Inactive System-check got to my laptop

I now have XP Home Security 2012 popping up. It will not allow me to access any websites or install MBAM. I also have random music playing that I cannot adjust the volume on.
 
Alright, got it to work. MBAM is now doing a full scan. I am going to retire now and I will check in approximately 6 hours when I get up for work. Thanks for your help.

James
 
1st MBAM Log from last night

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.09.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
egriffin :: NHS-H-11-LAPTOP [administrator]

1/8/2012 9:56:09 PM
mbam-log-2012-01-08 (21-56-09).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 239168
Time elapsed: 17 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Smad (Trojan.Agent) -> Data: "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\SanctionedMedia\Smad\Smad.exe" -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 19
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\SanctionedMedia\Smad\Smad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\PHbYTC2kr1qcHb.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Qge5hWYOl5K53W.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\uEwKkQfYkoLVFj.exe.vir (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ind.exe.vir (Spyware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0002036.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0002037.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0002041.exe (Spyware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0003001.sys (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\wjn.exe (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\aorncmxesw.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\axmnscower.exe (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ewnrocsmxa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\neorcxawsm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\01072012_140607\C_Documents and Settings\All Users\Application Data\ei0wBpjTLbRPWj.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\01072012_140607\C_Documents and Settings\All Users\Application Data\yBlqxAdBNPjQ.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\01072012_140607\C_WINDOWS\system32\config\systemprofile\Local Settings\Application Data\clq.exe (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.7477370792940955.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tue0.6876611661595331.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.

(end)
 
2nd MBAM Log from today

I ran MBAM again because the laptop was very unstable after sitting last night. XP Home Security popped up again. I went through the process of removing it again and then ran MBAM. Now the laptop won't boot up. It does its normal cycle and as soon as it gets to the black Windows XP screen a blue screen flashes and it goes to the boot menu, i.e. safe mode and so on. I tried to boot in safe mode but it won't.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.09.03

Windows XP Service Pack 3 x86 FAT
Internet Explorer 8.0.6001.18702
egriffin :: NHS-H-11-LAPTOP [administrator]

1/9/2012 12:17:43 PM
mbam-log-2012-01-09 (12-44-07).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 249790
Time elapsed: 25 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0003012.sys (Rootkit.0Access) -> No action taken.
C:\System Volume Information\_restore{18EDE9F8-9923-4DBB-8776-CE507161C9D9}\RP1\A0003024.sys (Rootkit.0Access) -> No action taken.
C:\WINDOWS\Temp\oiu0.8690567224734866.exe (Exploit.Drop.7) -> No action taken.
C:\WINDOWS\Temp\tue0.23957441698006576.exe (Exploit.Drop.7) -> No action taken.

(end)
 
Re-run the scan, fix those 4 issues as well and post a new log.

Then give me fresh Combofix log.
 
Computer won't start

The last MBAM log is from 12:30 today. The computer won't boot up now. It goes to the menu with the start-up options and it stops there, a blue screen flashes, the Dell screen shows up, then back to the start-up menu page. It won't start in safe mode either. It was working well; then after the MBAM scan I was prompted to reboot the computer and now it won't start up.

I did fix the issues that MBAM discovered last time. If I can get it to start I will do another scan.
 
Boot back to OTLPE CD.

Start OTL.
Under custom scans paste this:

/md5start
explorer.exe
winlogon.exe
userinit.exe
svchost.exe
/md5stop


Press Run Scan to start the scan.

Post the log.
 
OTL logfile created on: 1/9/2012 4:12:01 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 89.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 137.08 Gb Free Space | 91.97% Space Free | Partition Type: NTFS
Drive D: | 1.88 Gb Total Space | 0.08 Gb Free Space | 4.35% Space Free | Partition Type: FAT
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- -- (HidServ)
SRV - [2010/09/18 00:14:22 | 000,460,144 | ---- | M] () [Auto] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2010/04/21 00:58:54 | 000,237,650 | ---- | M] (IDT, Inc.) [Auto] -- C:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2010/01/10 14:01:26 | 000,060,928 | ---- | M] () [Auto] -- C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe -- (InstallFilterService)
SRV - [2009/12/09 20:48:26 | 002,320,920 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)
SRV - [2009/12/09 20:48:24 | 000,268,824 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)
SRV - [2009/09/21 16:55:12 | 000,858,384 | ---- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2009/09/21 16:50:04 | 000,364,544 | ---- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER) Intel(R)
SRV - [2009/09/21 16:44:48 | 000,954,368 | ---- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
SRV - [2009/09/21 16:31:36 | 000,473,360 | ---- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | Boot] -- -- (PBADRV)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand] -- -- (cpuz134)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2012/01/09 15:44:49 | 000,054,016 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mbysmrgm.sys -- (litaj)
DRV - [2012/01/09 00:52:48 | 000,062,976 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\cdrom.sys -- (Cdrom)
DRV - [2010/04/21 00:58:54 | 001,660,051 | ---- | M] (IDT, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2010/03/19 18:39:08 | 000,059,904 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\risdpe86.sys -- (risdpcie)
DRV - [2010/02/27 01:31:24 | 000,132,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Impcd.sys -- (Impcd)
DRV - [2010/01/19 14:50:12 | 000,235,520 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
DRV - [2010/01/18 09:56:26 | 000,042,672 | ---- | M] (ST Microelectronics) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Accelern.sys -- (Acceler)
DRV - [2010/01/18 09:56:26 | 000,017,072 | ---- | M] (ST Microelectronics) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\stdfltn.sys -- (stdflt)
DRV - [2009/12/11 02:14:56 | 000,214,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2009/09/17 17:54:14 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel(R)
DRV - [2009/09/15 13:34:10 | 005,977,216 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
DRV - [2009/08/10 02:46:38 | 000,013,952 | ---- | M] (Intel Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2009/04/22 00:13:34 | 000,113,664 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nvusd.k12.ca.us/
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhs.nvusd.k12.ca.us/
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhs.nvusd.k12.ca.us/
IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\egriffin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\egriffin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nvusd.k12.ca.us/homex.asp?Q=Homepage
IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\sobyrne_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 3F 43 FE DF 22 CB 01 [binary data]
IE - HKU\sobyrne_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



Hosts file not found
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil11c_ActiveX.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\egriffin.NHS-H-11-LAPTOP_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\egriffin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\sobyrne_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nvusd.k12.ca.us
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/13 13:51:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = Lwo] -- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe" -a "%1" %* (?????????? ??????????)

========== Files/Folders - Created Within 30 Days ==========

[2012/01/09 15:36:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/01/09 05:54:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\Favorites
[2012/01/09 05:51:19 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\IETldCache
[2012/01/09 05:51:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/01/09 05:51:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/01/09 05:38:59 | 000,375,808 | ---- | C] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\My Documents\8x5BM.exe
[2012/01/09 05:38:56 | 000,396,288 | ---- | C] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe
[2012/01/09 00:54:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Application Data\Malwarebytes
[2012/01/09 00:54:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/09 00:54:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/01/09 00:50:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Local Settings\Application Data\PCHealth
[2012/01/09 00:16:31 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/01/09 00:06:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\Cookies
[2012/01/09 00:00:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\SanctionedMedia
[2012/01/08 23:59:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/08 23:57:50 | 010,847,608 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\egriffin\Desktop\mbam-setup-1.60.0.1800.exe
[2012/01/08 23:52:18 | 000,000,000 | ---D | C] -- C:\ReimageTmp
[2012/01/08 23:37:28 | 000,000,000 | ---D | C] -- C:\FRST
[2012/01/08 23:31:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Desktop\bootkit_remover
[2012/01/08 23:01:29 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/01/08 23:00:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\egriffin\Recent
[2012/01/08 22:36:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Start Menu\Programs\System Check
[2012/01/08 22:23:54 | 000,000,000 | R--D | C] -- C:\WINDOWS\system32\config\systemprofile\Recent
[2012/01/08 21:56:08 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/01/08 18:45:44 | 002,237,440 | R--- | C] (OldTimer Tools) -- C:\OTLPE.exe
[2012/01/07 19:49:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\egriffin\Start Menu\Programs\Administrative Tools
[2012/01/07 18:20:17 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/01/07 18:20:17 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/01/07 18:20:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/01/07 18:20:17 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/01/07 18:20:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/01/07 18:20:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/07 18:19:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\My Documents\My Videos
[2012/01/07 18:19:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\egriffin.NHS-H-11-LAPTOP\Start Menu\Programs\Administrative Tools
[2012/01/07 14:06:07 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/06 22:04:58 | 000,000,000 | ---D | C] -- C:\ReimageUndo
[2012/01/06 21:51:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Reimage Repair
[2012/01/06 21:51:59 | 000,000,000 | ---D | C] -- C:\rei
[2012/01/06 21:51:44 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2012/01/06 21:48:46 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\IECompatCache
[2012/01/05 18:38:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2012/01/04 23:28:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Application Data\dvdcss
[2011/12/31 11:21:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Local Settings\Application Data\Help
[2011/12/31 11:21:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\egriffin\Application Data\Help
[2010/07/13 14:15:17 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[8 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/09 15:45:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/09 15:45:36 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/09 15:44:49 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbysmrgm.sys
[2012/01/09 15:21:14 | 000,498,382 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/09 15:21:14 | 000,086,342 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/09 15:17:06 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/09 08:11:15 | 000,011,246 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
[2012/01/09 08:11:15 | 000,011,246 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
[2012/01/09 08:07:48 | 000,011,254 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\624604299
[2012/01/09 07:41:05 | 000,011,250 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
[2012/01/09 05:38:59 | 000,375,808 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\My Documents\8x5BM.exe
[2012/01/09 05:38:56 | 000,396,288 | ---- | M] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe
[2012/01/09 00:54:18 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/09 00:54:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/09 00:52:48 | 000,062,976 | ---- | M] () -- C:\WINDOWS\System32\drivers\cdrom.sys
[2012/01/09 00:14:29 | 000,009,332 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\2310503404
[2012/01/09 00:13:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\4000975357
[2012/01/09 00:13:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2310503404
[2012/01/09 00:12:29 | 000,009,340 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\488o5v2e4050
[2012/01/09 00:12:29 | 000,009,340 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4000975357
[2012/01/09 00:02:24 | 000,009,328 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\488o5v2e4050
[2012/01/09 00:02:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\488o5v2e4050
[2012/01/08 23:57:50 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\egriffin\Desktop\mbam-setup-1.60.0.1800.exe
[2012/01/08 23:52:32 | 000,000,286 | ---- | M] () -- C:\WINDOWS\reimage.ini
[2012/01/08 23:37:26 | 000,859,264 | ---- | M] () -- C:\Documents and Settings\egriffin\Desktop\FRST.exe
[2012/01/08 23:30:54 | 000,044,607 | ---- | M] () -- C:\Documents and Settings\egriffin\Desktop\bootkit_remover.zip
[2012/01/08 23:28:12 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\egriffin\Desktop\MBR.dat
[2012/01/08 23:00:54 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\egriffin\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/08 22:36:17 | 000,009,694 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
[2012/01/08 22:36:16 | 000,009,694 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
[2012/01/08 22:23:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2012/01/08 22:23:53 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
[2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Reimage Repair
[2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
[2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Intel PROSet Wireless
[2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Broadcom
[2012/01/08 22:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\AutoEnginuity
[2012/01/08 22:23:52 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
[2012/01/08 22:17:05 | 000,009,584 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\912613170
[2012/01/08 22:12:34 | 000,009,690 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
[2012/01/08 21:56:13 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/01/06 21:41:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/01/04 23:33:19 | 000,000,782 | ---- | M] () -- C:\Documents and Settings\egriffin\Desktop\Windows Media Player.lnk
[2011/12/31 13:45:42 | 000,015,202 | ---- | M] () -- C:\Documents and Settings\egriffin\My Documents\Ford-PowerStroke 7.3L-2000-December 31 2011.csv
[2011/12/16 12:30:01 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\egriffin\Desktop\Microsoft Office Word 2007.lnk
[2011/12/15 13:11:22 | 000,270,984 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/15 13:09:34 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/12/10 18:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[8 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/09 15:44:49 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbysmrgm.sys
[2012/01/09 08:07:47 | 000,011,254 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\624604299
[2012/01/09 08:07:47 | 000,011,246 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
[2012/01/09 05:38:57 | 000,011,250 | -HS- | C] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
[2012/01/09 05:38:57 | 000,011,246 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
[2012/01/09 00:54:18 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/09 00:14:28 | 000,009,332 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\2310503404
[2012/01/09 00:13:24 | 000,009,328 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\4000975357
[2012/01/09 00:13:24 | 000,009,328 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2310503404
[2012/01/09 00:12:28 | 000,009,340 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\488o5v2e4050
[2012/01/09 00:12:28 | 000,009,340 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4000975357
[2012/01/09 00:00:19 | 000,009,328 | -HS- | C] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\488o5v2e4050
[2012/01/09 00:00:19 | 000,009,328 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\488o5v2e4050
[2012/01/08 23:37:20 | 000,859,264 | ---- | C] () -- C:\Documents and Settings\egriffin\Desktop\FRST.exe
[2012/01/08 23:30:40 | 000,044,607 | ---- | C] () -- C:\Documents and Settings\egriffin\Desktop\bootkit_remover.zip
[2012/01/08 23:28:12 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\egriffin\Desktop\MBR.dat
[2012/01/08 22:36:48 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\egriffin\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/08 22:17:05 | 000,009,694 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
[2012/01/08 22:17:05 | 000,009,584 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\912613170
[2012/01/08 22:10:26 | 000,009,694 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
[2012/01/08 22:10:26 | 000,009,690 | -HS- | C] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
[2012/01/08 21:56:13 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/01/08 21:56:09 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/01/07 18:20:17 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/01/07 18:20:17 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/01/07 18:20:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/01/07 18:20:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/01/07 18:20:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/01/06 21:52:17 | 000,000,286 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2012/01/04 23:33:19 | 000,000,782 | ---- | C] () -- C:\Documents and Settings\egriffin\Desktop\Windows Media Player.lnk
[2012/01/02 10:49:42 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/31 13:32:06 | 000,015,202 | ---- | C] () -- C:\Documents and Settings\egriffin\My Documents\Ford-PowerStroke 7.3L-2000-December 31 2011.csv
[2011/06/16 12:20:29 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/06 14:18:35 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\egriffin\ntuser.pol
[2010/07/13 19:08:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/07/13 15:07:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hbcikrnl.ini
[2010/07/13 14:15:17 | 000,870,560 | ---- | C] () -- C:\WINDOWS\System32\igkrng575.bin
[2010/07/13 14:15:17 | 000,127,868 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng575.bin
[2010/07/13 14:15:17 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2010/07/13 13:53:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/07/13 13:47:47 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/07/13 06:38:21 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/07/13 06:37:10 | 000,270,984 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 07:00:00 | 000,498,382 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 07:00:00 | 000,086,342 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 07:00:00 | 000,062,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\cdrom.sys
[2008/04/14 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/12/06 10:27:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2008/04/14 07:00:00 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=2F58E8791C7A1F61FD35BAEB73B0E9BE -- C:\WINDOWS\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/14 07:00:00 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=A3DF98E72C2594B60EB9F614CBD2FC63 -- C:\WINDOWS\system32\svchost.exe
[2011/12/24 20:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 07:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/14 07:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 07:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 07:00:00 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=B0E1A6D16B717F1D19055D6EC86556A1 -- C:\WINDOWS\system32\winlogon.exe
[2011/12/24 20:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
< End of report >
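A removal helper reads a listing like the one above by eye: hidden+system files with extension-less random names dropped under Application Data, an executable that carries a vendor string but sits in a profile directory, and the MD5 of each copy of a core binary compared with the system32 copy. The script below is an added example, not part of this thread or of OTL itself; it automates those three checks over a constructed sample written in the shape of the lines above. The name-length thresholds and the list of profile directories are assumptions, not OTL conventions.

```python
"""Triage helper for OTL/OTLPE file listings (added example, not the forum's tooling).

Parses the '[date | size | attrs | C/M] (company) [MD5=...] -- path' lines OTL prints
and applies three heuristics:
  1. hidden+system files with extension-less random names under Application Data,
  2. executables that claim a vendor but live in a profile data directory,
  3. copies of core Windows binaries whose MD5 differs from the system32 copy.
Thresholds and directory names are assumptions chosen for this example.
"""
import re
from collections import defaultdict

OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-RHSD]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\)"
    r"(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>.+?)\s*$"
)

# Constructed sample: lines in the shape OTL prints them (values taken from this thread).
SAMPLE_LOG = r"""
[2012/01/09 08:07:47 | 000,011,254 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\624604299
[2012/01/09 00:12:28 | 000,009,340 | -HS- | C] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\488o5v2e4050
[2011/06/06 14:18:35 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\egriffin\ntuser.pol
[2012/01/09 05:38:56 | 000,396,288 | ---- | C] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe
[2011/12/10 18:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/04/14 07:00:00 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=A3DF98E72C2594B60EB9F614CBD2FC63 -- C:\WINDOWS\system32\svchost.exe
[2011/12/24 20:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2008/04/14 07:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 07:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
"""


def parse(text):
    """Yield one dict per OTL file line; lines in any other shape are ignored."""
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"].replace(",", ""))
        d["hidden"] = d["attr"][1] == "H"      # attribute column order is R H S D
        d["system"] = d["attr"][2] == "S"
        d["dir"], _, d["name"] = d["path"].rpartition("\\")
        yield d


def looks_random(name):
    """Extension-less and either digits-only (>= 8) or letter/digit soup (>= 10); assumed thresholds."""
    if "." in name:
        return False
    if name.isdigit():
        return len(name) >= 8
    return (len(name) >= 10 and name.isalnum()
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def in_profile_data(path):
    """Assumed list of per-profile data directories where droppers like to hide."""
    p = path.lower()
    return "\\application data\\" in p or "\\local settings\\" in p or "\\my documents\\" in p


def triage(text):
    """Return a list of (rule, path) findings in the order the rules fire."""
    findings = []
    by_name = defaultdict(list)
    for e in parse(text):
        if e["hidden"] and e["system"] and in_profile_data(e["path"]) and looks_random(e["name"]):
            findings.append(("hidden-system-random-name", e["path"]))
        if e["company"] and e["name"].lower().endswith(".exe") and in_profile_data(e["path"]):
            findings.append(("vendor-claim-in-profile-dir", e["path"]))
        if e["md5"]:
            by_name[e["name"].lower()].append(e)
    # Compare every copy of a binary against the copy living directly in system32.
    for copies in by_name.values():
        ref = [c for c in copies if c["dir"].lower().endswith("\\system32")]
        if not ref:
            continue
        for c in copies:
            if c["md5"].upper() != ref[0]["md5"].upper():
                findings.append(("md5-differs-from-system32-copy", c["path"]))
    return findings


if __name__ == "__main__":
    for rule, path in triage(SAMPLE_LOG):
        print(f"{rule:32} {path}")
```

A finding is a lead, not a verdict: the MD5 rule will report the two files under Malwarebytes' Chameleon directory, which intentionally ships renamed copies of its own executables so that a rogue cannot block them by name, and the random-name rule says nothing about what a file does. The value of the script is that it pulls the same handful of lines out of a 500-line OTL report that an experienced helper would underline.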
 
Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL
O4 - HKLM..\Run: [UserFaultCheck] File not found
O37 - HKU\.DEFAULT\...exe [@ = Lwo] -- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe" -a "%1" %* (????????????????????)
[2012/01/09 05:38:59 | 000,375,808 | ---- | C] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\My Documents\8x5BM.exe
[2012/01/09 05:38:56 | 000,396,288 | ---- | C] (Корпорация Майкрософт) -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe
[8 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[2012/01/09 08:11:15 | 000,011,246 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
[2012/01/09 08:11:15 | 000,011,246 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
[2012/01/09 08:07:48 | 000,011,254 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\624604299
[2012/01/09 07:41:05 | 000,011,250 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177
[2012/01/09 00:14:29 | 000,009,332 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\2310503404
[2012/01/09 00:13:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\4000975357
[2012/01/09 00:13:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2310503404
[2012/01/09 00:12:29 | 000,009,340 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\488o5v2e4050
[2012/01/09 00:12:29 | 000,009,340 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4000975357
[2012/01/09 00:02:24 | 000,009,328 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\488o5v2e4050
[2012/01/09 00:02:24 | 000,009,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\488o5v2e4050
[2012/01/08 22:36:17 | 000,009,694 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
[2012/01/08 22:36:16 | 000,009,694 | -HS- | M] () -- C:\Documents and Settings\egriffin\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx
[2012/01/08 22:17:05 | 000,009,584 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\912613170
[2012/01/08 22:12:34 | 000,009,690 | -HS- | M] () -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx


:Services

:Reg

:Files
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe

:Commands
[purity]

Open Notepad and paste it.
Save the document as Fix.txt onto a USB flash drive


On the infected computer, do the following:

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Attempt to reboot normally into Windows.
 
My computer is not allowing me to save the text. It is giving me an error message. How can I do a screenshot of the error message and post it?
 
I got on the internet through the OTLPE CD on the infected computer and ran the scan and fix that way. Here is the log.
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck not found.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ not found.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\Lwo\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
File C:\WINDOWS\system32\config\systemprofile\My Documents\8x5BM.exe not found.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gmo.exe not found.
File C:\Documents and Settings\egriffin\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177 not found.
File C:\Documents and Settings\All Users\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177 not found.
File C:\Documents and Settings\All Users\Application Data\624604299 not found.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\sv323po808khhb78787ec44106r84rs458g4hl2j0aj177 not found.
File C:\Documents and Settings\egriffin\Local Settings\Application Data\2310503404 not found.
File C:\Documents and Settings\egriffin\Local Settings\Application Data\4000975357 not found.
File C:\Documents and Settings\All Users\Application Data\2310503404 not found.
File C:\Documents and Settings\egriffin\Local Settings\Application Data\488o5v2e4050 not found.
File C:\Documents and Settings\All Users\Application Data\4000975357 not found.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\488o5v2e4050 not found.
File C:\Documents and Settings\All Users\Application Data\488o5v2e4050 not found.
File C:\Documents and Settings\All Users\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx not found.
File C:\Documents and Settings\egriffin\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx not found.
File C:\Documents and Settings\All Users\Application Data\912613170 not found.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\os3312wd2vtm55f50i478ap3o3n1mnkkm657rtmv4h81gx not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File\Folder C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe not found.
File\Folder C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe not found.
========== COMMANDS ==========

OTLPE by OldTimer - Version 3.1.48.0 log created on 01092012_180400
 
It is doing the same thing it was doing earlier. The startup menu comes on, I select "Start Windows Normally". It then flashes a blue screen with some text on it. It will then go to the "Dell" page and then back to the startup menu. It will not start up in safe mode either.
 
Restart computer
When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says "Time to display list of operating systems", change it to 10 or more seconds. Click OK, then reboot.

You should get a black screen with a C:\> prompt. Type with an Enter after each line:

fixmbr

fixboot

exit

Reboot computer.

Any progress?
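Before committing to fixmbr it is worth looking at what is actually in the first sector, particularly when the Recovery Console reports a non-standard MBR and warns that it may damage the partition table. The script below is an added example, not part of this thread or of any Microsoft or Dell tool: it parses a 512-byte dump such as the MBR.dat that the OTL log shows on the desktop, reports obvious partition-table faults (bad signature, empty table, no active partition, bad status bytes, overlapping partitions) and applies one heuristic, whether the boot code still contains the three error strings the stock Microsoft MBR carries. The two sample sectors are constructed, and the string check is an assumption that can miss a careful bootkit, so treat its output as one more data point rather than a verdict.

```python
"""Sanity checks for a 512-byte MBR dump (added example, not the forum's tooling).

Layout assumed (standard DOS MBR): 446 bytes of boot code, four 16-byte partition
entries at offset 0x1BE, and the 0x55AA signature at offset 0x1FE.
Heuristic: Microsoft's stock boot code contains the strings 'Invalid partition table',
'Error loading operating system' and 'Missing operating system'; replaced boot code
usually does not. Absence is a lead, not proof.
"""
import struct

SECTOR = 512
PART_TABLE_OFF = 0x1BE
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
MS_STRINGS = (b"Invalid partition table",
              b"Error loading operating system",
              b"Missing operating system")


def parse_mbr(mbr):
    """Split a sector into boot code, partition entries and signature status."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR dump must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return {"signature_ok": mbr[510:512] == b"\x55\xAA",
            "boot_code": mbr[:446],
            "partitions": parts}


def check_mbr(mbr):
    """Return a list of human-readable problems; an empty list means nothing obviously wrong."""
    info = parse_mbr(mbr)
    problems = []
    if not info["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    used = [p for p in info["partitions"] if p["type"] != 0 and p["count"] != 0]
    if not used:
        problems.append("partition table is empty")
    if not any(p["status"] == 0x80 for p in used):
        problems.append("no partition flagged bootable (status 0x80)")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"invalid status byte 0x{p['status']:02X} in entry starting at LBA {p['lba']}")
    spans = sorted((p["lba"], p["lba"] + p["count"]) for p in used)
    for (a0, a1), (b0, b1) in zip(spans, spans[1:]):
        if b0 < a1:
            problems.append(f"partitions overlap: [{a0},{a1}) and [{b0},{b1})")
    if not all(s in info["boot_code"] for s in MS_STRINGS):
        problems.append("boot code lacks the stock Microsoft MBR error strings (heuristic)")
    return problems


def build_sample_mbr(boot_code, entries):
    """Constructed helper: assemble a sector from boot code and (status, type, lba, count) tuples."""
    sector = bytearray(boot_code.ljust(446, b"\x00")[:446])
    for status, ptype, lba, count in entries:
        sector += struct.pack(ENTRY_FMT, status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
    sector += b"\x00" * 16 * (4 - len(entries))
    sector += b"\x55\xAA"
    return bytes(sector)


# Constructed samples, not real disk images: a plausible single-NTFS-partition XP layout,
# and one whose boot code was overwritten and whose table gained a junk entry.
STOCK_CODE = b"\xEB\x3C\x90" + b"".join(s + b"\x00" for s in MS_STRINGS)   # stand-in, not real code
GOOD_MBR = build_sample_mbr(STOCK_CODE, [(0x80, 0x07, 63, 156296322)])
SUSPECT_MBR = build_sample_mbr(b"\x90" * 446, [(0x80, 0x07, 63, 156296322), (0x13, 0x07, 1000, 5000)])


if __name__ == "__main__":
    for label, sector in (("good", GOOD_MBR), ("suspect", SUSPECT_MBR)):
        print(label, check_mbr(sector) or ["no obvious problems"])
```

To use it on a real dump, read the 512 bytes of MBR.dat with open(path, "rb").read() and pass them to check_mbr. A clean partition table with only the string heuristic firing is the pattern one would expect from a bootkit that replaced boot code but left the table alone; a table that is itself damaged is the case in which the Recovery Console's fixmbr warning deserves the most caution.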
 
Microsoft Windows XP(TM) Recovery Console

The Recovery Console provides system repair and recovery functionality

Type EXIT to quit the Recovery Console and restart the computer

1: C:\WINDOWS

Which Windows installation would you like to log onto
(To cancel, press ENTER)? I input 1 here and I get the C:\WINDOWS prompt.

I input fixmbr, hit enter and I get a warning that FIXMBR may damage my partition tables because the computer appears to have a non-standard or invalid master boot record. It also states that if I am not having problems with my drive then I shouldn't continue. I assume I should continue?
 