Need serious help please


29 replies to this topic

#1 RhonB


Posted 02 March 2010 - 12:04 AM

Hi there,

Trying to repair a laptop for a friend that had viruses on it. The initial plan was to clean it for her, but when I started it up it would not boot. It gets so far and then a message comes up saying:

Windows cannot start as the following file is missing or corrupt:
\Windows\System3\Config\System

You can attempt to repair by using the Windows CD

Well tried that and kept getting this blue screen that said:
BAD_BOOT_CALLER
Technical Information: 0x000000c2 (0x00000043, 0xc2f1c000, 0x00000000, 0x00000000)
**I think last night the second bunch of numbers in the brackets was a little different, seem to remember it having a 5 in it...??**

Re-booted...went into setup.....and then recovery console, when it asked me to choose the drive I wanted to repair I chose 1 for "C" drive and then.....same blue screen BAD_BOOT_CALLER

Was working with some people here on the site in chat last night and they advised me to try taking out one of the RAM cards, as maybe it was malfunctioning, and restart...did that....got into recovery console again...chose 1 for "c"...blue screen...

Managed to get into diagnostics testing once and did all the testing...all passed, but when it was done and it asked me if I wanted to start Windows...I chose yes and ....you guessed it...blue screen...same message....put the RAM card back in and re-started again....same issues.

Next tried OTLPE, as per instructions....downloaded it onto a clean computer, downloaded BurnCDCC and burned OTLPE to a CD...then put the CD into the problem computer....told the computer to boot from the disc and Reatogo-X-PE installed and set up...got into the Reatogo desktop...and the instructions said to double-click the OTLPE icon.....so I did...and....Blue Screen...same message...


The laptop is a Dell Vostro 1400 running Windows XP...
One of the questions I was asked last night might give more info - Yes, my friend did do a Windows Update recently.

At a loss now...anybody else have any ideas????? :-0

PS: @NetSurfer - Did I forget anything????

Thanks in advance for any help....

RhonB


#2 Net_Surfer


Posted 02 March 2010 - 01:36 AM

Hello again RhonB,

Hmmmm........ you forgot to mention that you tried last known configuration, which did not work and gave you the same error messages. So at this time you have tried the recovery console and got the same messages, and now we are trying to get you to post a log by using OTLPE, following the OTLPE instructions that I sent you, but it keeps giving the same error after you created the bootable disk.

At this time I need some time so other members can look into your problem and can come up with a solution.

Please be patient while another member or myself reply to you back here.

Kind regards
Net_Surfer



#3 Net_Surfer


Posted 02 March 2010 - 10:02 AM

Hello again RhonB,

QUOTE
Windows cannot start as the following file is missing or corrupt:
\Windows\System3\Config\System


Since the System hive is either missing or corrupted, OTLPE will fail.

The best way to deal with this is to replace the registry hives with the set present in the C:\System Volume Information folder (if Restore Points are available).

Please carefully follow my next set of steps:

Step 1: we need to create a batch file and save it onto a flash drive to move information from the sick computer to a working computer. (Note that flash drives are often also called thumb drives, keychain drives, pendrives, etc.) This batch file lists all directories in C:\System Volume Information, which is useful for finding the backed-up registry.

Important note: Ensure that you save it on the flash drive. Do NOT save this file on the working computer. You could accidentally run the file on that computer and damage its registry. This file will be run on the non-working computer after following the next set of instructions.


Using your clean working computer do the following:
    1. Go to Start -> Run, and type notepad into the box.
    2. Press ok.
    3. Copy and paste the following code into notepad: Do not copy the word: CODE

    CODE
    Ren C:\windows\system32\config\system system.123
    Dir "C:\System Volume Information" /s >C:\log.txt
    Ren C:\windows\system32\config\system.123 system
    Del %0


    4. Go to File -> Save as then enter: ren.bat (save it as all files (*.*))
    5. Then.. Save it on the flash drive. Do NOT save this file on the working computer.
    6. After that insert the flash drive into the infected computer before booting the system.
    7. Once booted with OTLPE, go to Start -> My Computer, then go to your flash drive, copy the batch file to the desktop and double-click it to run it.
    8. Then open C:\log.txt and copy and paste it back here as a reply to this post.
Note: You may have to copy and paste the log into the flash drive so you can post it back here.

Let me know if you run into any problems.

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer



EDIT: Added the Warning!

Edited by Net_Surfer, 02 March 2010 - 12:36 PM.
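Added example, not part of Net_Surfer's instructions: a Python reader for the C:\log.txt that the batch above writes. It walks the `dir /s` output, keeps only the RPnnn\snapshot folders, and reports the restore points whose snapshot holds all five hives the second batch needs, then emits the matching Copy lines. The listing is constructed here (the thread's _restore{...} path, invented dates and sizes, in the dd/MM/yyyy format the machine's locale uses).

```python
import re
from collections import defaultdict

# The five snapshot files a restore point must hold for the hive-replacement
# batch in this thread (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT).
REQUIRED_HIVES = (
    "_REGISTRY_MACHINE_SAM",
    "_REGISTRY_MACHINE_SECURITY",
    "_REGISTRY_MACHINE_SOFTWARE",
    "_REGISTRY_MACHINE_SYSTEM",
    "_REGISTRY_USER_.DEFAULT",
)

# " Directory of <path>" header that `dir /s` prints before each folder.
DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# Folder header of an RPnnn\snapshot directory: captures _restore{GUID} and nnn.
SNAPSHOT_DIR = re.compile(r"\\(_restore\{[0-9A-Fa-f-]+\})\\RP(\d+)\\snapshot$", re.IGNORECASE)
# File entry: date, time (12- or 24-hour), size with separators, name.
# <DIR> entries and the "n File(s)" summary lines do not match this.
FILE_LINE = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}(?:\s*[AP]M)?\s+([\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text):
    """Return (restore_dir, {rp_number: {file_name: size}}) from `dir /s` output."""
    restore_dir, current_rp = None, None
    snapshots = defaultdict(dict)
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            snap = SNAPSHOT_DIR.search(header.group(1))
            current_rp = int(snap.group(2)) if snap else None
            restore_dir = snap.group(1) if snap else restore_dir
            continue
        entry = FILE_LINE.match(line) if current_rp is not None else None
        if entry:
            snapshots[current_rp][entry.group(2)] = int(entry.group(1).replace(",", ""))
    return restore_dir, dict(snapshots)


def complete_restore_points(snapshots):
    """Restore points whose snapshot has every required hive with a non-zero size."""
    return sorted(rp for rp, files in snapshots.items()
                  if all(files.get(hive, 0) > 0 for hive in REQUIRED_HIVES))


def pick_restore_point(text):
    """Highest-numbered complete snapshot, or None when no restore point is usable."""
    complete = complete_restore_points(parse_dir_listing(text)[1])
    return complete[-1] if complete else None


def hive_copy_commands(restore_dir, rp):
    """The Copy lines of the thread's second batch, for the chosen restore point."""
    base = "\\".join([r"C:\System Volume Information", restore_dir, f"RP{rp}", "snapshot"])
    return [f'Copy "{base}\\{hive}" C:\\' for hive in REQUIRED_HIVES]


# Constructed log.txt excerpt (the thread's _restore{...} path, invented dates and
# sizes): RP187 lacks the SYSTEM hive, RP189 has an empty one, RP188 is complete.
SAMPLE_LOG = r"""
 Directory of C:\System Volume Information

01/03/2010  11:20 PM    <DIR>          _restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}

 Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP187\snapshot

26/02/2010  09:10 AM            16,384 _REGISTRY_MACHINE_SAM
26/02/2010  09:10 AM            24,576 _REGISTRY_MACHINE_SECURITY
26/02/2010  09:10 AM        12,582,912 _REGISTRY_MACHINE_SOFTWARE
26/02/2010  09:10 AM           204,800 _REGISTRY_USER_.DEFAULT
               4 File(s)     12,828,672 bytes

 Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP188\snapshot

28/02/2010  07:42 PM            16,384 _REGISTRY_MACHINE_SAM
28/02/2010  07:42 PM            24,576 _REGISTRY_MACHINE_SECURITY
28/02/2010  07:42 PM        12,587,008 _REGISTRY_MACHINE_SOFTWARE
28/02/2010  07:42 PM         5,509,120 _REGISTRY_MACHINE_SYSTEM
28/02/2010  07:42 PM           204,800 _REGISTRY_USER_.DEFAULT
               5 File(s)     18,341,888 bytes

 Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\snapshot

01/03/2010  11:20 PM            16,384 _REGISTRY_MACHINE_SAM
01/03/2010  11:20 PM            24,576 _REGISTRY_MACHINE_SECURITY
01/03/2010  11:20 PM        12,587,008 _REGISTRY_MACHINE_SOFTWARE
01/03/2010  11:20 PM                 0 _REGISTRY_MACHINE_SYSTEM
01/03/2010  11:20 PM           204,800 _REGISTRY_USER_.DEFAULT
               5 File(s)     12,832,768 bytes
"""

if __name__ == "__main__":
    restore_dir, snapshots = parse_dir_listing(SAMPLE_LOG)
    print("complete restore points:", complete_restore_points(snapshots))
    for cmd in hive_copy_commands(restore_dir, pick_restore_point(SAMPLE_LOG)):
        print(cmd)
```

The highest-numbered complete snapshot is only a candidate: a restore point taken after the infection carries the infected registry too, so compare its date with when the trouble started before using it.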


#4 RhonB


Posted 02 March 2010 - 08:02 PM

Ok yay!!! Finally something that worked!!!

Here is the log.....it was too long and would not let me post it in the reply window....and no choices to attach files.
So I went to chat and somebody (Orange Blossom) helped me by moving this thread to a forum where I could attach the file.

PMing you the link to the new forum....

Let me know what you find out.

Thanks

RhonB

#5 Net_Surfer


Posted 03 March 2010 - 12:16 AM

Hello again RhonB,

Good job following those instructions.

Now we will try to run another batch file so we can put a good restore point onto the infected computer; then, if it works, I will ask you to run a scan with OTLPE.

Please carefully follow my next set of steps:

Step 1: we need to create a batch file and save it onto a flash drive to move information from the sick computer to a working computer. (Note that flash drives are often also called thumb drives, keychain drives, pendrives, etc.)

Important note: Ensure that you save it on the flash drive. Do NOT save this file on the working computer. You could accidentally run the file on that computer and damage its registry. This file will be run on the non-working computer after following the next set of instructions.


Using your clean working computer do the following:
    1. Go to Start -> Run, and type notepad into the box.
    2. Press ok.
    3. Copy and paste the following code into notepad: Do not copy the word: CODE

    CODE
    Ren C:\windows\system32\config\SYSTEM SYSTEM.123
    Ren C:\windows\system32\config\SAM SAM.123
    Ren C:\windows\system32\config\SECURITY SECURITY.123
    Ren C:\windows\system32\config\SOFTWARE SOFTWARE.123
    Ren C:\windows\system32\config\DEFAULT DEFAULT.123

    Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP188\snapshot\_REGISTRY_MACHINE_SAM" C:\
    Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP188\snapshot\_REGISTRY_MACHINE_SECURITY" C:\
    Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP188\snapshot\_REGISTRY_MACHINE_SOFTWARE" C:\
    Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP188\snapshot\_REGISTRY_MACHINE_SYSTEM" C:\
    Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP188\snapshot\_REGISTRY_USER_.DEFAULT" C:\


    Copy C:\_REGISTRY_MACHINE_SAM C:\windows\system32\config\SAM
    Copy C:\_REGISTRY_MACHINE_SECURITY C:\windows\system32\config\SECURITY
    Copy C:\_REGISTRY_MACHINE_SOFTWARE C:\windows\system32\config\SOFTWARE
    Copy C:\_REGISTRY_MACHINE_SYSTEM C:\windows\system32\config\SYSTEM
    Copy C:\_REGISTRY_USER_.DEFAULT C:\windows\system32\config\DEFAULT

    Del %0


    4. Go to File -> Save as then enter: ren.bat (save it as all files (*.*))
    5. Then.. Save it on the flash drive. Do NOT save this file on the working computer.
    6. After that insert the flash drive into the infected computer before booting the system.
    7. Once booted with OTLPE, go to Start -> My Computer, then go to your flash drive, copy the batch file to the desktop and double-click it to run it.
Note: After you have completed Step 1, reboot and follow Step 2.

Step 2: Ensure that you reboot and run an OTLPE scan as follows:
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use SafeList
  • Press Run Scan to start the scan.
  • When finished, the file will be saved as C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the C:\OTL.txt file in your reply.
Let me know if you run into any problems.

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer


Edited by Net_Surfer, 03 March 2010 - 12:31 AM.
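Added example (mine, not Net_Surfer's or OTLPE's code): a Python check of a registry hive file's base block, the kind of look you would take at the hive the boot error names and at a snapshot hive before copying it over the live one. It reads the documented regf header fields (signature, primary and secondary sequence numbers, version, file type, hive-bins size, XOR checksum) and flags a dirty, checksum-broken or truncated hive; the sample hives are constructed in the script and are header-only, not loadable hives.

```python
import struct

BASE_BLOCK_SIZE = 4096          # the regf base block is one 4 KiB page
REGF_SIGNATURE = b"regf"
CHECKSUM_OFFSET = 0x1FC


def regf_checksum(block):
    """XOR of the 127 little-endian DWORDs before the checksum field, with the two
    reserved results remapped as Windows does (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1


def inspect_hive(data):
    """Check a hive file image. 'ok' is True only when the base block is internally
    consistent and the hive bins it declares actually fit inside the file."""
    findings = {"ok": False, "problems": []}
    if len(data) < BASE_BLOCK_SIZE:
        findings["problems"].append("file shorter than the 4096-byte base block")
        return findings
    block = data[:BASE_BLOCK_SIZE]
    if block[:4] != REGF_SIGNATURE:
        findings["problems"].append("missing 'regf' signature")
        return findings
    primary, secondary = struct.unpack_from("<II", block, 4)
    major, minor, file_type = struct.unpack_from("<III", block, 20)
    hbins_size = struct.unpack_from("<I", block, 40)[0]
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    # 64-byte UTF-16LE hive name at offset 48, NUL padded
    name = block[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    findings.update(primary_seq=primary, secondary_seq=secondary,
                    version=(major, minor), name=name)
    if primary != secondary:
        findings["problems"].append("sequence numbers differ: last write never completed (dirty hive)")
    if regf_checksum(block) != stored:
        findings["problems"].append("base block checksum mismatch")
    if file_type != 0:
        findings["problems"].append(f"not a primary hive file (type {file_type})")
    if hbins_size % BASE_BLOCK_SIZE or len(data) < BASE_BLOCK_SIZE + hbins_size:
        findings["problems"].append("declared hive bins do not fit in the file (truncated?)")
    findings["ok"] = not findings["problems"]
    return findings


def build_hive(name, primary_seq=7, secondary_seq=7, hbins=1, truncate=0):
    """Constructed test hive: a regf base block plus `hbins` empty 4 KiB hive bins,
    optionally cut `truncate` bytes short. Header only, not a loadable hive."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_SIGNATURE
    struct.pack_into("<II", block, 4, primary_seq, secondary_seq)
    struct.pack_into("<III", block, 20, 1, 3, 0)           # major 1, minor 3, primary file
    struct.pack_into("<III", block, 32, 1, 0x20, hbins * BASE_BLOCK_SIZE)  # format, root cell, hbins size
    struct.pack_into("<I", block, 44, 1)                   # clustering factor
    block[48:112] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(block))
    data = bytes(block) + b"\x00" * (hbins * BASE_BLOCK_SIZE)
    return data[:len(data) - truncate] if truncate else data


if __name__ == "__main__":
    for label, hive in [("good", build_hive("SYSTEM")),
                        ("dirty", build_hive("SYSTEM", primary_seq=8)),
                        ("truncated", build_hive("SYSTEM", hbins=2, truncate=100))]:
        print(label, inspect_hive(hive))
```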


#6 RhonB


Posted 03 March 2010 - 01:15 AM

There ya go.....the first log... OTL.txt :-)

And I was able to reboot normally from the computer...no error messages!! :-) :-)

Will send extras.txt in next post

#7 RhonB


Posted 03 March 2010 - 01:18 AM

OTL Extras logfile created on: 3/3/2010 12:55:24 AM - Run
OTLPE by OldTimer - Version 3.1.30.3 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.13)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 827.00 Mb Available Physical Memory | 82.00% Memory free
902.00 Mb Paging File | 844.00 Mb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 109.21 Gb Total Space | 80.35 Gb Free Space | 73.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 429.26 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\System32\ieframe.dll (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- rundll32.exe C:\WINDOWS\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 
"FirewallDisableNotify" = 
"UpdatesDisableNotify" = 
"FirstRunDisabled" = 
"AntiVirusOverride" = 
"FirewallOverride" = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"80:TCP" = 80:TCP:*:Enabled:webserver
"53:TCP" = 53:TCP:*:Enabled:webserver
"8085:TCP" = 8085:TCP:*:Enabled:fio32

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Dell\MediaDirect\PCMService.exe" = C:\Program Files\Dell\MediaDirect\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program -- (CyberLink Corp.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Kazaa\kazaa.exe" = C:\Program Files\Kazaa\kazaa.exe:*:Enabled:Kazaa -- File not found
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Corel\WordPerfect MAIL\Programs\bin\WPMail.exe" = C:\Program Files\Corel\WordPerfect MAIL\Programs\bin\WPMail.exe:*:Enabled:WordPerfect MAIL for Windows -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{DCDAB2ED-5741-4C30-A1A4-0FCB8A529001}" = WordPerfect Office X4
"{000AB2ED-5741-4C30-A1A4-0FCB8A529000}" = WordPerfect Office X4
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{16B6279B-9FF5-41fb-8BF9-404324F5DD1F}}_is1" = Media Access Startup
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18472E28-FCA0-421F-BDAC-AC65012E29F2}" = ArcSoft MediaImpression
"{1DF03ECE-6AF4-414E-B118-C316F151A9A2}" = Corel WordPerfect Office - iFilter
"{1FB52AB3-5987-45a2-85E0-F3EC30DDDC29}}_is1" = Internet Saving Optimizer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23A287DB-449A-462F-BDE1-8635A61671CE}" = Kiwee Toolbar
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{459E93B6-150E-45d5-8D4B-45C66FC035FE}" = getPlus® Download Manager for Corel
"{4873CC58-69D8-490D-9E5C-001DC2EE2000}" = WordPerfect Lightning
"{4873CC58-69D8-490D-9E5C-001DC2EE2010}" = WordPerfect Lightning - Messages
"{4873CC58-69D8-490D-9E5C-001DC2EE2020}" = WordPerfect Lightning - IPM
"{4873CC58-69D8-490D-9E5C-001DC2EE2100}" = WordPerfect Lightning - EN
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4D3C9F4B-4B7D-4E5D-99B9-0123AB0D51ED}" = Dell DataSafe Online
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77C71BFE-2598-4DB5-8F7C-0CF81A16DA40}" = ArcSoft MediaImpression
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8C5FAD77-F678-4758-A296-C12F08D179E0}" = Microsoft IntelliPoint 6.2
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{9FD81537-F8EC-41DB-BBEB-3FCFD70BB186}" = USB2.0 UVC VGA
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B26CAA68-6EBF-4A30-A0F0-0A0BFE3DA5DD}" = RD Platinum v5.0
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C5096216-7703-409E-B85A-8A6EE7395128}}_is1" = System Search Dispatcher
"{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1B5E9C8-4CCF-44E3-87D6-7C00D7DA5370}" = IntelliSonic Speech Enhancement
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529001}" = WordPerfect Office X4 - ICA
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529010}" = WordPerfect Office X4 - Common
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529011}" = WordPerfect Office X4 - WP
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529012}" = WordPerfect Office X4 - QP
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529013}" = WordPerfect Office X4 - PR
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529014}" = WordPerfect Office X4 - Content
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529016}" = WordPerfect Office X4 - Skins
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529017}" = WordPerfect Office X4 - Filters
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529018}" = WordPerfect Office X4 - Graphics
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529023}" = WordPerfect Office X4 - System
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529030}" = WordPerfect Office X4 - Migration Manager
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529040}" = WordPerfect Office X4 - IPM
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529046}" = WordPerfect Office X4 - IPM T EN
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529050}" = WordPerfect Office X4 - PerfectExperts
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529080}" = WordPerfect Office X4 - MAIL
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529100}" = WordPerfect Office X4 - EN
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F6EE49FD-B736-4888-A05A-115F3B1160FA}" = WordPerfect Lightning - MSOM
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"alotToolbar" = ALOT Toolbar
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Control-Center" = Control-Center
"Google Desktop" = Google Desktop
"GoToAssist" = GoToAssist 8.0.0.514
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"LimeWire" = LimeWire 5.2.13
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"MyWebSearch bar Uninstall" = My Web Search (Smiley Central)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SearchAssist" = SearchAssist
"Spyware Doctor" = Spyware Doctor 6.1
"VisualTool" = VisualTool
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\Brenda_Brown_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"PersonalSec" = Personal Security

< End of report >


#8 RhonB


Posted 03 March 2010 - 02:18 AM

Ok, the computer booted up but had so many viruses I had to run exeHelper & rkill...below are the logs.

I am running Malwarebytes now and will tell you how that went...tomorrow


exeHelper by Raktor
Build 20091220
Run at 02:06:41 on 03/03/10
Now searching...
Checking for numerical processes...
Killed numerical process 24823726
Deleting file C:\Documents and Settings\All Users\Application Data\24823726\24823726.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24823726
Deleting file C:\Documents and Settings\All Users\Application Data\19434324\19434324.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19434324
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\win32extension.dll
Deleting file C:\Documents and Settings\Brenda Brown\Desktop\Security Tool.lnk
Deleting file C:\Documents and Settings\Brenda Brown\Start Menu\Programs\Security Tool.lnk
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091220
Run at 02:17:32 on 03/03/10
Now searching...
Checking for numerical processes...


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Brenda Brown on 03/03/2010 at 2:11:17.


Processes terminated by Rkill or while it was running:


C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Documents and Settings\Brenda Brown\Desktop\rkill.pif
C:\Program Files\Dell\QuickSet\brightness.exe
C:\windows\ld16.exe
C:\windows\freddy81.exe
C:\windows\pp14.exe


Rkill completed on 03/03/2010 at 2:11:49.
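The exeHelper log above reports two checks by name, "numerical processes" and "userinit and shell values"; the following is an added triage script that re-implements those heuristics over startup entries written in the DDS pseudo-HJT style that appears later in this thread. It is example code for this thread, not code from exeHelper, Rkill or DDS; the sample log lines are constructed to mirror entries posted here.

```python
"""Startup-entry triage in the spirit of the exeHelper and DDS logs.

Heuristics implemented (added example, not any tool's own code):
  * numerical-process: a Run value, executable stem or executable folder
    whose name is only digits (the pattern behind the 24823726 entry).
  * winlogon-*-hijack: Winlogon Shell must be explorer.exe and Userinit
    must be the single system32\\userinit.exe entry.
  * hosts-redirect: DDS only prints hosts entries that diverge from the
    default file, so every listed entry deserves a look.
"""
import re
from dataclasses import dataclass

# Constructed sample in DDS "Pseudo HJT Report" style (uRun = HKCU Run,
# mRun = HKLM Run); the entries mirror the ones posted in this thread.
SAMPLE_LOG = "\n".join([
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"uRun: [ccagent.exe] c:\documents and settings\brenda brown\application data\control-center\ccagent.exe",
    r"mRun: [24823726] c:\documents and settings\all users\application data\24823726\24823726.exe",
    r'mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe" /quiet',
    r"uWinlogon: Shell=c:\documents and settings\brenda brown\application data\control-center\ccmain.exe",
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,",
    r"Hosts: 85.13.206.114 uuu20091124.info",
])

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
WINLOGON_RE = re.compile(r"^[um]Winlogon: (?P<value>Shell|Userinit)=(?P<data>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")


@dataclass
class Finding:
    rule: str
    detail: str
    line: str


def exe_path(cmd: str) -> str:
    """Return the executable portion of a Run command, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|scr|pif|com|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def check_run(name: str, cmd: str, line: str):
    path = exe_path(cmd)
    parts = path.lower().replace("/", "\\").split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    parent = parts[-2] if len(parts) > 1 else ""
    if name.isdigit() or stem.isdigit() or parent.isdigit():
        return Finding("numerical-process", f"[{name}] -> {path}", line)
    if "\\application data\\" in path.lower():
        # Legitimate software rarely autostarts from a profile's Application
        # Data folder; lower confidence than the all-digits check.
        return Finding("run-from-appdata", f"[{name}] -> {path}", line)
    return None


def check_winlogon(value: str, data: str, line: str):
    entries = [e.strip().lower() for e in data.split(",") if e.strip()]
    if value == "Shell":
        ok = entries == ["explorer.exe"]
    else:  # Userinit: exactly one entry, the real system32\userinit.exe
        ok = len(entries) == 1 and entries[0].endswith("\\system32\\userinit.exe")
    return None if ok else Finding(f"winlogon-{value.lower()}-hijack", data, line)


def triage(log_text: str) -> list:
    """Run every heuristic over the log and return the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            f = check_run(m["name"], m["cmd"], line)
        elif m := WINLOGON_RE.match(line):
            f = check_winlogon(m["value"], m["data"], line)
        elif m := HOSTS_RE.match(line):
            f = Finding("hosts-redirect", f"{m['host']} -> {m['ip']}", line)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.detail}")
```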

#9 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:32 PM

Posted 03 March 2010 - 03:44 AM

Hello again RhonB,

Welcome to Bleeping Computer's Virus, Trojan, Spyware, and Malware Removal Logs Forum, since this topic was moved from the AII forum.

Good job following the instructions I gave you over at the BleepingComputer live IRC chat channel. I understand how annoying it is to have all those pop-up windows jumping all over your desktop; most of them were rogue programs giving you fake window messages, and I am glad you did not click on any of them and were able to run those tools to ease the fixing, so we can now run other tools with no problem.

My nick is Net_Surfer and I'll be glad to help you with your computer problems. I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts.
Please be courteous and appreciative for the assistance provided!



Please take note of the following which will make our fix go more smoothly:
    1. The cleaning process is not instant. Very seldom can we remove the entire infection in one go. Many of today's infections install other infections and for the most part they do not like to go quietly. Please continue to review my answers until I tell you your machine is clean. Just because a symptom "disappears" does not mean your system is clean.
    2. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.
    3. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post. Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
    4. If you are running P2P file-sharing program(s), my recommendation is you uninstall it/them.
    5. Do NOT run any extra scans or fix programs not requested by me as it could change the results in the reports I request.
    6. If there's anything that you don't understand, stop and ask your question(s) before proceeding with the fixes.
    7. The forum is busy and we need to have replies as soon as possible. After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you have circumstances that you are aware of that will delay your response, then please let me know. This is to ensure that your topic remains open and I don't close it to start a new post.
NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.
Please reply using the button in the lower right hand corner of your screen. Do not start a new topic.
If you can do these things, everything should go smoothly.


Since you were now able to boot the infected computer into normal mode and had run exe.helper and rkill.exe plus MBAM, I would like you to run these other tools; as your situation may have changed, just ensure you run them after MBAM has finished the scan.

============****============


OK RhonB... let's do the following:

If you can not download and run the following tools, then I would like for you to try another approach:

If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
Be sure you put them on the desktop of the infected computer.


We need to see some additional information about what is happening in your machine.

Step 1: Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    o DDS.scr
    o DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.

  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Step 2: We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create a GMER log and copy and paste back here as reply. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


After you post the logs back here I will need a bit of time to review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

In the meantime, please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on, as it might prolong handling your log and make the job for both of us more difficult.

Note that reviewing your log(s) requires an amount of research, so please be patient.

Thanks and again sorry for the delay.

Kind regards
Net_Surfer




#10 RhonB

RhonB
  • Topic Starter

  • Members
  • 729 posts
  • OFFLINE
  • Gender:Female
  • Location:Ontario, Canada
  • Local time:03:32 PM

Posted 03 March 2010 - 12:55 PM

Hi Net Surfer,

Ok, so as I posted late last night, I was able to finally get the exe.helper & rkill on the infected computer and ran them.... thank goodness the pop-ups stopped, so I ran Malwarebytes and it found 1010 infected files... (OMG).
I clicked to remove them but some of them required re-start to delete. But when the computer was shutting down it automatically ran windows updates. I re-started to make sure that the updates did not cause us to not be able to reboot again, but all was fine. I tried to find my network again to see if I would be able to get an internet connection and this time it found it and connected. I did not open any browser, I just shut the machine down for the day.

When I get home from work this evening, I will do the next steps you posted but I have a question.
Seeing as this computer has no anti-virus protection on it, is it not risky for me to go get the tools you requested?
Should I install the anti-virus (I will be using Microsoft Security Essentials) before I do that?
Please let me know before I start your steps. Once I do these steps I will post the logs for you.

Also, I wanted to let you know that I ran Malwarebytes on my machine as well (the clean one) and it found 0 infected files, so I am not sure what caused my machine to shut down suddenly like that... it happened twice last night. Any thoughts? And... just reminding you that I will need the steps for disinfecting my flash drive please.

Thanks for all the great help so far...You're Awesome!!!!

RhonB



#11 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:32 PM

Posted 03 March 2010 - 09:08 PM

Hi RhonB,

Glad that I can help.

The links I gave you to download those tools are safe to click on, so do not worry about that.

Here are the links to some free antivirus sites, but I would prefer for you to wait to install any at this time, at least until after we run the ComboFix tool on our next round; antivirus can interfere with the running of our tools, and that machine was pretty well infected judging by the last logs you posted.

EXE.Helper and Rkill plus MBAM will get most of those rogue programs so we can run ComboFix next.
---------------------***-----------------------

Here are the links to the programs you requested but wait for the install of an antivirus.

Please run Flash Disinfector on the infected machine and on your clean one also, as it was compromised!!!


Your system is infected with a Flash Drive infector

Warning: Any flash / jump drives you have connected to this system since your infection have been compromised by a flash drive infector.
We are going to run a tool as part of the following fix which will disinfect your machine, as well as clean any flash drives connected to the system.
It is advised you connect any flash drives that have been connected to this machine during this time frame to this system for the following fix, in order to disinfect them.

Please let owners of other machines to which you have connected any flash media or drives know that their machines may now be infected.

We need to remove the Flash Drive infector. What Flash Disinfector will do:

  • Clean up junk created by flash malware
  • Delete autorun.inf from every root folder
  • Fix damage done to your system
  • Create an autorun.inf folder in the root of your system drives

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.

The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.

Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For a free anti-virus, click on one of these links:

AVG 9 Free Edition


Some more links to free anti-virus programs (Note: choose only one)

Avira Avast (Mouse over Free Software in the upper right corner)

Here are some free firewalls: *PC Tool Firewall Plus or Zonealarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here

Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

*If you choose the PC Tools Firewall Plus and you are asked to install ThreatFire do not do so.

Regards
Net_Surfer
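The post above explains the flash-drive infector's mechanism (an autorun.inf file that launches something when the stick is plugged in) and the placeholder defence (an autorun.inf folder in each drive root). The script below is an added example for this thread, not sUBs' Flash_Disinfector and not a reproduction of its internals; it classifies a drive root by which of the two states it is in and applies the placeholder idea on a constructed temporary "drive".

```python
"""Inspect a drive root for the autorun.inf pattern described above.

An autorun.inf FILE whose [autorun] section launches a program is the
infector's foothold on systems where AutoRun is enabled for removable
drives; an autorun.inf FOLDER is the protective placeholder, because a
file cannot be created where a folder of the same name already exists.
Added example code, not Flash_Disinfector's own logic.
"""
from pathlib import Path
import tempfile

# [autorun] keys that make Windows run a program from the drive; everything
# else (icon, label) is cosmetic and harmless on its own.
LAUNCH_KEYS = {"open", "shellexecute"}


def autorun_targets(text: str) -> list:
    """Return the commands an autorun.inf would launch (empty if none).

    Hand-rolled rather than configparser because infector-written files
    often carry junk lines that a strict INI parser rejects.
    """
    section, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # "shell\<verb>\command=" keys hijack Explorer's Open/Explore verbs.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append(value)
    return hits


def inspect_root(root: Path) -> dict:
    """Classify <root>/autorun.inf as absent, protected, benign or suspicious."""
    target = Path(root) / "autorun.inf"
    if target.is_dir():
        return {"state": "protected", "launches": []}
    if not target.exists():
        return {"state": "absent", "launches": []}
    launches = autorun_targets(target.read_text(errors="replace"))
    return {"state": "suspicious" if launches else "benign", "launches": launches}


def protect_root(root: Path) -> dict:
    """Quarantine an autorun.inf file (rename, keep it as evidence) and leave
    a folder of that name behind, the placeholder idea the post attributes
    to Flash_Disinfector."""
    target = Path(root) / "autorun.inf"
    if target.is_file():
        target.rename(target.with_name("autorun.inf.quarantined"))
    target.mkdir(exist_ok=True)
    return inspect_root(root)


# Constructed sample of an infector's autorun.inf with an obviously fake
# dropper path; the icon line is noise the parser must skip.
SAMPLE_INFECTED = "\n".join([
    "[autorun]",
    "icon=%SystemRoot%\\system32\\shell32.dll,4",
    "open=hidden\\dropper.exe",
    "shell\\open\\command=hidden\\dropper.exe",
    "shell\\explore\\command=hidden\\dropper.exe",
])


def demo() -> list:
    """Walk one constructed drive root through absent -> infected -> protected."""
    root = Path(tempfile.mkdtemp())
    states = [inspect_root(root)["state"]]
    (root / "autorun.inf").write_text(SAMPLE_INFECTED)
    states.append(inspect_root(root)["state"])
    states.append(protect_root(root)["state"])
    return states


if __name__ == "__main__":
    print(demo())
```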

#12 RhonB

RhonB
  • Topic Starter

  • Members
  • 729 posts
  • OFFLINE
  • Gender:Female
  • Location:Ontario, Canada
  • Local time:03:32 PM

Posted 03 March 2010 - 10:01 PM

Oh my... it never ends huh?? Now both machines have been compromised by the flash drive?? Aarghhh
Ok, so when we do that? And...we are going to run Combofix? That one scares me!! But I know you will lead me through it...on chat I hope because last time it scared the crap out of me!! lol.

Ok, so I did not get your response in time and was afraid to open a browser without antivirus, so I used the flash drive to put the tools on the infected computer....

I have run DDS and will post the logs here....The GMER just finished running as I am typing this so I will include it in a next post.

Here are the DDS logs....



DDS (Ver_09-12-01.01) - NTFSx86
Run by Brenda Brown at 20:27:05.45 on 03/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.433 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\AGI\common\win32\PythonService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\PixArt\PAP7501\GUCI_AVS.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Kiwee Toolbar\2.9.201\kwtbaim.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Brenda Brown\Application Data\Control-Center\ccagent.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Brenda Brown\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.mywebsearch.com/index.jhtml?ptnrS=ZNxmk571YYCA&ptb=beX6TvRMFZ2G296W3hV63Q&n=77ce564f
uSearch Page = hxxp://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://ca.search.yahoo.com
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_ca?hl=en&client=dell-row&channel=ca-smb&ibd=2080425
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://ca.yahoo.com
mDefault_Search_URL = hxxp://ca.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ca.search.yahoo.com
mSearch Page = hxxp://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://ca.search.yahoo.com
mStart Page = hxxp://ca.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ca.search.yahoo.com
mSearchAssistant =
uURLSearchHooks: AGSearchHook Class: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - c:\program files\agi\common\agcutils.dll
uWinlogon: Shell=c:\documents and settings\brenda brown\application data\control-center\ccmain.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: &Security Update: {6551001f-a07b-40b1-8f55-b44bf35a42a6} - c:\windows\system32\win32extension.dll
BHO: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar\2.9.201\KiweeIEToolbar.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar\2.9.201\KiweeIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ccagent.exe] c:\documents and settings\brenda brown\application data\control-center\ccagent.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [PAP7501_Monitor] c:\windows\pixart\pap7501\GUCI_AVS.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [KiweeHook] "c:\program files\kiwee toolbar\2.9.201\kwtbaim.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office x4\programs\QFSCHD140.EXE"
StartupFolder: c:\docume~1\brenda~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Search
IE: Copy to &Lightning Note - c:\program files\corel\wordperfect lightning\programs\WPLightningCopyToNote.hta
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v54/wwspades/wwspades.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 85.13.206.114 uuu20091124.info
Hosts: 85.13.206.114 u07012010u.com

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-11 206256]
R2 AGWinService;AG Windows Service;c:\program files\agi\common\win32\pythonservice.exe [2009-11-10 10240]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-22 54752]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S3 EraserUtilDrv10920;EraserUtilDrv10920;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10920.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10920.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-25 30192]
S3 GUCI_AVS;USB2.0 UVC VGA;c:\windows\system32\drivers\GUCI_AVS.sys [2009-10-1 533888]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsauxs.exe --> c:\program files\spyware doctor\pctsAuxs.exe [?]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctssvc.exe --> c:\program files\spyware doctor\pctsSvc.exe [?]

=============== Created Last 30 ================

2010-03-03 07:15:24 0 d-----w- c:\docume~1\brenda~1\applic~1\Malwarebytes
2010-03-03 07:15:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 07:15:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-03 07:15:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 07:15:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-03 05:34:10 290816 ----a-w- C:\_REGISTRY_USER_.DEFAULT
2010-03-03 05:34:09 7651328 ----a-w- C:\_REGISTRY_MACHINE_SYSTEM
2010-03-03 05:34:09 22827008 ----a-w- C:\_REGISTRY_MACHINE_SOFTWARE
2010-03-03 05:34:08 49152 ----a-w- C:\_REGISTRY_MACHINE_SECURITY
2010-03-03 05:34:08 20480 ----a-w- C:\_REGISTRY_MACHINE_SAM
2010-02-07 01:02:23 40960 ----a-w- c:\windows\rdr_1265504542.exe
2010-02-07 01:02:21 75264 ----a-w- c:\windows\rdr_1265504540.exe
2010-02-07 01:02:19 23552 ----a-w- c:\windows\rdr_1265504538.exe
2010-02-07 01:02:18 59392 ----a-w- c:\windows\rdr_1265504537.exe
2010-02-07 01:02:17 104960 ----a-w- c:\windows\rdr_1265504535.exe
2010-02-07 01:01:59 59392 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2996.exe
2010-02-07 00:50:07 40960 ----a-w- c:\windows\rdr_1265503806.exe
2010-02-07 00:50:05 75264 ----a-w- c:\windows\rdr_1265503803.exe
2010-02-07 00:50:03 23552 ----a-w- c:\windows\rdr_1265503801.exe
2010-02-07 00:49:59 59392 ----a-w- c:\windows\rdr_1265503797.exe
2010-02-07 00:49:59 59392 ----a-w- c:\documents and settings\brenda brown\df1a245s4_1240.exe
2010-02-07 00:49:56 104960 ----a-w- c:\windows\rdr_1265503793.exe
2010-02-07 00:19:53 40960 ----a-w- c:\windows\rdr_1265501991.exe
2010-02-07 00:19:51 75264 ----a-w- c:\windows\rdr_1265501988.exe
2010-02-07 00:19:48 23552 ----a-w- c:\windows\rdr_1265501986.exe
2010-02-07 00:19:46 59392 ----a-w- c:\windows\rdr_1265501984.exe
2010-02-07 00:19:44 104960 ----a-w- c:\windows\rdr_1265501979.exe
2010-02-07 00:19:37 59392 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2688.exe
2010-02-07 00:11:35 40960 ----a-w- c:\windows\rdr_1265501492.exe
2010-02-07 00:11:31 75264 ----a-w- c:\windows\rdr_1265501488.exe
2010-02-07 00:11:28 23552 ----a-w- c:\windows\rdr_1265501486.exe
2010-02-07 00:11:25 59392 ----a-w- c:\windows\rdr_1265501482.exe
2010-02-07 00:11:22 104960 ----a-w- c:\windows\rdr_1265501477.exe
2010-02-07 00:11:19 59392 ----a-w- c:\documents and settings\brenda brown\df1a245s4_4092.exe
2010-02-06 14:36:44 32256 ----a-w- c:\windows\rdr_1265467000.exe
2010-02-06 14:36:40 75264 ----a-w- c:\windows\rdr_1265466995.exe
2010-02-06 14:36:35 23552 ----a-w- c:\windows\rdr_1265466992.exe
2010-02-06 14:36:30 55296 ----a-w- c:\windows\rdr_1265466986.exe
2010-02-06 14:36:26 104960 ----a-w- c:\windows\rdr_1265466980.exe
2010-02-06 14:36:22 55296 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2268.exe
2010-02-06 04:59:25 0 d-----w- c:\docume~1\brenda~1\applic~1\Control-Center
2010-02-05 01:41:26 32256 ----a-w- c:\windows\rdr_1265334085.exe
2010-02-05 01:41:24 75264 ----a-w- c:\windows\rdr_1265334083.exe
2010-02-05 01:41:23 23552 ----a-w- c:\windows\rdr_1265334082.exe
2010-02-05 01:41:22 55296 ----a-w- c:\windows\rdr_1265334080.exe
2010-02-05 01:41:20 104960 ----a-w- c:\windows\rdr_1265334076.exe
2010-02-05 01:40:57 55296 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2184.exe
2010-02-04 02:32:26 40960 ----a-w- c:\windows\rdr_1265250745.exe
2010-02-04 02:32:25 75264 ----a-w- c:\windows\rdr_1265250744.exe
2010-02-04 02:32:24 23552 ----a-w- c:\windows\rdr_1265250742.exe
2010-02-04 02:32:20 61440 ----a-w- c:\windows\rdr_1265250739.exe
2010-02-04 02:32:19 104960 ----a-w- c:\windows\rdr_1265250737.exe
2010-02-04 02:32:14 61440 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2116.exe
2010-02-02 05:22:17 40960 ----a-w- c:\windows\rdr_1265088136.exe
2010-02-02 05:22:16 75264 ----a-w- c:\windows\rdr_1265088135.exe
2010-02-02 05:22:13 62464 ----a-w- c:\windows\rdr_1265088132.exe
2010-02-02 05:22:12 103424 ----a-w- c:\windows\rdr_1265088131.exe
2010-02-02 05:22:02 62464 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2248.exe

==================== Find3M ====================

2010-03-03 07:49:09 277784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-31 15:52:20 22528 ----a-w- c:\windows\rdr_1264953139.exe
2010-01-31 15:52:19 6656 ----a-w- c:\windows\rdr_1264953138.exe
2010-01-31 15:52:18 14848 ----a-w- c:\windows\rdr_1264953137.exe
2010-01-31 15:52:17 56832 ----a-w- c:\windows\rdr_1264953136.exe
2010-01-31 15:52:16 110592 ----a-w- c:\windows\rdr_1264953133.exe
2010-01-31 15:51:51 56832 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2180.exe
2010-01-30 19:41:40 44032 ----a-w- c:\windows\rdr_1264880495.exe
2010-01-30 19:41:35 75264 ----a-w- c:\windows\rdr_1264880489.exe
2010-01-30 19:41:29 22528 ----a-w- c:\windows\rdr_1264880485.exe
2010-01-30 19:41:25 61952 ----a-w- c:\windows\rdr_1264880480.exe
2010-01-30 19:41:19 103936 ----a-w- c:\windows\rdr_1264880472.exe
2010-01-30 19:40:51 61952 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2024.exe
2010-01-30 07:20:37 44032 ----a-w- c:\windows\rdr_1264836033.exe
2010-01-30 07:20:33 75264 ----a-w- c:\windows\rdr_1264836030.exe
2010-01-30 07:20:30 22528 ----a-w- c:\windows\rdr_1264836028.exe
2010-01-30 07:20:28 61952 ----a-w- c:\documents and settings\brenda brown\df1a245s4_220.exe
2010-01-30 07:20:27 61952 ----a-w- c:\windows\rdr_1264836024.exe
2010-01-30 07:20:23 103936 ----a-w- c:\windows\rdr_1264836019.exe
2010-01-30 04:15:13 44032 ----a-w- c:\windows\rdr_1264824912.exe
2010-01-30 04:15:12 75264 ----a-w- c:\windows\rdr_1264824910.exe
2010-01-30 04:15:10 22528 ----a-w- c:\windows\rdr_1264824909.exe
2010-01-30 04:15:09 61952 ----a-w- c:\windows\rdr_1264824908.exe
2010-01-30 04:15:07 103936 ----a-w- c:\windows\rdr_1264824905.exe
2010-01-30 04:14:39 61952 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2328.exe
2010-01-30 04:07:53 22528 ----a-w- c:\windows\rdr_1264824472.exe
2010-01-30 04:07:52 6656 ----a-w- c:\windows\rdr_1264824471.exe
2010-01-30 04:07:51 14848 ----a-w- c:\windows\rdr_1264824469.exe
2010-01-30 04:07:49 61952 ----a-w- c:\windows\rdr_1264824467.exe
2010-01-30 04:07:47 103936 ----a-w- c:\windows\rdr_1264824465.exe
2010-01-30 04:07:27 61952 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2372.exe
2010-01-29 18:54:01 22528 ----a-w- c:\windows\rdr_1264791238.exe
2010-01-29 18:53:58 6656 ----a-w- c:\windows\rdr_1264791236.exe
2010-01-29 18:53:56 61952 ----a-w- c:\windows\rdr_1264791232.exe
2010-01-29 18:53:51 103936 ----a-w- c:\windows\rdr_1264791225.exe
2010-01-29 18:53:44 61952 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2164.exe
2010-01-29 07:19:28 22528 ----a-w- c:\windows\rdr_1264749567.exe
2010-01-29 07:19:26 6656 ----a-w- c:\windows\rdr_1264749566.exe
2010-01-29 07:19:26 61952 ----a-w- c:\windows\rdr_1264749564.exe
2010-01-29 07:19:24 103936 ----a-w- c:\windows\rdr_1264749562.exe
2010-01-29 07:18:53 61952 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2376.exe
2010-01-29 04:37:50 22528 ----a-w- c:\windows\rdr_1264739869.exe
2010-01-29 04:37:49 6656 ----a-w- c:\windows\rdr_1264739867.exe
2010-01-29 04:37:47 14848 ----a-w- c:\windows\rdr_1264739866.exe
2010-01-29 04:37:45 61952 ----a-w- c:\windows\rdr_1264739863.exe
2010-01-29 04:37:44 61952 ----a-w- c:\documents and settings\brenda brown\df1a245s4_564.exe
2010-01-29 04:37:43 103936 ----a-w- c:\windows\rdr_1264739860.exe
2010-01-29 04:23:16 23268 ----a-w- c:\windows\rdr_1264738856.exe
2010-01-29 04:20:56 4748 ----a-w- c:\windows\rdr_1264738782.exe
2010-01-29 04:13:16 29570 ----a-w- c:\windows\rdr_1264738232.exe
2010-01-29 04:10:40 61952 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2204.exe
2010-01-28 05:00:02 39936 ----a-w- c:\windows\rdr_1264654800.exe
2010-01-28 05:00:00 75264 ----a-w- c:\windows\rdr_1264654798.exe
2010-01-28 04:59:58 22528 ----a-w- c:\windows\rdr_1264654797.exe
2010-01-28 04:59:57 60928 ----a-w- c:\windows\rdr_1264654795.exe
2010-01-28 04:59:55 106496 ----a-w- c:\windows\rdr_1264654793.exe
2010-01-28 04:59:29 60928 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2468.exe
2010-01-27 17:02:26 31744 ----a-w- c:\windows\rdr_1264611744.exe
2010-01-27 17:02:24 75264 ----a-w- c:\windows\rdr_1264611742.exe
2010-01-27 17:02:22 22528 ----a-w- c:\windows\rdr_1264611741.exe
2010-01-27 17:02:20 54784 ----a-w- c:\windows\rdr_1264611739.exe
2010-01-27 17:02:19 106496 ----a-w- c:\windows\rdr_1264611735.exe
2010-01-27 17:02:08 54784 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2324.exe
2010-01-27 05:23:47 31744 ----a-w- c:\windows\rdr_1264569825.exe
2010-01-27 05:23:45 75264 ----a-w- c:\windows\rdr_1264569823.exe
2010-01-27 05:23:43 22528 ----a-w- c:\windows\rdr_1264569822.exe
2010-01-27 05:23:42 54784 ----a-w- c:\windows\rdr_1264569820.exe
2010-01-27 05:23:42 54784 ----a-w- c:\documents and settings\brenda brown\df1a245s4_1904.exe
2010-01-27 05:23:40 106496 ----a-w- c:\windows\rdr_1264569818.exe
2010-01-27 02:50:11 54784 ----a-w- c:\documents and settings\brenda brown\df1a245s4_1820.exe
2010-01-26 22:44:15 31744 ----a-w- c:\windows\rdr_1264545854.exe
2010-01-26 22:44:14 75264 ----a-w- c:\windows\rdr_1264545852.exe
2010-01-26 22:44:11 54784 ----a-w- c:\windows\rdr_1264545849.exe
2010-01-26 22:44:09 106496 ----a-w- c:\windows\rdr_1264545847.exe
2010-01-26 22:43:41 0 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2304.exe
2010-01-26 21:25:28 31744 ----a-w- c:\windows\rdr_1264541127.exe
2010-01-26 21:25:27 75264 ----a-w- c:\windows\rdr_1264541125.exe
2010-01-26 21:25:25 22528 ----a-w- c:\windows\rdr_1264541123.exe
2010-01-26 21:25:23 54784 ----a-w- c:\windows\rdr_1264541121.exe
2010-01-26 21:25:21 106496 ----a-w- c:\windows\rdr_1264541119.exe
2010-01-26 21:24:59 54784 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2412.exe
2010-01-26 21:04:47 31744 ----a-w- c:\windows\rdr_1264539885.exe
2010-01-26 21:04:45 75264 ----a-w- c:\windows\rdr_1264539883.exe
2010-01-26 21:04:43 22528 ----a-w- c:\windows\rdr_1264539881.exe
2010-01-26 21:04:41 54784 ----a-w- c:\windows\rdr_1264539878.exe
2010-01-26 21:04:38 106496 ----a-w- c:\windows\rdr_1264539870.exe
2010-01-26 21:04:30 54784 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2312.exe
2010-01-26 05:08:46 39936 ----a-w- c:\windows\rdr_1264482525.exe
2010-01-26 05:08:45 75264 ----a-w- c:\windows\rdr_1264482522.exe
2010-01-26 05:08:42 22528 ----a-w- c:\windows\rdr_1264482521.exe
2010-01-26 05:08:38 106496 ----a-w- c:\windows\rdr_1264482516.exe
2010-01-26 02:35:04 39936 ----a-w- c:\windows\rdr_1264473303.exe
2010-01-26 02:35:02 75264 ----a-w- c:\windows\rdr_1264473300.exe
2010-01-26 02:35:00 22528 ----a-w- c:\windows\rdr_1264473298.exe
2010-01-26 02:34:54 106496 ----a-w- c:\windows\rdr_1264473287.exe
2010-01-26 02:25:45 39936 ----a-w- c:\windows\rdr_1264472738.exe
2010-01-26 02:25:38 75264 ----a-w- c:\windows\rdr_1264472729.exe
2010-01-26 02:25:29 22528 ----a-w- c:\windows\rdr_1264472723.exe
2010-01-26 02:25:14 106496 ----a-w- c:\windows\rdr_1264472704.exe
2010-01-25 04:38:56 75264 ----a-w- c:\windows\rdr_1264394334.exe

============= FINISH: 20:28:22.68 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 01/09/2008 4:56:43 PM
System Uptime: 03/03/2010 5:59:12 PM (3 hours ago)

Motherboard: Dell Inc. | | 0TT347
Processor: Intel Pentium II processor | Microprocessor | 1861/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 109 GiB total, 80.172 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP139: 05/12/2009 2:07:17 AM - System Checkpoint
RP140: 06/12/2009 3:29:28 AM - System Checkpoint
RP141: 07/12/2009 6:38:46 AM - System Checkpoint
RP142: 08/12/2009 6:52:49 AM - System Checkpoint
RP143: 09/12/2009 12:00:18 AM - Software Distribution Service 3.0
RP144: 10/12/2009 12:05:01 AM - System Checkpoint
RP145: 12/12/2009 1:04:42 AM - System Checkpoint
RP146: 13/12/2009 1:24:04 AM - System Checkpoint
RP147: 15/12/2009 12:25:33 AM - System Checkpoint
RP148: 17/12/2009 1:16:23 AM - Removed QUAD RegistryCleaner
RP149: 20/12/2009 12:12:03 AM - System Checkpoint
RP150: 21/12/2009 1:59:33 AM - System Checkpoint
RP151: 22/12/2009 1:59:56 AM - System Checkpoint
RP152: 23/12/2009 2:20:04 AM - System Checkpoint
RP153: 24/12/2009 3:13:49 AM - System Checkpoint
RP154: 25/12/2009 4:13:48 AM - System Checkpoint
RP155: 26/12/2009 7:40:33 PM - System Checkpoint
RP156: 27/12/2009 8:36:36 PM - System Checkpoint
RP157: 28/12/2009 8:40:24 PM - System Checkpoint
RP158: 29/12/2009 9:28:23 PM - System Checkpoint
RP159: 31/12/2009 3:17:34 AM - System Checkpoint
RP160: 01/01/2010 4:00:07 AM - System Checkpoint
RP161: 02/01/2010 5:00:07 AM - System Checkpoint
RP162: 03/01/2010 2:28:09 PM - System Checkpoint
RP163: 04/01/2010 3:22:54 PM - System Checkpoint
RP164: 05/01/2010 8:36:51 PM - System Checkpoint
RP165: 06/01/2010 11:34:22 PM - System Checkpoint
RP166: 08/01/2010 12:23:35 AM - System Checkpoint
RP167: 09/01/2010 12:53:50 AM - System Checkpoint
RP168: 10/01/2010 1:15:43 AM - System Checkpoint
RP169: 11/01/2010 11:42:56 PM - System Checkpoint
RP170: 13/01/2010 12:54:50 AM - System Checkpoint
RP171: 14/01/2010 12:00:14 AM - Software Distribution Service 3.0
RP172: 15/01/2010 12:29:16 AM - System Checkpoint
RP173: 16/01/2010 1:07:00 AM - Software Distribution Service 3.0
RP174: 17/01/2010 2:41:14 AM - System Checkpoint
RP175: 18/01/2010 3:32:14 AM - System Checkpoint
RP176: 19/01/2010 11:27:44 AM - System Checkpoint
RP177: 20/01/2010 12:00:14 AM - Software Distribution Service 3.0
RP178: 21/01/2010 2:10:20 AM - System Checkpoint
RP179: 22/01/2010 3:40:29 AM - System Checkpoint
RP180: 23/01/2010 12:00:13 AM - Software Distribution Service 3.0
RP181: 24/01/2010 1:08:18 AM - System Checkpoint
RP182: 25/01/2010 8:27:22 PM - System Checkpoint
RP183: 27/01/2010 3:07:41 AM - System Checkpoint
RP184: 28/01/2010 4:12:22 AM - System Checkpoint
RP185: 31/01/2010 11:16:18 AM - System Checkpoint
RP186: 02/02/2010 12:45:54 AM - System Checkpoint
RP187: 03/02/2010 9:02:56 PM - System Checkpoint
RP188: 06/02/2010 2:02:34 AM - System Checkpoint
RP189: 03/03/2010 2:50:57 AM - System Checkpoint
RP190: 03/03/2010 7:40:53 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
ALOT Toolbar
ArcSoft MediaImpression
Broadcom Management Programs
Browser Address Error Redirector
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Control-Center
Corel WordPerfect Office - iFilter
Critical Update for Windows Media Player 11 (KB959772)
Dell DataSafe Online
Dell Support Center (Support Software)
Dell Touchpad
Dell Wireless WLAN Card
Digital Line Detect
getPlus® Download Manager for Corel
Google Desktop
Google Toolbar for Internet Explorer
GoToAssist 8.0.0.514
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel® Graphics Media Accelerator Driver
IntelliSonic Speech Enhancement
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 15
Junk Mail filter update
Kiwee Toolbar
LimeWire 5.2.13
Malwarebytes' Anti-Malware
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Modem Diagnostic Tool
MSN
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
QuickSet
SearchAssist
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Spyware Doctor 6.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 UVC VGA
VisualTool
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Lightning
WordPerfect Lightning - EN
WordPerfect Lightning - IPM
WordPerfect Lightning - Messages
WordPerfect Lightning - MSOM
WordPerfect Office X4
WordPerfect Office X4 - Common
WordPerfect Office X4 - Content
WordPerfect Office X4 - EN
WordPerfect Office X4 - Filters
WordPerfect Office X4 - Graphics
WordPerfect Office X4 - ICA
WordPerfect Office X4 - IPM
WordPerfect Office X4 - IPM T EN
WordPerfect Office X4 - MAIL
WordPerfect Office X4 - Migration Manager
WordPerfect Office X4 - PerfectExperts
WordPerfect Office X4 - PR
WordPerfect Office X4 - QP
WordPerfect Office X4 - Skins
WordPerfect Office X4 - System
WordPerfect Office X4 - WP
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

03/03/2010 7:31:54 AM, error: Service Control Manager [7000] - The My Web Search Service service failed to start due to the following error: The system cannot find the path specified.
03/03/2010 7:29:13 AM, error: PlugPlayManager [11] - The device Root\LEGACY_FIO32\0000 disappeared from the system without first being prepared for removal.
03/03/2010 6:09:01 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer HOME that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3B499246-B167-4119-9750. The master browser is stopping or an election is being forced.
03/03/2010 5:29:07 AM, error: Service Control Manager [7000] - The webserver service failed to start due to the following error: The system cannot find the path specified.
03/03/2010 5:28:07 AM, error: Service Control Manager [7031] - The webserver service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
03/03/2010 2:12:54 AM, error: Service Control Manager [7034] - The Protexis Licensing V2 service terminated unexpectedly. It has done this 1 time(s).
03/03/2010 2:12:54 AM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
03/03/2010 1:54:00 AM, error: DCOM [10000] - Unable to start a DCOM Server: {B1DBD568-80B2-43FA-AE07-76FB23AA4650}. The error: "%5" Happened while starting this command: "C:\Program Files\Windows Live\Toolbar\wltuser.exe" -Embedding
03/03/2010 1:12:29 AM, error: Service Control Manager [7022] - The fioo32 service hung on starting.
03/03/2010 1:12:29 AM, error: Service Control Manager [7000] - The Guard Service service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================
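
The timestamped file listing in the DDS log above repays a closer look: every `rdr_<digits>.exe` under `c:\windows` carries a 10-digit number that decodes as a Unix epoch (seconds since 1970-01-01 UTC), the files arrive in bursts of five within a few seconds of each other, and each burst is preceded by a `df1a245s4_<n>.exe` in the user's profile whose size matches one of the dropped files. The following is an added example, not RhonB's post or the DDS tool's own code, written to pull those facts out of the listing mechanically. The sample lines are copied verbatim from the log above; the 60-second burst window and the choice to pair profile-directory files with same-size `rdr_` files are my own assumptions, and the meaning of the numeric suffix on `df1a245s4_<n>.exe` is unknown.

```python
"""Triage of the DDS file listing posted above (added example, not the DDS tool's
own code). Each rdr_<digits>.exe in the Windows directory carries a 10-digit
number that decodes as seconds since 1970-01-01 UTC; this decodes it, compares
it with the modified time DDS logged, groups the drops into bursts and pairs the
df1a245s4_<n>.exe in the user profile with rdr_ files of identical size."""
import re
from datetime import datetime, timedelta

# Lines copied verbatim from the DDS listing above (two of its drop bursts).
SAMPLE_LOG = r"""
2010-01-30 19:41:40 44032 ----a-w- c:\windows\rdr_1264880495.exe
2010-01-30 19:41:35 75264 ----a-w- c:\windows\rdr_1264880489.exe
2010-01-30 19:41:29 22528 ----a-w- c:\windows\rdr_1264880485.exe
2010-01-30 19:41:25 61952 ----a-w- c:\windows\rdr_1264880480.exe
2010-01-30 19:41:19 103936 ----a-w- c:\windows\rdr_1264880472.exe
2010-01-30 19:40:51 61952 ----a-w- c:\documents and settings\brenda brown\df1a245s4_2180.exe
2010-01-30 07:20:37 44032 ----a-w- c:\windows\rdr_1264836033.exe
2010-01-30 07:20:33 75264 ----a-w- c:\windows\rdr_1264836030.exe
2010-01-30 07:20:30 22528 ----a-w- c:\windows\rdr_1264836028.exe
2010-01-30 07:20:28 61952 ----a-w- c:\documents and settings\brenda brown\df1a245s4_220.exe
2010-01-30 07:20:27 61952 ----a-w- c:\windows\rdr_1264836024.exe
2010-01-30 07:20:23 103936 ----a-w- c:\windows\rdr_1264836019.exe
"""

# DDS prints "<date> <time> <size> <attrs> <path>"; the path may contain spaces.
DDS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+?)\s*$")
RDR_NAME = re.compile(r"^rdr_(\d{10})\.exe$", re.IGNORECASE)
DF_NAME = re.compile(r"^df1a245s4_\d+\.exe$", re.IGNORECASE)  # suffix meaning unknown (assumption: varies per drop)


def parse_dds_line(line):
    """Return a record for one 'date time size attrs path' line, or None."""
    m = DDS_LINE.match(line.strip())
    if not m:
        return None
    mtime = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    path = m.group(4)
    name = path.rsplit("\\", 1)[-1]
    rec = {"mtime": mtime, "size": int(m.group(2)), "attrs": m.group(3),
           "path": path, "name": name, "name_time": None, "skew": None}
    r = RDR_NAME.match(name)
    if r:
        # The digits are seconds since 1970-01-01 UTC; decode them as a naive
        # datetime so they compare directly with DDS's naive timestamps.
        rec["name_time"] = datetime(1970, 1, 1) + timedelta(seconds=int(r.group(1)))
        rec["skew"] = int((mtime - rec["name_time"]).total_seconds())
    return rec


def parse_listing(text):
    """Parse every listing line and return the records oldest first."""
    recs = [parse_dds_line(line) for line in text.splitlines()]
    return sorted((r for r in recs if r), key=lambda r: r["mtime"])


def bursts(records, window=60):
    """Group records whose mtime is within `window` seconds of the previous record."""
    out = []
    for r in records:
        if out and (r["mtime"] - out[-1][-1]["mtime"]).total_seconds() <= window:
            out[-1].append(r)
        else:
            out.append([r])
    return out


def max_skew(records):
    """Largest |mtime - name epoch| over the rdr_ files. A value of hours would
    mean the listing clock and the embedded epoch are on different scales."""
    return max(abs(r["skew"]) for r in records if r["skew"] is not None)


def same_size_pairs(burst):
    """Pair each profile-directory dropper with rdr_ files of identical size."""
    pairs = []
    for d in (r for r in burst if DF_NAME.match(r["name"])):
        for w in (r for r in burst if RDR_NAME.match(r["name"]) and r["size"] == d["size"]):
            pairs.append((d["name"], w["name"]))
    return pairs


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LOG)
    print("max skew between name epoch and logged mtime:", max_skew(recs), "s")
    for b in bursts(recs):
        print(b[0]["mtime"], "to", b[-1]["mtime"], len(b), "files", same_size_pairs(b))
```

On the two bursts embedded above the decoded epochs land 2 to 7 seconds before the logged modification times, which only works if the listed times are on the same scale as the epoch (UTC) and suggests the dropper names each file by the time it creates it. Run over the whole listing, the burst grouping gives the cadence of the drops per day, and the same-size pairing gives you a shortlist of files to hash against each other before deciding which ones to collect.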


#13 RhonB

Posted 03 March 2010 - 10:06 PM

And here is the GMER log.....

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-03 22:03:12
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\pfdoapow.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF73FAD72]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF73DB9A6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF73DBB98]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF73FB568]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF73FB820]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF73F9A80]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF73FBC8A]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF73FB036]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF73DB656]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 86C64856

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSofxh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSbrsr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdv.log

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
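
Three things in the GMER output above matter for triage: all nine SSDT hooks belong to PCTCore.sys (PC Tools' driver; Spyware Doctor 6.1 appears in the installed-programs list), the TDSSserv.sys service entries all live in ControlSet003, which GMER itself marks "(not active ControlSet)", so they may not be what the currently booted configuration loads, and GMER reports a "suspicious modification" of iaStor.sys, the disk driver that the `Device ->` line shows backing `\Device\Harddisk0\DR0`. The following is an added example, not GMER's code or RhonB's, that reads those lines mechanically: it groups SSDT hooks by owning driver, rebuilds each reported service with its values and `modules` entries, and lists the files the service points at so they can be collected. The sample lines are copied verbatim (abridged) from the log above; the line shapes the regexes expect are taken from this GMER version's output and are an assumption for any other.

```python
"""Triage of the GMER log posted above (added example, not GMER's code). It
groups SSDT hooks by the driver that owns them, rebuilds the service entries
GMER reported from the registry (noting when GMER flagged the control set as
not active), lists the files those entries point at, and collects the device
redirects and files GMER called out. The line shapes are taken from the log
above and are assumed to hold for this GMER version only."""
import re

# Lines copied verbatim from the GMER output above (abridged).
SAMPLE_GMER = r"""
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF73FAD72]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF73DB9A6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF73DB656]
Device -> \Driver\iaStor \Device\Harddisk0\DR0 86C64856
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSofxh.dll
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*?)\)\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]$")
DEVICE_RE = re.compile(r"^Device\s+->\s+(\S+)\s+(\S+)\s+(\S+)$")
REG_VALUE_RE = re.compile(r"^Reg\s+(\S+)@(\S+)\s*(.*)$")      # key@value data
REG_NOTE_RE = re.compile(r"^Reg\s+(\S+)\s+\((.*)\)$")          # key (annotation)
FILE_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification$")
SERVICE_RE = re.compile(r"\\ControlSet(\d+)\\Services\\([^\\]+)(?:\\(.*))?$", re.IGNORECASE)


def _service(report, key):
    """Return (service record, subkey) for a registry key under a Services key."""
    m = SERVICE_RE.search(key)
    if not m:
        return None, None
    rec = report["services"].setdefault(m.group(2), {
        "controlset": m.group(1), "active": True, "values": {}, "modules": {}, "notes": []})
    return rec, (m.group(3) or "")


def parse_gmer(text):
    """Parse GMER output into SSDT hooks, services, device redirects and flagged files."""
    report = {"ssdt": {}, "services": {}, "device_redirects": [], "suspicious_files": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SSDT_RE.match(line):
            # hooked syscall and handler address, keyed by the driver that owns the hook
            report["ssdt"].setdefault(m.group(1), []).append((m.group(3), m.group(4)))
        elif m := DEVICE_RE.match(line):
            report["device_redirects"].append((m.group(1), m.group(2)))
        elif m := REG_VALUE_RE.match(line):
            rec, sub = _service(report, m.group(1))
            if rec is not None and sub.lower() == "modules":
                rec["modules"][m.group(2)] = m.group(3)
            elif rec is not None and sub == "":
                rec["values"][m.group(2).lower()] = m.group(3)
        elif m := REG_NOTE_RE.match(line):
            rec, _ = _service(report, m.group(1))
            if rec is not None:
                rec["notes"].append(m.group(2))
                if "not active" in m.group(2).lower():
                    rec["active"] = False
        elif m := FILE_RE.match(line):
            report["suspicious_files"].append(m.group(1))
    return report


def service_artifacts(report):
    """Files each reported service points at: its ImagePath plus every module entry."""
    out = {}
    for name, rec in report["services"].items():
        paths = set(rec["modules"].values())
        if "imagepath" in rec["values"]:
            paths.add(rec["values"]["imagepath"])
        out[name] = sorted(paths)
    return out


def ssdt_summary(report):
    """Hook count per owning driver, e.g. {'PCTCore.sys': 3} for the sample."""
    return {drv: len(hooks) for drv, hooks in report["ssdt"].items()}


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_GMER)
    print("SSDT hooks by driver:", ssdt_summary(rep))
    for svc, rec in rep["services"].items():
        state = "active" if rec["active"] else "NOT active"
        print(svc, "ControlSet" + rec["controlset"], state, rec["notes"])
        for p in service_artifacts(rep)[svc]:
            print("   collect:", p)
    print("device redirects:", rep["device_redirects"])
    print("suspicious files:", rep["suspicious_files"])
```

The value of grouping hooks by driver is that a single security product hooking nine registry and process calls reads very differently from nine hooks spread across unnamed drivers; the value of rebuilding the service record is that it turns a dozen registry lines into one list of file paths to pull off the disk (from a clean boot environment, given the state this machine is in) and hash before anything is deleted.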


#14 RhonB

Posted 03 March 2010 - 10:41 PM

Sorry... hit the button by mistake... so HERE is the MBAM log

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

03/03/2010 5:28:11 AM
mbam-log-2010-03-03 (05-28-11).txt

Scan type: Quick Scan
Objects scanned: 111754
Time elapsed: 9 minute(s), 55 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 192
Registry Values Infected: 22
Registry Data Items Infected: 0
Folders Infected: 65
Files Infected: 727

Memory Processes Infected:
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Unloaded process successfully.
C:\Program Files\webserver\webserver.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL (Adware.MyWebSearch) -> Delete on reboot.
c:\WINDOWS\system32\fio32.dll (Worm.KoobFace) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\explorerbar.funexplorer (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{ac5ab953-ed25-4f9c-87f0-b086b0178ffa} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6160f76a-1992-4b17-a32d-0c706d159105} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\explorerbar.funexplorer.1 (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\explorerbar.funredirector (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{883dfc00-8a21-411d-956c-73a4e4b7d16f} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{480098c6-f6ad-4c61-9b5c-2bae228a34d1} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cdbfb47b-58a8-4111-bf95-06178dce326d} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cdbfb47b-58a8-4111-bf95-06178dce326d} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cdbfb47b-58a8-4111-bf95-06178dce326d} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\explorerbar.funredirector.1 (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0f8ecf4f-3646-4c3a-8881-8e138ffcaf70} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b813095c-81c0-4e40-aa14-67520372b987} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9d7be3e-141a-4c85-8cd6-32461f3df2c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cff4ce82-3aa2-451f-9b77-7165605fb835} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8e6f1832-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9571378-68a1-443d-b082-284f960c6d17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

#15 Net_Surfer
Posted 03 March 2010 - 10:59 PM

Hello again RhonB

We need to give you the standard "compromised system" spiel before we go on:

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read "How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?"

Although we MIGHT be able to remove the rootkit, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that IF the rootkit can be removed the computer will then be secure.

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.
============****============


*If you wish to proceed please follow my next set of steps:

OK, RhonB... let's do the following:

If you can not download and run the following tools, then I would like for you to try another approach:

If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
Be sure you put them on the desktop of the infected computer.


**Note: In the event you already have old versions of Combofix I need you to delete them, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

  • For Internet Explorer:
    o Choose to save, not open the file
    o When prompted - save the file to your desktop, and rename it to CFscan with .exe extension on the end.

Step 1: Please download Combofix from any of the links below but rename it to CFscan before saving it to your desktop.
Link 1
Link 2

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Step 2: Please insert your flash drive and all usb-drives before running Combofix
    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
  • Close any open browsers.
    WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
  • The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
  • Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
-----------------------------------------------------------

Step 3: Double-click the renamed file on your desktop & follow the prompts.
If you are unsure how to run ComboFix tool, please visit this webpage for instructions: How-to-use-combofix
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.

    NOTE: If you have Windows XP: Combofix may ask you to install the Recovery Console, please allow it to do so.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
*** When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.***

A word of advice if you are a lurker: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.


Step 4: MBAM

You already have Malwarebytes' Anti-Malware installed.
  • Open MBAM
  • Go to the updates tab, and click Update to update to the latest version
  • Once the program has updated, select Perform a quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

    * Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
MBAM Tutorial if needed

Step 5: Re-scan with DDS and post the log.

Make sure you re-enable your security programs when you're done with Combofix.

Summary of the logs I will need in your next reply:
  • The report log of combofix C:\ComboFix.txt
  • The report log of MBAM
  • The report log of DDS
And a description of any remaining problems.

How are things at your end, RhonB?


Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer
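The MBAM log quoted at the top of this page lists dozens of registry entries in the form `KEY (Detection) -> Action.`, and a helper reviewing such logs usually wants three things from them: how many entries each detection family accounts for, which GUIDs (CLSID/TypeLib/Interface identifiers) were registered in more than one place, and whether anything was *not* removed on the spot. The parser below is an added example for this thread, not code from Net_Surfer, BleepingComputer or Malwarebytes; it assumes only the line format visible in the posted log. The sample input is a subset of the lines posted above plus one constructed line with a hypothetical `Rootkit.Hypothetical` detection to exercise the "not removed" path. The check for `Ext\PreApproved` reflects that Internet Explorer treats CLSIDs under that key as add-ons it may load without prompting the user, which is why adware registers itself there.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the Malwarebytes' Anti-Malware log lines posted
# earlier in this thread, plus ONE invented line ("Rootkit.Hypothetical", action
# "Delete on reboot") to show how deferred removals are surfaced.
SAMPLE_LOG = r"""
Registry Keys Infected: 8
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8e6f1832-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Example\Constructed (Rootkit.Hypothetical) -> Delete on reboot.
"""

# One MBAM result line: "<registry path> (<detection name>) -> <action>."
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# A COM GUID in registry form: {8-4-4-4-12 hex digits}
GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")


def parse_mbam_line(line):
    """Return a dict for one result line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    hive, _, _subkey = path.partition("\\")
    guid = GUID_RE.search(path)
    return {
        "hive": hive,
        "path": path,
        "guid": guid.group(0).lower() if guid else None,
        "detection": m.group("detection"),
        "action": m.group("action"),
    }


def parse_mbam_log(text):
    """Parse every result line of a log; non-matching lines are skipped."""
    return [e for e in (parse_mbam_line(l) for l in text.splitlines()) if e]


def guid_locations(entries):
    """Map each GUID to every registry path it was found under.

    A CLSID that shows up in HKCR\CLSID, HKCU\...\Ext\Stats and
    HKLM\...\Ext\PreApproved is one component registered three ways."""
    locs = defaultdict(list)
    for e in entries:
        if e["guid"]:
            locs[e["guid"]].append(e["path"])
    return dict(locs)


def preapproved_addons(entries):
    """GUIDs under IE's Ext\PreApproved key, i.e. add-ons IE loads without prompting."""
    return sorted({e["guid"] for e in entries
                   if e["guid"] and "\\Ext\\PreApproved\\" in e["path"]})


def summarize(text):
    """Counts by detection family and hive, plus anything not removed immediately."""
    entries = parse_mbam_log(text)
    return {
        "total": len(entries),
        "by_detection": dict(Counter(e["detection"] for e in entries)),
        "by_hive": dict(Counter(e["hive"] for e in entries)),
        "not_removed": [e["path"] for e in entries if "successfully" not in e["action"]],
        "preapproved": preapproved_addons(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Anything listed under `not_removed` is what the post's "reboot immediately" note is about: MBAM defers those deletions to the next boot, and a second scan after the reboot is how you confirm they actually went.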





