
explorer.exe won't run



Hello, I recently had a virus (27th Sept 2010) whereby selecting search results in Google would take me to random sites (selling stuff). I thought I had cleared this up using Malwarebytes' Anti-Malware and Avast scans and subsequent removals.

I don't know if the problem that I now have is related; it started just after I thought I had cleared the redirect problem. When I log on now I get no desktop icons, taskbar or start menu - explorer.exe is not running, and when I try and run it from Task Manager I get "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item".

Explorer.exe does run in safe mode. I have tried restoring to a previous restore point but it fails. I have also tried creating a new user in case the profile was corrupt, but the same problem happens with the new user.

I am running Windows XP SP3. Here are my logs as requested in the Pre-HJT Post Instructions:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4823

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

14/10/2010 17:54:13

mbam-log-2010-10-14 (17-54-13).txt

Scan type: Quick scan

Objects scanned: 195177

Time elapsed: 18 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:18:18, on 14/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK

O1 - Hosts: 65.54.239.80 dp.msnmessenger.skadns.net

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [Dit] Dit.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe

O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michelle\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -update activex

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122498350531

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178816375234

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab

O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Google Update Service (gupdate1c9978fa970bc28) (gupdate1c9978fa970bc28) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--

End of file - 8320 bytes

Many thanks in advance

Michelle


Hello michellemackay

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the following:


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\system32\drivers\*.sys /90

    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

====================

Please download Rootkit Unhooker and save it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait until the scanner has finished, then go to File > Save Report
  • Save the report somewhere you can find it, typically your desktop. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


reports.txt

Hello - apologies for the delay; I didn't get a notification that you had responded to my post (I have checked spam), so I will keep a closer eye on this site from now on. Here are the outputs as requested. Regards, Michelle.

It seems the text is too long to post by copy and paste, so I have uploaded it as a file - hope this is OK. Michelle


Yes this is fine.

You have an infection that has patched some critical system files.

Before we begin: the risk of an unbootable machine is high when dealing with this infection, because we will need to replace the files that are infected.

Let me know if you have your XP disk for this machine.

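The diagnosis above (system files patched by the infection) is the kind of thing an OTL report shows as a Windows system binary whose publisher field is empty, "()", instead of "(Microsoft Corporation)"; the OTL log later in this thread has winlogon.exe and explorer.exe in exactly that state. The script below is an added example, not code from this thread or from OTL, that triages constructed lines written in OTL's report format: it assumes that an empty publisher on a core Windows binary under C:\WINDOWS means its version resource was stripped (a candidate patched file), and it also lists service or driver entries whose file is missing.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "tag path publisher missing")
Finding = namedtuple("Finding", "severity tag path reason")

# Constructed sample in OTL's report format. These are lines shaped like the ones
# in this thread's OTL log, not a copy of the attached reports.txt.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========
PRC - C:\WINDOWS\SYSTEM32\winlogon.exe ()
PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (RoxLiveShare9) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe File not found
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
========== Driver Services (SafeList) ==========
DRV - (catchme) -- C:\DOCUME~1\Michelle\LOCALS~1\Temp\catchme.sys File not found
DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()
DRV - (nv) -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\\PSDrvCheck.exe ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe ()
"""

# Core Windows binaries that OTL normally attributes to Microsoft. An empty "()"
# publisher on one of these is the assumed signature of a patched system file:
# the file's version resource is gone, so OTL cannot read a company name.
CORE_SYSTEM_BINARIES = {
    "winlogon.exe", "explorer.exe", "userinit.exe", "services.exe", "lsass.exe",
    "svchost.exe", "smss.exe", "csrss.exe", "spoolsv.exe",
}
SYSTEM_ROOT = "C:\\WINDOWS\\"   # assumption: %SystemRoot% as in the OTL header above

LINE_TAGS = ("PRC", "MOD", "SRV", "DRV", "O4", "O20")
# Every entry line ends either in "(publisher)" or in "File not found".
SUFFIX_RE = re.compile(r"\s+(?:\((?P<publisher>[^()]*)\)|(?P<missing>File not found))\s*$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def parse_otl_line(line):
    """Return an Entry for a PRC/MOD/SRV/DRV/O4/O20 line, or None for anything else."""
    tag = line.split(" ", 1)[0]
    if tag not in LINE_TAGS:
        return None
    m = SUFFIX_RE.search(line)
    if not m:
        return None
    body = line[: m.start()]
    # Use the last drive-rooted path on the line: O4 Startup lines carry two
    # (the .lnk and its target), and the target is the file that actually runs.
    starts = [d.start() for d in DRIVE_RE.finditer(body)]
    if not starts:
        return None
    path = body[starts[-1]:]
    publisher = (m.group("publisher") or "").strip()
    return Entry(tag, path, publisher, m.group("missing") is not None)


def classify(entry):
    """Apply the triage rules to one Entry; return a Finding or None if it looks normal."""
    if entry.missing:
        return Finding("info", entry.tag, entry.path,
                       "orphaned entry: registered file is missing (stale or removed component)")
    if entry.publisher:
        return None
    name = entry.path.rsplit("\\", 1)[-1].lower()
    if name in CORE_SYSTEM_BINARIES:
        return Finding("high", entry.tag, entry.path,
                       "core Windows binary with no publisher: version info stripped, possible patched file")
    if entry.path.upper().startswith(SYSTEM_ROOT) and name.endswith((".exe", ".dll", ".sys")):
        return Finding("review", entry.tag, entry.path,
                       "unattributed file under %SystemRoot%: compare its hash against a known-clean copy")
    return None


def triage(report_text):
    """Parse a whole OTL report and return the findings in report order."""
    findings = []
    for line in report_text.splitlines():
        entry = parse_otl_line(line)
        if entry is not None:
            finding = classify(entry)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.tag:4} {f.path}\n         {f.reason}")
```

The "review" tier is deliberately noisy: a legitimate third-party driver with no version resource (StarOpen.sys in the sample) lands there too, so it is a list of files to check against clean copies, not a verdict.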

Great, let's get started.

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Hi. It didn't go exactly how the instructions said it would, I hope I haven't done anything wrong.

I stopped all anti-virus and firewall. I did this by stopping the services for these in services.msc, as I have no tray icons to right-click on. When I ran ComboFix it said the Avast realtime scanner was running; I double-checked the services and all Avast services were stopped, and no Avast processes were showing as running in Task Manager. I brought up the Avast UI and all realtime scan modules were showing as not running, so I continued (hopefully this won't be my undoing).

It all seemed to follow the guide after this until after ComboFix reported that it was going to reboot the system - do not reboot manually. It took a long time for the blue box to go, and then I was just left with my wallpaper (the original problem is no icons etc.). It sat like this for about 5 minutes; I popped to the loo, and when I returned I had a blue screen with the following message:

Stop: C000021a {Fatal System Error}

The Windows Logon Process System Process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000)

The system has been shut down.

I left it like this for about 5 minutes in case ComboFix was going to kick into action and do something amazing (and I was a bit scared to do anything, as it did say not to do anything manually :lol:), but nothing happened, so I had to power off. When it restarted I searched for combofix.txt, but there isn't one.

Best Regards

Michelle


Something strange has happened - I haven't completed your latest instructions yet; I'll tell you what has happened.

Since it blue-screened after the ComboFix reboot I have turned the PC on and off twice, once on Saturday just after the blue screen and then again yesterday. The second time was to double-check ComboFix hadn't just ended silently and created the combofix.txt file you asked for. Each time I turned it on since running ComboFix I have had the same symptoms as originally stated and no other activity.

When I turned it on today to do the instructions below, my icons and taskbar appeared and a blue ComboFix box was displayed with the following message: "Preparing Log Report. Do not run any programs until ComboFix has finished".

I haven't done anything between the blue screen and now apart from turn it on and search for combofix.txt, but it appears that ComboFix has picked up from where it left off when it blue-screened on Saturday. Is this behaviour you have seen before?

Once ComboFix completed and the log output was displayed, my icons and everything disappeared again. Here is the combofix.txt output - let me know if you still want me to run the instructions below (I'm not sure if ComboFix now completing has changed things).

Best Regards

Michelle

ComboFix.txt


Here it is -

OTL logfile created on: 21/10/2010 21:47:01 - Run 2

OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Michelle\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: | Country: | Language: | Date Format:

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 111.71 Gb Total Space | 55.53 Gb Free Space | 49.70% Space Free | Partition Type: NTFS

Computer Name: BONNIE | User Name: Michelle | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Michelle\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)

PRC - C:\WINDOWS\SYSTEM32\winlogon.exe ()

PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)

PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)

PRC - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpzstc07.exe (HP)

PRC - C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Michelle\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\SYSTEM32\msscript.ocx (Microsoft Corporation)

MOD - C:\WINDOWS\SYSTEM32\framedyn.dll (Microsoft Corporation)

MOD - C:\WINDOWS\SYSTEM32\SSSensor.dll (Sygate Technologies, Inc.)

========== Win32 Services (SafeList) ==========

SRV - (RoxLiveShare9) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe File not found

SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found

SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)

SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (Maxtor Sync Service) -- C:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)

SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

SRV - (SmcService) -- C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\SYSTEM32\HPZipm12.exe (HP)

SRV - (NetSvc) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel® Corporation)

SRV - (MSSEARCH) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys File not found

DRV - (RimUsb) -- C:\WINDOWS\System32\Drivers\RimUsb.sys File not found

DRV - (PCANDIS5) -- C:\WINDOWS\System32\PCANDIS5.SYS File not found

DRV - (MRVW245) -- C:\WINDOWS\System32\DRIVERS\MRVW245.sys File not found

DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys File not found

DRV - (iAimTV2) -- C:\WINDOWS\System32\DRIVERS\wATV03nt.sys File not found

DRV - (catchme) -- C:\DOCUME~1\Michelle\LOCALS~1\Temp\catchme.sys File not found

DRV - (CardReaderFilter) -- C:\WINDOWS\SYSTEM32\DRIVERS\USBCRFT.SYS (ICSI Technology Ltd.)

DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)

DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)

DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)

DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)

DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)

DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)

DRV - (amdagp) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)

DRV - (sisagp) -- C:\WINDOWS\System32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)

DRV - (MXOPSWD) -- C:\WINDOWS\SYSTEM32\DRIVERS\mxopswd.sys (Maxtor Corp.)

DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()

DRV - (V0220Dev) -- C:\WINDOWS\SYSTEM32\DRIVERS\V0220Dev.sys (Creative Technology Ltd.)

DRV - (V0220Vfx) -- C:\WINDOWS\SYSTEM32\DRIVERS\V0220Vfx.sys (EyePower Games Pte. Ltd.)

DRV - (w800mdm) -- C:\WINDOWS\SYSTEM32\DRIVERS\w800mdm.sys (MCCI)

DRV - (w800mdfl) -- C:\WINDOWS\SYSTEM32\DRIVERS\w800mdfl.sys (MCCI)

DRV - (w800bus) Sony Ericsson W800 driver (WDM) -- C:\WINDOWS\SYSTEM32\DRIVERS\w800bus.sys (MCCI)

DRV - (PCLEPCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\Pclepci.sys (Pinnacle Systems GmbH)

DRV - (ASAPIW2K) -- C:\WINDOWS\SYSTEM32\DRIVERS\asapiW2k.sys (VOB Computersysteme GmbH)

DRV - (wg6n) -- C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys (Sygate Technologies, Inc.)

DRV - (wg5n) -- C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys (Sygate Technologies, Inc.)

DRV - (wg4n) -- C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys (Sygate Technologies, Inc.)

DRV - (wg3n) -- C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys (Sygate Technologies, Inc.)

DRV - (wpsdrvnt) -- C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys (Sygate Technologies, Inc.)

DRV - (Teefer) -- C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys (Sygate Technologies, Inc.)

DRV - (AFS2K) -- C:\WINDOWS\System32\drivers\AFS2K.SYS (Oak Technology Inc.)

DRV - (iAimFP4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys (Intel® Corporation)

DRV - (iAimFP3) -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys (Intel® Corporation)

DRV - (iAimTV4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys (Intel® Corporation)

DRV - (iAimTV3) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys (Intel® Corporation)

DRV - (iAimTV1) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys (Intel® Corporation)

DRV - (iAimTV0) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys (Intel® Corporation)

DRV - (iAimFP0) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys (Intel® Corporation)

DRV - (iAimFP1) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys (Intel® Corporation)

DRV - (iAimFP2) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys (Intel® Corporation)

DRV - (i81x) -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys (Intel® Corporation)

DRV - (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN) -- C:\WINDOWS\SYSTEM32\DRIVERS\alcan5wn.sys (THOMSON)

DRV - (alcaudsl) -- C:\WINDOWS\SYSTEM32\DRIVERS\alcaudsl.sys (THOMSON)

DRV - (nv) -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)

DRV - (tfsnudfa) -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys (Sonic Solutions)

DRV - (tfsnudf) -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys (Sonic Solutions)

DRV - (tfsnifs) -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys (Sonic Solutions)

DRV - (tfsncofs) -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys (Sonic Solutions)

DRV - (tfsnboio) -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys (Sonic Solutions)

DRV - (tfsnopio) -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys (Sonic Solutions)

DRV - (tfsnpool) -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys (Sonic Solutions)

DRV - (tfsndrct) -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys (Sonic Solutions)

DRV - (tfsndres) -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys (Sonic Solutions)

DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)

DRV - (sscdbhk5) -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys (Sonic Solutions)

DRV - (ssrtln) -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys (Sonic Solutions)

DRV - (HSFHWBS2) -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)

DRV - (winachsf) -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

DRV - (HSF_DP) -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)

DRV - (drvnddm) -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys (Sonic Solutions)

DRV - (omci) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Computer Corporation)

DRV - (Sparrow) -- C:\WINDOWS\System32\DRIVERS\sparrow.sys (Adaptec, Inc.)

DRV - (sym_u3) -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys (LSI Logic)

DRV - (sym_hi) -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys (LSI Logic)

DRV - (symc8xx) -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys (LSI Logic)

DRV - (symc810) -- C:\WINDOWS\System32\DRIVERS\symc810.sys (Symbios Logic Inc.)

DRV - (ultra) -- C:\WINDOWS\System32\DRIVERS\ultra.sys (Promise Technology, Inc.)

DRV - (ql12160) -- C:\WINDOWS\System32\DRIVERS\ql12160.sys (QLogic Corporation)

DRV - (ql1080) -- C:\WINDOWS\System32\DRIVERS\ql1080.sys (QLogic Corporation)

DRV - (ql1280) -- C:\WINDOWS\System32\DRIVERS\ql1280.sys (QLogic Corporation)

DRV - (dac2w2k) -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys (Mylex Corporation)

DRV - (mraid35x) -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys (American Megatrends Inc.)

DRV - (asc) -- C:\WINDOWS\System32\DRIVERS\asc.sys (Advanced System Products, Inc.)

DRV - (asc3550) -- C:\WINDOWS\System32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)

DRV - (AliIde) -- C:\WINDOWS\System32\DRIVERS\aliide.sys (Acer Laboratories Inc.)

DRV - (CmdIde) -- C:\WINDOWS\System32\DRIVERS\cmdide.sys (CMD Technology, Inc.)

DRV - (EL90XBC) -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS (3Com Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

O1 HOSTS File: ([2010/10/19 22:32:21 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - No CLSID value found.

O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)

O4 - HKLM..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe (Creative Technology Ltd.)

O4 - HKLM..\Run: [Dit] C:\WINDOWS\Dit.exe (ICSI Technology Ltd.)

O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\\PSDrvCheck.exe ()

O4 - HKLM..\Run: [smcService] C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)

O4 - HKLM..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\HOMERunner.exe (TomTom)

O4 - HKLM..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe (Creative Technology Ltd.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10h_ActiveX.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKCU\..Trusted Domains: applabs.com ([time] https in Trusted sites)

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab (VerifyGMN Class)

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1122498350531 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1178816375234 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab (FlashXControl Object)

O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab (Flash Casino Helper Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe ()

O24 - Desktop WallPaper: C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/10/11 10:07:41 | 000,000,095 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/10/17 21:59:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp

[2010/10/17 21:50:49 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/10/17 21:46:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/10/17 21:46:20 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/10/17 21:46:20 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/10/17 21:46:20 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/10/17 21:46:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/10/17 21:29:28 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/10/16 11:18:23 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Michelle\Desktop\OTL.exe

[2010/10/14 18:08:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Michelle\PrivacIE

[2010/10/14 17:24:47 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Michelle\IETldCache

[2010/10/14 16:52:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates

[2010/10/14 16:49:04 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8

[2010/10/14 16:40:35 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll

[2010/10/14 13:34:04 | 000,000,000 | ---D | C] -- C:\Config.Msi

[2010/10/14 12:54:18 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll

[2010/10/14 12:54:18 | 000,954,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40.dll

[2010/10/14 12:54:18 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll

[2010/10/14 12:54:07 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll

[2010/09/28 16:28:24 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/09/28 11:07:01 | 000,165,584 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys

[2010/09/28 11:07:01 | 000,017,744 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys

[2010/09/28 11:06:57 | 000,023,376 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys

[2010/09/28 11:06:55 | 000,046,672 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys

[2010/09/28 11:06:52 | 000,100,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys

[2010/09/28 11:06:52 | 000,094,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys

[2010/09/28 11:06:52 | 000,028,880 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys

[2010/09/28 11:06:35 | 000,167,592 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe

[2010/09/28 11:06:35 | 000,038,848 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr

[2010/09/28 11:06:25 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software

[2010/09/28 11:06:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software

[2010/09/28 10:55:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Application Data\WinPatrol

[2010/09/28 10:55:38 | 000,000,000 | ---D | C] -- C:\Program Files\BillP Studios

[2010/09/27 16:34:44 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/09/27 15:47:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Local Settings\Application Data\Sunbelt Software

[2010/09/27 15:43:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft

[2010/09/27 14:45:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Application Data\Malwarebytes

[2010/09/27 14:44:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/09/27 14:44:31 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/09/27 14:44:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/09/27 14:44:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/09/27 08:59:21 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/21 20:59:02 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/10/21 20:56:00 | 000,000,988 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2142830369-2160077652-1691362497-1006UA.job

[2010/10/21 20:28:04 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/10/21 20:14:36 | 000,000,520 | ---- | M] () -- C:\hpfr3420.xml

[2010/10/21 20:08:25 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL

[2010/10/21 20:08:18 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/10/21 20:07:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT

[2010/10/21 20:07:30 | 1609,633,792 | -HS- | M] () -- C:\hiberfil.sys

[2010/10/19 22:44:12 | 000,013,568 | ---- | M] (ICSI Technology Ltd.) -- C:\WINDOWS\System32\drivers\USBCRFT.SYS

[2010/10/19 22:32:45 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Michelle\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2010/10/19 22:32:21 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts

[2010/10/18 21:56:00 | 000,000,936 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2142830369-2160077652-1691362497-1006Core.job

[2010/10/17 21:50:55 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI

[2010/10/17 20:43:34 | 003,879,251 | R--- | M] () -- C:\Documents and Settings\Michelle\Desktop\ComboFix.exe

[2010/10/17 07:57:25 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/10/16 11:20:40 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Michelle\Desktop\RKUnhookerLE.EXE

[2010/10/16 11:15:48 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michelle\Desktop\OTL.exe

[2010/10/14 20:21:44 | 000,270,672 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/10/14 17:41:01 | 000,000,211 | ---- | M] () -- C:\Boot.bak

[2010/10/10 20:06:03 | 000,480,240 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT

[2010/10/10 20:06:03 | 000,085,402 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT

[2010/10/01 16:03:34 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk

[2010/09/28 21:53:53 | 000,002,309 | ---- | M] () -- C:\Documents and Settings\Michelle\Desktop\Google Chrome.lnk

[2010/09/28 21:53:53 | 000,002,287 | ---- | M] () -- C:\Documents and Settings\Michelle\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2010/09/28 16:28:24 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Michelle\Desktop\HijackThis.lnk

[2010/09/28 11:07:02 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk

[2010/09/28 11:06:53 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT

[2010/09/27 16:34:42 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/09/27 16:16:52 | 000,000,912 | ---- | M] () -- C:\Documents and Settings\Michelle\My Documents\My Sharing Folders.lnk

[2010/09/27 14:44:47 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Michelle\My Documents\Accounts.xls

[2010/09/27 14:44:35 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/09/26 22:11:23 | 000,046,080 | ---- | M] () -- C:\Documents and Settings\Michelle\My Documents\Motnhly Bills.xls

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/17 21:50:55 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/10/17 21:50:52 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2010/10/17 21:46:20 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/10/17 21:46:20 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/10/17 21:46:20 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/10/17 21:46:20 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/10/17 21:46:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/10/17 21:29:04 | 003,879,251 | R--- | C] () -- C:\Documents and Settings\Michelle\Desktop\ComboFix.exe

[2010/10/16 11:22:00 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Michelle\Desktop\RKUnhookerLE.EXE

[2010/10/14 17:02:35 | 1609,633,792 | -HS- | C] () -- C:\hiberfil.sys

[2010/10/01 16:03:34 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk

[2010/09/28 21:53:53 | 000,002,309 | ---- | C] () -- C:\Documents and Settings\Michelle\Desktop\Google Chrome.lnk

[2010/09/28 21:53:53 | 000,002,287 | ---- | C] () -- C:\Documents and Settings\Michelle\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2010/09/28 21:51:47 | 000,000,988 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2142830369-2160077652-1691362497-1006UA.job

[2010/09/28 21:51:46 | 000,000,936 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2142830369-2160077652-1691362497-1006Core.job

[2010/09/28 16:28:24 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Michelle\Desktop\HijackThis.lnk

[2010/09/28 11:07:02 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk

[2010/09/27 14:44:35 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2008/10/12 15:57:46 | 000,000,019 | ---- | C] () -- C:\WINDOWS\SoundConverter.INI

[2007/12/27 14:26:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LauncherAccess.dt

[2007/12/27 14:24:57 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys

[2007/10/12 18:15:42 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\SSLInsert.dll

[2007/04/26 11:46:58 | 000,278,528 | ---- | C] () -- C:\Program Files\Common Files\FDEUnInstaller.exe

[2007/02/07 18:36:16 | 000,000,120 | ---- | C] () -- C:\WINDOWS\PbkUser.INI

[2006/11/22 00:12:41 | 000,010,856 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys

[2006/10/11 10:12:37 | 000,194,248 | ---- | C] () -- C:\WINDOWS\System32\LTRFD13n.DLL

[2006/10/11 10:07:41 | 000,001,208 | ---- | C] () -- C:\WINDOWS\VFO.INI

[2006/10/11 10:07:40 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\macd32.dll

[2006/10/11 10:07:40 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll

[2006/10/11 10:07:40 | 000,136,192 | ---- | C] () -- C:\WINDOWS\System32\mamc32.dll

[2006/10/11 10:07:40 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\masd32.dll

[2006/10/11 10:07:40 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll

[2006/05/11 14:10:25 | 000,000,260 | R--- | C] () -- C:\WINDOWS\Dit.INI

[2006/02/26 19:44:58 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI

[2006/02/20 22:48:57 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini

[2006/01/11 18:17:26 | 000,037,376 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2005/10/22 20:09:20 | 000,007,207 | R--- | C] () -- C:\WINDOWS\Disktool.INI

[2005/10/22 20:09:20 | 000,006,399 | R--- | C] () -- C:\WINDOWS\fwupgrade.ini

[2005/10/22 20:09:20 | 000,003,677 | R--- | C] () -- C:\WINDOWS\PlaySnd.INI

[2005/10/17 22:25:02 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2005/07/29 19:38:24 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll

[2005/07/27 23:38:36 | 000,001,699 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI

[2005/06/15 19:32:56 | 000,005,606 | ---- | C] () -- C:\WINDOWS\System32\stci.dll

[2005/05/02 17:30:15 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\fusioncache.dat

[2004/10/15 18:31:56 | 000,218,264 | ---- | C] () -- C:\WINDOWS\System32\SetAid.dll

[2004/01/31 12:07:28 | 000,000,652 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2004/01/15 10:04:20 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PMK_setup.ini

[2004/01/14 22:07:05 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini

[2004/01/09 00:45:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2004/01/09 00:38:22 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2004/01/09 00:35:09 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/01/09 00:20:42 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2004/01/09 00:09:46 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2003/08/13 23:54:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2003/03/09 05:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll

[2002/09/03 09:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[1996/11/21 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL

[1996/11/21 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL

[1996/11/21 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Custom Scans ==========

< MD5 for: EXPLORER.EXE >

[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe

[2007/06/13 12:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

[2007/06/13 11:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

[2004/08/04 08:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

[2004/08/04 08:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe

[2008/04/14 01:12:19 | 001,033,728 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\explorer.exe

< MD5 for: WINLOGON.EXE >

[2004/08/04 08:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

[2004/08/04 08:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\winlogon.exe

[2002/08/29 06:00:00 | 000,516,608 | ---- | M] (Microsoft Corporation) MD5=2246D8D8F4714A2CEDB21AB9B1849ABB -- C:\I386\WINLOGON.EXE

[2008/04/14 01:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

[2008/04/14 01:12:39 | 000,507,904 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\SYSTEM32\winlogon.exe

< >

< >

< End of report >


Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :Files
    C:\WINDOWS\explorer.exe|C:\WINDOWS\ServicePackFiles\i386\explorer.exe /replace
    C:\WINDOWS\SYSTEM32\winlogon.exe|C:\WINDOWS\ServicePackFiles\i386\winlogon.exe /replace

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.


As soon as I clicked Run Fix, the PC blue-screened with the following message:

Stop: C000021a {Fatal System Error}

The Windows Logon Process System Process terminated unexpectedly with a status of 0x00000001 (0x00000000 0x00000000)

The system has been shut down.

When I powered off and on again my PC started normally and I had icons, taskbar etc., but I don't think OTL has created a log file. I have OTL.txt on the desktop, but it's the log file that was created on 21st October.

A further restart takes me to my original icon-less problem.

Best Regards

Michelle


OK, let's do it a different way then.

===============First===============

Please go to Start > Run, type in cmd, then hit the OK button.

In the black box that comes up, please copy the text in bold below into the command prompt window and hit Enter.

copy /y "C:\WINDOWS\ServicePackFiles\i386\explorer.exe" C:\

copy /y "C:\WINDOWS\ServicePackFiles\i386\winlogon.exe" C:\

If it works correctly you will see a file(s) copied message.

If you do not see that message then DO NOT PROCEED but rather stop and alert me to it.

===============Second===============

If you do see the file(s) copied messages then do the following.

1. Please download The Avenger2 by Swandog46 to your Desktop.

  • Right-click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\explorer.exe | C:\Windows\explorer.exe
C:\winlogon.exe | C:\WINDOWS\SYSTEM32\winlogon.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right-click on the window under "Input script here:" and select Paste.
  • You can also paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.


Here is the Avenger.txt

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\Windows\explorer.exe" is whitelisted

File move operation "C:\explorer.exe|C:\Windows\explorer.exe" failed!

Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Error: file "C:\WINDOWS\SYSTEM32\winlogon.exe" is whitelisted

File move operation "C:\winlogon.exe|C:\WINDOWS\SYSTEM32\winlogon.exe" failed!

Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Completed script processing.

*******************

Finished! Terminate.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And here is the OTL.txt

OTL logfile created on: 25/10/2010 22:15:20 - Run 3

OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Michelle\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: | Country: | Language: | Date Format:

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 111.71 Gb Total Space | 55.39 Gb Free Space | 49.58% Space Free | Partition Type: NTFS

Drive F: | 249.49 Mb Total Space | 97.78 Mb Free Space | 39.19% Space Free | Partition Type: FAT

Computer Name: BONNIE | User Name: Michelle | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Michelle\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)

PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe (Maxtor Corporation)

PRC - C:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\TomTom HOME 2\HOMERunner.exe (TomTom)

PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)

PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe (Creative Technology Ltd.)

PRC - C:\WINDOWS\V0220Mon.exe (Creative Technology Ltd.)

PRC - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

PRC - C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)

PRC - C:\WINDOWS\Dit.exe (ICSI Technology Ltd.)

PRC - C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

PRC - C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Michelle\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\SYSTEM32\msscript.ocx (Microsoft Corporation)

MOD - C:\WINDOWS\SYSTEM32\framedyn.dll (Microsoft Corporation)

MOD - C:\WINDOWS\SYSTEM32\SSSensor.dll (Sygate Technologies, Inc.)

========== Win32 Services (SafeList) ==========

SRV - (RoxLiveShare9) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe File not found

SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found

SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)

SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (Maxtor Sync Service) -- C:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)

SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

SRV - (SmcService) -- C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\SYSTEM32\HPZipm12.exe (HP)

SRV - (NetSvc) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel® Corporation)

SRV - (MSSEARCH) -- C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys File not found

DRV - (RimUsb) -- C:\WINDOWS\System32\Drivers\RimUsb.sys File not found

DRV - (PCANDIS5) -- C:\WINDOWS\System32\PCANDIS5.SYS File not found

DRV - (MRVW245) -- C:\WINDOWS\System32\DRIVERS\MRVW245.sys File not found

DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys File not found

DRV - (iAimTV2) -- C:\WINDOWS\System32\DRIVERS\wATV03nt.sys File not found

DRV - (catchme) -- C:\DOCUME~1\Michelle\LOCALS~1\Temp\catchme.sys File not found

DRV - (CardReaderFilter) -- C:\WINDOWS\SYSTEM32\DRIVERS\USBCRFT.SYS (ICSI Technology Ltd.)

DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)

DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)

DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)

DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)

DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)

DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)

DRV - (amdagp) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)

DRV - (sisagp) -- C:\WINDOWS\System32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)

DRV - (MXOPSWD) -- C:\WINDOWS\SYSTEM32\DRIVERS\mxopswd.sys (Maxtor Corp.)

DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()

DRV - (V0220Dev) -- C:\WINDOWS\SYSTEM32\DRIVERS\V0220Dev.sys (Creative Technology Ltd.)

DRV - (V0220Vfx) -- C:\WINDOWS\SYSTEM32\DRIVERS\V0220Vfx.sys (EyePower Games Pte. Ltd.)

DRV - (w800mdm) -- C:\WINDOWS\SYSTEM32\DRIVERS\w800mdm.sys (MCCI)

DRV - (w800mdfl) -- C:\WINDOWS\SYSTEM32\DRIVERS\w800mdfl.sys (MCCI)

DRV - (w800bus) Sony Ericsson W800 driver (WDM) -- C:\WINDOWS\SYSTEM32\DRIVERS\w800bus.sys (MCCI)

DRV - (PCLEPCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\Pclepci.sys (Pinnacle Systems GmbH)

DRV - (ASAPIW2K) -- C:\WINDOWS\SYSTEM32\DRIVERS\asapiW2k.sys (VOB Computersysteme GmbH)

DRV - (wg6n) -- C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys (Sygate Technologies, Inc.)

DRV - (wg5n) -- C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys (Sygate Technologies, Inc.)

DRV - (wg4n) -- C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys (Sygate Technologies, Inc.)

DRV - (wg3n) -- C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys (Sygate Technologies, Inc.)

DRV - (wpsdrvnt) -- C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys (Sygate Technologies, Inc.)

DRV - (Teefer) -- C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys (Sygate Technologies, Inc.)

DRV - (AFS2K) -- C:\WINDOWS\System32\drivers\AFS2K.SYS (Oak Technology Inc.)

DRV - (iAimFP4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys (Intel® Corporation)

DRV - (iAimFP3) -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys (Intel® Corporation)

DRV - (iAimTV4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys (Intel® Corporation)

DRV - (iAimTV3) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys (Intel® Corporation)

DRV - (iAimTV1) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys (Intel® Corporation)

DRV - (iAimTV0) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys (Intel® Corporation)

DRV - (iAimFP0) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys (Intel® Corporation)

DRV - (iAimFP1) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys (Intel® Corporation)

DRV - (iAimFP2) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys (Intel® Corporation)

DRV - (i81x) -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys (Intel® Corporation)

DRV - (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN) -- C:\WINDOWS\SYSTEM32\DRIVERS\alcan5wn.sys (THOMSON)

DRV - (alcaudsl) -- C:\WINDOWS\SYSTEM32\DRIVERS\alcaudsl.sys (THOMSON)

DRV - (nv) -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)

DRV - (tfsnudfa) -- C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys (Sonic Solutions)

DRV - (tfsnudf) -- C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys (Sonic Solutions)

DRV - (tfsnifs) -- C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys (Sonic Solutions)

DRV - (tfsncofs) -- C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys (Sonic Solutions)

DRV - (tfsnboio) -- C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys (Sonic Solutions)

DRV - (tfsnopio) -- C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys (Sonic Solutions)

DRV - (tfsnpool) -- C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys (Sonic Solutions)

DRV - (tfsndrct) -- C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys (Sonic Solutions)

DRV - (tfsndres) -- C:\WINDOWS\SYSTEM32\dla\tfsndres.sys (Sonic Solutions)

DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)

DRV - (sscdbhk5) -- C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys (Sonic Solutions)

DRV - (ssrtln) -- C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys (Sonic Solutions)

DRV - (HSFHWBS2) -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)

DRV - (winachsf) -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

DRV - (HSF_DP) -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)

DRV - (drvnddm) -- C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys (Sonic Solutions)

DRV - (omci) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Computer Corporation)

DRV - (Sparrow) -- C:\WINDOWS\System32\DRIVERS\sparrow.sys (Adaptec, Inc.)

DRV - (sym_u3) -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys (LSI Logic)

DRV - (sym_hi) -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys (LSI Logic)

DRV - (symc8xx) -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys (LSI Logic)

DRV - (symc810) -- C:\WINDOWS\System32\DRIVERS\symc810.sys (Symbios Logic Inc.)

DRV - (ultra) -- C:\WINDOWS\System32\DRIVERS\ultra.sys (Promise Technology, Inc.)

DRV - (ql12160) -- C:\WINDOWS\System32\DRIVERS\ql12160.sys (QLogic Corporation)

DRV - (ql1080) -- C:\WINDOWS\System32\DRIVERS\ql1080.sys (QLogic Corporation)

DRV - (ql1280) -- C:\WINDOWS\System32\DRIVERS\ql1280.sys (QLogic Corporation)

DRV - (dac2w2k) -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys (Mylex Corporation)

DRV - (mraid35x) -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys (American Megatrends Inc.)

DRV - (asc) -- C:\WINDOWS\System32\DRIVERS\asc.sys (Advanced System Products, Inc.)

DRV - (asc3550) -- C:\WINDOWS\System32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)

DRV - (AliIde) -- C:\WINDOWS\System32\DRIVERS\aliide.sys (Acer Laboratories Inc.)

DRV - (CmdIde) -- C:\WINDOWS\System32\DRIVERS\cmdide.sys (CMD Technology, Inc.)

DRV - (EL90XBC) -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS (3Com Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

O1 HOSTS File: ([2010/10/19 22:32:21 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - No CLSID value found.

O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)

O4 - HKLM..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe (Creative Technology Ltd.)

O4 - HKLM..\Run: [Dit] C:\WINDOWS\Dit.exe (ICSI Technology Ltd.)

O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\\PSDrvCheck.exe ()

O4 - HKLM..\Run: [smcService] C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)

O4 - HKLM..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\HOMERunner.exe (TomTom)

O4 - HKLM..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe (Creative Technology Ltd.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKCU\..Trusted Domains: applabs.com ([time] https in Trusted sites)

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab (VerifyGMN Class)

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1122498350531 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1178816375234 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab (FlashXControl Object)

O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab (Flash Casino Helper Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/10/11 10:07:41 | 000,000,095 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/10/25 22:11:41 | 000,000,000 | ---D | C] -- C:\Avenger

[2010/10/25 22:08:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Desktop\avenger

[2010/10/25 22:06:52 | 000,507,904 | ---- | C] (Microsoft Corporation) -- C:\winlogon.exe

[2010/10/25 22:06:36 | 001,033,728 | ---- | C] (Microsoft Corporation) -- C:\explorer.exe

[2010/10/24 22:01:22 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/10/17 21:59:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp

[2010/10/17 21:50:49 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/10/17 21:46:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/10/17 21:46:20 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/10/17 21:46:20 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/10/17 21:46:20 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/10/17 21:46:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/10/17 21:29:28 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/10/16 11:18:23 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Michelle\Desktop\OTL.exe

[2010/10/14 18:08:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Michelle\PrivacIE

[2010/10/14 17:24:47 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Michelle\IETldCache

[2010/10/14 16:52:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates

[2010/10/14 16:49:04 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8

[2010/10/14 16:40:35 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll

[2010/10/14 13:34:04 | 000,000,000 | ---D | C] -- C:\Config.Msi

[2010/10/14 12:54:18 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll

[2010/10/14 12:54:18 | 000,954,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40.dll

[2010/10/14 12:54:18 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll

[2010/10/14 12:54:07 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll

[2010/09/28 16:28:24 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/09/28 11:07:01 | 000,165,584 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys

[2010/09/28 11:07:01 | 000,017,744 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys

[2010/09/28 11:06:57 | 000,023,376 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys

[2010/09/28 11:06:55 | 000,046,672 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys

[2010/09/28 11:06:52 | 000,100,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys

[2010/09/28 11:06:52 | 000,094,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys

[2010/09/28 11:06:52 | 000,028,880 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys

[2010/09/28 11:06:35 | 000,167,592 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe

[2010/09/28 11:06:35 | 000,038,848 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr

[2010/09/28 11:06:25 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software

[2010/09/28 11:06:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software

[2010/09/28 10:55:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Application Data\WinPatrol

[2010/09/28 10:55:38 | 000,000,000 | ---D | C] -- C:\Program Files\BillP Studios

[2010/09/27 16:34:44 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/09/27 15:47:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Local Settings\Application Data\Sunbelt Software

[2010/09/27 15:43:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft

[2010/09/27 14:45:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Application Data\Malwarebytes

[2010/09/27 14:44:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/09/27 14:44:31 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/09/27 14:44:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/09/27 14:44:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/09/27 08:59:21 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/25 22:15:07 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/10/25 22:13:28 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL

[2010/10/25 22:12:16 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/10/25 22:12:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT

[2010/10/25 22:11:57 | 1609,633,792 | -HS- | M] () -- C:\hiberfil.sys

[2010/10/25 22:10:18 | 000,013,568 | ---- | M] (ICSI Technology Ltd.) -- C:\WINDOWS\System32\drivers\USBCRFT.SYS

[2010/10/25 22:04:44 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\Michelle\Desktop\avenger.zip

[2010/10/24 23:01:00 | 000,000,988 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2142830369-2160077652-1691362497-1006UA.job

[2010/10/24 22:59:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/10/24 19:01:00 | 000,000,936 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2142830369-2160077652-1691362497-1006Core.job

[2010/10/21 20:14:36 | 000,000,520 | ---- | M] () -- C:\hpfr3420.xml

[2010/10/19 22:32:45 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Michelle\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2010/10/19 22:32:21 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts

[2010/10/19 11:41:44 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2010/10/17 21:50:55 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI

[2010/10/17 20:43:34 | 003,879,251 | R--- | M] () -- C:\Documents and Settings\Michelle\Desktop\ComboFix.exe

[2010/10/17 07:57:25 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/10/16 11:20:40 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Michelle\Desktop\RKUnhookerLE.EXE

[2010/10/16 11:15:48 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michelle\Desktop\OTL.exe

[2010/10/14 20:21:44 | 000,270,672 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/10/14 17:41:01 | 000,000,211 | ---- | M] () -- C:\Boot.bak

[2010/10/10 20:06:03 | 000,480,240 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT

[2010/10/10 20:06:03 | 000,085,402 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT

[2010/10/01 16:03:34 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk

[2010/09/28 21:53:53 | 000,002,309 | ---- | M] () -- C:\Documents and Settings\Michelle\Desktop\Google Chrome.lnk

[2010/09/28 21:53:53 | 000,002,287 | ---- | M] () -- C:\Documents and Settings\Michelle\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2010/09/28 16:28:24 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Michelle\Desktop\HijackThis.lnk

[2010/09/28 11:07:02 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk

[2010/09/28 11:06:53 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT

[2010/09/27 16:34:42 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/09/27 16:16:52 | 000,000,912 | ---- | M] () -- C:\Documents and Settings\Michelle\My Documents\My Sharing Folders.lnk

[2010/09/27 14:44:47 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Michelle\My Documents\Accounts.xls

[2010/09/27 14:44:35 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/09/26 22:11:23 | 000,046,080 | ---- | M] () -- C:\Documents and Settings\Michelle\My Documents\Motnhly Bills.xls

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/25 22:07:44 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\Michelle\Desktop\avenger.zip

[2010/10/17 21:50:55 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/10/17 21:50:52 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2010/10/17 21:46:20 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/10/17 21:46:20 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/10/17 21:46:20 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/10/17 21:46:20 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/10/17 21:46:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/10/17 21:29:04 | 003,879,251 | R--- | C] () -- C:\Documents and Settings\Michelle\Desktop\ComboFix.exe

[2010/10/16 11:22:00 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Michelle\Desktop\RKUnhookerLE.EXE

[2010/10/14 17:02:35 | 1609,633,792 | -HS- | C] () -- C:\hiberfil.sys

[2010/10/01 16:03:34 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk

[2010/09/28 21:53:53 | 000,002,309 | ---- | C] () -- C:\Documents and Settings\Michelle\Desktop\Google Chrome.lnk

[2010/09/28 21:53:53 | 000,002,287 | ---- | C] () -- C:\Documents and Settings\Michelle\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2010/09/28 21:51:47 | 000,000,988 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2142830369-2160077652-1691362497-1006UA.job

[2010/09/28 21:51:46 | 000,000,936 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2142830369-2160077652-1691362497-1006Core.job

[2010/09/28 16:28:24 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Michelle\Desktop\HijackThis.lnk

[2010/09/28 11:07:02 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk

[2010/09/27 14:44:35 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2008/10/12 15:57:46 | 000,000,019 | ---- | C] () -- C:\WINDOWS\SoundConverter.INI

[2007/12/27 14:26:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LauncherAccess.dt

[2007/12/27 14:24:57 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys

[2007/10/12 18:15:42 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\SSLInsert.dll

[2007/04/26 11:46:58 | 000,278,528 | ---- | C] () -- C:\Program Files\Common Files\FDEUnInstaller.exe

[2007/02/07 18:36:16 | 000,000,120 | ---- | C] () -- C:\WINDOWS\PbkUser.INI

[2006/11/22 00:12:41 | 000,010,856 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys

[2006/10/11 10:12:37 | 000,194,248 | ---- | C] () -- C:\WINDOWS\System32\LTRFD13n.DLL

[2006/10/11 10:07:41 | 000,001,208 | ---- | C] () -- C:\WINDOWS\VFO.INI

[2006/10/11 10:07:40 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\macd32.dll

[2006/10/11 10:07:40 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll

[2006/10/11 10:07:40 | 000,136,192 | ---- | C] () -- C:\WINDOWS\System32\mamc32.dll

[2006/10/11 10:07:40 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\masd32.dll

[2006/10/11 10:07:40 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll

[2006/05/11 14:10:25 | 000,000,260 | R--- | C] () -- C:\WINDOWS\Dit.INI

[2006/02/26 19:44:58 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI

[2006/02/20 22:48:57 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini

[2006/01/11 18:17:26 | 000,037,376 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2005/10/22 20:09:20 | 000,007,207 | R--- | C] () -- C:\WINDOWS\Disktool.INI

[2005/10/22 20:09:20 | 000,006,399 | R--- | C] () -- C:\WINDOWS\fwupgrade.ini

[2005/10/22 20:09:20 | 000,003,677 | R--- | C] () -- C:\WINDOWS\PlaySnd.INI

[2005/10/17 22:25:02 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2005/07/29 19:38:24 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll

[2005/07/27 23:38:36 | 000,001,699 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI

[2005/06/15 19:32:56 | 000,005,606 | ---- | C] () -- C:\WINDOWS\System32\stci.dll

[2005/05/02 17:30:15 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\fusioncache.dat

[2004/10/15 18:31:56 | 000,218,264 | ---- | C] () -- C:\WINDOWS\System32\SetAid.dll

[2004/01/31 12:07:28 | 000,000,652 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2004/01/15 10:04:20 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PMK_setup.ini

[2004/01/14 22:07:05 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini

[2004/01/09 00:45:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2004/01/09 00:38:22 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2004/01/09 00:35:09 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/01/09 00:20:42 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2004/01/09 00:09:46 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2003/08/13 23:54:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2003/03/09 05:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll

[2002/09/03 09:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[1996/11/21 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL

[1996/11/21 01:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL

[1996/11/21 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Custom Scans ==========

< MD5 for: EXPLORER.EXE >

[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\explorer.exe

[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe

[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe

[2007/06/13 12:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

[2007/06/13 11:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

[2004/08/04 08:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

[2004/08/04 08:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe

< MD5 for: WINLOGON.EXE >

[2004/08/04 08:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

[2004/08/04 08:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\winlogon.exe

[2002/08/29 06:00:00 | 000,516,608 | ---- | M] (Microsoft Corporation) MD5=2246D8D8F4714A2CEDB21AB9B1849ABB -- C:\I386\WINLOGON.EXE

[2008/04/14 01:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

[2008/04/14 01:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\SYSTEM32\winlogon.exe

[2008/04/14 01:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\winlogon.exe

< >

< >

< >

< End of report >

Best Regards

Michelle

p.s. I had all my icons, taskbar etc. when I powered it on today.
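The "< MD5 for: EXPLORER.EXE >" custom scan in the log above is the check that settles whether the live explorer.exe is still the Service Pack build: every copy OTL finds is hashed, and a live copy whose hash differs from the copy under ServicePackFiles\i386 is the one to suspect. The script below is an added example, not part of the post and not code from OTL or the forum helpers. It parses those scan lines (the four sample lines are copied from the log; the extra TAMPERED line is constructed with a made-up hash), picks the ServicePackFiles copy as ground truth (an assumption), and flags a copy that keeps the reference's size but carries a different hash, which is what an in-place infection of the binary looks like. It also hashes on-disk files the same way so the comparison can be repeated without OTL.

```python
"""Cross-check the copies of a Windows system binary that an OTL
"< MD5 for: ... >" custom scan lists against the Service Pack reference copy.

Added example for this thread; not part of the post, of OTL or of
Malwarebytes. The four SAMPLE_OTL lines are copied from the explorer.exe
scan in the log above; TAMPERED is constructed with a made-up hash to
exercise the "patched in place" branch. Treating ServicePackFiles\\i386
as the known-good build is an assumption.
"""
import hashlib
import re

# OTL prints one line per copy:  [date | size | attrs | M] (Company) MD5=<hex> -- <path>
OTL_LINE = re.compile(
    r"^\[(?P<date>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)

# Sample input: the explorer.exe block of the OTL custom scan in the post above.
SAMPLE_OTL = r"""
[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\explorer.exe
[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 12:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
"""

# Constructed line (NOT from the log): same size as the reference, different hash.
TAMPERED = (
    "[2010/10/14 12:00:00 | 001,033,728 | ---- | M] () "
    "MD5=00000000000000000000000000000000 -- C:\\WINDOWS\\explorer.exe"
)


def parse_otl_md5_lines(text):
    """Parse every recognisable MD5 line; lines that do not match are skipped, not guessed."""
    entries = []
    for raw in text.strip().splitlines():
        m = OTL_LINE.match(raw.strip())
        if m:
            entries.append({
                "path": m["path"],
                "size": int(m["size"].replace(",", "")),
                "md5": m["md5"].upper(),
                "company": m["company"],
            })
    return entries


def reference_copy(entries):
    """Treat the copy under ServicePackFiles\\i386 as the known-good build (assumption)."""
    for e in entries:
        if "\\servicepackfiles\\i386\\" in e["path"].lower():
            return e
    return None


def audit(entries):
    """Return [(path, verdict)] comparing each copy with the reference build.

    A different size is normal for older hotfix/uninstall copies; the case
    that matters is a copy with the reference's size but another hash.
    """
    ref = reference_copy(entries)
    if ref is None:
        raise ValueError("no ServicePackFiles reference copy in the scan output")
    report = []
    for e in entries:
        if e["md5"] == ref["md5"]:
            verdict = "matches reference"
        elif e["size"] == ref["size"]:
            verdict = "same size, different hash: possibly patched in place"
        else:
            verdict = "different build (size differs from reference)"
        report.append((e["path"], verdict))
    return report


def md5_of_bytes(data):
    """MD5 in the upper-case form OTL prints (used for matching, not as a security guarantee)."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large binary does not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest().upper()


def verify_live_copies(live_paths, reference_path):
    """Hash on-disk copies and report True for each one equal to the reference file."""
    ref = md5_of_file(reference_path)
    return {p: md5_of_file(p) == ref for p in live_paths}


if __name__ == "__main__":
    # The constructed TAMPERED line is appended so the suspicious verdict is visible.
    for path, verdict in audit(parse_otl_md5_lines(SAMPLE_OTL + TAMPERED)):
        print(f"{verdict:55} {path}")
```

On the real log the three live-location copies hash identically to the ServicePackFiles build, which is the "all files are valid now" result the helper confirms in the next reply; only the older hotfix copy differs, and it differs in size too, so it is a different build rather than a patched one. MD5 is adequate here because the question is "is this byte-for-byte the Service Pack file", not resistance to a chosen collision.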


Great, even though it said it was whitelisted it seemed to have worked; all files are valid now.

As a final check - Please perform the following online scan:

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Click Export to text file, then save it to your desktop.
  • Copy and paste that log as a reply to this topic


Here are the results - it found some nasties...

C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EB trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Win32/Bamital.EC trojan deleted - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\r.bat.vir JS/TrojanDownloader.Adload.A trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0003980.exe Win32/Bamital.EC trojan deleted - quarantined

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0003982.bat JS/TrojanDownloader.Adload.A trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0004060.exe Win32/Bamital.EC trojan deleted - quarantined

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0004383.exe Win32/Bamital.EC trojan deleted - quarantined

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0004384.exe Win32/Bamital.EC trojan deleted - quarantined

C:\WINDOWS\symantec-scan.html JS/TrojanDownloader.Adload.A trojan cleaned by deleting - quarantined

Regards

Michelle


=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the Uninstall; it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)", then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is left over.

After that you're all set.

===The following are some articles and a Windows Update link that I like to suggest to people to help prevent malware and for general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article: some great guidelines to follow to prevent future infections; please read the Prevention article by Miekiemoes.

"How did I get infected in the first place?": also this one by Tony Klein.

If your computer is slow: a tutorial on what you can do if your computer is slow.

File sharing program dangers: reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.

===Free antimalware tools used for on demand scanning and cleaning no real time unless purchased===

Malwarebytes Antimalware

superantispyware

===Free antivirus links===

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free 9.0

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast
