earwicker
-
Posts
30 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Posts posted by earwicker
-
-
Mr. C.,
Looks good so far. Testing it out. Updating AV files. What's next ?
-earwicker
-
Mr. C.,
Woohoo. That was maybe the final piece. Normal boot with access to Task Mgr, Cmd Prompt. Ran SecurityCheck, file posted below.
No internet access yet - I'll wait until you give the go-ahead.
---------------------------------------------------------
Results of screen317's Security Check version 0.99.57
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Please wait while WMIC compiles updated MOF files.d
i
s
p
l
a
y
N
a
m
e
ECHO is off.
A
V
G
ECHO is off.
I
n
t
e
r
n
e
t
ECHO is off.
S
e
c
u
r
i
t
y
ECHO is off.
2
0
1
2
ECHO is off.
M
i
c
r
o
s
o
f
t
ECHO is off.
S
e
c
u
r
i
t
y
ECHO is off.
E
s
e
n
t
i
a
l
s
ECHO is off.
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
CCleaner
Java 7 Update 9
Java version out of Date!
Adobe Reader 10.1.5 Adobe Reader out of Date!
Google Chrome 23.0.1271.97
Google Chrome 24.0.1312.52
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
CheckPoint ZoneAlarm vsmon.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 5%
````````````````````End of Log``````````````````````
-------------------------------------------------------------------------------------------------
-earwicker
-
YES. Got it.
-earwicker
-
Mr. C,
No attachment found. Using xfinity web account.
want to try another email address?
-earwicker
-
Mr. C,
Won't boot in normal or safemode. Msg is:
STOP: C0000221 {Bad Image Checksum}
The image user32.dll is possibly corrupt. The header checksum does not match the computed checksum.
------------------------------------------------------------------------------------------------------------------------------------------
FYI: This file is from XP Reinstallation CD that came with system. File was originally named USER32.DL_. I just renamed it.
-earwicker
-
Mr. C,
I booted into OTLPE to do this. That way I was thinking the dll file wouldn't be in use. is this correct ??
Here's the log.
========== FILES ==========
File C:\WINDOWS\system32\user32.dll successfully replaced with C:\user32.dll
File C:\WINDOWS\system32\dllcache\user32.dll successfully replaced with C:\user32.dll
OTLPE by OldTimer - Version 3.1.48.0 log created on 01262013_080334
-earwicker
-
Mr. C,
A copy of user32.dll (from XP installation disc) has been placed in C:\. Ready when you are.
-earwicker
-
Mr. C,
Looks like there's a copy, but not where the other file came from ?
--------------------------------------------------------------------------------------------------------------
SystemLook 30.07.11 by jpshortstuff
Log created at 22:33 on 25/01/2013 by Dell_Admin
Administrator - Elevation successful
========== Filefind ==========
Searching for "user32.dll"
C:\WINDOWS\system32\user32.dll ------- 610816 bytes [10:42 14/04/2008] [10:42 14/04/2008] 32FB41BB1AB85901858082FA9CA4AC7C
C:\WINDOWS\system32\dllcache\user32.dll --a--c- 610816 bytes [10:42 14/04/2008] [10:42 14/04/2008] 32FB41BB1AB85901858082FA9CA4AC7C
-= EOF =-
-------------------------------------------------------
Let's pick it up tomorrow. Thanks!
-earwicker
-
Mr. C,
Excellent. Booting to desktop, as before.
Now do we have to replace the user32.dll file ??
Is the virus contained in that file or many, unknown files ?
========== FILES ==========
File C:\WINDOWS\system32\userinit.exe successfully replaced with C:\WINDOWS\erdnt\cache\userinit.exe
OTLPE by OldTimer - Version 3.1.48.0 log created on 01252013_215138
-------------------------------------------------------------------------------------------------------------------------------------
-earwicker
-
Mr. C,
Here is OTL.txt
-------------------------------------------------------------------------------------------------------------
OTL logfile created on: 1/25/2013 5:01:33 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 96.15 Gb Free Space | 64.51% Space Free | Partition Type: NTFS
Drive D: | 596.17 Gb Total Space | 233.59 Gb Free Space | 39.18% Space Free | Partition Type: NTFS
Drive F: | 121.28 Mb Total Space | 108.05 Mb Free Space | 89.10% Space Free | Partition Type: FAT
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet005
========== Win32 Services (SafeList) ==========
SRV - File not found [On_Demand] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2013/01/08 14:35:25 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/09/24 22:12:59 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/09/12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/09/07 17:16:26 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/09/27 14:03:28 | 000,295,192 | ---- | M] (Logitech, Inc.) [Auto] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2011/08/25 17:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
SRV - [2011/08/05 11:30:02 | 000,444,640 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2011/08/05 11:30:02 | 000,268,512 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2011/08/05 11:29:56 | 006,363,872 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2011/08/05 11:29:56 | 000,057,056 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Zune\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2011/07/25 07:57:16 | 000,493,184 | ---- | M] (Check Point Software Technologies) [Auto] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2011/07/22 08:44:44 | 002,413,936 | ---- | M] (Check Point Software Technologies LTD) [Auto] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2008/05/07 18:29:38 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) [Auto] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2013/01/11 17:42:27 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2012/05/25 12:14:24 | 000,101,112 | ---- | M] (GFI Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2011/09/02 01:31:28 | 000,039,192 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2011/09/02 01:31:20 | 000,041,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2011/09/02 01:30:58 | 000,012,184 | ---- | M] (Logitech, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2011/08/01 11:44:26 | 000,404,256 | R--- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SRS_AE_i386.sys -- (SRS_AE_Service)
DRV - [2011/07/25 07:57:10 | 000,027,016 | ---- | M] (Check Point Software Technologies) [Kernel | Auto] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2011/07/22 11:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/22 08:43:08 | 000,525,840 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
DRV - [2011/07/12 16:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/06/25 12:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2008/03/17 11:45:52 | 000,019,584 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\ckldrv.sys -- (NetworkX)
DRV - [2008/02/27 12:49:00 | 000,003,840 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2006/11/02 06:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/02/09 19:57:46 | 001,502,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/09/17 08:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/23 13:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/11/17 14:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 14:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 14:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Dell_Admin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\Dell_Admin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\Program Files\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.0.282: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.0: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.0: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.0: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.0.282: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10171.dll (Amazon.com, Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/03/09 10:36:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{34712C68-7391-4c47-94F3-8F88D49AD632}: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2012/12/24 09:00:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2012/12/24 09:00:48 | 000,000,000 | ---D | M]
O1 HOSTS File: ([2013/01/22 18:02:44 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (ChromeFrame BHO) - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome\Application\24.0.1312.52\npchrome_frame.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKU\Dell_Admin_ON_C\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
O4 - HKLM..\Run: [iSW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe (TechSmith Corporation)
O4 - Startup: C:\Documents and Settings\Dell_Admin\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Dell_Admin_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Dell_Admin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Dell_Admin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Dell_Admin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab (Device Detection)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1340306100093 (MUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\gcf {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome\Application\24.0.1312.52\npchrome_frame.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe ()
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/09/21 23:22:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - ff_vfw.dll File not found
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
========== Files/Folders - Created Within 30 Days ==========
[2013/01/23 15:36:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/01/22 18:37:53 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\Cookies
[2013/01/22 08:06:03 | 005,025,054 | R--- | C] (Swearware) -- C:\Documents and Settings\Dell_Admin\Desktop\NoMbr.exe
[2013/01/21 21:07:44 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/01/21 21:05:33 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/01/21 21:05:33 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/01/21 21:05:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/01/21 21:05:33 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/01/21 20:56:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/01/21 20:48:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2013/01/21 19:57:07 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/01/21 08:13:13 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dell_Admin\Desktop\OTL.exe
[2013/01/20 20:28:32 | 000,101,112 | ---- | C] (GFI Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2013/01/20 20:28:32 | 000,042,864 | ---- | C] (GFI Software) -- C:\WINDOWS\System32\sbbd.exe
[2013/01/20 20:28:18 | 000,000,000 | ---D | C] -- C:\VIPRERESCUE
[2013/01/12 15:19:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell_Admin\My Documents\_2012 TAX
[2013/01/11 17:42:27 | 000,691,696 | ---- | C] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys
[2013/01/11 17:42:07 | 000,000,000 | ---D | C] -- C:\Program Files\LSoft Technologies
[2013/01/11 17:42:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Active@ ISO Burner
[2013/01/05 11:02:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell_Admin\My Documents\&_LOCAL Business
[2012/12/27 09:31:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell_Admin\My Documents\mom checking acct statements
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2013/01/25 12:26:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/01/25 12:14:57 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\Windows Codec Update Service.job
[2013/01/25 12:04:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/01/25 12:03:59 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/01/25 12:03:59 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
[2013/01/25 12:03:59 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
[2013/01/25 09:47:00 | 000,000,894 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/01/25 09:35:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/01/23 14:41:38 | 000,881,914 | ---- | M] () -- C:\Documents and Settings\Dell_Admin\Desktop\SecurityCheck.exe
[2013/01/23 13:58:26 | 000,122,368 | ---- | M] () -- C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/01/22 22:19:57 | 000,001,233 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2013/01/22 20:11:40 | 000,574,315 | ---- | M] () -- C:\Documents and Settings\Dell_Admin\Desktop\adwcleaner.exe
[2013/01/22 18:02:44 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/01/22 08:06:05 | 005,025,054 | R--- | M] (Swearware) -- C:\Documents and Settings\Dell_Admin\Desktop\NoMbr.exe
[2013/01/22 07:59:37 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
[2013/01/21 21:07:50 | 000,000,441 | RHS- | M] () -- C:\boot.ini
[2013/01/21 08:09:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dell_Admin\Desktop\OTL.exe
[2013/01/18 16:15:41 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\wavepadShakeIcon.job
[2013/01/14 16:37:56 | 000,002,605 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ASellerTool PC Downloader.lnk
[2013/01/13 16:15:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
[2013/01/12 12:06:19 | 000,001,831 | ---- | M] () -- C:\Documents and Settings\Dell_Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/01/11 19:51:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2013/01/11 17:42:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Active@ ISO Burner
[2013/01/11 13:44:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
[2013/01/11 09:09:44 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/01/11 09:09:30 | 000,444,366 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2013/01/11 07:33:14 | 000,002,347 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2013/01/09 22:48:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Drive
[2013/01/09 00:23:52 | 000,516,780 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/01/09 00:23:52 | 000,091,378 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/01/09 00:06:39 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/01/08 14:35:22 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/01/08 14:35:22 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/01/06 00:34:35 | 006,009,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2013/01/02 10:07:36 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\switchShakeIcon.job
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2013/01/25 09:52:33 | 000,010,077 | ---- | C] () -- C:\WINDOWS\System32\userinit.exe
[2013/01/22 21:31:37 | 000,881,914 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Desktop\SecurityCheck.exe
[2013/01/22 20:20:02 | 000,574,315 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Desktop\adwcleaner.exe
[2013/01/21 21:07:49 | 000,000,325 | ---- | C] () -- C:\Boot.bak
[2013/01/21 21:07:46 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/01/21 21:05:33 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/01/21 21:05:33 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/01/21 21:05:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/01/21 21:05:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/01/21 21:05:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/01/18 16:15:40 | 000,000,286 | ---- | C] () -- C:\WINDOWS\tasks\wavepadShakeIcon.job
[2013/01/11 09:09:44 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/01/11 09:09:23 | 000,444,366 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2013/01/02 10:07:36 | 000,000,282 | ---- | C] () -- C:\WINDOWS\tasks\switchShakeIcon.job
[2012/09/21 16:32:04 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI
[2012/04/27 06:45:55 | 000,034,814 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\dt.dat
[2012/04/11 19:01:03 | 000,025,713 | ---- | C] () -- C:\WINDOWS\CSTBox.INI
[2012/02/14 19:54:42 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/05 15:14:55 | 002,231,452 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1659004503-448539723-1177238915-1003-0.dat
[2012/02/05 15:14:55 | 000,299,254 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/02/05 12:10:05 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
[2011/10/17 21:27:39 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\$_hpcst$.hpc
[2011/10/10 11:49:50 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2011/10/06 16:49:16 | 000,404,256 | R--- | C] () -- C:\WINDOWS\System32\drivers\SRS_AE_i386.sys
[2011/10/03 13:51:58 | 000,122,368 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/28 07:00:55 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Application Data\$_hpcst$.hpc
[2011/09/26 20:34:42 | 000,000,064 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2011/09/26 18:19:10 | 000,001,233 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2011/09/26 16:45:47 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\PUTTY.RND
[2011/09/26 15:47:22 | 000,000,069 | ---- | C] () -- C:\WINDOWS\spwdr.INI
[2011/09/26 15:47:08 | 000,000,071 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
[2011/09/26 15:47:03 | 000,027,648 | R--- | C] () -- C:\WINDOWS\Setup_ck.exe
[2011/09/26 15:47:03 | 000,019,584 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
[2011/09/26 15:47:03 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
[2011/09/26 15:47:03 | 000,011,776 | ---- | C] () -- C:\WINDOWS\Ckrfresh.exe
[2011/09/21 23:35:04 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2011/09/21 23:34:44 | 000,114,630 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011/09/21 23:24:51 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/09/21 23:19:25 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/09/21 19:14:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/09/21 19:12:13 | 000,282,928 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/25 12:03:12 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2008/05/26 20:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 20:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/14 05:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 05:42:10 | 000,578,560 | ---- | C] () -- C:\WINDOWS\System32\user.dat
[2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/12/31 07:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/03/21 13:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/21 13:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 00:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 00:00:00 | 000,516,780 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 00:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 00:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 00:00:00 | 000,091,378 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 00:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 00:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 00:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
========== LOP Check ==========
[2011/10/10 13:21:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2011/09/21 23:38:22 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/12/18 14:24:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\install_clap
[2012/04/28 09:40:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/12/18 14:27:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PDVD
[2011/10/08 06:50:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2013/01/02 10:07:36 | 000,000,282 | ---- | M] () -- C:\WINDOWS\Tasks\switchShakeIcon.job
[2013/01/18 16:15:41 | 000,000,286 | ---- | M] () -- C:\WINDOWS\Tasks\wavepadShakeIcon.job
[2013/01/25 12:14:57 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\Windows Codec Update Service.job
========== Purity Check ==========
========== Custom Scans ==========
< %SYSTEMDRIVE%\*.* >
[2013/01/22 20:20:47 | 000,005,664 | ---- | M] () -- C:\AdwCleaner[R1].txt
[2013/01/22 20:40:04 | 000,005,724 | ---- | M] () -- C:\AdwCleaner[R2].txt
[2013/01/22 20:53:26 | 000,005,594 | ---- | M] () -- C:\AdwCleaner[s1].txt
[2009/12/29 13:59:42 | 000,002,288 | ---- | M] () -- C:\astformat.txt
[2011/09/21 23:22:22 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2011/09/26 13:14:37 | 000,000,325 | ---- | M] () -- C:\Boot.bak
[2013/01/21 21:07:50 | 000,000,441 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2013/01/22 18:13:42 | 000,020,943 | ---- | M] () -- C:\ComboFix.txt
[2011/09/21 23:22:22 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2012/04/28 10:18:00 | 000,002,160 | ---- | M] () -- C:\FixitRegBackup.reg
[2013/01/13 21:21:08 | 000,191,614 | ---- | M] () -- C:\hpfr5550.log
[2011/09/21 23:22:22 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/09/21 23:22:22 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/13 22:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 00:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2013/01/25 12:03:14 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2011/09/26 15:46:17 | 006,532,926 | ---- | M] () -- C:\SP.Windows.Data.Recovery.4.1.0.1.zip
< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\erdnt\cache\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe
[2008/04/29 10:42:08 | 000,090,624 | ---- | M] () MD5=FBB39A4487E11F64DCFFD36AEC2D2216 -- C:\Program Files\CheckPoint\ZAForceField\Heuristics\explorer.exe
< MD5 for: SERVICES.EXE >
[2009/02/06 06:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/14 05:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\erdnt\cache\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
< MD5 for: USERINIT.EXE >
[2003/07/16 11:43:14 | 000,010,077 | ---- | M] () MD5=630E0B5DBAD11EC3F9DA477D628031AC -- C:\WINDOWS\system32\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\erdnt\cache\userinit.exe
< MD5 for: WINLOGON.EXE >
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\erdnt\cache\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe
[2008/07/01 08:17:12 | 000,090,624 | ---- | M] () MD5=FBB39A4487E11F64DCFFD36AEC2D2216 -- C:\Program Files\CheckPoint\ZAForceField\Heuristics\winlogon.exe
========== Alternate Data Streams ==========
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Dell_Admin\Desktop\SecurityCheck.exe:SummaryInformation
< End of report >
---------------------------------------------------------------------------------------------------------------
-earwicker
-
Mr. C,
Yes, I tried System Restore initially and everyday since then, every way I could think of to get to it. I do not have System Restore. The virus took care of that very effectively.
-earwicker
-
Mr. C,
I was able to find the two files on the XP Installation disc: USERINIT.EX_ and USER32.DL_. I renamed them to .exe and .dll, and tried to move them over to c:\windows\system32. I copied the infected files first to retain a copy of them. I then copied userinit.exe to the computer. Looked OK, new file copied. I then tried to copy user32.dll, and couldn't -" in use by another program or user. "
With only the one system file copied, I rebooted. Maybe this wasn't a good idea, because now I'm not able to get a desktop anymore. Only the cursor on a blank desktop. I think this computer is circling the drain... if not already there.
-earwicker
-
Mr.C,
This is a very persistent virus that I have on my computer. I'm seeing the same behavior now as I did when it first began.
If I try to boot in Safe Mode or Safe Mode with Networking, I get a blue screen of death and text like this:
"A problem has been detected ... Windows has been shut down. Check for viruses on your computer
Tech info:
Stop: 0x0000007B
If I get into Safe Mode (via the backdoor through 'Directory Restore Services) I see the exact same behavior that I see when I boot normally.
* No System Restore // just flashes and dies
* No cmd prompt // just flashes and dies
* No task mgr // just flashes and dies
* SecurityCheck.exe won't run (although others like OTL, ComboFix will)
* No DVD drives, although they're present in My Computer.
Let me know what you think and what (if anything) there is to do next.
And thanks again for helping me with this SOB virus...
-earwicker
-
Mr. C,
This is funny. All the other .exe's ran, but SecurityCheck won't. It just flashes for an instant and dies, like command prompts.
I don't know if rebooting is required or not ?
After this post, I'm going to call it quits for the day. Thanks for all your work today.
--earwicker
-
Mr.C
Here it is:
-----------------------------------------------------------------------------------------------------------
# AdwCleaner v2.107 - Logfile created 01/22/2013 at 20:53:16
# Updated 21/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Dell_Admin - PC1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Dell_Admin\Desktop\adwcleaner.exe
# Option [Delete]
***** [services] *****
***** [Files / Folders] *****
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Dell_Admin\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\ZoneAlarm_Security_Suite
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Freeze.com
Folder Deleted : C:\Program Files\ZoneAlarm_Security_Suite
***** [Registry] *****
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\ZoneAlarm_Security_Suite
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\BabylonToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7E8A36EA-2501-4ED3-A3C8-CFA9143FB169}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\Toolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.BandObject
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.BandObject.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3015261
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3196716
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6857AC4A-95B4-4E2C-B2D2-8A235FCCEF4A}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{864357B0-6560-4B5B-A845-E456A2D3ACB6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4A81447-0874-4B6B-981C-06BBEF215D0A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\StartNow Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\StartNow Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm_Security_Suite Toolbar
Key Deleted : HKLM\Software\ZoneAlarm_Security_Suite
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]
***** [internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[OK] Registry is clean.
-\\ Google Chrome v24.0.1312.52
File : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [5664 octets] - [22/01/2013 20:20:39]
AdwCleaner[R2].txt - [5724 octets] - [22/01/2013 20:39:57]
AdwCleaner[s1].txt - [5465 octets] - [22/01/2013 20:53:16]
########## EOF - C:\AdwCleaner[s1].txt - [5525 octets] ##########
-
Mr. C.,
Yes, I have the XP Reinstallation CD. But as of now, have no way to run it because the drives are dead.
Are the files to be deleted the ones in Files/Folders ?
If so, I don't recognize any of these except for ZoneAlarm_Security_Suite. I run ZA firewall. That would be interesting if it was infected.
You can delete any/all of those files.
-------------------------------------------------------------------------------------------------------------
# AdwCleaner v2.107 - Logfile created 01/22/2013 at 20:20:39
# Updated 21/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Dell_Admin - PC1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Dell_Admin\Desktop\adwcleaner.exe
# Option [search]
***** [services] *****
***** [Files / Folders] *****
Folder Found : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Found : C:\Documents and Settings\Dell_Admin\Application Data\Babylon
Folder Found : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Babylon
Folder Found : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\ZoneAlarm_Security_Suite
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Program Files\Freeze.com
Folder Found : C:\Program Files\ZoneAlarm_Security_Suite
***** [Registry] *****
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\ZoneAlarm_Security_Suite
Key Found : HKCU\Toolbar
Key Found : HKLM\Software\Babylon
Key Found : HKLM\Software\BabylonToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{7E8A36EA-2501-4ED3-A3C8-CFA9143FB169}
Key Found : HKLM\SOFTWARE\Classes\AppID\Toolbar.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}
Key Found : HKLM\SOFTWARE\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\Toolbar.BandObject
Key Found : HKLM\SOFTWARE\Classes\Toolbar.BandObject.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3015261
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3196716
Key Found : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject
Key Found : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6857AC4A-95B4-4E2C-B2D2-8A235FCCEF4A}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{864357B0-6560-4B5B-A845-E456A2D3ACB6}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4A81447-0874-4B6B-981C-06BBEF215D0A}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\StartNow Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B467979-AA47-4B8F-BDC7-94F9AAA473E3}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\StartNow Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm_Security_Suite Toolbar
Key Found : HKLM\Software\ZoneAlarm_Security_Suite
Key Found : HKU\S-1-5-21-1659004503-448539723-1177238915-1003\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKU\S-1-5-21-1659004503-448539723-1177238915-1003\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}]
***** [internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[OK] Registry is clean.
-\\ Google Chrome v24.0.1312.52
File : C:\Documents and Settings\Dell_Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [5535 octets] - [22/01/2013 20:20:39]
########## EOF - C:\AdwCleaner[R1].txt - [5595 octets] ##########
------------------------------------------------------------------------------------------------------------
Regards,
-earwicker
-
-
Mr. C,
Here is the file
________________________________
ComboFix 13-01-21.04 - Dell_Admin 01/22/2013 8:23.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2666 [GMT -5:00]
Running from: c:\documents and settings\Dell_Admin\Desktop\NoMbr.exe
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Internet Security 2012 *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{F232C87C-6E92-4775-8210-DFE90B7777D9}\PostBuild.exe
c:\documents and settings\Dell_Admin\Application Data\PriceGong
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\17781.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\4436.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Dell_Admin\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Dell_Admin\My Documents\ShopToWin
c:\documents and settings\Dell_Admin\Recent\Thumbs.db
c:\windows\system32\roboot.exe
c:\windows\system32\SET6D.tmp
c:\windows\system32\SET6F.tmp
c:\windows\system32\SET7D.tmp
c:\windows\system32\Thumbs.db
.
c:\windows\system32\userinit.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_Updater_Service_for_StartNow_Toolbar
-------\Service_Updater Service for StartNow Toolbar
.
.
((((((((((((((((((((((((( Files Created from 2012-12-22 to 2013-01-22 )))))))))))))))))))))))))))))))
.
.
2013-01-22 13:03 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E2448568-D689-4F4D-A1E5-505D9097AD89}\mpengine.dll
2013-01-22 01:48 . 2013-01-22 01:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2013-01-22 00:57 . 2013-01-22 00:57 -------- d-----w- C:\_OTL
2013-01-21 01:28 . 2012-05-25 17:14 42864 ----a-w- c:\windows\system32\sbbd.exe
2013-01-21 01:28 . 2012-05-25 17:14 101112 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2013-01-21 01:28 . 2013-01-21 22:37 -------- d-----w- C:\VIPRERESCUE
2013-01-14 15:11 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-11 22:42 . 2013-01-11 22:42 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2013-01-11 22:42 . 2013-01-11 22:42 -------- d-----w- c:\program files\LSoft Technologies
2012-12-30 23:44 . 2008-04-14 03:14 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2012-12-24 14:00 . 2012-12-24 14:00 -------- d-----w- c:\program files\RealNetworks
2012-12-24 14:00 . 2012-12-24 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\RealNetworks
2012-12-24 13:59 . 2012-12-24 13:59 -------- d-----w- c:\program files\Common Files\xing shared
2012-12-24 13:58 . 2012-12-24 13:58 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-12-24 13:58 . 2012-12-24 13:58 348160 ----a-w- c:\windows\system32\msvcr71.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-08 19:35 . 2012-04-03 15:44 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-08 19:35 . 2011-09-22 04:32 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2008-04-14 10:39 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2008-04-14 06:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2008-04-14 10:42 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02 . 2008-04-14 10:41 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2008-04-14 10:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 12:17 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2008-04-14 10:41 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 00:35 . 2008-04-14 05:07 385024 ------w- c:\windows\system32\html.iec
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . 32FB41BB1AB85901858082FA9CA4AC7C . 610816 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . 32FB41BB1AB85901858082FA9CA4AC7C . 610816 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{3ce45c4f-bfff-4988-9a3c-a75c1f491319}"= "c:\program files\ZoneAlarm_Security_Suite\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}]
2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security_Suite\prxtbZon0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3ce45c4f-bfff-4988-9a3c-a75c1f491319}"= "c:\program files\ZoneAlarm_Security_Suite\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3CE45C4F-BFFF-4988-9A3C-A75C1F491319}"= "c:\program files\ZoneAlarm_Security_Suite\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-07-25 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-07-22 72336]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-12-24 295072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
c:\documents and settings\Dell_Admin\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2007-2-6 6379080]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/11/2013 5:42 PM 691696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [1/20/2013 8:28 PM 101112]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 6:38 PM 116608]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [7/25/2011 7:57 AM 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [7/25/2011 7:57 AM 493184]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [10/26/2011 11:07 AM 12184]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 12:07 PM 35088]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [11/29/2012 8:31 PM 38608]
S3 SRS_AE_Service;SRS Audio Essentials;c:\windows\system32\drivers\SRS_AE_i386.sys [10/6/2011 4:49 PM 404256]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-12 00:47 1606760 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 19:35]
.
2013-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-06 13:24]
.
2013-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-06 13:24]
.
2013-01-22 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 20:30]
.
2013-01-22 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 20:30]
.
2013-01-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 20:30]
.
2013-01-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-448539723-1177238915-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 20:30]
.
2013-01-02 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Software\Switch\switch.exe [2011-12-31 01:02]
.
2013-01-18 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Software\WavePad\wavepad.exe [2011-12-31 01:02]
.
2013-01-22 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2012-02-03 09:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-StartNow Toolbar - c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe
AddRemove-Windows Essentials Media Codec Pack - c:\program files\Essentials Codec Pack\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-22 18:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-448539723-1177238915-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(764)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\crypserv.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Zune\ZuneBusEnum.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\TechSmith\SnagIt 8\TSCHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2013-01-22 18:13:39 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-22 23:13
.
Pre-Run: 100,053,336,064 bytes free
.
- - End Of File - - 295A67E79BB71A96FDF7B75708C16BD8
-
MrC,
Whew! Had a scary moment there.
I Just rebooted. ComboFIx made a log. Would you like it?
-
MrC,
I was afraid you'd say that. In the previous posts, I described what I saw and followed directions. It did this after running NoMbr.exe. It was at stage 60 or something. 20 minutes later I looked and it was at the Boot screen ' No Drive 0 found, No Drive 1 found. Strike the F1 key to continue, F2 to run setup. This was in the 10:09AM post today.
I don't know what to say either. That's how I got here.
-earwicker
-
Mr. C,
Not sure what you mean by 'get out of it'.
It's trying to boot, and allows F1 to continue or F2 to run setup. The only other option I have is the on/off button.
-
I'm worried now.
-------------------------------------------------------------------------------------
No boot device available - strike the F1 key to retry boot, F2 for setup utility
-----------------------------------------------------------------------------------
I retry with F1 and get the same. Is F2 is the only option left??
-
MrC,
NoMbr.exe was running fine, large number of stages. When I checked 20 minutes later, the computer was trying to reboot....
----------------------
Drive 0 not found
Drive 1 not found:
Strike the F1 key to continue, F2 to run setup...
Regards,
-
Mr. C,
It's been several hours and ComboFix seems to be stalled out. After completeing Stage 4, the cursor is blinking on next line ....
Since I don't have task mgr, no way to know what's going on ??
The scan couldn't really be taking this long, could it ?? I'll let it run until I receive further instructions.
Another FBI Virus Help Request
in Resolved Malware Removal Logs
Posted
Mr. C.,
OK, Java and Adobe Reader are updated.
Anything else?
-earwicker