Combofix - Recovery console - Stuck


  • This topic is locked
29 replies to this topic

#1 lukistrela
  • Members
Posted 27 February 2010 - 02:34 PM

Hi experts! Here's my story:
Run Combofix, installed Recovery Console on the way
Combofix restart results in black screen (no prompt or anything, just black)
Switch computer off, then on, get a choice of Windows and Windows Recovery Console
choose Windows - get same black screen
choose Recovery - get a dos command prompt
Any way I can start up Windows?
Thanks!

#2 hamluis
  • Moderator
  • Location:Killeen, TX

Posted 27 February 2010 - 04:31 PM

<<choose Recovery - get a dos command prompt>>

Does the following depict what occurs (except for running the command)?

How to use CHKDSK in the XP Recovery Console - http://pirules3.14.googlepages.com/recovery_console_chkdsk

If you get into the Recovery Console...I suggest running the chkdsk /r command...to be followed by running the fixmbr command.

Microsoft Windows XP - Fixmbr - http://www.microsoft.com/resources/documen...ons_fixmbr.mspx. If you use fixmbr, don't worry about parameters, just type the command.

System manufacturer and model?

Louis


#3 lukistrela
  • Topic Starter

Posted 27 February 2010 - 08:58 PM

Sounds like a good plan. CHKDSK tells it has fixed something.
Now fixmbr warns:
"This computer appears to have a non-standard or invalid master boot record. Fixmbr may damage your partition tables..." etc.
Scary stuff...
Dell laptop Latitude D610
Thanks!

#4 hamluis
  • Moderator
  • Location:Killeen, TX

Posted 27 February 2010 - 09:34 PM

The warning with the fixmbr command is standard...I'm not sure why Microsoft included it with that command, when there are many others available in the Recovery Console...that can do more damage and merit a warning.

Anyway, the intent is to warn users that having a damaged MBR may result in the system not booting. Of course, users already have figured this out or they would not be using the fixmbr command.

Let us know if there is any joy.

Louis
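The "non-standard or invalid master boot record" message is about the structure of sector 0 of the disk. In the standard layout, bytes 0-439 hold the boot code, Windows keeps a 4-byte disk signature at offset 440, the four 16-byte partition-table entries start at 446, and the sector ends with the 0x55AA boot signature at 510. What fixmbr rewrites is the boot code; it does not overwrite the partition table. The following Python script is an added example, not code from this thread or from any Microsoft tool: it parses a 512-byte MBR, checks the boot signature and the partition entries for the inconsistencies that make a table "invalid" (bad status bytes, more than one active entry, zero-length or overlapping partitions), and hashes the boot-code region so it can be compared with a copy taken from a known-good install. The two sample sectors, the placeholder boot code and the partition sizes are constructed for the example.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0-439: boot code (the part fixmbr rewrites)
TABLE_OFFSET = 446       # four 16-byte partition entries; 0x55AA follows at 510
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

@dataclass
class Partition:
    index: int
    status: int      # 0x80 active/bootable, 0x00 inactive
    ptype: int       # 0x00 unused, 0x07 NTFS, 0x05/0x0F extended, ...
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:   # first sector after the partition
        return self.lba_start + self.sectors

def parse_partitions(sector: bytes) -> List[Partition]:
    """Decode the four primary partition-table entries."""
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        parts.append(Partition(i, status, ptype, start, count))
    return parts

def validate_mbr(sector: bytes) -> List[str]:
    """Return the structural problems found; an empty list means the MBR looks sane."""
    if len(sector) != SECTOR:
        return [f"expected {SECTOR} bytes, got {len(sector)}"]
    problems = []
    if sector[510:512] != b"\x55\xAA":
        problems.append("boot signature is not 0x55AA")
    parts = parse_partitions(sector)
    active = [p for p in parts if p.status == 0x80]
    if len(active) > 1:
        problems.append(f"{len(active)} entries marked active; at most one expected")
    used = []
    for p in parts:
        if p.status not in (0x00, 0x80):
            problems.append(f"entry {p.index}: invalid status byte 0x{p.status:02x}")
        if p.ptype == 0:
            continue
        if p.sectors == 0:
            problems.append(f"entry {p.index}: type 0x{p.ptype:02x} but zero length")
        if p.lba_start == 0:
            problems.append(f"entry {p.index}: starts at LBA 0, on top of the MBR itself")
        used.append(p)
    for i, a in enumerate(used):
        for b in used[i + 1:]:
            if a.lba_start < b.lba_end and b.lba_start < a.lba_end:
                problems.append(f"entries {a.index} and {b.index} overlap")
    return problems

def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code region only. Compare it with the same bytes from a
    known-good install of the same Windows version: a mismatch means the loader
    code differs (bootkit, third-party boot manager, damage), not that the table is bad."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

# --- constructed sample sectors (not read from a real disk) -----------------
_EMPTY_ENTRY = b"\x00" * 16
_PLACEHOLDER_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(BOOT_CODE_LEN, b"\x00")  # stand-in, not real boot code

def _entry(status: int, ptype: int, start: int, count: int) -> bytes:
    # CHS fields are filled with the usual "beyond CHS range" marker bytes
    return struct.pack(ENTRY_FMT, status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", start, count)

def _build(entries: bytes, signature: bytes = b"\x55\xAA") -> bytes:
    sector = _PLACEHOLDER_CODE + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00" + entries + signature
    assert len(sector) == SECTOR
    return sector

def sample_mbr() -> bytes:
    """One active NTFS partition starting at LBA 63; the size is made up."""
    return _build(_entry(0x80, 0x07, 63, 156_296_385) + _EMPTY_ENTRY * 3)

def broken_mbr() -> bytes:
    """Same boot code, but a second active entry overlapping the first and no 0x55AA."""
    return _build(_entry(0x80, 0x07, 63, 156_296_385) + _entry(0x80, 0x07, 2048, 1000)
                  + _EMPTY_ENTRY * 2, signature=b"\x00\x00")

if __name__ == "__main__":
    for name, sector in (("sample", sample_mbr()), ("broken", broken_mbr())):
        print(name, validate_mbr(sector) or "OK", boot_code_digest(sector)[:16])
```

Because the boot code and the table are separate regions, the digest of the two sample sectors is identical even though one of them fails validation; that is the distinction fixmbr's warning is making. The practical caveat for a disk you still want data from: read sector 0 into a file from the boot-CD environment and keep it before running fixmbr, so that both the boot code and the table can be put back if the rewrite makes things worse.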

#5 lukistrela
  • Topic Starter

Posted 27 February 2010 - 10:27 PM

Louis - Isn't it safer to restore XP from a cd? more chances to salvage information on the hard drive?

#6 hamluis
  • Moderator
  • Location:Killeen, TX

Posted 27 February 2010 - 10:52 PM

<<Louis - Isn't it safer to restore XP from a cd?>>

Compared to what...using the fixmbr command?

If you are talking about recovery/restore CDs...those can be used anytime.

Not sure what you mean by "restore XP", since there is no mechanism for doing such that I know of, if I'm not using recovery/restore CDs.

If you explain what you have in mind...I can give a better answer.

Louis

#7 lukistrela
  • Topic Starter

Posted 27 February 2010 - 11:20 PM

Yes, CD which came from Dell with the computer, officially called Reinstallation CD.
Do I have better chances to save my data files? (No worry about apps installed)
Thanks!

#8 hamluis
  • Moderator
  • Location:Killeen, TX

Posted 28 February 2010 - 08:55 AM

You can save data files...by simply moving them from the drive.

If I was concerned about such, that is what I would do, move them from the drive.

As for recovery/restore CDs and how they work...I have none such so I believe that varies with the system manufacturer.

It's your system, your disk. You determine. I believe that the system manufacturer included instructions for using such...with the system. The owner/user manual should contain info like that. I don't know, I don't own any Dells.

FWIW: Risk is an inherent part of living in a universe where change is the constant. Nothing is guaranteed that I know of and it seems to me that things constantly don't go as planned.

Louis

#9 Elise
  • Malware Study Hall Admin
  • Location:Romania

Posted 28 February 2010 - 09:09 AM

If Combofix did this, it might be easily undone. Please let me know if you are able to download a 270 MB file and burn it to a CD.

If you want to go through with the repair I will move this topic to the appropriate forum.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 hamluis
  • Moderator
  • Location:Killeen, TX

Posted 28 February 2010 - 09:24 AM

Thanks, Elise.

Louis

#11 lukistrela
  • Topic Starter

Posted 28 February 2010 - 12:38 PM

Elise -
Yes, this all started with combofix. I can download and burn a disk on one of my other computers. Please instruct.

Louis - How do I move files from a non-working computer?

Thanks!

#12 Elise
  • Malware Study Hall Admin
  • Location:Romania

Posted 28 February 2010 - 01:04 PM

<<Louis - How do I move files from a non-working computer?>>

You'll be able to do that with the CD we are going to create.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise


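The OTL scan described in the instructions above writes one line per Win32 service and per driver, in one of two shapes: an entry whose file was found (timestamp, size, attributes, company from the version info, load type and start type, path, service name) or a "File not found" entry that carries only the load/start type and the service name. The following Python script is an added example, not part of Elise's instructions and not OTL's own code: it parses those lines and flags the entries a responder would check first on a machine that stopped booting right after a tool run: Boot- or System-start drivers whose image is missing or zero bytes, early-start entries with no company/version information, Boot-start drivers whose service name does not match the image name, and anything modified within a few days of the scan. The sample lines are copied from the log posted later in this thread, and the scan time is taken from that log's header; the thresholds are the example's own choices. The script only orders the work; it does not by itself say what stopped the machine booting.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Sample input: lines copied from the OTL log posted in this thread, cut down
# to a few entries so the script runs on its own.
SAMPLE_LOG = """\
========== Win32 Services (SafeList) ==========
SRV - [2009/04/02 11:47:04 | 000,234,888 | ---- | M] () [Auto] -- C:\\Program Files\\AskBarDis\\bar\\bin\\ASKUpgrade.exe -- (ASKUpgrade)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - File not found [Kernel | System] -- -- (Tb2Device)
DRV - [2010/02/27 12:50:26 | 000,000,000 | ---- | M] () [Kernel | Boot] -- C:\\WINDOWS\\system32\\drivers\\uyerubtp.sys -- (uyerubtp)
DRV - [2010/02/27 12:49:06 | 000,060,416 | ---- | M] () [Kernel | Boot] -- C:\\WINDOWS\\system32\\drivers\\Combo-Fix.sys -- (vkquwexg)
DRV - [2009/09/23 16:10:06 | 000,207,280 | ---- | M] (PC Tools) [Kernel | Boot] -- C:\\WINDOWS\\system32\\drivers\\PCTCore.sys -- (PCTCore)
DRV - [2007/08/07 17:05:14 | 000,017,056 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto] -- C:\\WINDOWS\\system32\\drivers\\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2005/03/21 20:48:30 | 000,039,904 | ---- | M] (Adaptec, Inc.) [Kernel | Boot] -- C:\\WINDOWS\\system32\\drivers\\cercsr6.sys -- (cercsr6)
"""
# Scan time from the log header ("OTL logfile created on: 2/28/2010 4:55:20 PM").
SCAN_TIME = datetime(2010, 2, 28, 16, 55, 20)

FOUND_RE = re.compile(
    r"^(?P<kind>DRV|SRV) - \[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| \S{4} \| M\] \((?P<company>[^)]*)\) \[(?P<flags>[^\]]*)\] "
    r"-- (?P<path>.*?) -- \((?P<service>[^)]*)\)")
MISSING_RE = re.compile(
    r"^(?P<kind>DRV|SRV) - File not found \[(?P<flags>[^\]]*)\] -- -- \((?P<service>[^)]*)\)")

EARLY_START = {"Boot", "System"}   # loaded before a user could intervene

@dataclass
class ServiceEntry:
    kind: str                  # "DRV" or "SRV"
    service: str               # registry service name
    load_type: str             # Kernel, File_System, ... ("" on SRV lines)
    start: str                 # Boot, System, Auto, On_Demand, Disabled
    path: Optional[str]        # None when OTL reports "File not found"
    company: str               # version-info company; "" when OTL prints "()"
    size: Optional[int]
    mtime: Optional[datetime]

def _split_flags(flags: str):
    """'[Kernel | Boot]' -> ('Kernel', 'Boot'); '[Auto]' -> ('', 'Auto')."""
    parts = [p.strip() for p in flags.split("|")]
    return (parts[0] if len(parts) > 1 else ""), parts[-1]

def parse_otl_services(text: str) -> List[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            load_type, start = _split_flags(m["flags"])
            entries.append(ServiceEntry(
                m["kind"], m["service"], load_type, start, m["path"], m["company"].strip(),
                int(m["size"].replace(",", "")),
                datetime.strptime(m["mtime"], "%Y/%m/%d %H:%M:%S")))
            continue
        m = MISSING_RE.match(line)
        if m:
            load_type, start = _split_flags(m["flags"])
            entries.append(ServiceEntry(m["kind"], m["service"], load_type, start,
                                        None, "", None, None))
    return entries

def triage(entries: List[ServiceEntry], scan_time: datetime,
           recent_days: int = 3) -> Dict[str, List[str]]:
    """Map service name -> reasons it deserves a look; absence means nothing was flagged."""
    findings: Dict[str, List[str]] = {}

    def flag(e: ServiceEntry, why: str) -> None:
        findings.setdefault(e.service, []).append(why)

    for e in entries:
        if e.path is None:
            # Stale On_Demand entries are common (uninstalled tools); early-start ones are not.
            if e.start in EARLY_START:
                flag(e, f"{e.start}-start entry whose image file is missing")
            continue
        if e.start == "Boot" and e.size == 0:
            flag(e, "zero-byte image registered as a Boot-start driver")
        if not e.company and e.start in EARLY_START | {"Auto"}:
            flag(e, f"no company/version info ({e.start} start, {e.kind})")
        stem = ntpath.splitext(ntpath.basename(e.path))[0]   # ntpath: Windows paths on any host
        if e.kind == "DRV" and e.start in EARLY_START and stem.lower() != e.service.lower():
            flag(e, f"service name does not match image name ({stem}); weak signal on its own")
        if e.mtime is not None and scan_time - e.mtime <= timedelta(days=recent_days):
            flag(e, f"image modified within {recent_days} days of the scan ({e.mtime:%Y-%m-%d %H:%M})")
    return findings

def triage_sample() -> Dict[str, List[str]]:
    """Run the triage over the sample lines with the sample log's scan time."""
    return triage(parse_otl_services(SAMPLE_LOG), SCAN_TIME)

if __name__ == "__main__":
    for service, reasons in triage_sample().items():
        print(service)
        for r in reasons:
            print("   -", r)
```

Run it as a script, or feed a complete OTL.txt to `parse_otl_services` and the log's own header time to `triage`. On the sample lines it returns findings for four services and nothing for the vendor drivers with version information and old timestamps, which is the point: a full log has close to a hundred driver lines, and the responder wants the handful worth opening from the OTLPE desktop. The name-mismatch rule is deliberately marked a weak signal, because the log itself shows ComboFix's own driver (Combo-Fix.sys) registered under a random-looking service name, and plenty of legitimate vendor drivers do the same.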
#13 lukistrela
  • Topic Starter

Posted 28 February 2010 - 05:24 PM

Thanks Elise! Here's the log:

OTL logfile created on: 2/28/2010 4:55:20 PM - Run
OTLPE by OldTimer - Version 3.1.30.3 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 25.44 Gb Free Space | 34.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2009/09/23 13:33:42 | 001,141,200 | ---- | M] (PC Tools) [On_Demand] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/09/23 12:17:22 | 000,358,600 | ---- | M] (PC Tools) [On_Demand] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/07/25 04:23:10 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/13 22:18:12 | 000,071,096 | ---- | M] () [Auto] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2009/04/04 10:27:40 | 000,183,280 | ---- | M] (Google) [Auto] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/04/02 11:47:04 | 000,234,888 | ---- | M] () [Auto] -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe -- (ASKUpgrade)
SRV - [2009/03/26 21:58:08 | 000,431,472 | ---- | M] (Juniper Networks) [Auto] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2008/09/10 13:01:28 | 000,611,664 | ---- | M] (Lavasoft) [Auto] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/07/15 15:03:02 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2008/07/15 15:03:02 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2008/07/15 15:03:00 | 002,479,488 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService)
SRV - [2008/07/15 15:03:00 | 000,288,136 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC)
SRV - [2008/07/15 15:02:58 | 002,240,944 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/09/27 11:18:44 | 000,266,240 | ---- | M] (Sophos Plc) [Auto] -- C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe -- (Sophos Agent)
SRV - [2007/09/27 11:18:21 | 000,790,528 | ---- | M] (Sophos Plc) [Auto] -- C:\Program Files\Sophos\Remote Management System\RouterNT.exe -- (Sophos Message Router)
SRV - [2007/09/06 12:28:18 | 000,110,592 | ---- | M] (Apple, Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/08/11 19:05:27 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2007/01/25 16:32:28 | 000,081,920 | ---- | M] (PatchLink Corporation) [Auto] -- C:\Program Files\PatchLink\Update Agent\GravitixService.exe -- (PatchLink Update)
SRV - [2006/11/10 12:46:26 | 001,504,304 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/10/24 15:16:32 | 000,126,976 | ---- | M] (Netopia, Inc.) [Auto] -- C:\Program Files\Timbuktu Pro\tb2launch.exe -- (Tb2Launch)
SRV - [2005/07/06 23:59:20 | 000,364,544 | ---- | M] (ATI Technologies Inc.) [Auto] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2004/09/07 18:12:32 | 000,225,353 | ---- | M] (Intel® Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)
SRV - [2004/09/07 18:05:10 | 000,360,521 | ---- | M] (Intel Corporation ) [Auto] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2004/09/07 18:02:40 | 000,086,016 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)
SRV - [2004/09/07 18:02:04 | 000,139,264 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)
SRV - [2004/04/01 20:05:48 | 000,077,824 | ---- | M] (Broadcom Corp.) [Auto] -- C:\WINDOWS\system32\BAsfIpM.exe -- (BAsfIpM)
SRV - [2004/03/05 02:45:34 | 000,192,573 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)
SRV - [2003/07/28 14:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (UIUSys)
DRV - File not found [Kernel | System] -- -- (Tb2MirrorSys)
DRV - File not found [Kernel | System] -- -- (Tb2Device)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand] -- -- (fmfdisk)
DRV - File not found [Kernel | On_Demand] -- -- (cpuz132)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2010/02/27 12:50:26 | 000,000,000 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\uyerubtp.sys -- (uyerubtp)
DRV - [2010/02/27 12:49:06 | 000,060,416 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\Combo-Fix.sys -- (vkquwexg)
DRV - [2010/02/04 04:00:00 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100227.007\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/02/04 04:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100227.007\NAVENG.SYS -- (NAVENG)
DRV - [2009/09/23 16:10:06 | 000,207,280 | ---- | M] (PC Tools) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/08/27 10:14:12 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/27 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/08/03 05:34:32 | 000,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2008/11/03 08:58:18 | 000,081,288 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | System] -- C:\WINDOWS\system32\drivers\iksyssec.sys -- (IKSysSec)
DRV - [2008/11/03 08:58:18 | 000,066,952 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | System] -- C:\WINDOWS\system32\drivers\iksysflt.sys -- (IKSysFlt)
DRV - [2008/11/03 08:58:16 | 000,040,840 | ---- | M] (PCTools Research Pty Ltd.) [File_System | Boot] -- C:\WINDOWS\system32\drivers\ikfilesec.sys -- (IKFileSec)
DRV - [2008/09/03 13:17:34 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/07/15 15:03:02 | 000,317,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2008/07/15 15:03:02 | 000,279,088 | ---- | M] (Symantec Corporation) [File_System | System] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2008/07/15 15:03:02 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2008/07/15 15:02:50 | 000,420,400 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/11/13 05:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/08/07 17:05:14 | 000,017,056 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2007/04/10 18:05:34 | 000,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2006/11/10 12:44:52 | 000,305,788 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2006/09/21 19:55:16 | 000,126,864 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2006/05/10 17:00:16 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/07/07 00:02:18 | 001,132,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/05/31 13:46:26 | 000,087,936 | R--- | M] (Texas Instruments) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2005/05/17 06:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/05/03 17:09:28 | 001,033,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DPV.SYS -- (HSF_DPV)
DRV - [2005/05/03 17:08:50 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005/05/03 17:08:44 | 000,705,408 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/03/21 20:48:30 | 000,039,904 | ---- | M] (Adaptec, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\cercsr6.sys -- (cercsr6)
DRV - [2005/03/10 18:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2005/01/26 09:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | Disabled] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2004/10/21 17:56:04 | 003,210,496 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/08/31 10:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/12 10:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 07:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 07:00:00 | 000,007,936 | ---- | M] (Microsoft Corporation) [Recognizer | System] -- C:\WINDOWS\system32\drivers\fs_rec.sys -- (Fs_Rec)
DRV - [2004/08/04 07:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) [Adapter | On_Demand] -- C:\WINDOWS\system32\winsock.dll -- (Winsock)
DRV - [2004/03/17 14:04:14 | 000,013,059 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2003/04/24 18:21:50 | 000,006,025 | ---- | M] (Broadcom Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\BASFND.sys -- (BASFND)
DRV - [2001/08/22 10:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\XXXXuser_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = https://vpn.janelia.org/dana-na/auth/url_7/welcome.cgi
IE - HKU\XXXXuser_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\XXXXuser_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\installer_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\PRIVET_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 00:39:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/07 15:32:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/01/18 23:23:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/02/07 15:32:19 | 000,000,000 | ---D | M]

[2010/02/21 22:44:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/02/04 22:02:56 | 001,642,496 | ---- | M] (LizardTech) -- C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll

O1 HOSTS File: ([2010/02/21 22:28:19 | 000,362,867 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.123haustiereundmehr.com
O1 - Hosts: 127.0.0.1 123haustiereundmehr.com
O1 - Hosts: 12472 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (WinAVI FLVSense) - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll (ZJMedia)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [combofix] C:\ComboFix\CF30192.cfx File not found
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [LogEnable] Reg Error: Invalid data type. File not found
O4 - HKLM..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe (PatchLink Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [ReimageFTP] C:\Program Files\Reimage\Reimage Repair\ReiFTPWatchDog.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TLogonPath] C:\Program Files\Timbuktu Pro\minitb2.exe (Netopia, Inc.)
O4 - HKU\XXXXuser_ON_C..\Run: [AlarmWiz] C:\Program Files\AlarmWiz\alarmwiz.exe File not found
O4 - HKU\XXXXuser_ON_C..\Run: [Google Update] C:\Documents and Settings\XXXXuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\XXXXuser_ON_C..\Run: [Paladin Antivirus] C:\Program Files\Paladin Antivirus\pav.exe File not found
O4 - HKU\XXXXuser_ON_C..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - HKU\XXXXuser_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKLM..\RunOnce: [combofix] C:\ComboFix\CF30192.cfx File not found
O4 - HKU\.DEFAULT..\RunOnce: [RealUpgradeHelper] C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe File not found
O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\XXXXuser_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\XXXXuser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\XXXXuser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\XXXXuser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\installer_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\installer_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\PRIVET_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\PRIVET_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF [binary data]
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EditLevel = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoColorChoice = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoSizeChoice = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoVisualStyleChoice = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SetVisualStyle = %SystemRoot%\Resources\Themes\Luna.theme ()
O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra Button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll (ZJMedia)
O9 - Extra 'Tools' menuitem : WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll (ZJMedia)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://vpn.janelia.org/dana-cached/setup/J...perSetupSP1.cab (JuniperSetupSP1 Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = janelia.priv
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\IntelWireless: DllName - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\Timbuktu Pro: DllName - C:\Program Files\Timbuktu Pro\Hook32.dll - C:\Program Files\Timbuktu Pro\HOOK32.DLL (Netopia, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Prairie Wind.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Prairie Wind.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/05 13:44:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/28 16:49:50 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft
[2010/02/28 16:48:37 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\Local Settings\Application Data\Temp
[2010/02/28 16:48:36 | 000,000,000 | --SD | C] -- B:\Documents and Settings\Default User\Cookies
[2010/02/28 16:48:36 | 000,000,000 | R--D | C] -- B:\Documents and Settings\Default User\Recent
[2010/02/28 16:48:36 | 000,000,000 | R--D | C] -- B:\Documents and Settings\Default User\My Documents\My Pictures
[2010/02/28 16:48:36 | 000,000,000 | R--D | C] -- B:\Documents and Settings\Default User\My Documents\My Music
[2010/02/28 16:48:36 | 000,000,000 | R--D | C] -- B:\Documents and Settings\Default User\My Documents
[2010/02/28 16:48:36 | 000,000,000 | R--D | C] -- B:\Documents and Settings\Default User\Favorites
[2010/02/28 16:48:36 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\Templates
[2010/02/28 16:48:36 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\Start Menu
[2010/02/28 16:48:36 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\SendTo
[2010/02/28 16:48:36 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\PrintHood
[2010/02/28 16:48:36 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\NetHood
[2010/02/28 16:48:36 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\My Documents\My Videos
[2010/02/28 16:48:36 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\Application Data\Microsoft
[2010/02/28 16:48:36 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\Local Settings
[2010/02/28 16:48:36 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\Desktop
[2010/02/28 16:48:36 | 000,000,000 | ---D | C] -- B:\Documents and Settings\Default User\Application Data
[2010/02/27 12:35:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/27 12:32:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/27 12:32:54 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/27 12:32:54 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/27 12:32:54 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/27 12:32:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/27 12:32:42 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/02/27 12:23:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/27 02:00:39 | 000,000,000 | ---D | C] -- C:\rei
[2010/02/27 02:00:17 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2010/02/20 17:32:52 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/02/20 16:28:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/02/20 16:28:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2009/08/03 05:34:32 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\XXXXuser\Application Data\pcouffin.sys
[2009/02/03 10:32:28 | 003,550,592 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Program Files\procexp.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/28 16:54:50 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat
[2010/02/28 16:54:06 | 000,001,332 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\OTLPE.lnk
[2010/02/27 12:50:28 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/02/27 12:50:28 | 000,225,280 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/02/27 12:50:26 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\uyerubtp.sys
[2010/02/27 12:50:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/27 12:49:54 | 007,864,320 | -H-- | M] () -- C:\Documents and Settings\XXXXuser\NTUSER.DAT
[2010/02/27 12:49:54 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\XXXXuser\ntuser.ini
[2010/02/27 12:49:06 | 000,060,416 | ---- | M] () -- C:\WINDOWS\System32\drivers\Combo-Fix.sys
[2010/02/27 12:35:21 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/27 12:33:06 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/27 12:19:00 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/02/27 12:10:00 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-602162358-682003330-1003UA.job
[2010/02/27 09:10:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-602162358-682003330-1003Core.job
[2010/02/27 02:06:15 | 000,000,166 | ---- | M] () -- C:\WINDOWS\System32\Compress.res
[2010/02/27 02:06:10 | 000,000,232 | ---- | M] () -- C:\WINDOWS\reimage.ini
[2010/02/27 02:00:44 | 000,001,715 | ---- | M] () -- C:\Documents and Settings\XXXXuser\Desktop\Reimage Repair.lnk
[2010/02/27 01:50:26 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/26 11:51:20 | 000,001,547 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\MSKeyViewer Plus.lnk
[2010/02/26 11:51:20 | 000,001,535 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\RegistryEditorPE.lnk
[2010/02/26 11:51:20 | 000,001,483 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\HandyRecovery 1.lnk
[2010/02/26 11:51:20 | 000,001,479 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Undelete Plus.lnk
[2010/02/26 11:51:20 | 000,001,475 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Magical Jelly Bean Keyfinder.lnk
[2010/02/26 11:51:20 | 000,001,469 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\DiskPartitioner.lnk
[2010/02/26 11:51:20 | 000,001,465 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Agent Ransack.lnk
[2010/02/26 11:51:20 | 000,001,437 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\notepad++.lnk
[2010/02/26 11:51:20 | 000,001,427 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\2xExplorer.lnk
[2010/02/26 11:51:20 | 000,001,371 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\ImgBurn.lnk
[2010/02/26 11:51:20 | 000,001,353 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\DriveImage XML.lnk
[2010/02/26 11:51:20 | 000,001,347 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\A43 File Management Utility.lnk
[2010/02/26 11:51:20 | 000,001,347 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\7-Zip File Manager.lnk
[2010/02/26 11:51:20 | 000,001,343 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Windows Registry Recovery.lnk
[2010/02/26 11:51:20 | 000,001,313 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Disk Investigator.lnk
[2010/02/26 11:51:20 | 000,001,261 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Internet Explorer.lnk
[2010/02/25 00:46:54 | 000,007,562 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2010/02/25 00:46:38 | 000,000,238 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2010/02/25 00:30:46 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/02/21 22:28:19 | 000,362,867 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/11 20:06:35 | 000,002,309 | ---- | M] () -- C:\Documents and Settings\XXXXuser\Desktop\Google Chrome.lnk
[2010/02/10 13:58:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/07 23:21:02 | 000,000,283 | ---- | M] () -- C:\WINDOWS\matlab.ini
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/28 16:48:37 | 000,001,547 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\MSKeyViewer Plus.lnk
[2010/02/28 16:48:37 | 000,001,535 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\RegistryEditorPE.lnk
[2010/02/28 16:48:37 | 000,001,483 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\HandyRecovery 1.lnk
[2010/02/28 16:48:37 | 000,001,479 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\Undelete Plus.lnk
[2010/02/28 16:48:37 | 000,001,475 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\Magical Jelly Bean Keyfinder.lnk
[2010/02/28 16:48:37 | 000,001,469 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\DiskPartitioner.lnk
[2010/02/28 16:48:37 | 000,001,465 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\Agent Ransack.lnk
[2010/02/28 16:48:37 | 000,001,437 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\notepad++.lnk
[2010/02/28 16:48:37 | 000,001,427 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\2xExplorer.lnk
[2010/02/28 16:48:37 | 000,001,371 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\ImgBurn.lnk
[2010/02/28 16:48:37 | 000,001,353 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\DriveImage XML.lnk
[2010/02/28 16:48:37 | 000,001,347 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\A43 File Management Utility.lnk
[2010/02/28 16:48:37 | 000,001,347 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\7-Zip File Manager.lnk
[2010/02/28 16:48:37 | 000,001,343 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\Windows Registry Recovery.lnk
[2010/02/28 16:48:37 | 000,001,332 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\OTLPE.lnk
[2010/02/28 16:48:37 | 000,001,313 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\Disk Investigator.lnk
[2010/02/28 16:48:37 | 000,001,261 | ---- | C] () -- B:\Documents and Settings\Default User\Desktop\Internet Explorer.lnk
[2010/02/27 12:49:06 | 000,060,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\Combo-Fix.sys
[2010/02/27 12:35:21 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/27 12:35:18 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/27 12:32:54 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/27 12:32:54 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/27 12:32:54 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/27 12:32:54 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/27 12:32:54 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/27 02:06:15 | 000,000,166 | ---- | C] () -- C:\WINDOWS\System32\Compress.res
[2010/02/27 02:02:00 | 000,000,232 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2010/02/27 02:00:44 | 000,001,715 | ---- | C] () -- C:\Documents and Settings\XXXXuser\Desktop\Reimage Repair.lnk
[2010/02/20 17:50:55 | 000,000,238 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2010/02/20 17:33:02 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/02/20 16:12:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\uyerubtp.sys
[2009/12/14 09:35:08 | 001,380,403 | ---- | C] () -- C:\WINDOWS\System32\avgsdk.dll
[2009/08/03 05:35:15 | 000,001,044 | ---- | C] () -- C:\Documents and Settings\XXXXuser\Application Data\vso_ts_preview.xml
[2009/08/03 05:34:49 | 000,000,033 | ---- | C] () -- C:\Documents and Settings\XXXXuser\Application Data\pcouffin.log
[2009/08/03 05:34:32 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\XXXXuser\Application Data\pcouffin.cat
[2009/08/03 05:34:32 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\XXXXuser\Application Data\pcouffin.inf
[2008/11/09 00:27:59 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\XXXXuser\Application Data\AVSMediaPlayer.m3u
[2008/06/06 09:53:11 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\PRIVET\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/06/01 08:59:12 | 000,000,843 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/05/17 15:52:27 | 000,040,328 | ---- | C] () -- C:\Documents and Settings\PRIVET\Local Settings\Application Data\FASTWiz.log
[2007/12/17 16:28:36 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/12/17 16:28:24 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/12/17 16:26:12 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\XXXXuser\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/26 15:33:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/08/14 08:34:31 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\XXXXuser\Local Settings\Application Data\PUTTY.RND
[2007/08/09 13:13:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Tb2Desk.INI
[2007/08/09 13:04:22 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/08/09 13:01:56 | 000,029,752 | ---- | C] () -- C:\WINDOWS\System32\InstHelper.dll
[2007/08/09 13:00:53 | 000,197,680 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/08/09 13:00:52 | 000,193,584 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/08/09 12:18:04 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2007/08/07 18:23:24 | 000,007,562 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2007/08/07 18:15:20 | 000,000,283 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2004/08/12 10:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/19 19:30:00 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\msvdm.dll
[1994/04/02 10:14:46 | 000,017,936 | ---- | C] () -- C:\Program Files\U2D.EXE

========== LOP Check ==========

[2007/12/05 18:57:26 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Juniper Networks
[2009/08/01 08:21:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXuser\Application Data\Canneverbe_Limited
[2009/07/22 15:43:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXuser\Application Data\FileOpen
[2009/07/12 13:47:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXuser\Application Data\Juniper Networks
[2008/06/09 10:57:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXuser\Application Data\Subversion
[2008/06/19 15:14:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXuser\Application Data\Thunderbird
[2009/08/16 09:29:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXuser\Application Data\uTorrent
[2009/09/04 21:32:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXuser\Application Data\Vso
[2009/08/12 16:54:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXXXuser\Application Data\WinAVI
[2007/11/30 16:42:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
[2008/05/18 22:25:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\PRIVET\Application Data\PStill
[2008/06/22 21:26:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\PRIVET\Application Data\Subversion
[2008/05/27 03:11:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\PRIVET\Application Data\Thunderbird

========== Purity Check ==========


< End of report >


#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Location:Romania

Posted 01 March 2010 - 07:08 AM

Can you please post me the contents of the following folder: c:\qoobox

You can use My Computer on the ReatogoX desktop to access the folder. Please post also all subfolders for the c:\qoobox\c folder.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#15 lukistrela

  • Topic Starter
  • Members
  • 53 posts

Posted 01 March 2010 - 09:47 PM

Here it is. Thanks!

c:\Qoobox\BackEnv
c:\Qoobox\dir.txt
c:\Qoobox\LastRun
c:\Qoobox\Quarantine
c:\Qoobox\Test
c:\Qoobox\TestC
c:\Qoobox\BackEnv\appdata.folder.dat
c:\Qoobox\BackEnv\cache.folder.dat
c:\Qoobox\BackEnv\Cookies.folder.dat
c:\Qoobox\BackEnv\desktop.folder.dat
c:\Qoobox\BackEnv\favorites.folder.dat
c:\Qoobox\BackEnv\localappdata.folder.dat
c:\Qoobox\BackEnv\localsettings.folder.dat
c:\Qoobox\BackEnv\mypictures.folder.dat
c:\Qoobox\BackEnv\personal.folder.dat
c:\Qoobox\BackEnv\Profiles.Folder.dat
c:\Qoobox\BackEnv\Profiles.Folder.folder.dat
c:\Qoobox\BackEnv\programs.folder.dat
c:\Qoobox\BackEnv\SetPath.bat
c:\Qoobox\BackEnv\startmenu.folder.dat
c:\Qoobox\BackEnv\startup.folder.dat
c:\Qoobox\BackEnv\SysPath.dat
c:\Qoobox\BackEnv\templates.folder.dat
c:\Qoobox\LastRun\CregC.old
c:\Qoobox\LastRun\d-del2A.dat
c:\Qoobox\LastRun\d-del4AV.dat
c:\Qoobox\LastRun\drev_.dat
c:\Qoobox\LastRun\RenVDel.dat
c:\Qoobox\LastRun\SvcTarget.dat
c:\Qoobox\LastRun\zhsvc.old
c:\Qoobox\Quarantine\C
c:\Qoobox\Quarantine\catchme.log
c:\Qoobox\Quarantine\Registry_backups
c:\Qoobox\Quarantine\C\Documents and Settings
c:\Qoobox\Quarantine\C\WINDOWS
c:\Qoobox\Quarantine\C\Documents and Settings\XXXXuser
c:\Qoobox\Quarantine\C\Documents and Settings\XXXXuser\Application Data
c:\Qoobox\Quarantine\C\Documents and Settings\XXXXuser\Application Data\inst.exe.vir
c:\Qoobox\Quarantine\C\WINDOWS\EventSystem.log.vir
c:\Qoobox\Quarantine\C\WINDOWS\system32
c:\Qoobox\Quarantine\C\WINDOWS\system32\drivers
c:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\FAD.sys.vir
c:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_uyerubtp_.sys.zip
c:\Qoobox\Quarantine\Registry_backups\Legacy_6TO4.reg.dat
c:\Qoobox\Quarantine\Registry_backups\Legacy_IAS.reg.dat
c:\Qoobox\Quarantine\Registry_backups\Legacy_uyerubtp.reg.dat
c:\Qoobox\Quarantine\Registry_backups\Service_6to4.reg.dat
c:\Qoobox\Quarantine\Registry_backups\Service_Ias.reg.dat
c:\Qoobox\Quarantine\Registry_backups\Service_uyerubtp.reg.dat
c:\Qoobox\Quarantine\Registry_backups\tcpip.reg




