System-check got to my laptop

Inactive
By jgriffin82
Jan 6, 2012
  1. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    It is taking a long time to install... is this normal?
  2. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    I now have XP Home Security 2012 popping up. It will not allow me to access any websites or install MBAM. I also have random music playing that I cannot adjust the volume on.
  3. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    If it shows some progress leave it alone.
  4. Broni

    Broni Malware Annihilator Posts: 46,179   +251

  5. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    Alright, got it to work. MBAM is now doing a full scan. I am going to retire now and I will check in approximately 6 hours when I get up for work. Thanks for your help.

    James
  6. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Very good :)

    I'll check on you tomorrow...
  7. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    1st MBAM Log from last night

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.09.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    egriffin :: NHS-H-11-LAPTOP [administrator]

    1/8/2012 9:56:09 PM
    mbam-log-2012-01-08 (21-56-09).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 239168
    Time elapsed: 17 minute(s), 19 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Smad (Trojan.Agent) -> Data: "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\SanctionedMedia\Smad\Smad.exe" -> Quarantined and deleted successfully.

    Registry Data Items Detected: 3
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 19
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\SanctionedMedia\Smad\Smad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\PHbYTC2kr1qcHb.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Qge5hWYOl5K53W.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\uEwKkQfYkoLVFj.exe.vir (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ind.exe.vir (Spyware.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0002036.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0002037.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0002041.exe (Spyware.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0003001.sys (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\wjn.exe (Spyware.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\aorncmxesw.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\axmnscower.exe (Spyware.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\ewnrocsmxa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\neorcxawsm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\_OTL\MovedFiles\01072012_140607\C_Documents and Settings\All Users\Application Data\ei0wBpjTLbRPWj.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    C:\_OTL\MovedFiles\01072012_140607\C_Documents and Settings\All Users\Application Data\yBlqxAdBNPjQ.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    C:\_OTL\MovedFiles\01072012_140607\C_WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe (Spyware.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\oiu0.7477370792940955.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tue0.6876611661595331.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.

    (end)
  8. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    2nd MBAM Log from today

    I ran MBAM again because the laptop was very unstable after sitting last night. XP Home Security popped up again. I went through the process of removing it again and then ran MBAM. Now the laptop won't boot up. It does its normal cycle and as soon as it gets to the black Windows XP screen a blue screen flashes and it goes to the boot menu, i.e. safe mode and so on. I tried to boot in safe mode but it won't.

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.09.03

    Windows XP Service Pack 3 x86 FAT
    Internet Explorer 8.0.6001.18702
    egriffin :: NHS-H-11-LAPTOP [administrator]

    1/9/2012 12:17:43 PM
    mbam-log-2012-01-09 (12-44-07).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 249790
    Time elapsed: 25 minute(s), 16 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 4
    C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0003012.sys (Rootkit.0Access) -> No action taken.
    C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0003024.sys (Rootkit.0Access) -> No action taken.
    C:\WINDOWS\Temp\oiu0.8690567224734866.exe (Exploit.Drop.7) -> No action taken.
    C:\WINDOWS\Temp\tue0.23957441698006576.exe (Exploit.Drop.7) -> No action taken.

    (end)
  9. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Re-run the scan, fix those 4 issues as well and post new log.

    Then give me fresh Combofix log.
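The two MBAM logs in this thread use one line shape for every detection: the item, the family in parentheses, then `->`-separated fields ending in the action taken. The second log is the one Broni asks to have re-run, because its four items say "No action taken". The following is an added example, not code from the thread or from Malwarebytes, that parses that format, checks each "X Detected: N" header against the number of lines that follow it, and lists the unresolved items. The log text embedded below is constructed in the same shape as the posted logs; the paths, GUID and file names in it are placeholders, not the ones from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in the MBAM 1.60 log format seen in the thread.
# Paths, GUID and file names are made up for the example.
SAMPLE_LOG = r"""Registry Values Detected: 1
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Example (Trojan.Agent) -> Data: "C:\Example\sample.exe" -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\Temp\example1.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000001.sys (Rootkit.0Access) -> No action taken.
C:\WINDOWS\Temp\example2.exe (Exploit.Drop.7) -> No action taken.

(end)
"""

# "Registry Data Items Detected: 3", "Files Detected: 19", ...
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# Everything before the first " -> ": the item, then "(family)" at the end.
# Greedy .+ so a "(" inside the path does not swallow the family.
HEAD_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")


@dataclass
class Detection:
    section: str   # which "... Detected:" block the line came from
    item: str      # registry path or file path
    family: str    # MBAM family name, e.g. Rootkit.0Access
    detail: str    # middle fields such as 'Bad: (1) Good: (0)' or 'Data: "..."'
    action: str    # final field with the trailing period removed

    @property
    def resolved(self) -> bool:
        return self.action != "No action taken"


def parse_mbam_log(text):
    """Return (detections, mismatches); mismatches maps a section to
    (declared count, lines actually seen) when the two disagree."""
    detections, counts, seen, section = [], {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("(No malicious items detected)", "(end)"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            counts[section] = int(m.group("count"))
            seen[section] = 0
            continue
        if section is None or " -> " not in line:
            continue  # scan header lines such as "Scan type: Full scan"
        parts = line.split(" -> ")
        head = HEAD_RE.match(parts[0])
        if not head:
            continue
        detections.append(Detection(
            section=section,
            item=head.group("item"),
            family=head.group("family"),
            detail=" -> ".join(parts[1:-1]),
            action=parts[-1].rstrip("."),
        ))
        seen[section] += 1
    mismatches = {s: (counts[s], seen[s]) for s in counts if counts[s] != seen[s]}
    return detections, mismatches


def unresolved(detections):
    """Items the scan reported but did not quarantine, repair or delete."""
    return [d for d in detections if not d.resolved]


def summarize(detections):
    """Count of detections per family, across all sections."""
    out = {}
    for d in detections:
        out[d.family] = out.get(d.family, 0) + 1
    return out


if __name__ == "__main__":
    dets, bad = parse_mbam_log(SAMPLE_LOG)
    print("families:", summarize(dets))
    print("count mismatches:", bad or "none")
    for d in unresolved(dets):
        print("UNRESOLVED", d.section, d.family, d.item)
```

Run against the sample it prints the family tallies and flags the two "No action taken" lines; feeding it a real mbam-log-*.txt works the same way, since the header lines without `->` are skipped. The count check catches a truncated paste, which matters when a log is copied into a forum post by hand.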
  10. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    Computer won't start

    The last MBAM log is from 1230 today. The computer won't boot up now. It goes to the menu with the start up options and it stops there, a blue screen flashes, the Dell screen shows up, then back to the start up menu page. It won't start in safe mode either. It was working well; then after the MBAM scan I was prompted to reboot the computer and now it won't start up.

    I did fix the issues that MBAM discovered last time. If I can get it to start I will do another scan.
  11. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Boot back to OTLPE CD.

    Start OTL.
    Under custom scans paste this:

    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    /md5stop


    Press Run Scan to start the scan.

    Post the log.
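The `/md5start` ... `/md5stop` block in the custom scan above makes OTL report an MD5 for every copy of the named system files it finds, so the helper can tell whether the live copy in system32 still matches its backup (a rootkit that patches one of these files changes only the live copy). The following is an added example, not OTL's code or anything from the thread, that does the same comparison in Python: it hashes every copy of the four watched names under a directory tree and reports the names whose copies disagree. The tree it scans is constructed in a temporary directory with arbitrary bytes in place of real binaries, and the "patched" userinit.exe is simulated.

```python
import hashlib
import os
import tempfile

# The four file names listed between /md5start and /md5stop above.
WATCHED = ("explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe")


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, names=WATCHED):
    """Map each watched name to {relative path: md5} for every copy under root."""
    wanted = {n.lower() for n in names}
    copies = {n.lower(): {} for n in names}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                full = os.path.join(dirpath, fn)
                copies[fn.lower()][os.path.relpath(full, root)] = md5_of(full)
    return copies


def inconsistent(copies):
    """Names whose copies do not all share one hash, e.g. a live copy
    that differs from the dllcache copy of the same file."""
    return sorted(name for name, c in copies.items() if len(set(c.values())) > 1)


def build_sample_tree():
    """Constructed stand-in for a Windows tree (assumption: this is only a
    demo layout). Contents are arbitrary bytes, not real system binaries."""
    root = tempfile.mkdtemp(prefix="md5demo-")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    cache = os.path.join(sys32, "dllcache")
    os.makedirs(cache)
    for name in WATCHED:
        payload = ("original " + name).encode()
        for d in (sys32, cache):
            with open(os.path.join(d, name), "wb") as f:
                f.write(payload)
    # Simulate a patched live copy; the dllcache copy keeps the original bytes.
    with open(os.path.join(sys32, "userinit.exe"), "wb") as f:
        f.write(b"original userinit.exe" + b"\x90" * 16)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    copies = find_copies(root)
    for name, c in copies.items():
        for rel, digest in sorted(c.items()):
            print(f"{digest}  {rel}")
    print("copies that disagree:", inconsistent(copies) or "none")
```

Agreement between copies is not proof that a file is clean (both could have been replaced), so in practice the hashes are also compared with a known-good value for that exact Windows build and service pack, which is the step the helper performs after reading the OTL log.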
     
  12. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    OTL logfile created on: 1/9/2012 4:12:01 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 89.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.05 Gb Total Space | 137.08 Gb Free Space | 91.97% Space Free | Partition Type: NTFS
    Drive D: | 1.88 Gb Total Space | 0.08 Gb Free Space | 4.35% Space Free | Partition Type: FAT
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled] -- -- (HidServ)
    SRV - [2010/09/18 00:14:22 | 000,460,144 | ---- | M] () [Auto] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
    SRV - [2010/04/21 00:58:54 | 000,237,650 | ---- | M] (IDT, Inc.) [Auto] -- C:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
    SRV - [2010/01/10 14:01:26 | 000,060,928 | ---- | M] () [Auto] -- C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe -- (InstallFilterService)
    SRV - [2009/12/09 20:48:26 | 002,320,920 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)
    SRV - [2009/12/09 20:48:24 | 000,268,824 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)
    SRV - [2009/09/21 16:55:12 | 000,858,384 | ---- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
    SRV - [2009/09/21 16:50:04 | 000,364,544 | ---- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER) Intel(R)
    SRV - [2009/09/21 16:44:48 | 000,954,368 | ---- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
    SRV - [2009/09/21 16:31:36 | 000,473,360 | ---- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | Boot] -- -- (PBADRV)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | On_Demand] -- -- (cpuz134)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand] -- -- (catchme)
    DRV - [2012/01/09 15:44:49 | 000,054,016 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mbysmrgm.sys -- (litaj)
    DRV - [2012/01/09 00:52:48 | 000,062,976 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\cdrom.sys -- (Cdrom)
    DRV - [2010/04/21 00:58:54 | 001,660,051 | ---- | M] (IDT, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
    DRV - [2010/03/19 18:39:08 | 000,059,904 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\risdpe86.sys -- (risdpcie)
    DRV - [2010/02/27 01:31:24 | 000,132,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Impcd.sys -- (Impcd)
    DRV - [2010/01/19 14:50:12 | 000,235,520 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
    DRV - [2010/01/18 09:56:26 | 000,042,672 | ---- | M] (ST Microelectronics) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Accelern.sys -- (Acceler)
    DRV - [2010/01/18 09:56:26 | 000,017,072 | ---- | M] (ST Microelectronics) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\stdfltn.sys -- (stdflt)
    DRV - [2009/12/11 02:14:56 | 000,214,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2009/09/17 17:54:14 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel(R)
    DRV - [2009/09/15 13:34:10 | 005,977,216 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
    DRV - [2009/08/10 02:46:38 | 000,013,952 | ---- | M] (Intel Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
    DRV - [2009/04/22 00:13:34 | 000,113,664 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nvusd.k12.ca.us/
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhs.nvusd.k12.ca.us/
    IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
    IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhs.nvusd.k12.ca.us/
    IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
    IE - HKU\egriffin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nvusd.k12.ca.us/homex.asp?Q=Homepage
    IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
    IE - HKU\sobyrne_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



    Hosts file not found
    O4 - HKLM..\Run: [UserFaultCheck] File not found
    O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil11c_ActiveX.exe (Adobe Systems, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\sobyrne_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nvusd.k12.ca.us
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/07/13 13:51:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKU\.DEFAULT\...exe [@ = Lwo] -- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe" -a "%1" %* (?????????? ??????????)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/01/09 15:36:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2012/01/09 05:54:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\Favorites
    [2012/01/09 05:51:19 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\IETldCache
    [2012/01/09 05:51:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2012/01/09 05:51:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2012/01/09 05:38:59 | 000,375,808 | ---- | C] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\My Documents\8x5BM.exe
    [2012/01/09 05:38:56 | 000,396,288 | ---- | C] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe
    [2012/01/09 00:54:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Application Data\Malwarebytes
    [2012/01/09 00:54:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/01/09 00:54:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2012/01/09 00:50:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Local Settings\Application Data\PCHealth
    [2012/01/09 00:16:31 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/01/09 00:06:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\Cookies
    [2012/01/09 00:00:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\SanctionedMedia
    [2012/01/08 23:59:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/01/08 23:57:50 | 010,847,608 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\egriffin\Desktop\mbam-setup-1.60.0.1800.exe
    [2012/01/08 23:52:18 | 000,000,000 | ---D | C] -- C:\ReimageTmp
    [2012/01/08 23:37:28 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/01/08 23:31:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Desktop\bootkit_remover
    [2012/01/08 23:01:29 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/01/08 23:00:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\egriffin\Recent
    [2012/01/08 22:36:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Start Menu\Programs\System Check
    [2012/01/08 22:23:54 | 000,000,000 | R--D | C] -- C:\WINDOWS\system32\config\systemprofile\Recent
    [2012/01/08 21:56:08 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/01/08 18:45:44 | 002,237,440 | R--- | C] (OldTimer Tools) -- C:\OTLPE.exe
    [2012/01/07 19:49:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\egriffin\Start Menu\Programs\Administrative Tools
    [2012/01/07 18:20:17 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/01/07 18:20:17 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/01/07 18:20:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/01/07 18:20:17 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/01/07 18:20:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2012/01/07 18:20:01 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/01/07 18:19:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\My Videos
    [2012/01/07 18:19:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Start Menu\Programs\Administrative Tools
    [2012/01/07 14:06:07 | 000,000,000 | ---D | C] -- C:\_OTL
    [2012/01/06 22:04:58 | 000,000,000 | ---D | C] -- C:\ReimageUndo
    [2012/01/06 21:51:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Reimage Repair
    [2012/01/06 21:51:59 | 000,000,000 | ---D | C] -- C:\rei
    [2012/01/06 21:51:44 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
    [2012/01/06 21:48:46 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\IECompatCache
    [2012/01/05 18:38:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
    [2012/01/04 23:28:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Application Data\dvdcss
    [2011/12/31 11:21:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Local Settings\Application Data\Help
    [2011/12/31 11:21:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Application Data\Help
    [2010/07/13 14:15:17 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
    [8 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/01/09 15:45:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/01/09 15:45:36 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/01/09 15:44:49 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbysmrgm.sys
    [2012/01/09 15:21:14 | 000,498,382 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/01/09 15:21:14 | 000,086,342 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/01/09 15:17:06 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/01/09 08:11:15 | 000,011,246 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
    [2012/01/09 08:11:15 | 000,011,246 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
    [2012/01/09 08:07:48 | 000,011,254 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\624604299
    [2012/01/09 07:41:05 | 000,011,250 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
    [2012/01/09 05:38:59 | 000,375,808 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\My Documents\8x5BM.exe
    [2012/01/09 05:38:56 | 000,396,288 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe
    [2012/01/09 00:54:18 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/09 00:54:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/01/09 00:52:48 | 000,062,976 | ---- | M] () -- C:\WINDOWS\System32\drivers\cdrom.sys
    [2012/01/09 00:14:29 | 000,009,332 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\2310503404
    [2012/01/09 00:13:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\4000975357
    [2012/01/09 00:13:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2310503404
    [2012/01/09 00:12:29 | 000,009,340 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\488o5v2e4050
    [2012/01/09 00:12:29 | 000,009,340 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4000975357
    [2012/01/09 00:02:24 | 000,009,328 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\488o5v2e4050
    [2012/01/09 00:02:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\488o5v2e4050
    [2012/01/08 23:57:50 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\egriffin\Desktop\mbam-setup-1.60.0.1800.exe
    [2012/01/08 23:52:32 | 000,000,286 | ---- | M] () -- C:\WINDOWS\reimage.ini
    [2012/01/08 23:37:26 | 000,859,264 | ---- | M] () -- C:\Documents and Settings\egriffin\Desktop\FRST.exe
    [2012/01/08 23:30:54 | 000,044,607 | ---- | M] () -- C:\Documents and Settings\egriffin\Desktop\bootkit_remover.zip
    [2012/01/08 23:28:12 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\egriffin\Desktop\MBR.dat
    [2012/01/08 23:00:54 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\egriffin\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2012/01/08 22:36:17 | 000,009,694 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
    [2012/01/08 22:36:16 | 000,009,694 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
    [2012/01/08 22:23:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
    [2012/01/08 22:23:53 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
    [2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Reimage Repair
    [2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
    [2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
    [2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Intel PROSet Wireless
    [2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Broadcom
    [2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\AutoEnginuity
    [2012/01/08 22:23:52 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
    [2012/01/08 22:17:05 | 000,009,584 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\912613170
    [2012/01/08 22:12:34 | 000,009,690 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
    [2012/01/08 21:56:13 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2012/01/06 21:41:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    [2012/01/04 23:33:19 | 000,000,782 | ---- | M] () -- C:\Documents and Settings\egriffin\Desktop\Windows Media Player.lnk
    [2011/12/31 13:45:42 | 000,015,202 | ---- | M] () -- C:\Documents and Settings\egriffin\My Documents\Ford-PowerStroke 7.3L-2000-December 31 2011.csv
    [2011/12/16 12:30:01 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\egriffin\Desktop\Microsoft Office Word 2007.lnk
    [2011/12/15 13:11:22 | 000,270,984 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/12/15 13:09:34 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/12/10 18:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [8 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/01/09 15:44:49 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbysmrgm.sys
    [2012/01/09 08:07:47 | 000,011,254 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\624604299
    [2012/01/09 08:07:47 | 000,011,246 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
    [2012/01/09 05:38:57 | 000,011,250 | -HS- | C] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
    [2012/01/09 05:38:57 | 000,011,246 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
    [2012/01/09 00:54:18 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/09 00:14:28 | 000,009,332 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\2310503404
    [2012/01/09 00:13:24 | 000,009,328 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\4000975357
    [2012/01/09 00:13:24 | 000,009,328 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2310503404
    [2012/01/09 00:12:28 | 000,009,340 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\488o5v2e4050
    [2012/01/09 00:12:28 | 000,009,340 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4000975357
    [2012/01/09 00:00:19 | 000,009,328 | -HS- | C] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\488o5v2e4050
    [2012/01/09 00:00:19 | 000,009,328 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\488o5v2e4050
    [2012/01/08 23:37:20 | 000,859,264 | ---- | C] () -- C:\Documents and Settings\egriffin\Desktop\FRST.exe
    [2012/01/08 23:30:40 | 000,044,607 | ---- | C] () -- C:\Documents and Settings\egriffin\Desktop\bootkit_remover.zip
    [2012/01/08 23:28:12 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\egriffin\Desktop\MBR.dat
    [2012/01/08 22:36:48 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\egriffin\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2012/01/08 22:17:05 | 000,009,694 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
    [2012/01/08 22:17:05 | 000,009,584 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\912613170
    [2012/01/08 22:10:26 | 000,009,694 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
    [2012/01/08 22:10:26 | 000,009,690 | -HS- | C] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
    [2012/01/08 21:56:13 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2012/01/08 21:56:09 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/01/07 18:20:17 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/01/07 18:20:17 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/01/07 18:20:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/01/07 18:20:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/01/07 18:20:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/01/06 21:52:17 | 000,000,286 | ---- | C] () -- C:\WINDOWS\reimage.ini
    [2012/01/04 23:33:19 | 000,000,782 | ---- | C] () -- C:\Documents and Settings\egriffin\Desktop\Windows Media Player.lnk
    [2012/01/02 10:49:42 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/12/31 13:32:06 | 000,015,202 | ---- | C] () -- C:\Documents and Settings\egriffin\My Documents\Ford-PowerStroke 7.3L-2000-December 31 2011.csv
    [2011/06/16 12:20:29 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/06/06 14:18:35 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\egriffin\ntuser.pol
    [2010/07/13 19:08:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2010/07/13 15:07:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hbcikrnl.ini
    [2010/07/13 14:15:17 | 000,870,560 | ---- | C] () -- C:\WINDOWS\System32\igkrng575.bin
    [2010/07/13 14:15:17 | 000,127,868 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng575.bin
    [2010/07/13 14:15:17 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
    [2010/07/13 13:53:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2010/07/13 13:47:47 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2010/07/13 06:38:21 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2010/07/13 06:37:10 | 000,270,984 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2008/04/14 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2008/04/14 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2008/04/14 07:00:00 | 000,498,382 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2008/04/14 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2008/04/14 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2008/04/14 07:00:00 | 000,086,342 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2008/04/14 07:00:00 | 000,062,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\cdrom.sys
    [2008/04/14 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2008/04/14 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2008/04/14 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2008/04/14 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2008/04/14 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2008/04/14 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

    ========== LOP Check ==========

    [2011/12/06 10:27:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video

    ========== Purity Check ==========



    ========== Custom Scans ==========



    < MD5 for: EXPLORER.EXE >
    [2008/04/14 07:00:00 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=2F58E8791C7A1F61FD35BAEB73B0E9BE -- C:\WINDOWS\explorer.exe

    < MD5 for: SVCHOST.EXE >
    [2008/04/14 07:00:00 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=A3DF98E72C2594B60EB9F614CBD2FC63 -- C:\WINDOWS\system32\svchost.exe
    [2011/12/24 20:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

    < MD5 for: USERINIT.EXE >
    [2008/04/14 07:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
    [2008/04/14 07:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
    [2008/04/14 07:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

    < MD5 for: WINLOGON.EXE >
    [2008/04/14 07:00:00 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=B0E1A6D16B717F1D19055D6EC86556A1 -- C:\WINDOWS\system32\winlogon.exe
    [2011/12/24 20:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
    < End of report >
  13. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    O4 - HKLM..\Run: [UserFaultCheck] File not found
    O37 - HKU\.DEFAULT\...exe [@ = Lwo] -- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe" -a "%1" %* (????????????????????)
    [2012/01/09 05:38:59 | 000,375,808 | ---- | C] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\My Documents\8x5BM.exe
    [2012/01/09 05:38:56 | 000,396,288 | ---- | C] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe
    [8 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
    [2012/01/09 08:11:15 | 000,011,246 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
    [2012/01/09 08:11:15 | 000,011,246 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
    [2012/01/09 08:07:48 | 000,011,254 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\624604299
    [2012/01/09 07:41:05 | 000,011,250 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
    [2012/01/09 00:14:29 | 000,009,332 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\2310503404
    [2012/01/09 00:13:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\4000975357
    [2012/01/09 00:13:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2310503404
    [2012/01/09 00:12:29 | 000,009,340 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\488o5v2e4050
    [2012/01/09 00:12:29 | 000,009,340 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4000975357
    [2012/01/09 00:02:24 | 000,009,328 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\488o5v2e4050
    [2012/01/09 00:02:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\488o5v2e4050
    [2012/01/08 22:36:17 | 000,009,694 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
    [2012/01/08 22:36:16 | 000,009,694 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
    [2012/01/08 22:17:05 | 000,009,584 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\912613170
    [2012/01/08 22:12:34 | 000,009,690 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
    
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into Windows.
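The lines Broni pulled into the :OTL section above share a pattern in the OTL log: hidden+system attributes (-HS-), no company name, no extension, and a digits-only or random alphanumeric name sitting directly under an Application Data folder. The following is an added example, not part of the thread or of OTL itself: a small Python parser for OTL "Files Created/Modified" lines with that heuristic applied, run over a handful of lines copied from the log above. The regular expression and the `is_suspicious` rule are this example's own assumptions about the format, not OTL's published specification.

```python
import re
from dataclasses import dataclass

# OTL file line as seen in the log above (assumed layout):
# [YYYY/MM/DD HH:MM:SS | size | attrs | C or M] (company) -- path
# Directory lines carry no "(company)" group at all.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Digits-only or long lowercase alphanumeric basename with no extension,
# the naming style of the rogue's marker files in this thread.
RANDOM_NAME = re.compile(r"^[a-z0-9]{9,}$")


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str
    kind: str      # C = created, M = modified
    company: str
    path: str


def parse_otl_line(line):
    """Return an OtlEntry for a file/directory line, or None for anything else."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(m["ts"], int(m["size"].replace(",", "")), m["attrs"],
                    m["kind"], (m["company"] or "").strip(), m["path"])


def parse_otl_log(text):
    """Parse every recognisable file line; summary lines like '[8 ... *.tmp files ...]' are skipped."""
    return [e for e in map(parse_otl_line, text.splitlines()) if e is not None]


def is_suspicious(entry):
    """Heuristic from this thread: hidden+system, unsigned/no company,
    random-looking extensionless name placed directly in an Application Data folder."""
    if "H" not in entry.attrs or "S" not in entry.attrs:
        return False
    if entry.company:
        return False
    folder, _, name = entry.path.rpartition("\\")
    return folder.endswith("Application Data") and bool(RANDOM_NAME.match(name))


def suspicious_paths(text):
    """Paths a helper would lift from the log into an :OTL / :Files fix section."""
    return [e.path for e in parse_otl_log(text) if is_suspicious(e)]


# Constructed sample: nine lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
[2012/01/08 23:52:32 | 000,000,286 | ---- | M] () -- C:\WINDOWS\reimage.ini
[2012/01/08 22:36:17 | 000,009,694 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
[2012/01/08 22:23:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2012/01/08 22:17:05 | 000,009,584 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\912613170
[2012/01/08 21:56:13 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/01/09 00:12:28 | 000,009,340 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\488o5v2e4050
[2011/12/10 18:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/06/06 14:18:35 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\egriffin\ntuser.pol
[8 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
"""

if __name__ == "__main__":
    for p in suspicious_paths(SAMPLE_LOG):
        print(p)
```

Legitimate hidden+system files such as boot.ini and ntuser.pol are kept out of the result because they do not live under Application Data, which is why the heuristic checks location and naming together rather than attributes alone.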
  14. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    My computer is not allowing me save the text. It is giving me an error message. How can I do a screen shot of the error message and post it?
  15. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    Should I just do it from the infected computer? I am able to get on the internet.
  16. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Are you saying that you're able to boot normally?
  17. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    I got on the internet through the OTLPE CD on the infected computer and ran the scan and fix that way. Here is the log.
    ========== OTL ==========
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck not found.
    Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ not found.
    Registry key HKEY_USERS\.DEFAULT\Software\Classes\Lwo\ not found.
    HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
    File C:\WINDOWS\system32\config\systemprofile\My Documents\8x5BM.exe not found.
    File C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe not found.
    File C:\Documents and Settings\egriffin\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177 not found.
    File C:\Documents and Settings\All Users\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177 not found.
    File C:\Documents and Settings\All Users\Application Data\624604299 not found.
    File C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177 not found.
    File C:\Documents and Settings\egriffin\Local Settings\Application Data\2310503404 not found.
    File C:\Documents and Settings\egriffin\Local Settings\Application Data\4000975357 not found.
    File C:\Documents and Settings\All Users\Application Data\2310503404 not found.
    File C:\Documents and Settings\egriffin\Local Settings\Application Data\488o5v2e4050 not found.
    File C:\Documents and Settings\All Users\Application Data\4000975357 not found.
    File C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\488o5v2e4050 not found.
    File C:\Documents and Settings\All Users\Application Data\488o5v2e4050 not found.
    File C:\Documents and Settings\All Users\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx not found.
    File C:\Documents and Settings\egriffin\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx not found.
    File C:\Documents and Settings\All Users\Application Data\912613170 not found.
    File C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File\Folder C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe not found.
    File\Folder C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe not found.
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 01092012_180400
  18. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Did you run the fix twice?

    Try to start computer normally.
  19. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    Yes, I unintentionally closed the fix log before I saved it. Will that cause an issue?
  20. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    It is not allowing me to shutdown or restart from the REATOGO-X-PE desktop. Should I do a hard shutdown?
  21. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    No.

    Remove CD and restart manually.
  22. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

It is doing the same thing it was doing earlier. The startup menu comes on, I select "start windows normally". It then flashes a blue screen with some text on it. It will then go to the "Dell" page and then back to the startup menu. It will not start up in safe mode either.
  23. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Restart computer
    When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
    You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
    If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. Click OK, then reboot.

    You should get a black screen with a C:\> prompt. Type with an Enter after each line:

    fixmbr

    fixboot

    exit

    Reboot computer.

    Any progress?
  24. jgriffin82

    jgriffin82 Newcomer, in training Topic Starter Posts: 50

    Microsoft Windows XP(TM) Recovery Console

    The Recovery Console provides system repair and recovery functionality

    Type EXIT to quit the Recovery Console and restart the computer

    1: C:\WINDOWS

    Which Windows installation would you like to log onto
    (To cancel, press ENTER)? I input 1 here and I get the C:\WINDOWS prompt.

    I input fixmbr, hit enter and I get a warning that FIXMBR may damage my partition tables because the computer appears to have a non-standard or invalid master boot record. It also states that if I am not having problems with my drive then I shouldn't continue. I assume I should continue?
  25. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Yes............

