Boot Loop after Total PC Defender removal


This topic is locked
78 replies to this topic

#1 NCJason

  • Members
  • 77 posts
  • Gender:Male
  • Location:Weston, WV

Posted 09 March 2010 - 01:01 PM

My Windows XP Media Center Edition computer got infected with Total PC Defender. I used MalwareBytes and SuperAntiSpyware to remove the infection. After the removal, the computer randomly restarted. It ran a hard drive scan and then booted into Windows. It worked OK for a few hours and then rebooted again. It ran the hard drive scan again and then booted into Windows. This happened a few times before the computer restarted and got stuck in a boot loop. The computer is giving a blue screen during boot before restarting, but it closes before I can read it. The registry was edited to stop the auto reboot so I can read the BSOD, but it still restarts. I don't know why it does not stop like it should. When I select to boot into safe mode, the computer restarts and it does not show the blue screen. I tried to boot into regular mode and saw the blue screen, but it closed before I could read it. In thinking about it, I don't think that I have been able to boot into safe mode for quite some time. Several months ago, I had tried to boot into safe mode to remove some spyware, but when I tried to use safe mode the computer just restarted.

I am not sure where I need to go from here.

Thanks,
Jason


#2 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 09 March 2010 - 08:47 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Few questions first...

QUOTE
The registry was edited to stop the auto reboot so I can read the BSOD but it still restarts.

Please clarify. Did you actually edit your registry or did you use the startup screen &/or Windows interface to disable auto restart with BSOD? Did you make any other registry changes?

Do you have your Windows install disc?

Do you have a clean computer to create a boot disc?

==========

We need to create some logs


First.........

After you have successfully burned the OTLPE ISO to disc you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads
  • Your system should now display a REATOGO-X-PE desktop.
  • Double click on the icon on your desktop.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    • Copy and Paste the following code into the textbox. Do not include the word "Code"

      Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
    • Push
    • When finished, the file will be saved in drive C:\OTL.txt
    • Please post the contents of the C:\OTL.txt file in your next reply.
    • Copy this file to your USB drive if you do not have an internet connection.


    Next........

  • Navigate here to the forum and click this link.
  • Download the program and save it to the REATOGO-X-PE desktop.
  • Once saved, close all other windows then double click the program to run it.
  • When completed, a log will open.
  • Save the log to the desktop using File>Save as, then post the log in a reply.

    Please note: If you are unable to connect to the internet then please download to a flash drive on a clean computer and transfer to the sick computer to run!

Thanks,
~ t

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 NCJason
  • Topic Starter

  • Members
  • 77 posts
  • Gender:Male
  • Location:Weston, WV

Posted 09 March 2010 - 10:41 PM

QUOTE(thcbytes @ Mar 9 2010, 08:47 PM)
Few questions first...

QUOTE
The registry was edited to stop the auto reboot so I can read the BSOD but it still restarts.

Please clarify. Did you actually edit your registry or did you use the startup screen &/or Windows interface to disable auto restart with BSOD? Did you make any other registry changes?

Do you have your Windows install disc?

Do you have a clean computer to create a boot disc?



I was following instructions from http://www.bleepingcomputer.com/forums/ind...mp;hl=boot+loop and http://saveme.danfischbach.com to try and resolve my issues. I was still having problems after running his software and contacted Dan of http://saveme.danfischbach.com for additional help. One of the first things he had me do was manually edit the registry to turn off the auto reboot. I have double checked that it was done correctly, but the system still restarts.

I did not get a Windows install disk with my computer. The disk that I have just formats and reinstalls the OS. I do have a disk that will let me access the Recovery Console.

I have a laptop but it is running a different operating system.

I ran the ISO that you linked to and had an issue. Once the PE loaded, I clicked on the OTLPE icon. It cannot find any hard drive; it only sees the removable drives. Is it because the drives are SATA?

Let me know where I need to go from here.
Thanks,
Jason

#4 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 10 March 2010 - 06:25 PM

I spoke with OldTimer, who created OTL. He said the most recent version of OTLPE has SATA drivers. Version...3.1.36.0

Please download it again. This time choose a slower burn speed. Make sure after you launch Reatogo that you double click the desktop OTL icon to run the app. From there follow the directions from my previous post.

Let me know how it goes...

#5 NCJason
  • Topic Starter

  • Members
  • 77 posts
  • Gender:Male
  • Location:Weston, WV

Posted 10 March 2010 - 06:44 PM


When I burned the ISO I picked the slowest burn rate. I just want to verify that I am clicking the correct icon. On the desktop there is an icon that says OTLPE not OTL. I also clicked on the My Computer icon and it did not show the hard drives. I checked in Device Manager and it only lists the USB drives. The computer has a RAID controller in it but the hard drives are not in a RAID. Do I need to do something special because of that?

Jason

#6 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 10 March 2010 - 07:02 PM

Hmmm.

Tell you what. Try this..

*** Please print these instructions ***
  1. Download Hiren's BootCD Iso to the desktop of a clean computer.
  2. Extract the zipped HirensBootCD.zip to your desktop.
  3. Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
  4. Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
  5. Insert a blank CD in your drive.
  6. Press Start. This will burn the image to disc. After it has completed...
  7. Restart your sick computer and boot from the HBCD you created.
    • If your PC is not booting from the CD, you need to change the boot order:
      • Restart your PC
      • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
      • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
      • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
      • The tab should now show your current boot order.
      • If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
      • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  8. When the CD boots choose "Start MiniWindowsXP". Allow Windows to load. You will see a typical Windows Desktop.
  9. You will be able to access your sick drive and save files/folders from here.
  10. Create an ethernet (wired) Internet Connection
    • Double click the Network Support icon on the HBCD desktop
    • A computer screen will appear in the lower right corner system tray
    • Double click HBCD Menu on your HBCD desktop
    • Choose Menu
    • Then Browsers
    • Then Opera
    • Success?
  11. You should now be connected to the internet.
  12. Navigate here to the forum and click this link.
  13. Download the program and save it to the desktop.
  14. Once saved, close all other windows then double click the program to run it.
  15. When completed, a log will open.
  16. Save the log to the desktop using File>Save as, then post the log in a reply.

    Please note: If you are unable to connect to the internet then please download to a flash drive on a clean computer and transfer to the sick computer to run!

  17. In addition, you now have access to all your files and folders amongst many other utilities that we might need to use later.
  18. If you double click your Windows Explorer icon on your desktop you will be able to access your hard drive.


#7 NCJason
  • Topic Starter

  • Members
  • 77 posts
  • Gender:Male
  • Location:Weston, WV

Posted 10 March 2010 - 08:01 PM

I was able to boot with Hirens BootCD and see the hard drives. I was not able to get an IP Address and see the internet. The drivers for the NIC will not load; I get an error about not enough resources.

Jason

#8 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 10 March 2010 - 09:47 PM

Download this to a flash drive. Boot up Hiren's and plug in the flash drive. Run the program. Save the log to the flash drive and then post it here.

#9 NCJason
  • Topic Starter

  • Members
  • 77 posts
  • Gender:Male
  • Location:Weston, WV

Posted 12 March 2010 - 11:45 AM


DDS_BootCD_Version (Ver_09-10-04.01) - NTFSx86
Run at 11:42:06.42 on Fri 03/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

============== Pseudo HJT Report ===============

S-1-5-21-2033334333-1120879118-3212577264-500_Search Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5076E
S-1-5-21-2033334333-1120879118-3212577264-500_Start Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5076E
S-1-5-21-2033334333-1120879118-3212577264-1010_Winlogon: Shell=c:\windows\ehome\McrMgr.exe
S-1-5-21-2033334333-1120879118-3212577264-1011_Winlogon: Shell=c:\windows\ehome\McrMgr.exe
S-1-5-21-2033334333-1120879118-3212577264-1012_Winlogon: Shell=c:\windows\ehome\McrMgr.exe
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
S-1-5-21-2033334333-1120879118-3212577264-1007_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-2033334333-1120879118-3212577264-1007_Run: [P2kAutostart]
S-1-5-21-2033334333-1120879118-3212577264-1007_Run: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Dimension4] c:\program files\d4\D4.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tweetd~1.lnk - c:\program files\tweetdeck\TweetDeck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\jason\startm~1\programs\startup\dropbox.lnk - x:\documents and settings\default user\application data\dropbox\bin\Dropbox.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Sally's%20Salon/Images/stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164558711899
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164558796759
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} - hxxp://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Sally's%20Salon/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} - hxxp://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\documents and settings\jason\application data\mozilla\firefox\profiles\c562de9d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.charter.net/google/index.php?q=
FF - plugin: c:\documents and settings\jason\application data\mozilla\firefox\profiles\c562de9d.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\jason\application data\mozilla\firefox\profiles\c562de9d.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\jason\application data\mozilla\firefox\profiles\c562de9d.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

4DW4R3; \??\c:\windows\system32\drivers\4DW4R3.sys
AVG; [x]
avg8emc; c:\progra~1\avg\avg8\avgemc.exe
avg8wd; c:\progra~1\avg\avg8\avgwdsvc.exe
AvgLdx86; \SystemRoot\System32\Drivers\avgldx86.sys
AvgTdiX; \SystemRoot\System32\Drivers\avgtdix.sys
LMIInfo; \??\c:\program files\logmein\x86\RaInfo.sys
LMIRfsClientNP; [x]
LMIRfsDriver; \??\c:\windows\system32\drivers\LMIRfsDriver.sys
MBAMSwissArmy; \??\c:\windows\system32\drivers\mbamswissarmy.sys
motccgp; system32\DRIVERS\motccgp.sys
motccgpfl; system32\DRIVERS\motccgpfl.sys
MotDev; system32\DRIVERS\motodrv.sys
motport; system32\DRIVERS\motport.sys
Outlook; [x]
SASDIFSV; \??\c:\program files\superantispyware\SASDIFSV.SYS
SASENUM; \??\c:\program files\superantispyware\SASENUM.SYS
SASKUTIL; \??\c:\program files\superantispyware\SASKUTIL.sys
Viewpoint Manager Service; "c:\program files\viewpoint\common\ViewpointService.exe"
wsvad_driver; system32\drivers\VirtualAudio.sys
{AA886AE1-4553-4A55-97CD-C942500F1131}; [x]
{D6A07737-1D37-41D4-BABC-14E27A06E314}; [x]
{F462C5E6-29F2-49D4-956C-3AA2E71EE282}; [x]

=============== Created Last 30 ================

2010-03-08 21:51 169,984 ac------ c:\windows\system32\dllcache\msconfig.exe
2010-03-08 21:51 507,904 ac------ c:\windows\system32\dllcache\winlogon.exe
2010-03-08 21:51 14,336 ac------ c:\windows\system32\dllcache\svchost.exe
2010-03-08 21:51 1,414,656 ac------ c:\windows\system32\dllcache\mmc.exe
2010-03-08 21:51 514,560 ac------ c:\windows\system32\dllcache\logonui.exe
2010-03-08 21:51 13,312 ac------ c:\windows\system32\dllcache\lsass.exe
2010-03-08 21:51 389,120 ac------ c:\windows\system32\dllcache\cmd.exe
2010-03-08 21:51 146,432 ac------ c:\windows\system32\dllcache\regedit.exe
2010-03-08 21:51 15,360 ac------ c:\windows\system32\dllcache\logoff.exe
2010-03-08 21:51 1,033,728 ac------ c:\windows\system32\dllcache\explorer.exe
2010-03-08 21:51 33,280 ac------ c:\windows\system32\dllcache\rundll32.exe
2010-03-08 21:51 26,112 ac------ c:\windows\system32\dllcache\userinit.exe
2010-03-07 03:51 20,992 a------- c:\windows\system32\kfla.ako
2010-03-05 23:42 223,744 a------- c:\windows\system32\CNMLM97.DLL
2010-03-05 22:18 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2010-03-05 22:18 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2010-03-05 21:34 <DIR> --d----- c:\program files\CCleaner
2010-03-02 17:39 <DIR> --d----- c:\documents and settings\jason\application data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-03-02 17:38 <DIR> --d----- c:\program files\TweetDeck
2010-02-19 20:49 25 a------- c:\windows\popcinfot.dat
2010-02-18 05:46 <DIR> --d----- c:\program files\Batch File Renamer 2.51
2010-02-16 22:34 40,960 a------- c:\windows\system32\MMAVILNG.exe
2010-02-16 22:34 <DIR> --d----- c:\program files\Morgan
2010-02-16 22:34 <DIR> --d----- c:\program files\abcAVI
2010-02-13 02:31 98,816 a------- c:\windows\system32\FGWVB32.DLL
2010-02-13 02:31 <DIR> --d----- c:\program files\KBStudio
2010-02-11 16:29 <DIR> --d----- c:\program files\Microsoft ActiveSync

==================== Find3M ====================

2010-03-08 21:54 262,144 a------- c:\documents and settings\all users\NTUSER.DAT
2010-02-03 14:40 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motport_01007.Wdf
2010-02-03 14:40 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
2010-02-03 14:40 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2010-02-03 14:39 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2010-02-03 14:39 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-12-21 19:14 916,480 a------- c:\windows\system32\wininet.dll
2009-12-16 18:43 343,040 a------- c:\windows\system32\mspaint.exe
2009-12-14 07:08 33,280 a------- c:\windows\system32\csrsrv.dll
2009-10-06 23:27 17,862 a------- c:\documents and settings\all users\application data\iwig.scr
2009-10-06 23:27 17,799 a------- c:\documents and settings\all users\application data\opatemuw.dat
2009-10-06 23:27 17,632 a------- c:\documents and settings\all users\application data\jehobewu.pif
2009-02-27 22:58 87,608 a------- c:\documents and settings\jason\application data\inst.exe
2009-02-27 22:58 47,360 a------- c:\documents and settings\jason\application data\pcouffin.sys
2009-01-09 13:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010920090110\index.dat

==== Installed Programs ======================

µTorrent
4 Elements
AAC Decoder
abcAVI
abgx360 v1.0.2
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 7.0.9
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 7
Allok Video Joiner 4.1.1129
AutoUpdate
AVG Anti-Rootkit Free
AVG Free 8.5
AviSynth 2.5
Batch File Renamer 2.51
BigFish games Interpol 2 Most Wanted 1.00
burnatonce
Canon iP2600 series
CCleaner
Charter Browser Updater
CoffeeCup Free FTP
Cooking Academy
Digital Media Reader
Dimension 4 v5.0
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Download Updater (AOL LLC)
Dropbox
DVD Solution
eMule2
FrostWire 4.13.1.2 BETA
Garmin City Navigator North America NT 2010.30
H.264 Decoder
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Homeworld2
hotel SalesPro Enterprise 2.0 Build 5803
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB895961-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
ImgBurn
Intel Audio Studio 2.0
Intel Matrix Storage Manager
Intel® PRO Network Connections Drivers
Intel® Quick Resume Technology Drivers
Intel® Viiv™
J2SE Runtime Environment 5.0 Update 2
Java™ 6 Update 14
Java™ 6 Update 5
Java™ 6 Update 7
K-Lite Mega Codec Pack 5.0.0
Karaoke Builder CD+G Player
LogMeIn
Macromedia Dreamweaver 8
Macromedia Extension Manager
Magic ISO Maker v5.4 (build 0251)
Magic MP3 Tagger 2.2.4f
Malwarebytes' Anti-Malware
Media Center Extender
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires II
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MKV Splitter
Motorola Driver Installation 4.0.0
Mozilla Firefox (3.5.8)
MP3 CD Converter Professional 5.02
Mp3tag v2.45a
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
MusicBrainz Picard 0.11
Napster Burn Engine
Nero 7
Notepad++
NVIDIA Drivers
OpenedFilesView
Orb
PDF Settings
Power2Go 4.0
PowerDVD
PowerISO
Prince of Persia T2T
Prince of Persia The Two Thrones
QT Lite 2.3.0
QuickSFV (Remove only)
RealPlayer
Recovery Software Suite Gateway
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SigmaTel Audio
Soft Data Fax Modem with SmartCP
Sonic Encoders
Sothink SWF Quicker
SUPERAntiSpyware Free Edition
SyncToy 2.0 Beta
Tag&Rename 3.5.4
TeamSpeak 2 RC2
TweetDeck
Unlocker 1.8.7
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
USB Wireless Keyboard Driver
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
Videora Xbox 360 Converter 5.04
Viewpoint Media Player
VLC media player 1.0.1
WebFldrs XP
WinAVI Video Converter
Windows Backup Utility
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
Xilisoft DVD Ripper Ultimate
Xilisoft Video Converter Ultimate
XML Paper Specification Shared Components Pack 1.0

============= FINISH: 11:42:40.64 ===============


#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 12 March 2010 - 12:28 PM

Alright. Well done. :thumbup2

Please do this...
  • Please open a command prompt in Hiren's
  • At the prompt copy and paste the following commands and press Enter

DIR /a/s %windir%\atapi.sys >Log.txt&log.txt


A log will be produced.

Please post that log for my review.

==========

Next....

In Hiren's....
  • Start
  • Programs
  • Checkdisk
  • Choose Volume C:\

==========

Thanks,
~ t


Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#11 NCJason

NCJason
  • Topic Starter

  • Members
  • 77 posts
  • Gender:Male
  • Location:Weston, WV

Posted 12 March 2010 - 01:04 PM

Volume in drive C is XP
Volume Serial Number is ACAA-897F

Directory of c:\windows\$NtServicePackUninstall$

08/04/2004 06:59 AM 95360 atapi.sys
1 File(s) 95360 bytes

Directory of c:\windows\ServicePackFiles\i386

04/13/2008 06:40 PM 96512 atapi.sys
1 File(s) 96512 bytes

Directory of c:\windows\system32\drivers

04/13/2008 06:40 PM 96512 atapi.sys
1 File(s) 96512 bytes

Directory of c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386

08/10/2004 07:00 PM 95360 atapi.sys
1 File(s) 95360 bytes

Total Files Listed:
4 File(s) 383744 bytes
0 Dir(s) 33720352768 bytes free
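
As an added example (not part of the thread or of any tool used in it), a small Python parser for the DIR /a/s output above that checks whether the loaded atapi.sys agrees with the copy cached by the service pack installer on size and timestamp, and which other copies agree with it. The sample data is the log posted above; the reference-directory choice and the function names are mine.

```python
import re
from collections import namedtuple

# Sample input: the DIR /a/s output for atapi.sys posted above, reproduced as test data.
SAMPLE_LISTING = r"""
 Directory of c:\windows\$NtServicePackUninstall$
08/04/2004  06:59 AM            95360 atapi.sys
               1 File(s)          95360 bytes
 Directory of c:\windows\ServicePackFiles\i386
04/13/2008  06:40 PM            96512 atapi.sys
               1 File(s)          96512 bytes
 Directory of c:\windows\system32\drivers
04/13/2008  06:40 PM            96512 atapi.sys
               1 File(s)          96512 bytes
 Directory of c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386
08/10/2004  07:00 PM            95360 atapi.sys
               1 File(s)          95360 bytes
     Total Files Listed:
               4 File(s)         383744 bytes
"""

Entry = namedtuple("Entry", "directory date time size")
DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_LINE = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+(\d+)\s+(\S.*?)\s*$")


def parse_dir_listing(text, name="atapi.sys"):
    """Return {directory: Entry} for every copy of `name`; summary and <DIR> rows are skipped."""
    copies, current = {}, None
    for line in text.splitlines():
        if (m := DIR_HEADER.match(line)):
            current = m.group(1).lower()
        elif current and (m := FILE_LINE.match(line)) and m.group(4).lower() == name:
            copies[current] = Entry(current, m.group(1), m.group(2), int(m.group(3)))
    return copies


def check_live_driver(copies, live_dir=r"c:\windows\system32\drivers",
                      reference_dir=r"c:\windows\servicepackfiles\i386"):
    """Compare the loaded driver with the SP3 cache copy and list other copies that agree.
    Caveat: equal size and timestamp do not prove the bytes are intact; once the volume is
    mounted offline, follow up with a content hash (hashlib.sha256) of both files."""
    live, ref = copies[live_dir.lower()], copies[reference_dir.lower()]
    fingerprint = lambda e: (e.size, e.date, e.time)
    agreeing = sorted(d for d, e in copies.items()
                      if d != live_dir.lower() and fingerprint(e) == fingerprint(live))
    return {"live_size": live.size, "matches_reference": fingerprint(live) == fingerprint(ref),
            "agreeing_copies": agreeing}
```

On the listing above this reports that the live driver matches the ServicePackFiles copy and that the two 2004 copies are the pre-SP3 version, which is all a size check can tell you.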




#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 12 March 2010 - 05:58 PM

Try this please....

Warning
This file was written specifically for this user, for use on this particular machine.
Running this on another machine may cause irreparable damage to your operating system
  • Please copy the contents of the code box below
  • Open notepad in Hiren's and paste the contents of the code box there
  • On the top toolbar in notepad select file
  • Then save as
  • In the box that opens type in move.bat for the file name
  • Right below that click the down arrow in the line for save as type and select all files
  • Save this to your desktop and close notepad

CODE
REM Work from the root of C: so that "md backup" creates C:\backup
cd /d c:\
REM Keep the suspect driver under a new name rather than deleting it
ren C:\WINDOWS\system32\drivers\atapi.sys atapi.sys.vir
REM Put back the copy saved by the service pack installer; record the result in c:\log.txt
copy /y c:\windows\$NtServicePackUninstall$\atapi.sys C:\WINDOWS\system32\drivers\atapi.sys >c:\log.txt
md backup
REM Preserve the renamed original for later review
copy C:\WINDOWS\system32\drivers\atapi.sys.vir c:\backup >>c:\log.txt


  • Locate the move.bat icon on your desktop and double click it. A box will pop up briefly on your screen and disappear; this is normal. Copy and paste the log for my review.

    The log will be located at C:\log.txt.
    Use Explorer in Hiren's if you are unable to find the log.

Try to reboot into Windows.
Success?

Thanks,
~ t


#13 NCJason

NCJason
  • Topic Starter

  • Members
  • 77 posts
  • Gender:Male
  • Location:Weston, WV

Posted 13 March 2010 - 10:14 AM


Log.txt
1 file(s) copied.
1 file(s) copied.


I still get the blue screen and reboot when I try to start Windows.

Jason

#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 13 March 2010 - 12:04 PM

Re-boot Hiren's
  • HBCD Menu
  • Menu
  • Partition/Boot
  • MBR Fix
  • Type MBRFix /C FIXMBR
Reboot
Success?

If that does not work then I want you to try Reatogo again and see if you can get OTL to recognize the C:\ drive. Boot the Reatogo on a clean computer and see if OTL is able to see C:\. If not then burn a new copy please.

Also.....
Did you happen to run Combofix prior to the crash? If so this might provide us another opportunity to recover.

Thanks,
~ t

Edited by thcbytes, 13 March 2010 - 12:52 PM.


#15 NCJason

NCJason
  • Topic Starter

  • Members
  • 77 posts
  • Gender:Male
  • Location:Weston, WV

Posted 13 March 2010 - 09:35 PM

For some reason when I follow the instructions and type MBRFix /C FIXMBR all it does is list the instructions for how to use MBRFix. I was able to use some of the other MBRfix options successfully.



