earwicker

Everything posted by earwicker

  1. Mr. C., OK, Java and Adobe Reader are updated. Anything else? -earwicker
  2. Mr. C., Looks good so far. Testing it out. Updating AV files. What's next? -earwicker
  3. Mr. C., Woohoo. That was maybe the final piece. Normal boot with access to Task Mgr, Cmd Prompt. Ran SecurityCheck, file posted below. No internet access yet - I'll wait until you give the go-ahead.

     Results of screen317's Security Check version 0.99.57
     Windows XP Service Pack 3 x86
     Internet Explorer 8
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Disabled!
     Please wait while WMIC compiles updated MOF files.
     d i s p l a y N a m e ECHO is off.
     A V G ECHO is off.
     I n t e r n e t ECHO is off.
     S e c u r i t y ECHO is off.
     2 0 1 2 ECHO is off.
     M i c r o s o f t ECHO is off.
     S e c u r i t y ECHO is off.
     E s e n t i a l s ECHO is off.
     Antivirus up to date! (On Access scanning disabled!)
     `````````Anti-malware/Other Utilities Check:`````````
     SUPERAntiSpyware
     CCleaner
     Java 7 Update 9
     Java version out of Date!
     Adobe Reader 10.1.5
     Adobe Reader out of Date!
     Google Chrome 23.0.1271.97
     Google Chrome 24.0.1312.52
     ````````Process Check: objlist.exe by Laurent````````
     Microsoft Security Essentials MSMpEng.exe
     CheckPoint ZoneAlarm vsmon.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:: 5%
     ````````````````````End of Log``````````````````````

     -earwicker
  4. Mr. C, No attachment found. Using xfinity web account. Want to try another email address? -earwicker
  5. Mr. C, Won't boot in normal or safe mode. Msg is:

     STOP: C0000221 {Bad Image Checksum}
     The image user32.dll is possibly corrupt. The header checksum does not match the computed checksum.

     FYI: This file is from the XP Reinstallation CD that came with the system. File was originally named USER32.DL_. I just renamed it. -earwicker
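The STOP C0000221 text in the post above says the header checksum stored in user32.dll did not match the one recomputed from the file. The Python below is an added example, not code from this thread or from earwicker: it reproduces that PE header checksum arithmetic on a constructed minimal PE32 image, writes a correct checksum the way a linker does, and shows a single flipped bit failing the same stored-versus-recomputed comparison. The image layout, offsets and sample bytes are constructed for illustration.

```python
import struct
from typing import Tuple

# Layout constants for the constructed PE32 image used below (assumptions for
# this example, not values taken from the thread).
E_LFANEW_OFFSET = 0x3C              # DOS header field that points at "PE\0\0"
COFF_HEADER_SIZE = 20               # IMAGE_FILE_HEADER
CHECKSUM_OFFSET_IN_OPTIONAL = 0x40  # IMAGE_OPTIONAL_HEADER.CheckSum


def checksum_field_offset(image: bytes) -> int:
    """File offset of CheckSum: e_lfanew -> signature (4) -> COFF header (20) -> +0x40."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_offset = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe_offset + 4 + COFF_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL


def compute_pe_checksum(image: bytes) -> int:
    """Recompute the PE header checksum over the whole file.

    Same arithmetic as imagehlp's CheckSumMappedFile: sum the file as
    little-endian 32-bit words (zero-padded at the end), skipping the CheckSum
    field itself, fold the carries down to 16 bits, then add the file length.
    Assumes the CheckSum field is 4-byte aligned, which holds for linker output.
    """
    skip = checksum_field_offset(image)
    padded = image + b"\0" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:                      # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(image)) & 0xFFFFFFFF


def stored_pe_checksum(image: bytes) -> int:
    """CheckSum value currently written in the header."""
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]


def with_checksum(image: bytes) -> bytes:
    """Copy of the image with a correct CheckSum written in, as a linker does at build time."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, checksum_field_offset(image), compute_pe_checksum(image))
    return bytes(buf)


def header_checksum_matches(image: bytes) -> bool:
    """The comparison reported by 'Bad Image Checksum': stored header checksum vs. recomputed."""
    return stored_pe_checksum(image) == compute_pe_checksum(image)


def build_sample_image() -> bytes:
    """Constructed minimal PE32 layout: DOS header, PE signature, COFF header,
    optional header, odd-length tail. Not loadable; enough for the arithmetic."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)   # PE signature right after the DOS header
    # Machine=i386, 1 section, no timestamp/symbols, optional header 224 bytes, DLL+executable flags
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x2102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0x00, 0x10B)        # PE32 magic
    struct.pack_into("<I", optional, 0x1C, 0x10000000)   # ImageBase; CheckSum at 0x40 stays 0
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + b"\x11" * 29


def demo() -> Tuple[bool, bool]:
    """Intact image passes; one flipped bit in the body makes the check fail."""
    good = with_checksum(build_sample_image())
    corrupted = bytearray(good)
    corrupted[0x140] ^= 0x01       # single-bit damage, as on-disk corruption would produce
    return header_checksum_matches(good), header_checksum_matches(bytes(corrupted))


if __name__ == "__main__":
    print("intact: %s, corrupted: %s" % demo())
```

Because the field is skipped during summation, the same routine both generates a checksum for a fresh build and verifies an existing one; a replacement DLL pulled from install media should pass this check before it is put back into system32.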
  6. Mr. C, I booted into OTLPE to do this. That way I was thinking the dll file wouldn't be in use. Is this correct? Here's the log.

     ========== FILES ==========
     File C:\WINDOWS\system32\user32.dll successfully replaced with C:\user32.dll
     File C:\WINDOWS\system32\dllcache\user32.dll successfully replaced with C:\user32.dll

     OTLPE by OldTimer - Version 3.1.48.0 log created on 01262013_080334

     -earwicker
  7. Mr. C, A copy of user32.dll (from XP installation disc) has been placed in C:\. Ready when you are. -earwicker
  8. Mr. C, Looks like there's a copy, but not where the other file came from?

     SystemLook 30.07.11 by jpshortstuff
     Log created at 22:33 on 25/01/2013 by Dell_Admin
     Administrator - Elevation successful

     ========== Filefind ==========

     Searching for "user32.dll"
     C:\WINDOWS\system32\user32.dll ------- 610816 bytes [10:42 14/04/2008] [10:42 14/04/2008] 32FB41BB1AB85901858082FA9CA4AC7C
     C:\WINDOWS\system32\dllcache\user32.dll --a--c- 610816 bytes [10:42 14/04/2008] [10:42 14/04/2008] 32FB41BB1AB85901858082FA9CA4AC7C

     -= EOF =-

     Let's pick it up tomorrow. Thanks! -earwicker
  9. Mr. C, Excellent. Booting to desktop, as before. Now do we have to replace the user32.dll file? Is the virus contained in that file or many, unknown files?

     ========== FILES ==========
     File C:\WINDOWS\system32\userinit.exe successfully replaced with C:\WINDOWS\erdnt\cache\userinit.exe

     OTLPE by OldTimer - Version 3.1.48.0 log created on 01252013_215138

     -earwicker
  10. Mr. C, Here is OTL.txt

      OTL logfile created on: 1/25/2013 5:01:33 PM - Run OTLPE by OldTimer - Version 3.1.48.0
13:14:37 | 000,000,325 | ---- | M] () -- C:\Boot.bak [2013/01/21 21:07:50 | 000,000,441 | RHS- | M] () -- C:\boot.ini [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr [2013/01/22 18:13:42 | 000,020,943 | ---- | M] () -- C:\ComboFix.txt [2011/09/21 23:22:22 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS [2012/04/28 10:18:00 | 000,002,160 | ---- | M] () -- C:\FixitRegBackup.reg [2013/01/13 21:21:08 | 000,191,614 | ---- | M] () -- C:\hpfr5550.log [2011/09/21 23:22:22 | 000,000,000 | RHS- | M] () -- C:\IO.SYS [2011/09/21 23:22:22 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS [2008/04/13 22:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM [2008/04/14 00:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr [2013/01/25 12:03:14 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys [2011/09/26 15:46:17 | 006,532,926 | ---- | M] () -- C:\SP.Windows.Data.Recovery.4.1.0.1.zip < MD5 for: EXPLORER.EXE > [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\erdnt\cache\explorer.exe [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe [2008/04/29 10:42:08 | 000,090,624 | ---- | M] () MD5=FBB39A4487E11F64DCFFD36AEC2D2216 -- C:\Program Files\CheckPoint\ZAForceField\Heuristics\explorer.exe < MD5 for: SERVICES.EXE > [2009/02/06 06:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe [2008/04/14 05:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe [2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\erdnt\cache\services.exe 
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe [2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe < MD5 for: USERINIT.EXE > [2003/07/16 11:43:14 | 000,010,077 | ---- | M] () MD5=630E0B5DBAD11EC3F9DA477D628031AC -- C:\WINDOWS\system32\userinit.exe [2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\erdnt\cache\userinit.exe < MD5 for: WINLOGON.EXE > [2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\erdnt\cache\winlogon.exe [2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe [2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe [2008/07/01 08:17:12 | 000,090,624 | ---- | M] () MD5=FBB39A4487E11F64DCFFD36AEC2D2216 -- C:\Program Files\CheckPoint\ZAForceField\Heuristics\winlogon.exe ========== Alternate Data Streams ========== @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Dell_Admin\Desktop\SecurityCheck.exe:SummaryInformation < End of report > --------------------------------------------------------------------------------------------------------------- -earwicker
  11. Mr. C, Yes, I tried System Restore initially and every day since then, every way I could think of to get to it. I do not have System Restore. The virus took care of that very effectively. -earwicker
  12. Mr. C, I was able to find the two files on the XP Installation disc: USERINIT.EX_ and USER32.DL_. I renamed them to .exe and .dll, and tried to move them over to c:\windows\system32. I copied the infected files first to retain a copy of them. I then copied userinit.exe to the computer. Looked OK, new file copied. I then tried to copy user32.dll, and couldn't: "in use by another program or user." With only the one system file copied, I rebooted. Maybe this wasn't a good idea, because now I'm not able to get a desktop anymore. Only the cursor on a blank desktop. I think this computer is circling the drain... if not already there. -earwicker
  13. Mr. C, This is a very persistent virus that I have on my computer. I'm seeing the same behavior now as I did when it first began. If I try to boot in Safe Mode or Safe Mode with Networking, I get a blue screen of death and text like this: "A problem has been detected ... Windows has been shut down. Check for viruses on your computer. Tech info: Stop: 0x0000007B". If I get into Safe Mode (via the backdoor through 'Directory Restore Services') I see the exact same behavior that I see when I boot normally.
* No System Restore // just flashes and dies
* No cmd prompt // just flashes and dies
* No task mgr // just flashes and dies
* SecurityCheck.exe won't run (although others like OTL, ComboFix will)
* No DVD drives, although they're present in My Computer.
Let me know what you think and what (if anything) there is to do next. And thanks again for helping me with this SOB virus... -earwicker
  14. Mr. C, This is funny. All the other .exe's ran, but SecurityCheck won't. It just flashes for an instant and dies, like command prompts. I don't know if rebooting is required or not? After this post, I'm going to call it quits for the day. Thanks for all your work today. -earwicker
  15. Mr. C, Here it is:
-----------------------------------------------------------------------------------------------------------
# AdwCleaner v2.107 - Logfile created 01/22/2013 at 20:53:16
# Updated 21/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Dell_Admin - PC1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Dell_Admin\Desktop\adwcleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Dell_Admin\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\ZoneAlarm_Security_Suite
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Freeze.com
Folder Deleted : C:\Program Files\ZoneAlarm_Security_Suite

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\ZoneAlarm_Security_Suite
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\BabylonToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7E8A36EA-2501-4ED3-A3C8-CFA9143FB169}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\Toolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.BandObject
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.BandObject.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3015261
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3196716
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6857AC4A-95B4-4E2C-B2D2-8A235FCCEF4A}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{864357B0-6560-4B5B-A845-E456A2D3ACB6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4A81447-0874-4B6B-981C-06BBEF215D0A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\StartNow Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\StartNow Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm_Security_Suite Toolbar
Key Deleted : HKLM\Software\ZoneAlarm_Security_Suite
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.52

File : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [5664 octets] - [22/01/2013 20:20:39]
AdwCleaner[R2].txt - [5724 octets] - [22/01/2013 20:39:57]
AdwCleaner[s1].txt - [5465 octets] - [22/01/2013 20:53:16]

########## EOF - C:\AdwCleaner[s1].txt - [5525 octets] ##########
  16. Mr. C., Yes, I have the XP Reinstallation CD. But as of now, I have no way to run it because the drives are dead. Are the files to be deleted the ones in Files/Folders? If so, I don't recognize any of these except for ZoneAlarm_Security_Suite. I run ZA firewall. That would be interesting if it was infected. You can delete any/all of those files.
-------------------------------------------------------------------------------------------------------------
# AdwCleaner v2.107 - Logfile created 01/22/2013 at 20:20:39
# Updated 21/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Dell_Admin - PC1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Dell_Admin\Desktop\adwcleaner.exe
# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Found : C:\Documents and Settings\Dell_Admin\Application Data\Babylon
Folder Found : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Babylon
Folder Found : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\ZoneAlarm_Security_Suite
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Program Files\Freeze.com
Folder Found : C:\Program Files\ZoneAlarm_Security_Suite

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\ZoneAlarm_Security_Suite
Key Found : HKCU\Toolbar
Key Found : HKLM\Software\Babylon
Key Found : HKLM\Software\BabylonToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{7E8A36EA-2501-4ED3-A3C8-CFA9143FB169}
Key Found : HKLM\SOFTWARE\Classes\AppID\Toolbar.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}
Key Found : HKLM\SOFTWARE\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\Toolbar.BandObject
Key Found : HKLM\SOFTWARE\Classes\Toolbar.BandObject.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3015261
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3196716
Key Found : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject
Key Found : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6857AC4A-95B4-4E2C-B2D2-8A235FCCEF4A}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{864357B0-6560-4B5B-A845-E456A2D3ACB6}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4A81447-0874-4B6B-981C-06BBEF215D0A}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\StartNow Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\StartNow Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm_Security_Suite Toolbar
Key Found : HKLM\Software\ZoneAlarm_Security_Suite
Key Found : HKU\S-1-5-21-1659004503-448539723-1177238915-1003\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKU\S-1-5-21-1659004503-448539723-1177238915-1003\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.52

File : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [5535 octets] - [22/01/2013 20:20:39]

########## EOF - C:\AdwCleaner[R1].txt - [5595 octets] ##########
------------------------------------------------------------------------------------------------------------
Regards, -earwicker
  17. Mr. C, I hope this is what you want.
userinit
https://www.virustotal.com/file/944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f/analysis/1358902329/
user32.dll
https://www.virustotal.com/file/9ca0a1b0a8f5118297db8021117dcd7baa056e08a51795d2b55f2ddb42453a16/analysis/1358902522/
  18. Mr. C, Here is the file ________________________________ ComboFix 13-01-21.04 - Dell_Admin 01/22/2013 8:23.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2666 [GMT -5:00] Running from: c:\documents and settings\Dell_Admin\Desktop\NoMbr.exe AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} FW: AVG Internet Security 2012 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\All Users\Application Data\TEMP c:\documents and settings\All Users\Application Data\TEMP\{F232C87C-6E92-4775-8210-DFE90B7777D9}\PostBuild.exe c:\documents and settings\Dell_Admin\Application Data\PriceGong c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\1.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\17781.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\4436.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\a.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\b.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\c.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\d.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\e.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\f.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\g.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\h.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\i.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\j.txt c:\documents and settings\Dell_Admin\Application 
Data\PriceGong\Data\k.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\l.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\m.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\mru.xml c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\n.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\o.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\p.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\q.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\r.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\s.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\t.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\u.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\v.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\w.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\wlu.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\x.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\y.txt c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\z.txt c:\documents and settings\Dell_Admin\My Documents\ShopToWin c:\documents and settings\Dell_Admin\Recent\Thumbs.db c:\windows\system32\roboot.exe c:\windows\system32\SET6D.tmp c:\windows\system32\SET6F.tmp c:\windows\system32\SET7D.tmp c:\windows\system32\Thumbs.db . c:\windows\system32\userinit.exe . . . is infected!! . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_Updater_Service_for_StartNow_Toolbar -------\Service_Updater Service for StartNow Toolbar . . ((((((((((((((((((((((((( Files Created from 2012-12-22 to 2013-01-22 ))))))))))))))))))))))))))))))) . . 2013-01-22 13:03 . 
2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E2448568-D689-4F4D-A1E5-505D9097AD89}\mpengine.dll 2013-01-22 01:48 . 2013-01-22 01:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth 2013-01-22 00:57 . 2013-01-22 00:57 -------- d-----w- C:\_OTL 2013-01-21 01:28 . 2012-05-25 17:14 42864 ----a-w- c:\windows\system32\sbbd.exe 2013-01-21 01:28 . 2012-05-25 17:14 101112 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2013-01-21 01:28 . 2013-01-21 22:37 -------- d-----w- C:\VIPRERESCUE 2013-01-14 15:11 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2013-01-11 22:42 . 2013-01-11 22:42 691696 ----a-w- c:\windows\system32\drivers\sptd.sys 2013-01-11 22:42 . 2013-01-11 22:42 -------- d-----w- c:\program files\LSoft Technologies 2012-12-30 23:44 . 2008-04-14 03:14 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll 2012-12-24 14:00 . 2012-12-24 14:00 -------- d-----w- c:\program files\RealNetworks 2012-12-24 14:00 . 2012-12-24 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\RealNetworks 2012-12-24 13:59 . 2012-12-24 13:59 -------- d-----w- c:\program files\Common Files\xing shared 2012-12-24 13:58 . 2012-12-24 13:58 499712 ----a-w- c:\windows\system32\msvcp71.dll 2012-12-24 13:58 . 2012-12-24 13:58 348160 ----a-w- c:\windows\system32\msvcr71.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-01-08 19:35 . 2012-04-03 15:44 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-01-08 19:35 . 2011-09-22 04:32 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-12-16 12:23 . 2008-04-14 10:39 290560 ----a-w- c:\windows\system32\atmfd.dll 2012-11-13 01:25 . 
2008-04-14 06:00 1866368 ----a-w- c:\windows\system32\win32k.sys 2012-11-06 02:01 . 2008-04-14 10:42 1371648 ----a-w- c:\windows\system32\msxml6.dll 2012-11-02 02:02 . 2008-04-14 10:41 375296 ----a-w- c:\windows\system32\dpnet.dll 2012-11-01 12:17 . 2008-04-14 10:42 1469440 ------w- c:\windows\system32\inetcpl.cpl 2012-11-01 12:17 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll 2012-11-01 12:17 . 2008-04-14 10:41 43520 ------w- c:\windows\system32\licmgr10.dll 2012-11-01 00:35 . 2008-04-14 05:07 385024 ------w- c:\windows\system32\html.iec . . ------- Sigcheck ------- Note: Unsigned files aren't necessarily malware. . [-] 2008-04-14 . 32FB41BB1AB85901858082FA9CA4AC7C . 610816 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll [-] 2008-04-14 . 32FB41BB1AB85901858082FA9CA4AC7C . 610816 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\user32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{3ce45c4f-bfff-4988-9a3c-a75c1f491319}"= "c:\program files\ZoneAlarm_Security_Suite\prxtbZon0.dll" [2011-05-09 176936] . [HKEY_CLASSES_ROOT\clsid\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}] . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}] 2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security_Suite\prxtbZon0.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{3ce45c4f-bfff-4988-9a3c-a75c1f491319}"= "c:\program files\ZoneAlarm_Security_Suite\prxtbZon0.dll" [2011-05-09 176936] . [HKEY_CLASSES_ROOT\clsid\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}] . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}"= "c:\program files\ZoneAlarm_Security_Suite\prxtbZon0.dll" [2011-05-09 176936] . 
[HKEY_CLASSES_ROOT\clsid\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-07-25 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-07-22 72336]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-12-24 295072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVORUYtUEI2M0YtWDlaQVMtQU8zVEItSEk5Sk8tM0xQMkM&inst=NzctNzMyMjc0ODUzLVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ&prod=90&ver=2012.0.1809&mid=e01e8f10daef47d18adcd15857c5690c-80eb4ff0d34d56d8c6bf2367cf2394e9f4a2e0ad" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
c:\documents and settings\Dell_Admin\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2007-2-6 6379080]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/11/2013 5:42 PM 691696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [1/20/2013 8:28 PM 101112]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 6:38 PM 116608]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [7/25/2011 7:57 AM 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [7/25/2011 7:57 AM 493184]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [10/26/2011 11:07 AM 12184]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 12:07 PM 35088]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [11/29/2012 8:31 PM 38608]
S3 SRS_AE_Service;SRS Audio Essentials;c:\windows\system32\drivers\SRS_AE_i386.sys [10/6/2011 4:49 PM 404256]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-12 00:47 1606760 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 19:35]
.
2013-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-06 13:24]
.
2013-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-06 13:24]
.
2013-01-22 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 20:30]
.
2013-01-22 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 20:30]
.
2013-01-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 20:30]
.
2013-01-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 20:30]
.
2013-01-02 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Software\Switch\switch.exe [2011-12-31 01:02]
.
2013-01-18 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Software\WavePad\wavepad.exe [2011-12-31 01:02]
.
2013-01-22 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2012-02-03 09:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-StartNow Toolbar - c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe
AddRemove-Windows Essentials Media Codec Pack - c:\program files\Essentials Codec Pack\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-22 18:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-448539723-1177238915-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(764)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\crypserv.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Zune\ZuneBusEnum.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\TechSmith\SnagIt 8\TSCHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2013-01-22 18:13:39 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-22 23:13
.
Pre-Run: 100,053,336,064 bytes free
.
- - End Of File - - 295A67E79BB71A96FDF7B75708C16BD8
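The registry sections ComboFix printed in the log above (Winlogon\Userinit, the standard-profile firewall policy and its GloballyOpenPorts list) are the ones a responder reads first. As an added example that is not part of the original post, of ComboFix, or of the helper's instructions, the Python below parses an excerpt constructed from this log and flags the three items a triage pass would raise: a Userinit value other than the stock XP userinit.exe, EnableFirewall set to 0, and a globally open port rule with no address scope (here 3389/TCP, Remote Desktop). The XP default Userinit value and the reading of ComboFix's abbreviated rule format (a rule with no address/mask field is treated as open to any remote address) are this example's assumptions, not facts the thread states.

```python
"""Triage checks over the registry sections of a ComboFix log.

Added example for this thread: the sample text below is a constructed
excerpt modelled on the log posted above; the parser is not part of
ComboFix and the defaults are the example author's own assumptions.
"""
import re

# Constructed sample (same shape ComboFix prints: bracketed key, then
# "name"=data lines, with a lone '.' as the separator between sections).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
'''

# Assumption: stock Windows XP value. Winlogon runs whatever is listed here
# at every interactive logon, so any other value deserves a second look.
XP_DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# An address/mask pair as the firewall stores rule scope, e.g. 169.254.2.0/255.255.255.0
SCOPE_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,3}(?:\.\d{1,3}){3}$")


def parse_registry_dump(text):
    """Return {key_path_lowercased: {value_name: data}} from a ComboFix excerpt."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key").lower()
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group("name")] = value_match.group("data").strip()
    return keys


def find_key(keys, suffix):
    """Match a key by trailing path so the abbreviated HKLM\\~ form resolves too."""
    suffix = suffix.lower()
    for path, values in keys.items():
        if path.endswith(suffix):
            return values
    return {}


def triage(text):
    """Return the findings a responder should review, as plain strings."""
    keys = parse_registry_dump(text)
    findings = []

    winlogon = find_key(keys, r"\windows nt\currentversion\winlogon")
    userinit = winlogon.get("Userinit", "").strip('"').lower()
    if userinit and userinit != XP_DEFAULT_USERINIT:
        findings.append(f"Userinit is non-default: {userinit}")

    profile = find_key(keys, r"\firewallpolicy\standardprofile")
    if profile.get("EnableFirewall", "").startswith("0"):
        findings.append("Windows Firewall (standard profile) is disabled")

    # Assumption: ComboFix prints a rule as port:proto[:scope]:Enabled:name and
    # omits the '*' scope, so a rule with no address/mask field is open to everyone.
    ports = find_key(keys, r"\firewallpolicy\standardprofile\globallyopenports\list")
    for name, data in ports.items():
        port, _, proto = name.partition(":")
        if any(SCOPE_RE.match(field) for field in data.split(":")):
            continue  # scoped to a subnet, e.g. ActiveSync's link-local range
        label = " (Remote Desktop)" if port == "3389" else ""
        findings.append(f"Port {port}/{proto}{label} open to any remote address: {data}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Two caveats when reading the output against this particular log. The same dump registers ZoneAlarm with Security Center (DisableMonitoring=1), and the earlier SecurityCheck output shows vsmon.exe running, so a disabled Windows Firewall is what you expect when a third-party firewall is installed; the finding is a prompt to confirm that firewall is actually filtering, not proof of exposure. Likewise, a non-default Userinit is common both in infections and in manual repairs performed during a cleanup, so the check tells you to ask why it was changed rather than what changed it.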
  19. MrC, Whew! Had a scary moment there. I just rebooted. ComboFix made a log. Would you like it?
  20. MrC, I was afraid you'd say that. In the previous posts, I described what I saw and followed directions. It did this after running NoMbr.exe. It was at stage 60 or something. 20 minutes later I looked and it was at the boot screen: 'No Drive 0 found, No Drive 1 found. Strike the F1 key to continue, F2 to run setup.' This was in the 10:09AM post today. I don't know what to say either. That's how I got here. -earwicker
  21. Mr. C, Not sure what you mean by 'get out of it'. It's trying to boot, and allows F1 to continue or F2 to run setup. The only other option I have is the on/off button.
  22. I'm worried now. ------------------------------------------------------------------------------------- No boot device available - strike the F1 key to retry boot, F2 for setup utility ----------------------------------------------------------------------------------- I retry with F1 and get the same. Is F2 the only option left?
  23. MrC, NoMbr.exe was running fine, large number of stages. When I checked 20 minutes later, the computer was trying to reboot.... ---------------------- Drive 0 not found Drive 1 not found: Strike the F1 key to continue, F2 to run setup... Regards,
  24. Mr. C, It's been several hours and ComboFix seems to be stalled out. After completing Stage 4, the cursor is blinking on the next line. Since I don't have Task Mgr, there's no way to know what's going on. The scan couldn't really be taking this long, could it? I'll let it run until I receive further instructions.