earwicker

Members
Content count: 30
Rank: New Member

  1. Mr. C., OK, Java and Adobe Reader are updated. Anything else? -earwicker
  2. Mr. C., Looks good so far. Testing it out. Updating AV files. What's next? -earwicker
  3. Mr. C., Woohoo. That was maybe the final piece. Normal boot with access to Task Mgr, Cmd Prompt. Ran SecurityCheck, file posted below. No internet access yet - I'll wait until you give the go-ahead.
     ---------------------------------------------------------
     Results of screen317's Security Check version 0.99.57
     Windows XP Service Pack 3 x86
     Internet Explorer 8
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Disabled!
     Please wait while WMIC compiles updated MOF files.
     d i s p l a y N a m e
     ECHO is off.
     A V G
     ECHO is off.
     I n t e r n e t
     ECHO is off.
     S e c u r i t y
     ECHO is off.
     2 0 1 2
     ECHO is off.
     M i c r o s o f t
     ECHO is off.
     S e c u r i t y
     ECHO is off.
     E s e n t i a l s
     ECHO is off.
     Antivirus up to date! (On Access scanning disabled!)
     `````````Anti-malware/Other Utilities Check:`````````
     SUPERAntiSpyware
     CCleaner
     Java 7 Update 9
     Java version out of Date!
     Adobe Reader 10.1.5
     Adobe Reader out of Date!
     Google Chrome 23.0.1271.97
     Google Chrome 24.0.1312.52
     ````````Process Check: objlist.exe by Laurent````````
     Microsoft Security Essentials MSMpEng.exe
     CheckPoint ZoneAlarm vsmon.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:: 5%
     ````````````````````End of Log``````````````````````
     -------------------------------------------------------------------------------------------------
     -earwicker
  4. YES. Got it. -earwicker
  5. Mr. C, No attachment found. Using xfinity web account. Want to try another email address? -earwicker
  6. Mr. C, Won't boot in normal or safe mode. Msg is:
     STOP: C0000221 {Bad Image Checksum}
     The image user32.dll is possibly corrupt. The header checksum does not match the computed checksum.
     ------------------------------------------------------------------------------------------------------------------------------------------
     FYI: This file is from the XP Reinstallation CD that came with the system. File was originally named USER32.DL_. I just renamed it. -earwicker
  7. Mr. C, I booted into OTLPE to do this. That way I was thinking the dll file wouldn't be in use. Is this correct? Here's the log.
     ========== FILES ==========
     File C:\WINDOWS\system32\user32.dll successfully replaced with C:\user32.dll
     File C:\WINDOWS\system32\dllcache\user32.dll successfully replaced with C:\user32.dll
     OTLPE by OldTimer - Version 3.1.48.0 log created on 01262013_080334
     -earwicker
  8. Mr. C, A copy of user32.dll (from XP installation disc) has been placed in C:\. Ready when you are. -earwicker
  9. Mr. C, Looks like there's a copy, but not where the other file came from?
     --------------------------------------------------------------------------------------------------------------
     SystemLook 30.07.11 by jpshortstuff
     Log created at 22:33 on 25/01/2013 by Dell_Admin
     Administrator - Elevation successful
     ========== Filefind ==========
     Searching for "user32.dll"
     C:\WINDOWS\system32\user32.dll ------- 610816 bytes [10:42 14/04/2008] [10:42 14/04/2008] 32FB41BB1AB85901858082FA9CA4AC7C
     C:\WINDOWS\system32\dllcache\user32.dll --a--c- 610816 bytes [10:42 14/04/2008] [10:42 14/04/2008] 32FB41BB1AB85901858082FA9CA4AC7C
     -= EOF =-
     -------------------------------------------------------
     Let's pick it up tomorrow. Thanks! -earwicker
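Two different integrity checks show up in this thread for the same file: the STOP C0000221 text ("The header checksum does not match the computed checksum") is the loader comparing the CheckSum field in the PE optional header against a sum recomputed over the whole file, while the SystemLook output compares MD5 hashes of the system32 and dllcache copies. The block below is an added example written for this page, not code posted in the thread or shipped by any tool named in it. It recomputes the PE header checksum with the same arithmetic as imagehlp's CheckSumMappedFile, runs it next to a hash comparison against a trusted copy, and shows why a passing checksum is the weaker of the two. The PE image it works on is a constructed in-memory skeleton (it is not user32.dll, and the hashes it computes are not the ones in the log); the "MSCF" blob is a constructed stand-in for a cabinet file.

```python
"""PE optional-header checksum versus a hash against a known-good copy.

Added example; the image built by build_minimal_pe() is constructed and
not loadable, the sample bytes are made up, and nothing here was taken
from the thread's logs beyond the two checks being compared."""
import hashlib
import struct

E_LFANEW_OFFSET = 0x3C        # DOS header field holding the PE header offset
COFF_HEADER_SIZE = 20
CHECKSUM_FIELD_IN_OPT = 0x40  # CheckSum sits 64 bytes into IMAGE_OPTIONAL_HEADER


def checksum_field_offset(image: bytes) -> int:
    """File offset of OptionalHeader.CheckSum; rejects non-PE input outright.
    A cabinet-compressed .DL_ from setup media starts with 'MSCF', not 'MZ'."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return pe_off + 4 + COFF_HEADER_SIZE + CHECKSUM_FIELD_IN_OPT


def pe_checksum(image: bytes) -> int:
    """Recompute the header checksum: 32-bit words summed with end-around carry,
    the CheckSum field itself skipped, the sum folded to 16 bits, then the file
    length added (the CheckSumMappedFile algorithm, as pefile also implements it)."""
    skip_word = checksum_field_offset(image) // 4
    padded = bytes(image) + b"\0" * (-len(image) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip_word:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def stored_checksum(image: bytes) -> int:
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]


def header_checksum_ok(image: bytes) -> bool:
    """The test behind 'Bad Image Checksum': stored field equals recomputed value."""
    return stored_checksum(image) == pe_checksum(image)


def stamp_checksum(image: bytes) -> bytes:
    """Write a correct CheckSum into the header. Linkers do this, and so can
    anyone who patched the file, so a passing checksum only rules out
    accidental damage, not tampering."""
    out = bytearray(image)
    struct.pack_into("<I", out, checksum_field_offset(out), pe_checksum(image))
    return bytes(out)


def matches_known_good(candidate: bytes, known_good: bytes) -> bool:
    """The SystemLook-style check: same MD5 as a copy you trust
    (the dllcache copy, or the file expanded from the install CD)."""
    return hashlib.md5(candidate).digest() == hashlib.md5(known_good).digest()


def build_minimal_pe(section_data: bytes) -> bytes:
    """Constructed PE32 skeleton: DOS stub, PE signature, COFF header, 224-byte
    optional header, then raw bytes standing in for section contents.
    Enough for the checksum arithmetic; it is not a loadable DLL."""
    pe_off = 0x40
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, pe_off)
    # Machine=i386, 0 sections, timestamp, symtab ptr, nsyms, opt hdr size, DLL flags
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    return stamp_checksum(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section_data)


def triage(candidate: bytes, known_good: bytes) -> dict:
    """Both checks side by side, as you would run them on the system32 copy
    against the dllcache copy."""
    try:
        csum_ok = header_checksum_ok(candidate)
    except ValueError:
        csum_ok = False
    return {"header_checksum_ok": csum_ok,
            "md5_matches_known_good": matches_known_good(candidate, known_good)}


if __name__ == "__main__":
    good = build_minimal_pe(b"constructed section bytes " * 40)
    patched = bytearray(good)
    patched[-7] ^= 0x5A          # one byte changed in the body, header untouched
    patched = bytes(patched)
    for label, sample in (("known-good copy", good),
                          ("patched, checksum not fixed", patched),
                          ("patched, checksum re-stamped", stamp_checksum(patched)),
                          ("cabinet renamed to .dll", b"MSCF" + bytes(60))):
        print(f"{label:32s} {triage(sample, good)}")
```

Two caveats follow from the output. Files on XP setup media are cabinet-compressed, so a USER32.DL_ that is renamed rather than run through `expand USER32.DL_ user32.dll` is still a cabinet and fails the first check because it is not a PE image at all. And the header checksum is only an accident detector: the "re-stamped" row passes it while still differing from the trusted copy, so the decision about whether a system DLL is the original belongs to the hash (or catalog-signature) comparison, for example `sfc /scannow` on XP or a hash against the dllcache or install-media copy.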
  10. Mr. C, Excellent. Booting to desktop, as before. Now do we have to replace the user32.dll file? Is the virus contained in that file or many unknown files?
     ========== FILES ==========
     File C:\WINDOWS\system32\userinit.exe successfully replaced with C:\WINDOWS\erdnt\cache\userinit.exe
     OTLPE by OldTimer - Version 3.1.48.0 log created on 01252013_215138
     -------------------------------------------------------------------------------------------------------------------------------------
     -earwicker
  11. Mr. C, Here is OTL.txt
     -------------------------------------------------------------------------------------------------------------
     OTL logfile created on: 1/25/2013 5:01:33 PM - Run
     OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
     Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
     Internet Explorer (Version = 8.0.6001.18702)
     Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

     3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
     3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
     Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

     %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
     Drive C: | 149.04 Gb Total Space | 96.15 Gb Free Space | 64.51% Space Free | Partition Type: NTFS
     Drive D: | 596.17 Gb Total Space | 233.59 Gb Free Space | 39.18% Space Free | Partition Type: NTFS
     Drive F: | 121.28 Mb Total Space | 108.05 Mb Free Space | 89.10% Space Free | Partition Type: FAT
     Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

     Computer Name: REATOGO | User Name: SYSTEM
     Boot Mode: Normal | Scan Mode: All users
     Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
     Using ControlSet: ControlSet005

     ========== Win32 Services (SafeList) ==========
     SRV - File not found [On_Demand] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
     SRV - [2013/01/08 14:35:25 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
     SRV - [2012/09/24 22:12:59 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
     SRV - [2012/09/12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
     SRV - [2012/09/07 17:16:26 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
     SRV - [2011/09/27 14:03:28 | 000,295,192 | ---- | M] (Logitech, Inc.) [Auto] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
     SRV - [2011/08/25 17:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
     SRV - [2011/08/05 11:30:02 | 000,444,640 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
     SRV - [2011/08/05 11:30:02 | 000,268,512 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
     SRV - [2011/08/05 11:29:56 | 006,363,872 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
     SRV - [2011/08/05 11:29:56 | 000,057,056 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Zune\ZuneBusEnum.exe -- (ZuneBusEnum)
     SRV - [2011/07/25 07:57:16 | 000,493,184 | ---- | M] (Check Point Software Technologies) [Auto] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
     SRV - [2011/07/22 08:44:44 | 002,413,936 | ---- | M] (Check Point Software Technologies LTD) [Auto] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
     SRV - [2008/05/07 18:29:38 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) [Auto] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)

     ========== Driver Services (SafeList) ==========
     DRV - File not found [Kernel | System] -- -- (PCIDump)
     DRV - File not found [Kernel | On_Demand] -- -- (catchme)
     DRV - [2013/01/11 17:42:27 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
     DRV - [2012/05/25 12:14:24 | 000,101,112 | ---- | M] (GFI Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
     DRV - [2011/09/02 01:31:28 | 000,039,192 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
     DRV - [2011/09/02 01:31:20 | 000,041,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
     DRV - [2011/09/02 01:30:58 | 000,012,184 | ---- | M] (Logitech, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
     DRV - [2011/08/01 11:44:26 | 000,404,256 | R--- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SRS_AE_i386.sys -- (SRS_AE_Service)
     DRV - [2011/07/25 07:57:10 | 000,027,016 | ---- | M] (Check Point Software Technologies) [Kernel | Auto] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
     DRV - [2011/07/22 11:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
     DRV - [2011/07/22 08:43:08 | 000,525,840 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
     DRV - [2011/07/12 16:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
     DRV - [2010/06/25 12:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
     DRV - [2008/03/17 11:45:52 | 000,019,584 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\ckldrv.sys -- (NetworkX)
     DRV - [2008/02/27 12:49:00 | 000,003,840 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
     DRV - [2006/11/02 06:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
     DRV - [2006/02/09 19:57:46 | 001,502,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
     DRV - [2004/09/17 08:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
     DRV - [2004/08/23 13:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
     DRV - [2003/11/17 14:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
     DRV - [2003/11/17 14:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
     DRV - [2003/11/17 14:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)

     ========== Standard Registry (SafeList) ==========

     ========== Internet Explorer ==========
     IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
     IE - HKU\Dell_Admin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     IE - HKU\Dell_Admin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
     IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

     FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
     FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
     FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
     FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
     FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\Program Files\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
     FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
     FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.0.282: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
     FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.0: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
     FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.0: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
     FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.0: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
     FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
     FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
     FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.0.282: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
     FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
     FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll (Google Inc.)
     FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll (Google Inc.)
     FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
     FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10171.dll (Amazon.com, Inc.)

     FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/03/09 10:36:17 | 000,000,000 | ---D | M]
     FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\
     FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{34712C68-7391-4c47-94F3-8F88D49AD632}: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2012/12/24 09:00:48 | 000,000,000 | ---D | M]
     FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2012/12/24 09:00:48 | 000,000,000 | ---D | M]

     O1 HOSTS File: ([2013/01/22 18:02:44 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
     O1 - Hosts: 127.0.0.1 localhost
     O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll (TechSmith Corporation)
     O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
     O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
     O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
     O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
     O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
     O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
     O2 - BHO: (ChromeFrame BHO) - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome\Application\24.0.1312.52\npchrome_frame.dll (Google Inc.)
     O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll (TechSmith Corporation)
     O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
     O3 - HKU\Dell_Admin_ON_C\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
     O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
     O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
     O4 - HKLM..\Run: [iSW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
     O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
     O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
     O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
     O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
     O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
     O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe (Intuit Inc.)
     O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe (TechSmith Corporation)
     O4 - Startup: C:\Documents and Settings\Dell_Admin\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
     O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
     O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
     O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
     O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
     O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
     O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
     O7 - HKU\Dell_Admin_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     O7 - HKU\Dell_Admin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
     O7 - HKU\Dell_Admin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
     O7 - HKU\Dell_Admin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
     O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
     O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
     O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
     O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
     O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
     O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
     O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
     O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
     O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
     O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab (Device Detection)
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1340306100093 (MUWebControl Class)
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
     O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
     O18 - Protocol\Handler\gcf {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome\Application\24.0.1312.52\npchrome_frame.dll (Google Inc.)
     O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
     O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe ()
     O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
     O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
     O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
     O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
     O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
     O32 - HKLM CDRom: AutoRun - 1
     O32 - AutoRun File - [2011/09/21 23:22:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
     O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
     O34 - HKLM BootExecute: (autocheck autochk *) - File not found
     O35 - HKLM\..comfile [open] -- "%1" %*
     O35 - HKLM\..exefile [open] -- "%1" %*
     O37 - HKLM\...com [@ = comfile] -- "%1" %*
     O37 - HKLM\...exe [@ = exefile] -- "%1" %*

     NetSvcs: 6to4 - File not found
     NetSvcs: Ias - File not found
     NetSvcs: Iprip - File not found
     NetSvcs: Irmon - File not found
     NetSvcs: NWCWorkstation - File not found
     NetSvcs: Nwsapagent - File not found
     NetSvcs: WmdmPmSp - File not found

     Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
     Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
     Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
     Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
     Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
     Drivers32: VIDC.FFDS - ff_vfw.dll File not found
     Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
     Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
     Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
     Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

     ========== Files/Folders - Created Within 30 Days ==========
     [2013/01/23 15:36:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
     [2013/01/22 18:37:53 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\Cookies
     [2013/01/22 08:06:03 | 005,025,054 | R--- | C] (Swearware) -- C:\Documents and Settings\Dell_Admin\Desktop\NoMbr.exe
     [2013/01/21 21:07:44 | 000,000,000 | RHSD | C] -- C:\cmdcons
     [2013/01/21 21:05:33 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
     [2013/01/21 21:05:33 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
     [2013/01/21 21:05:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
     [2013/01/21 21:05:33 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
     [2013/01/21 20:56:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
     [2013/01/21 20:48:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
     [2013/01/21 19:57:07 | 000,000,000 | ---D | C] -- C:\_OTL
     [2013/01/21 08:13:13 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dell_Admin\Desktop\OTL.exe
     [2013/01/20 20:28:32 | 000,101,112 | ---- | C] (GFI Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
     [2013/01/20 20:28:32 | 000,042,864 | ---- | C] (GFI Software) -- C:\WINDOWS\System32\sbbd.exe
     [2013/01/20 20:28:18 | 000,000,000 | ---D | C] -- C:\VIPRERESCUE
     [2013/01/12 15:19:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell_Admin\My Documents\_2012 TAX
     [2013/01/11 17:42:27 | 000,691,696 | ---- | C] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys
     [2013/01/11 17:42:07 | 000,000,000 | ---D | C] -- C:\Program Files\LSoft Technologies
     [2013/01/11 17:42:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Active@ ISO Burner
     [2013/01/05 11:02:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell_Admin\My Documents\&_LOCAL Business
     [2012/12/27 09:31:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell_Admin\My Documents\mom checking acct statements
     [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
     [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

     ========== Files - Modified Within 30 Days ==========
     [2013/01/25 12:26:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
     [2013/01/25 12:14:57 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\Windows Codec Update Service.job
     [2013/01/25 12:04:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
     [2013/01/25 12:03:59 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
     [2013/01/25 12:03:59 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
     [2013/01/25 12:03:59 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
     [2013/01/25 09:47:00 | 000,000,894 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
     [2013/01/25 09:35:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
     [2013/01/23 14:41:38 | 000,881,914 | ---- | M] () -- C:\Documents and Settings\Dell_Admin\Desktop\SecurityCheck.exe
     [2013/01/23 13:58:26 | 000,122,368 | ---- | M] () -- C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
     [2013/01/22 22:19:57 | 000,001,233 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
     [2013/01/22 20:11:40 | 000,574,315 | ---- | M] () -- C:\Documents and Settings\Dell_Admin\Desktop\adwcleaner.exe
     [2013/01/22 18:02:44 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
     [2013/01/22 08:06:05 | 005,025,054 | R--- | M] (Swearware) -- C:\Documents and Settings\Dell_Admin\Desktop\NoMbr.exe
     [2013/01/22 07:59:37 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
     [2013/01/21 21:07:50 | 000,000,441 | RHS- | M] () -- C:\boot.ini
     [2013/01/21 08:09:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dell_Admin\Desktop\OTL.exe
     [2013/01/18 16:15:41 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\wavepadShakeIcon.job
     [2013/01/14 16:37:56 | 000,002,605 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ASellerTool PC Downloader.lnk
     [2013/01/13 16:15:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
     [2013/01/12 12:06:19 | 000,001,831 | ---- | M] () -- C:\Documents and Settings\Dell_Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
     [2013/01/11 19:51:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
     [2013/01/11 17:42:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Active@ ISO Burner
     [2013/01/11 13:44:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
     [2013/01/11 09:09:44 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
     [2013/01/11 09:09:30 | 000,444,366 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
     [2013/01/11 07:33:14 | 000,002,347 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
     [2013/01/09 22:48:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Drive
     [2013/01/09 00:23:52 | 000,516,780 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
     [2013/01/09 00:23:52 | 000,091,378 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
     [2013/01/09 00:06:39 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
     [2013/01/08 14:35:22 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
     [2013/01/08 14:35:22 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
     [2013/01/06 00:34:35 | 006,009,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
     [2013/01/02 10:07:36 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\switchShakeIcon.job
     [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
     [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

     ========== Files Created - No Company Name ==========
     [2013/01/25 09:52:33 | 000,010,077 | ---- | C] () -- C:\WINDOWS\System32\userinit.exe
     [2013/01/22 21:31:37 | 000,881,914 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Desktop\SecurityCheck.exe
     [2013/01/22 20:20:02 | 000,574,315 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Desktop\adwcleaner.exe
     [2013/01/21 21:07:49 | 000,000,325 | ---- | C] () -- C:\Boot.bak
     [2013/01/21 21:07:46 | 000,260,272 | RHS- | C] () -- C:\cmldr
     [2013/01/21 21:05:33 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
     [2013/01/21 21:05:33 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
     [2013/01/21 21:05:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
     [2013/01/21 21:05:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
     [2013/01/21 21:05:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
     [2013/01/18 16:15:40 | 000,000,286 | ---- | C] () -- C:\WINDOWS\tasks\wavepadShakeIcon.job
     [2013/01/11 09:09:44 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
     [2013/01/11 09:09:23 | 000,444,366 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
     [2013/01/02 10:07:36 | 000,000,282 | ---- | C] () -- C:\WINDOWS\tasks\switchShakeIcon.job
     [2012/09/21 16:32:04 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI
     [2012/04/27 06:45:55 | 000,034,814 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\dt.dat
     [2012/04/11 19:01:03 | 000,025,713 | ---- | C] () -- C:\WINDOWS\CSTBox.INI
     [2012/02/14 19:54:42 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
     [2012/02/05 15:14:55 | 002,231,452 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1659004503-448539723-1177238915-1003-0.dat
     [2012/02/05 15:14:55 | 000,299,254 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
     [2012/02/05 12:10:05 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
     [2011/10/17 21:27:39 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\$_hpcst$.hpc
     [2011/10/10 11:49:50 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
     [2011/10/06 16:49:16 | 000,404,256 | R--- | C] () -- C:\WINDOWS\System32\drivers\SRS_AE_i386.sys
     [2011/10/03 13:51:58 | 000,122,368 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
     [2011/09/28 07:00:55 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Application Data\$_hpcst$.hpc
     [2011/09/26 20:34:42 | 000,000,064 | ---- | C] () -- C:\WINDOWS\qwimp.ini
     [2011/09/26 18:19:10 | 000,001,233 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
     [2011/09/26 16:45:47 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\PUTTY.RND
     [2011/09/26 15:47:22 | 000,000,069 | ---- | C] () -- C:\WINDOWS\spwdr.INI
     [2011/09/26 15:47:08 | 000,000,071 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
     [2011/09/26 15:47:03 | 000,027,648 | R--- | C] () -- C:\WINDOWS\Setup_ck.exe
     [2011/09/26 15:47:03 | 000,019,584 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
     [2011/09/26 15:47:03 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
     [2011/09/26 15:47:03 | 000,011,776 | ---- | C] () -- C:\WINDOWS\Ckrfresh.exe
     [2011/09/21 23:35:04 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
     [2011/09/21 23:34:44 | 000,114,630 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
     [2011/09/21 23:24:51 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
     [2011/09/21 23:19:25 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
     [2011/09/21 19:14:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
     [2011/09/21 19:12:13 | 000,282,928 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
     [2010/06/25 12:03:12 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
     [2008/05/26 20:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
     [2008/05/26 20:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
     [2008/04/14 05:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
     [2008/04/14 05:42:10 | 000,578,560 | ---- | C] () -- C:\WINDOWS\System32\user.dat
     [2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
     [2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
     [2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
     [2006/12/31 07:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
     [2005/03/21 13:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
     [2005/03/21 13:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
     [2004/08/04 00:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
     [2004/08/04 00:00:00 | 000,516,780 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
     [2004/08/04 00:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
     [2004/08/04 00:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
     [2004/08/04 00:00:00 | 000,091,378 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
     [2004/08/04 00:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
     [2004/08/04 00:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
     [2004/08/04 00:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

     ========== LOP Check ==========
     [2011/10/10 13:21:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
     [2011/09/21 23:38:22 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
     [2011/12/18 14:24:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\install_clap
     [2012/04/28 09:40:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
     [2011/12/18 14:27:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PDVD
     [2011/10/08 06:50:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
     [2013/01/02 10:07:36 | 000,000,282 | ---- | M] () -- C:\WINDOWS\Tasks\switchShakeIcon.job
     [2013/01/18 16:15:41 | 000,000,286 | ---- | M] () -- C:\WINDOWS\Tasks\wavepadShakeIcon.job
     [2013/01/25 12:14:57 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\Windows Codec Update Service.job

     ========== Purity Check ==========

     ========== Custom Scans ==========

     < %SYSTEMDRIVE%\*.* >
     [2013/01/22 20:20:47 | 000,005,664 | ---- | M] () -- C:\AdwCleaner[R1].txt
     [2013/01/22 20:40:04 | 000,005,724 | ---- | M] () -- C:\AdwCleaner[R2].txt
     [2013/01/22 20:53:26 | 000,005,594 | ---- | M] () -- C:\AdwCleaner[s1].txt
     [2009/12/29 13:59:42 | 000,002,288 | ---- | M] () -- C:\astformat.txt
     [2011/09/21 23:22:22 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
     [2011/09/26 
13:14:37 | 000,000,325 | ---- | M] () -- C:\Boot.bak [2013/01/21 21:07:50 | 000,000,441 | RHS- | M] () -- C:\boot.ini [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr [2013/01/22 18:13:42 | 000,020,943 | ---- | M] () -- C:\ComboFix.txt [2011/09/21 23:22:22 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS [2012/04/28 10:18:00 | 000,002,160 | ---- | M] () -- C:\FixitRegBackup.reg [2013/01/13 21:21:08 | 000,191,614 | ---- | M] () -- C:\hpfr5550.log [2011/09/21 23:22:22 | 000,000,000 | RHS- | M] () -- C:\IO.SYS [2011/09/21 23:22:22 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS [2008/04/13 22:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM [2008/04/14 00:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr [2013/01/25 12:03:14 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys [2011/09/26 15:46:17 | 006,532,926 | ---- | M] () -- C:\SP.Windows.Data.Recovery.4.1.0.1.zip < MD5 for: EXPLORER.EXE > [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\erdnt\cache\explorer.exe [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe [2008/04/29 10:42:08 | 000,090,624 | ---- | M] () MD5=FBB39A4487E11F64DCFFD36AEC2D2216 -- C:\Program Files\CheckPoint\ZAForceField\Heuristics\explorer.exe < MD5 for: SERVICES.EXE > [2009/02/06 06:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe [2008/04/14 05:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe [2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\erdnt\cache\services.exe 
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe [2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe < MD5 for: USERINIT.EXE > [2003/07/16 11:43:14 | 000,010,077 | ---- | M] () MD5=630E0B5DBAD11EC3F9DA477D628031AC -- C:\WINDOWS\system32\userinit.exe [2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\erdnt\cache\userinit.exe < MD5 for: WINLOGON.EXE > [2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\erdnt\cache\winlogon.exe [2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe [2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe [2008/07/01 08:17:12 | 000,090,624 | ---- | M] () MD5=FBB39A4487E11F64DCFFD36AEC2D2216 -- C:\Program Files\CheckPoint\ZAForceField\Heuristics\winlogon.exe ========== Alternate Data Streams ========== @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Dell_Admin\Desktop\SecurityCheck.exe:SummaryInformation < End of report > --------------------------------------------------------------------------------------------------------------- -earwicker
  12. Mr. C, Yes, I tried System Restore initially and every day since then, every way I could think of to get to it. I do not have System Restore. The virus took care of that very effectively. -earwicker
  13. Mr. C, I was able to find the two files on the XP Installation disc: USERINIT.EX_ and USER32.DL_. I renamed them to .exe and .dll, and tried to move them over to c:\windows\system32. I copied the infected files first to retain a copy of them. I then copied userinit.exe to the computer. Looked OK, new file copied. I then tried to copy user32.dll, and couldn't: "in use by another program or user." With only the one system file copied, I rebooted. Maybe this wasn't a good idea, because now I'm not able to get a desktop anymore. Only the cursor on a blank desktop. I think this computer is circling the drain... if not already there. -earwicker
  14. Mr. C, This is a very persistent virus that I have on my computer. I'm seeing the same behavior now as I did when it first began. If I try to boot in Safe Mode or Safe Mode with Networking, I get a blue screen of death and text like this: "A problem has been detected ... Windows has been shut down. Check for viruses on your computer. Tech info: Stop: 0x0000007B" If I get into Safe Mode (via the backdoor through 'Directory Restore Services') I see the exact same behavior that I see when I boot normally.
      * No System Restore // just flashes and dies
      * No cmd prompt // just flashes and dies
      * No task mgr // just flashes and dies
      * SecurityCheck.exe won't run (although others like OTL, ComboFix will)
      * No DVD drives, although they're present in My Computer.
      Let me know what you think and what (if anything) there is to do next. And thanks again for helping me with this SOB virus... -earwicker
  15. Mr. C, This is funny. All the other .exe's ran, but SecurityCheck won't. It just flashes for an instant and dies, like command prompts. I don't know if rebooting is required or not? After this post, I'm going to call it quits for the day. Thanks for all your work today. -earwicker