Jump to content

BeefEater

Members
  • Posts

    3
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Great!! Thanks very much for your help. I will go ahead with the reformatting now. I have managed to backup the users documents (carefully selecting only the stuff I know is safe) to be restored to the new profile after reinstall. Could you please post the name of the rootkit for my reference? Thanks, Beefeater
  2. Hi Kahdah, Thanks for helping. Here's an update of what I have tried so far and some more information, including the contents of OTL.txt: I booted the system using my own winpe 3.0 flash disk and tried to install mbam and avg free9.0 to use the command line scanner options, both failed. Mbam gets an error saying a dll is missing and to try re-installing, which i did to no avail. It appears the install file I downloaded from AVG is just a downloader, so when I run it from the PE environment it just hangs trying to download the install files, so I gave up. In restarting the machine I got some more specific information about the blue screen error: Multiple_IPR_Complete_Requests Stop Error Code: 0x00000044 (0x8A746030, 0x000000D64, 0x00000000, 0x00000000) Did some research on this and microsoft says this is either related to a driver trying to complete an IPR request multiple times, indicating possibly a bad driver OR: An issue with the novel client on the xp machine (I don't think novell is installed but it might be, I am currently unaware of how to check this from a WinPE environment Another suggestion was to run the Windows Memory Diagnostic. I did this and it successfully completed one pass, so I think the hardware is ok. Additionally, I think that while it may indeed be a driver issue, I suspect that the issue is from some malicious software my user inadvertently ran from an email. The user informed me he was opening and emails to mark them as read, then turned away for a few minutes. When he went to use the computer again, he had the BSOD. (Yes i know this isn't a real good way of marking messages as read, and I have informed him to take more care with his email in the future.) Finally, after having completed all that, I checked this forum and got your response, so I performed your steps and have copied the otl log to a flash drive, please find the output below: OTL logfile created on: 6/4/2010 12:01:57 PM - Run OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM Internet Explorer (Version = 8.0.6001.18702) Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy 2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free 2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 232.76 Gb Total Space | 211.11 Gb Free Space | 90.70% Space Free | Partition Type: NTFS Drive D: | 1007.56 Mb Total Space | 524.36 Mb Free Space | 52.04% Space Free | Partition Type: FAT32 E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS Computer Name: REATOGO Current User Name: SYSTEM Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard Using ControlSet: ControlSet001 ========== Win32 Services (SafeList) ========== SRV - [2010/03/18 06:29:12 | 001,353,968 | ---- | M] (Trend Micro Inc.) [Auto] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe -- (tmlisten) SRV - [2010/02/26 04:04:02 | 001,312,040 | ---- | M] (Trend Micro Inc.) [Auto] -- C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe -- (ntrtscan) SRV - [2009/07/15 20:37:18 | 000,689,416 | ---- | M] (Trend Micro Inc.) [On_Demand] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe -- (TmProxy) SRV - [2009/06/21 06:35:00 | 000,341,256 | ---- | M] (Trend Micro Inc.) [On_Demand] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer) SRV - [2006/03/17 18:25:16 | 000,065,536 | ---- | M] (Broadcom Corporation) [Auto] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand] -- -- (WDICA) DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME) DRV - File not found [Kernel | On_Demand] -- -- (PDRELI) DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME) DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP) DRV - File not found [Kernel | System] -- -- (PCIDump) DRV - File not found [Kernel | System] -- -- (lbrtfdc) DRV - File not found [Kernel | System] -- -- (Changer) DRV - File not found [Kernel | On_Demand] -- -- ({223C4FDD-967A-458C-975CB68E4B828FCC}) DRV - [2009/12/04 19:39:06 | 000,230,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys -- (TmFilter) DRV - [2009/12/04 19:38:18 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmpreflt.sys -- (TmPreFilter) DRV - [2009/12/04 19:05:06 | 001,322,680 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\Program Files\Trend Micro\Client Server Security Agent\vsapiNT.sys -- (VSApiNt) DRV - [2009/07/15 13:37:40 | 000,089,872 | ---- | M] (Trend Micro Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi) DRV - [2009/07/06 10:11:12 | 000,158,224 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm) DRV - [2009/05/07 19:04:54 | 000,052,752 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon) DRV - [2009/05/07 19:04:52 | 000,050,192 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr) DRV - [2008/04/13 14:40:48 | 000,011,392 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\Sfloppy.sys.bak -- (Sfloppy) DRV - [2008/04/13 14:40:30 | 000,096,512 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\atapi.sys -- (atapi) DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp) DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp) DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus) DRV - [2008/02/27 16:49:00 | 000,003,840 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt) DRV - [2006/08/28 03:28:56 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k) DRV - [2006/07/05 15:08:28 | 000,241,152 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService) DRV - [2006/06/07 16:08:58 | 001,580,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2006/03/17 18:18:58 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService) DRV - [2006/01/10 12:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand] -- C:\Program Files\Dell Support\GTAction\triggers\dsproct.sys -- (DSproct) DRV - [2004/08/03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv) DRV - [2003/04/24 17:21:50 | 000,006,025 | ---- | M] (Broadcom Corporation) [Kernel | Auto] -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND) DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow) DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3) DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi) DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx) DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810) DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra) DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160) DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080) DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280) DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k) DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x) DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc) DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550) DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde) DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie IE - HKLM\Software\Microsoft\Internet Explorer\Search,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\Admin.CJP_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\Admin.CJP_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row-rel/e...html?channel=ca IE - HKU\Admin.CJP_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google IE - HKU\Admin.CJP_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8 IE - HKU\Admin.CJP_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ IE - HKU\Admin.CJP_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\Admin_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\Admin_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row-rel/e...html?channel=ca IE - HKU\Admin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\Admin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.ca.dell.com/content/default.as...;l=en&s=gen IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row-rel/e...html?channel=ca IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\dthompson_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\dthompson_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.ca.dell.com/content/default.as...;l=en&s=gen IE - HKU\dthompson_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row-rel/e...html?channel=ca IE - HKU\dthompson_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\dthompson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\fcapati_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\fcapati_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.ca.dell.com/content/default.as...;l=en&s=gen IE - HKU\fcapati_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row-rel/e...html?channel=ca IE - HKU\fcapati_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\fcapati_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\glin_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\glin_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.ca.dell.com/content/default.as...;l=en&s=gen IE - HKU\glin_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row-rel/e...html?channel=ca IE - HKU\glin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\glin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\jbarrett_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com IE - HKU\jbarrett_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com IE - HKU\jbarrett_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google IE - HKU\jbarrett_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8 IE - HKU\jbarrett_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.alot.com/?client_id=095012F001...rsion=2.4.4.412 IE - HKU\jbarrett_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie IE - HKU\jbarrett_ON_C\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found IE - HKU\jbarrett_ON_C\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found IE - HKU\jbarrett_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\kyip_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ IE - HKU\kyip_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com IE - HKU\kyip_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/ IE - HKU\kyip_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\lgrymaloski_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\lgrymaloski_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.ca.dell.com/content/default.as...;l=en&s=gen IE - HKU\lgrymaloski_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row-rel/e...html?channel=ca IE - HKU\lgrymaloski_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070621 IE - HKU\lgrymaloski_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\software\mozilla\Firefox\extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\Client Server Security Agent\bho\1007\FirefoxExtension [2010/05/12 07:21:38 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/01 15:59:43 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/15 20:56:33 | 000,000,000 | ---D | M] [2010/04/29 23:55:20 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2010/01/15 20:56:39 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2010/01/15 20:56:29 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\google-cjk@partners.mozilla.com [2010/01/15 20:56:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org [2006/12/12 23:12:30 | 000,066,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll [2006/12/12 23:12:31 | 000,054,352 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll [2006/12/12 23:12:32 | 000,034,928 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll [2006/12/12 23:12:33 | 000,046,696 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll [2006/12/12 23:12:34 | 000,172,120 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (ALOT Toolbar BHO) - {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - C:\Program Files\alot\bin\alot.dll (Miva) O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\Client Server Security Agent\bho\1007\TmIEPlg.dll (Trend Micro Inc.) O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.) O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.) O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O3 - HKLM\..\Toolbar: (ALOT Toolbar) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (Miva) O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No CLSID value found. O3 - HKU\Admin.CJP_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O3 - HKU\dthompson_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O3 - HKU\fcapati_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O3 - HKU\jbarrett_ON_C\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O3 - HKU\jbarrett_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O3 - HKU\kyip_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.) O4 - HKLM..\Run: [KernelFaultCheck] File not found O4 - HKLM..\Run: [OE] C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.) O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe (Trend Micro Inc.) O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.) O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.) O4 - HKU\Admin.CJP_ON_C..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) O4 - HKU\Admin.CJP_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) O4 - HKU\Admin_ON_C..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) O4 - HKU\Administrator_ON_C..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) O4 - HKU\dthompson_ON_C..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) O4 - HKU\dthompson_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) O4 - HKU\fcapati_ON_C..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) O4 - HKU\fcapati_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) O4 - HKU\glin_ON_C..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) O4 - HKU\jbarrett_ON_C..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated) O4 - HKU\jbarrett_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) O4 - HKU\kyip_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) O4 - HKU\lgrymaloski_ON_C..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE () O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE () O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\jbarrett\Start Menu\Programs\Startup\MailWasher.lnk = C:\Program Files\MailWasher\MailWasher.exe File not found O4 - Startup: C:\Documents and Settings\jbarrett\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe () O4 - Startup: C:\Documents and Settings\jbarrett\Start Menu\Programs\Startup\scandisk.dll () O4 - Startup: C:\Documents and Settings\jbarrett\Start Menu\Programs\Startup\scandisk.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\jbarrett\Start Menu\Programs\Startup\Yuuguu.lnk = C:\Program Files\Yuuguu\yuuguu.exe () O4 - Startup: C:\Documents and Settings\kyip\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe File not found O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\Admin.CJP_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\Admin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\dthompson_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\fcapati_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\glin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\jbarrett_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\jbarrett_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Cisco Systems = C:\WINDOWS\system32\1772.exe File not found O7 - HKU\kyip_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\lgrymaloski_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} https://dellserver.cjp.local:4343/officesca...ll/WinNTChk.cab (ObjWinNTCheck Class) O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object) O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} https://dellserver.cjp.local:4343/officesca...stall/setup.cab (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} https://dellserver.cjp.local:4343/SMB/conso...root/AtxEnc.cab (Encrypt Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13) O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer) O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object) O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (PopCapLoader Object) O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} http://webmap.abbotsford.ca/webmap/AppRequirements/Acgm.cab (ActiveCGM Control) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.30.63.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cjp.local O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\pm {A479F961-CC9E-11D0-A220-000000000000} - C:\Program Files\Common Files\Repro Desk\PmProtocol.dll (Oc
  3. Good morning / afternoon, First I would like to thank everyone in advance for any assistance they can provide. I got into work this morning and had received a report that one of the computers in our office can't load windows, it fails and dumps memory, displaying a blue screen. I checked our network anti-virus logs, and sure enough, they show two infections on the computer in question. Information about the infections from Trend Micro Worry Free Business Security (sorry, they aren't all that helpful, but maybe someone knows what they are) 6/3/2010 16:07:52 TROJ_GEN.PAE291B sitlpsqc.exe C:\DOCUME~1\jbarrett\LOCALS~1\Temp\ Real-time Scan Infected file was successfully detected, no action taken on probable virus/malware 6/3/2010 16:07:52 TROJ_GEN.PAE291B oriqbjdp[1].htm C:\Documents and Settings\jbarrett\Local Settings\Temporary Internet Files\Content.IE5\M6M7NNVE\ Real-time Scan Infected file was successfully detected, no action taken on probable virus/malware I can't load to the desktop to run any anti-virus programs or malware scans, but am currently trying to install them using a winpe flash disk to boot the computer and perform some actions using the command line parameters of malware bytes and AVG Free I will post an update with my success / failure / banging head against the wall results when I have them but wanted to make a topic and perhaps see if someone else out there had any other ideas. Thanks, Beefeater
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.