28:01 | 000,274,432 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe
[2012/01/05 23:27:39 | 000,497,480 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/05 23:27:39 | 000,085,798 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/04 23:33:19 | 000,000,782 | -H-- | M] () -- C:\Documents and Settings\egriffin\Desktop\Windows Media Player.lnk
[2011/12/31 13:45:42 | 000,015,202 | -H-- | M] () -- C:\Documents and Settings\egriffin\My Documents\Ford-PowerStroke 7.3L-2000-December 31 2011.csv
[2011/12/16 12:30:01 | 000,002,515 | -H-- | M] () -- C:\Documents and Settings\egriffin\Desktop\Microsoft Office Word 2007.lnk
[2011/12/15 13:11:22 | 000,270,984 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/15 13:09:34 | 000,001,393 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\*.tmp files -> C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/06 23:03:05 | 000,000,853 | -H-- | C] () -- C:\Documents and Settings\egriffin\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/06 21:52:17 | 000,000,286 | -H-- | C] () -- C:\WINDOWS\reimage.ini
[2012/01/06 21:52:04 | 000,010,812 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\814788041
[2012/01/06 21:52:04 | 000,010,812 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\814788041
[2012/01/06 21:51:44 | 000,010,816 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\2239678798
[2012/01/06 21:51:44 | 000,010,816 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2239678798
[2012/01/06 21:42:49 | 000,000,296 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~ei0wBpjTLbRPWj
[2012/01/06 21:42:49 | 000,000,208 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~ei0wBpjTLbRPWjr
[2012/01/06 21:42:11 | 000,000,835 | -H-- | C] () -- C:\Documents and Settings\egriffin\Desktop\System Check.lnk
[2012/01/06 21:42:08 | 000,000,432 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\ei0wBpjTLbRPWj
[2012/01/06 21:41:57 | 000,358,178 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\ei0wBpjTLbRPWj.exe
[2012/01/06 21:36:12 | 000,010,726 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\458b23d65nwbwx3n7jmr6o
[2012/01/05 23:31:08 | 000,441,122 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\yBlqxAdBNPjQ.exe
[2012/01/05 23:28:01 | 000,066,560 | -H-- | C] () -- C:\Documents and Settings\All Users\Documents\19792079
[2012/01/05 23:28:01 | 000,010,832 | -HS- | C] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\458b23d65nwbwx3n7jmr6o
[2012/01/05 23:28:01 | 000,010,726 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\458b23d65nwbwx3n7jmr6o
[2012/01/04 23:33:19 | 000,000,782 | -H-- | C] () -- C:\Documents and Settings\egriffin\Desktop\Windows Media Player.lnk
[2012/01/02 10:49:42 | 000,000,664 | -H-- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/31 13:32:06 | 000,015,202 | -H-- | C] () -- C:\Documents and Settings\egriffin\My Documents\Ford-PowerStroke 7.3L-2000-December 31 2011.csv
[2011/06/16 12:20:29 | 000,003,584 | -H-- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/06 14:18:35 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\egriffin\ntuser.pol
[2010/07/13 19:08:13 | 000,000,061 | -H-- | C] () -- C:\WINDOWS\smscfg.ini
[2010/07/13 15:07:41 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\hbcikrnl.ini
[2010/07/13 14:15:17 | 000,870,560 | -H-- | C] () -- C:\WINDOWS\System32\igkrng575.bin
[2010/07/13 14:15:17 | 000,127,868 | -H-- | C] () -- C:\WINDOWS\System32\igcompkrng575.bin
[2010/07/13 14:15:17 | 000,000,151 | -H-- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2010/07/13 13:53:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/07/13 13:47:47 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/07/13 06:38:21 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/07/13 06:37:10 | 000,270,984 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 07:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 07:00:00 | 001,033,728 | -H-- | C] () -- C:\WINDOWS\expl.dat
[2008/04/14 07:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 07:00:00 | 000,507,904 | -H-- | C] () -- C:\WINDOWS\System32\winl.dat
[2008/04/14 07:00:00 | 000,497,480 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 07:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 07:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 07:00:00 | 000,085,798 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 07:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 07:00:00 | 000,039,936 | -H-- | C] () -- C:\WINDOWS\System32\svchost.exe
[2008/04/14 07:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 07:00:00 | 000,014,336 | -H-- | C] () -- C:\WINDOWS\System32\svch.dat
[2008/04/14 07:00:00 | 000,014,336 | -H-- | C] () -- C:\WINDOWS\System32\dllc.dat
[2008/04/14 07:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 07:00:00 | 000,004,463 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 07:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 07:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/12/06 10:27:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video

========== Purity Check ==========

< End of report >

Broni · Jan 7, 2012

Do this on the computer you are posting from:
Copy the text in the codebox below:

Code:

:OTL
O1 - Hosts: 94.63.240.131 www.google.com
O1 - Hosts: 94.63.240.132 www.bing.com
O4 - HKLM..\Run: [dplaysvr] File not found
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [yBlqxAdBNPjQ.exe] C:\Documents and Settings\All Users\Application Data\yBlqxAdBNPjQ.exe ()
O4 - HKU\.DEFAULT..\Run: [dplaysvr] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explor er: NoDesktop = 1
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O37 - HKLM\...exe [@ = cd] -- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe" -a "%1" %* (Microsoft Corporation)
O37 - HKU\.DEFAULT\...exe [@ = cd] -- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe" -a "%1" %* (Microsoft Corporation)
[2012/01/06 21:42:11 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\egriffin\Start Menu\Programs\System Check
[2012/01/05 23:28:01 | 000,274,432 | -H-- | C] (Microsoft Corporation) -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe
[4 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\*.tmp files -> C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\*.tmp -> ]
[2012/01/07 14:31:03 | 000,010,726 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\458b23d65nwbwx3n7jmr6o
[2012/01/07 14:31:03 | 000,010,726 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\458b23d65nwbwx3n7jmr6o
[2012/01/06 23:03:05 | 000,000,853 | -H-- | M] () -- C:\Documents and Settings\egriffin\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/06 22:08:06 | 000,000,432 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\ei0wBpjTLbRPWj
[2012/01/06 22:07:58 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~ei0wBpjTLbRPWj
[2012/01/06 21:52:06 | 000,010,812 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\814788041
[2012/01/06 21:52:06 | 000,010,812 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\814788041
[2012/01/06 21:51:55 | 000,010,816 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\2239678798
[2012/01/06 21:51:55 | 000,010,816 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2239678798
[2012/01/06 21:44:51 | 000,010,832 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\458b23d65nwbwx3n7jmr6o
[2012/01/06 21:42:49 | 000,000,208 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~ei0wBpjTLbRPWjr
[2012/01/06 21:42:11 | 000,000,835 | -H-- | M] () -- C:\Documents and Settings\egriffin\Desktop\System Check.lnk
[2012/01/06 21:41:57 | 000,358,178 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\ei0wBpjTLbRPWj.exe
[2012/01/05 23:28:02 | 000,066,560 | -H-- | M] () -- C:\Documents and Settings\All Users\Documents\19792079
[2012/01/05 23:28:01 | 000,441,122 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\yBlqxAdBNPjQ.exe
[2012/01/05 23:28:01 | 000,274,432 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe


:Services

:Reg

:Files

:Commands
[purity]

Open Notepad and paste it.
Save the document as Fix.txt on to a USB flash drive

On the infected computer the following...

Run OTLPE

Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
- (The content of Fix.txt should appear in the box)
Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Post the log produced (you'll need to transfer it with USB stick)
Attempt to reboot normally into Windows.

jgriffin82 · Jan 7, 2012

fix log

========== OTL ==========
94.63.240.131 www.google.com removed from HOSTS file successfully
94.63.240.132 www.bing.com removed from HOSTS file successfully
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\dplaysvr deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\yBlqxAdBNPjQ.exe deleted successfully.
C:\Documents and Settings\All Users\Application Data\yBlqxAdBNPjQ.exe moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\dplaysvr deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry key HKEY_USERS\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explor er not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\Administrator_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\egriffin.NHS-H-11-LAPTOP_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\egriffin_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\sobyrne_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\systemprofile_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\shell\open\command\\|"%1" %* /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\cd\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\Documents and Settings\egriffin\Start Menu\Programs\System Check folder moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\iqgqaaa.tmp deleted successfully.
C:\Documents and Settings\All Users\Application Data\jqgqaaa.tmp deleted successfully.
C:\Documents and Settings\All Users\Application Data\kqgqaaa.tmp deleted successfully.
C:\Documents and Settings\All Users\Application Data\mqgqaaa.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\PerfStringBackup.TMP deleted successfully.
C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\~WRL0005.tmp deleted successfully.
C:\Documents and Settings\egriffin\Local Settings\Application Data\458b23d65nwbwx3n7jmr6o moved successfully.
C:\Documents and Settings\All Users\Application Data\458b23d65nwbwx3n7jmr6o moved successfully.
C:\Documents and Settings\egriffin\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk moved successfully.
C:\Documents and Settings\All Users\Application Data\ei0wBpjTLbRPWj moved successfully.
C:\Documents and Settings\All Users\Application Data\~ei0wBpjTLbRPWj moved successfully.
C:\Documents and Settings\egriffin\Local Settings\Application Data\814788041 moved successfully.
C:\Documents and Settings\All Users\Application Data\814788041 moved successfully.
C:\Documents and Settings\egriffin\Local Settings\Application Data\2239678798 moved successfully.
C:\Documents and Settings\All Users\Application Data\2239678798 moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\458b23d65nwbwx3n7jmr6o moved successfully.
C:\Documents and Settings\All Users\Application Data\~ei0wBpjTLbRPWjr moved successfully.
C:\Documents and Settings\egriffin\Desktop\System Check.lnk moved successfully.
C:\Documents and Settings\All Users\Application Data\ei0wBpjTLbRPWj.exe moved successfully.
C:\Documents and Settings\All Users\Documents\19792079 moved successfully.
File C:\Documents and Settings\All Users\Application Data\yBlqxAdBNPjQ.exe not found.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

OTLPE by OldTimer - Version 3.1.48.0 log created on 01072012_140607

jgriffin82 · Jan 7, 2012

I rebooted twice now and all I get is a blank blue screen. It prompted me to enter my password and I can get to Task Manager but nothing else.

James

Broni · Jan 7, 2012

In Task Manager click on "New task".
Type in:
explorer.exe
Click OK.

Better?

jgriffin82 · Jan 7, 2012

I am able to do that. It gives me the "open with" options. Do I need an internet connection? It doesn't look like I have one right now.

James

Broni · Jan 7, 2012

Download the following on good computer and transfer it to bad computer using USB flash drive....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7 right-click on it and choose Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
Do not reboot until instructed.
If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

jgriffin82 · Jan 7, 2012

I am not having any luck setting up an internet connection on my bad computer. ComboFix is currently doing an auto scan. I had to run rkill and combofix in safe mode. It wouldn't allow me in normal mode to run CF. Any suggestions on getting an internet connection?

jgriffin82 · Jan 7, 2012

The bad computer has been running CF since the last post and it has been stuck at:

System file is infected!! Attempting to restore
"C":\WINDOWS\system\winlogon.exe"

Is it stuck or is it working? Do I need to do everything over? Thanks.

James

jgriffin82 · Jan 7, 2012

Well, as for starting over, I now have to. My 4 y/o son closed out the CF dialogue box. Do I need to rerun everything? The CF was running for 50+ minutes before he closed it and there was no change in the screen. The last post is where it was at when closed.

James

jgriffin82 · Jan 7, 2012

Ok, back to whereI was three posts ago. I ran rKill and started combo fix in normal mode, I got to "Attempting to create a new System Restore point". Then i get the error message " You do not appear to be connected to the internet. Kindly connect before click "OK". I still can't get an internet connection. I have it hooked straight to the modem my good computer is using. Thanks.

James

I will be unavailable for the next few hours. I will try again tonight.

Broni · Jan 7, 2012

Run Combofix from safe mode and disregard any warnings like about internet.
We'll fix it later as soon as we'll get your computer more stable.

jgriffin82 · Jan 8, 2012

Back at home now. Ran CF and ignored the internet prompt. It did the auto scan and I got a message after it completed stage 50 that reads:

"A readily available replacement was not found.
ComboFix needs to do an intensive search.

This may take some time."

Do I click ok and wait? This is what it did last time before my son closed it. I waited for an hour then. Before it does the auto scan it says it needs an active internet connection to install the MS Recovery Console because my laptop doesn't already have it.

Broni · Jan 8, 2012

Yes, click OK.

jgriffin82 · Jan 8, 2012

It has been stuck on the prompt below all night. Any ideas? Thanks.

System file is infected!! Attempting to restore
"C":\WINDOWS\system\winlogon.exe"

James

Broni · Jan 8, 2012

Stop the process.

Boot back to OTLPE CD.

Your system should now display a REATOGO-X-PE desktop.
Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
Double-click on the OTLPE icon.
When asked Do you wish to load the remote registry, select Yes
When asked Do you wish to load remote user profile(s) for scanning, select Yes
Ensure the box Automatically Load All Remaining Users" is checked and press OK
OTL should now start.
Under the Custom Scan box paste this in:

/md5start
explorer.exe
winlogon.exe
userinit.exe
svchost.exe
/md5stop
Press Run Scan to start the scan.
When finished, the file will be saved in drive C:\OTL.txt
Copy this file to your USB drive if you do not have internet connection on this system
Please post the contents of the OTL.txt file in your reply.

jgriffin82 · Jan 8, 2012

Sorry, I haven't been home. I will try this when I get home. Thanks.

James

P.S. I have the laptop on my wireless but I can very easily hook it up to my cable modem.

Inactive System-check got to my laptop

Posts: 50 +0

Posts: 56,041 +516

Posts: 50 +0

Posts: 50 +0

Posts: 56,041 +516

Posts: 50 +0

Posts: 56,041 +516

Posts: 50 +0

Posts: 50 +0

Posts: 56,041 +516

Posts: 50 +0

Posts: 50 +0

Posts: 56,041 +516

Posts: 50 +0

Posts: 56,041 +516

Posts: 50 +0

Posts: 50 +0

Posts: 50 +0

Posts: 50 +0

Posts: 56,041 +516

Posts: 50 +0

Posts: 56,041 +516

Posts: 50 +0

Posts: 56,041 +516

Posts: 50 +0

Similar threads