
Win 32 Patched virus has knackered my desktop


  • This topic is locked
51 replies to this topic

#1 RichMT

  • Members
  • 26 posts

Posted 19 May 2010 - 06:39 AM

After some careless internet use yesterday afternoon I ended up getting my desktop PC infected by the Win32 Patched virus. I clicked a link that AVG warned was a known attack site, and clicked the X to close the tab rather than 'get me out of here'.

I started out with a google search on the problem, and found this thread on these boards - http://www.bleepingcomputer.com/forums/lof...hp/t256738.html.

I followed the instructions and installed Malwarebytes Anti-Malware (saving to desktop as zztoy.exe) and carried out a scan. If I remember correctly, it identified 11 malicious objects, then asked me to restart. As directed by the aforementioned post, I immediately rebooted. My computer is now stuck in an infinite loop of starting up, getting to the Windows loading page and then cutting out and starting again.

Is there anything I can do to fix this? Operating system is Windows XP.






#2 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 19 May 2010 - 04:48 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Please do this......
  • Download OTLPE Network from either location and save it to your desktop:

    http://oldtimer.geekstogo.com/OTLPENet.exe
    http://ottools.noahdfear.net/OTLPENet.exe

  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPENet Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first

    Note : For information click here

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start
  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Push
  • When finished, the file will be saved in drive C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.

Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
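The OTL.txt that the steps above produce lists one finding per line, for example autorun entries in the form "O4 - hive..\Run: [value name] path (company)" and Winlogon entries in the form "O20 - HKLM Winlogon: Shell - (value) - path". As an added example that is not part of this thread and not code from OTL or its author, the Python script below triages such lines the way a responder reads them: it flags autorun targets with no company name, targets that run from a user profile directory, GUID-style value names, orphaned entries, and any Winlogon Shell value other than explorer.exe. The sample lines are constructed in OTL's format for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the OTL.txt format seen in this thread; not a real scan.
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKU\R.Williams_ON_C..\Run: [{5EF3D5C0-F500-CA61-A573-7C163C7F4EA7}] C:\Documents and Settings\R.Williams\Application Data\Zeymm\dike.exe ()
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (logon.exe) - File not found
"""

# "O4 - <hive>..\Run: [<value name>] <target>" where target is "path (company)" or "File not found"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# "O20 - HKLM Winlogon: Shell - (<value>) - <target>"
O20_SHELL_RE = re.compile(r"^O20 - HKLM Winlogon: Shell - \((?P<value>[^)]*)\) - (?P<rest>.*)$")
# Splits "C:\path\file.exe (Company Name)" into path and company; company may be empty "()"
PATH_COMPANY_RE = re.compile(r"^(?P<path>.+?) \((?P<company>[^()]*)\)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Locations a logon-time executable rarely has a legitimate reason to live in (XP layout)
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\")


@dataclass
class Finding:
    line: str
    severity: str   # "high" (act on it) or "review" (look at it)
    reasons: tuple


def triage_o4(line, m):
    rest = m["rest"]
    if rest == "File not found":
        # Orphaned autorun value: nothing executes, but it is a leftover worth cleaning up
        return Finding(line, "review", ("autorun value points to a missing file",))
    pc = PATH_COMPANY_RE.match(rest)
    if pc is None:
        return Finding(line, "review", ("target could not be parsed",))
    path, company = pc["path"], pc["company"].strip()
    reasons = []
    if not company:
        reasons.append("executable carries no company name")
    if any(d in path.lower() for d in PROFILE_DIRS):
        reasons.append("executable runs from a user profile directory")
    if GUID_RE.fullmatch(m["name"]):
        reasons.append("GUID-style value name")
    if not reasons:
        return None
    # Two or more independent oddities on one entry is the pattern a responder escalates
    return Finding(line, "high" if len(reasons) >= 2 else "review", tuple(reasons))


def triage_o20(line, m):
    # Winlogon Shell should resolve to explorer.exe only; any extra value also runs at logon
    if m["value"].lower() == "explorer.exe":
        return None
    return Finding(line, "high", ("extra Winlogon Shell entry '%s'" % m["value"],))


def triage(text):
    """Return the suspicious O4/O20 entries of an OTL log, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        f = None
        m = O4_RE.match(line)
        if m is not None:
            f = triage_o4(line, m)
        else:
            m = O20_SHELL_RE.match(line)
            if m is not None:
                f = triage_o20(line, m)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print("[%s] %s\n    - %s" % (f.severity, f.line, "; ".join(f.reasons)))
```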

#3 RichMT

  • Topic Starter
  • Members
  • 26 posts

Posted 20 May 2010 - 05:10 AM

Thank you thcbytes for offering your help; it is much appreciated.

I have a confession to make - I posted this question in another forum after this one. I had selected 'email me with notifications', but I did not receive any such emails and assumed that my message had fallen by the wayside. My mistake, and, as pointed out by another user in the alternative forum, not the most helpful of moves.

So, by way of update, I am currently in the process of scanning the broken computer using Dr Web Live CD. My sincerest apologies as this probably screws up your previous approach.

If you can find it in your heart to forgive me, how would you recommend that I proceed once this scan is finished?

Many thanks
Richard

#4 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 20 May 2010 - 09:01 AM

Hi Richard,

No problem. No apologies necessary.

Where are you currently receiving help?
Could you provide a link so I can see what has been done thus far?

I am glad to help you but you will have to follow my instructions only. It gets confusing and could otherwise be harmful to progress.

What problems are you currently experiencing?

Please answer my questions and let me know if you would like my assistance.

Kind regards,
~ t

#5 RichMT

  • Topic Starter
  • Members
  • 26 posts

Posted 20 May 2010 - 09:28 AM

In answer to your questions:

Where are you currently receiving help/Could you provide a link so I can see what has been done thus far?:

The site is 'Remove-Malware.com' and the thread is here: http://remove-malware.com/forums/viewtopic...;p=60064#p60064

So far, the only thing that I have done since posting the original question on this board is to run a scan with Dr. Web Live CD. In fact, that scan still hasn't actually finished, so in reality I've not actually done anything that would have changed any files as of yet. I have no problem stopping the scan and following your instructions.

I realised that I left out a key bit of info in my original post - once the scan with Malwarebytes was finished, I selected all of the 11 infections that it found and clicked the heal/remove (I'm afraid I don't remember what the exact words or options were) button which then prompted me to restart.

What problems are you currently experiencing?:

Following on from the restart, my computer simply will not load Windows. It gets to the black screen with the windows logo and the blue loading bar scrolling across the screen, then the power cuts out and automatically starts to load again. I have attempted to load in safe mode, but that doesn't work either.

I would like your assistance, as I'm very close to just cutting my losses and buying a new computer in any case!

#6 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 20 May 2010 - 10:35 AM

Don't pitch the computer yet.

Go ahead and follow my instructions from the 1st post. There is a very good chance I can get you up and running again.

Go ahead and abort the current scan.

Kind regards,
~ t

#7 RichMT

  • Topic Starter
  • Members
  • 26 posts

Posted 20 May 2010 - 11:29 AM

As requested, please find below the text from OTL.txt:

OTL logfile created on: 5/20/2010 6:12:43 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,015.00 Mb Total Physical Memory | 826.00 Mb Available Physical Memory | 81.00% Memory free
902.00 Mb Paging File | 845.00 Mb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.69 Gb Total Space | 11.53 Gb Free Space | 15.03% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 0.23 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 997.48 Mb Total Space | 997.47 Mb Free Space | 100.00% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/03/12 12:17:21 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/12 12:16:51 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2007/03/26 08:06:24 | 000,292,864 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2002/12/17 12:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 12:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand] -- -- (Jukebox3)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | Auto] -- -- (EAPPkt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/04/21 11:44:14 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/03/12 12:17:25 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/12 12:16:51 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/07/07 18:00:36 | 000,029,312 | ---- | M] (Line 6) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\l6dp.sys -- (L6DP)
DRV - [2009/07/07 18:00:32 | 000,532,992 | ---- | M] (Line 6) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\L6POD.sys -- (L6POD)
DRV - [2009/02/24 13:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2007/07/28 10:21:16 | 000,451,456 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2007/02/22 05:15:56 | 000,137,216 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (nmwcd)
DRV - [2007/02/22 05:15:14 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcdcm.sys -- (nmwcdcm)
DRV - [2007/02/22 05:15:14 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcdcj.sys -- (nmwcdcj)
DRV - [2007/02/22 05:15:14 | 000,008,320 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcdc.sys -- (nmwcdc)
DRV - [2007/01/23 22:11:58 | 000,207,616 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RTL8187B.sys -- (RTL8187B)
DRV - [2005/11/02 12:47:26 | 000,010,368 | R--- | M] (Padus, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2005/05/09 15:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\cledx.sys -- (CLEDX)
DRV - [2005/05/04 19:46:29 | 000,114,048 | ---- | M] (Line 6) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\L6BOD.sys -- (L6BOD)
DRV - [2005/03/03 23:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/03 18:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2000/07/23 21:01:00 | 000,019,537 | ---- | M] (Brother Industries Ltd.) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\BrPar.sys -- (BrPar)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\R.Williams_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.lpc-intranet.co.uk/sms/logon.asp
IE - HKU\R.Williams_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/04/21 13:35:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/01 11:46:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/29 09:59:33 | 000,000,000 | ---D | M]

[2010/05/18 08:42:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/29 09:59:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 12:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/13 18:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll
[2009/07/30 18:24:36 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/07/30 18:24:36 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/07/30 18:24:36 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/07/30 18:24:36 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2001/08/23 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKLM..\Run: [H2O] C:\Program Files\Syncrosoft\POS\H2O\cledx.exe (Team H2O)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\R.Williams_ON_C..\Run: [{5EF3D5C0-F500-CA61-A573-7C163C7F4EA7}] C:\Documents and Settings\R.Williams\Application Data\Zeymm\dike.exe ()
O4 - HKU\R.Williams_ON_C..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\R.Williams_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1168601262293 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (logon.exe) - File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/12 06:02:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/12/23 22:54:42 | 000,000,141 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/01/12 06:01:35 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found




ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.2
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.2
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {965B39C9-529C-A82E-2F95-28F2232395E5} - NetShow
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {BA56C923-A8C3-36E8-22F8-F6A4F0F3BFAA} - NetShow
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Reg Error: Value error.
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/18 10:53:19 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/18 10:53:18 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/18 10:53:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/18 10:49:57 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\R.Williams\Desktop\zztoy.exe
[2010/05/08 09:00:23 | 000,000,000 | R--D | C] -- C:\Documents and Settings\R.Williams\My Documents\My Dropbox
[2010/05/08 08:59:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\R.Williams\Application Data\Dropbox
[2010/04/29 09:59:33 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/04/29 09:59:33 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/29 09:59:32 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/29 09:59:32 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/20 18:12:43 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/05/19 09:11:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/18 11:05:35 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/05/18 11:05:26 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/18 11:05:17 | 004,980,736 | -H-- | M] () -- C:\Documents and Settings\R.Williams\NTUSER.DAT
[2010/05/18 11:05:17 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\R.Williams\ntuser.ini
[2010/05/18 10:50:05 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\R.Williams\Desktop\zztoy.exe
[2010/05/18 08:19:51 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/05/18 07:12:17 | 060,116,395 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/05/18 07:06:15 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-436374069-1364589140-839522115-1003.job
[2010/05/17 13:01:41 | 000,061,780 | ---- | M] () -- C:\Documents and Settings\R.Williams\Desktop\NY kit.als
[2010/05/16 12:39:04 | 000,462,156 | ---- | M] () -- C:\Zeds dead wav.wav.asd
[2010/05/16 12:38:05 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/05/16 12:37:55 | 040,847,908 | ---- | M] () -- C:\Zeds dead wav.wav
[2010/05/16 12:37:55 | 000,396,484 | ---- | M] () -- C:\Zeds dead wav.pk
[2010/05/09 08:28:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/08 09:00:23 | 000,000,995 | ---- | M] () -- C:\Documents and Settings\R.Williams\Desktop\Dropbox.lnk
[2010/04/29 10:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 10:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 11:36:11 | 000,075,448 | ---- | M] () -- C:\Documents and Settings\R.Williams\Desktop\NY kit - 21 Bar Practice.als
[2010/04/21 11:44:14 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/16 12:39:04 | 000,462,156 | ---- | C] () -- C:\Zeds dead wav.wav.asd
[2010/05/16 12:37:55 | 000,396,484 | ---- | C] () -- C:\Zeds dead wav.pk
[2010/05/16 12:37:52 | 040,847,908 | ---- | C] () -- C:\Zeds dead wav.wav
[2010/05/08 09:00:23 | 000,000,995 | ---- | C] () -- C:\Documents and Settings\R.Williams\Desktop\Dropbox.lnk
[2010/02/21 13:47:03 | 706,842,624 | ---- | C] () -- C:\Documents and Settings\R.Williams\Journey to the Centre of the earh
[2009/12/06 08:19:34 | 000,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2009/12/06 08:19:34 | 000,000,023 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2009/12/06 08:19:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2009/12/06 08:19:30 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2009/12/06 08:19:27 | 000,008,981 | ---- | C] () -- C:\WINDOWS\HL-2030.INI
[2009/12/06 08:19:09 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2008/06/17 12:38:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\GearBox.ini
[2008/06/15 08:49:51 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\R.Williams\~$itland Pupillage Application.doc
[2008/06/15 08:49:46 | 000,045,056 | ---- | C] () -- C:\Documents and Settings\R.Williams\Maitland Pupillage Application.doc
[2008/06/15 08:14:55 | 000,035,840 | ---- | C] () -- C:\Documents and Settings\R.Williams\Blackstone MP.doc
[2008/02/29 11:11:14 | 000,106,496 | ---- | C] () -- C:\WINDOWS\fileutil.dll
[2008/02/29 11:11:10 | 000,164,864 | ---- | C] () -- C:\Program Files\UNWISE.EXE
[2008/02/29 11:11:10 | 000,003,580 | ---- | C] () -- C:\Program Files\INSTALL.LOG
[2007/09/11 18:48:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
[2007/06/02 10:55:37 | 000,000,049 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/04/24 15:07:41 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ceme26.dll
[2007/04/23 17:34:14 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2007/04/23 17:34:14 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2007/04/23 17:34:14 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2007/04/23 17:34:14 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2007/04/23 17:34:14 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2007/04/14 09:28:18 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/01/12 16:21:02 | 000,016,896 | ---- | C] () -- C:\Documents and Settings\R.Williams\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/12 08:59:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/12 07:05:08 | 000,028,672 | R--- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2007/01/12 07:05:02 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2007/01/12 07:05:01 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2007/01/12 07:04:54 | 000,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2007/01/12 06:59:42 | 000,004,033 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/01/12 06:59:41 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/01/12 06:18:23 | 000,016,384 | -H-- | C] () -- C:\Documents and Settings\R.Williams\ntuser.dat.LOG
[2007/01/12 06:18:23 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\R.Williams\ntuser.ini
[2007/01/12 06:18:21 | 004,980,736 | -H-- | C] () -- C:\Documents and Settings\R.Williams\NTUSER.DAT
[2007/01/12 06:07:58 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2007/01/12 06:07:58 | 000,049,152 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
[2007/01/12 06:07:58 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini
[2007/01/12 06:07:14 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
[2007/01/12 06:07:13 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2007/01/12 06:07:12 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2006/10/03 12:53:03 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\com.fxpansion.fxshared.dll
[2004/08/03 19:56:44 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[1999/11/10 21:39:00 | 000,481,792 | ---- | C] () -- C:\WINDOWS\System32\RFFTW2dll.dll
[1999/01/22 14:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2007/04/18 12:13:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Ableton
[2007/02/05 16:44:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\DataLayer
[2010/05/09 08:30:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Dropbox
[2010/05/18 11:05:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Fiyg
[2007/09/11 18:46:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\ICAClient
[2009/08/05 11:39:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Image Zone Express
[2008/03/16 11:36:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Line 6
[2007/04/19 04:57:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\NetMedia Providers
[2007/04/18 18:53:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Nokia
[2007/02/04 17:05:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Opera
[2008/02/23 06:52:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\PC Suite
[2007/04/19 04:57:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Publish Providers
[2007/04/14 10:26:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\RhythmRascal
[2008/05/01 14:56:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Sony
[2010/05/18 08:56:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Spotify
[2007/04/23 17:16:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Steinberg
[2009/12/31 12:05:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\R.Williams\Application Data\Zeymm

========== Purity Check ==========



========== Custom Scans ==========


Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.

Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.exe

Invalid Environment Variable: %APPDATA%\*.

Invalid Environment Variable: %APPDATA%\*.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/03 20:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2004/08/03 20:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/03 18:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 18:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 17:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/03 19:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/03 19:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2004/08/03 19:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/03 19:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 19:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/03 19:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USERINIT.EXE >
[2004/08/03 19:56:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\dllcache\userinit.exe
[2004/08/03 19:56:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/01/12 05:38:39 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/01/12 05:38:39 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/01/12 05:38:39 | 000,880,640 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2006/06/26 13:37:10 | 000,148,480 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dnsapi.dll
[2004/08/03 19:56:44 | 000,274,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\mstask.dll
[2004/08/03 19:56:46 | 000,067,072 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ntdsapi.dll
[2006/10/23 11:17:53 | 001,494,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\shdocvw.dll
[2006/07/13 09:33:27 | 008,453,632 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\shell32.dll
[8 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< CREATERESTOREPOINT >
< End of report >


#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 20 May 2010 - 12:51 PM

Well done.

Do you have your Windows XP disc? Might need a file from there.

This next...
  1. Please reopen on your desktop.
  2. Select "None"
  3. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    /md5start
    winlogon.exe
    logon.exe
    /md5stop

  4. Push
  5. A report will open. Copy and Paste that report in your next reply.
==========

Navigate to C:\program files\Malwarebytes' Anti-Malware and post the most recent log.txt

Kind regards,
~ t

Edited by thcbytes, 20 May 2010 - 12:52 PM.

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#9 RichMT

RichMT
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 20 May 2010 - 01:06 PM

I'm afraid that I do not have a copy of an XP CD. In fact I'm not sure if I ever had one. I do not know whether or not the copy I have is a genuine copy - I bought this machine from a friend of the family who used to do all of our computer-related activities; I know very little about the provenance.

Below is the OTL text as requested. I found the Malwarebytes' folder, but there was no log in there. The only text file I could find was licence.txt.

OTL logfile created on: 5/20/2010 7:58:11 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,015.00 Mb Total Physical Memory | 760.00 Mb Available Physical Memory | 75.00% Memory free
902.00 Mb Paging File | 801.00 Mb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.69 Gb Total Space | 11.53 Gb Free Space | 15.04% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 0.23 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 997.48 Mb Total Space | 997.39 Mb Free Space | 99.99% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Custom Scans ==========



< MD5 for: WINLOGON.EXE >
[2004/08/03 19:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2004/08/03 19:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe
< End of report >

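The reason the helper asks for an MD5 of winlogon.exe is the pattern visible in the report above: OTL hashes every copy of the named file it can find (the live copy in system32 and the protected copy in dllcache), and a file that has been patched in place shows up as two copies with the same name, size and timestamp but different hashes. Here the two winlogon.exe hashes agree, which is why the next step moves on to the Winlogon Shell entry instead. The following Python is an added example, not OTL's code or anything the helper posted: it parses the `< MD5 for: NAME >` sections of a pasted OTL report, flags any file whose copies disagree, and lists files OTL could not hash (the "Unable to obtain MD5" lines from the /lockedfiles scan). The winlogon.exe and dnsapi.dll lines in the sample are copied from the logs in this thread; the EXAMPLE.DLL section and its two hashes are constructed to show what a mismatch looks like.

```python
"""Parse OTL '< MD5 for: NAME >' sections and flag inconsistent copies.

Added example for reading an OTL custom-scan report; not part of OTL itself.
"""
import re
from dataclasses import dataclass, field

# "< MD5 for: WINLOGON.EXE >" opens a section; any other "< ... >" closes it.
HEADER_RE = re.compile(r"^< MD5 for: (?P<name>[^>]+?) >$")
# One OTL entry: [mtime | size | attrs | M] (company) details -- path
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"(?P<rest>.*?)\s+--\s+(?P<path>.+)$"
)
MD5_RE = re.compile(r"MD5=(?P<md5>[0-9A-Fa-f]{32})")


@dataclass
class FileCheck:
    name: str
    hashes: dict = field(default_factory=dict)    # path -> MD5 (uppercase)
    archived: list = field(default_factory=list)  # copies inside a .cab (no MD5 given)

    @property
    def consistent(self) -> bool:
        # All hashed copies of the file agree (or there is nothing to compare).
        return len(set(self.hashes.values())) <= 1


@dataclass
class Report:
    checks: dict = field(default_factory=dict)    # lowercased file name -> FileCheck
    locked: list = field(default_factory=list)    # paths OTL could not hash


def parse_report(text: str) -> Report:
    report = Report()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            name = m.group("name").lower()
            current = report.checks.setdefault(name, FileCheck(name))
            continue
        if line.startswith("<"):
            current = None  # another custom-scan header or the end marker
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue  # banners such as "========== Custom Scans =========="
        rest, path = e.group("rest"), e.group("path")
        if "Unable to obtain MD5" in rest:
            report.locked.append(path)  # locked file: worth a second look
        elif current is None:
            continue
        elif ".cab file" in rest:
            current.archived.append(path)
        else:
            h = MD5_RE.search(rest)
            if h:
                current.hashes[path] = h.group("md5").upper()
    return report


def findings(report: Report) -> list:
    """Human-readable list of anything a reviewer should look at."""
    out = []
    for check in report.checks.values():
        if not check.consistent:
            copies = ", ".join(f"{p}={h[:8]}..." for p, h in sorted(check.hashes.items()))
            out.append(f"MISMATCH {check.name}: {copies}")
        elif not check.hashes:
            out.append(f"NO HASH {check.name}: only archived copies found")
    for path in report.locked:
        out.append(f"LOCKED {path}")
    return out


# Constructed sample: winlogon.exe and dnsapi.dll lines are copied from this
# thread; the EXAMPLE.DLL section and its hashes are made up to show a mismatch.
SAMPLE_REPORT = r"""
========== Custom Scans ==========

< MD5 for: WINLOGON.EXE >
[2004/08/03 19:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2004/08/03 19:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: EXAMPLE.DLL >
[2004/08/03 19:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000001 -- C:\WINDOWS\system32\dllcache\example.dll
[2004/08/03 19:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000002 -- C:\WINDOWS\system32\example.dll

< %systemroot%\system32\*.dll /lockedfiles >
[2006/06/26 13:37:10 | 000,148,480 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dnsapi.dll
< End of report >
"""

if __name__ == "__main__":
    for item in findings(parse_report(SAMPLE_REPORT)):
        print(item)
```

Same size and timestamp with a different hash is the signature of a file altered in place, which is exactly what the dllcache comparison is meant to catch; a clean result, as with winlogon.exe here, rules that file out and lets the investigation move on to the registry entries that reference a missing file.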

#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 20 May 2010 - 02:20 PM

Let's continue...
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :OTL
    O4 - HKU\R.Williams_ON_C..\Run: [{5EF3D5C0-F500-CA61-A573-7C163C7F4EA7}] C:\Documents and Settings\R.Williams\Application Data\Zeymm\dike.exe ()
    O20 - HKLM Winlogon: Shell - (logon.exe) - File not found
    O32 - AutoRun File - [2008/12/23 22:54:42 | 000,000,141 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    [8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

==========

If you are still unable to boot normally then please do this.....
  1. When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  2. Select "Disable Automatic Restart on System Failure", as shown here:
  3. When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:

If there is also a file listed please post this also!!!!!

==========

Next do this in Reatogo-x.....

* Click Start > Run and type chkdsk c:/f and then click OK.
o Note the space between the k and the /

* Allow the scan to run and when completed, reboot the system. It may not run until you reboot!

==========

With your next post please provide:

* OTL.txt
* Are you able to boot?
* STOP error code and associated file
* Did chkdsk run ok?

Kind regards,
~t




#11 RichMT

RichMT
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 20 May 2010 - 03:20 PM

I just ran the fix as you said, and it gave me the option to reboot so I clicked yes/ok (whichever it may have been). Nothing happened for a few minutes, so I restarted manually. No 'OK' button appeared and the OTL log is still the same one as from the last time.

What did I do wrong?

#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 20 May 2010 - 05:04 PM

Did you accidentally press the "Run Scan" button instead of the "Run Fix" button?

Go to the C:\_OTL folder and the log should be in there. Please post it for my review.

Go ahead with the other steps I outlined too please.

#13 RichMT

RichMT
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 20 May 2010 - 06:15 PM

Thanks for bearing with me!

1) The most recent log:

========== OTL ==========
Registry value HKEY_USERS\R.Williams_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\{5EF3D5C0-F500-CA61-A573-7C163C7F4EA7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5EF3D5C0-F500-CA61-A573-7C163C7F4EA7}\ not found.
C:\Documents and Settings\R.Williams\Application Data\Zeymm\dike.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:logon.exe deleted successfully.
File move failed. E:\autorun.inf scheduled to be moved on reboot.
File move failed. X:\AUTORUN.INF scheduled to be moved on reboot.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET14B.tmp deleted successfully.
C:\WINDOWS\System32\SET150.tmp deleted successfully.
C:\WINDOWS\System32\SET157.tmp deleted successfully.
C:\WINDOWS\System32\SET160.tmp deleted successfully.
C:\WINDOWS\System32\SET161.tmp deleted successfully.
C:\WINDOWS\System32\SET162.tmp deleted successfully.
C:\WINDOWS\System32\SET165.tmp deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: R.Williams
->Temp folder emptied: 802722933 bytes
->Temporary Internet Files folder emptied: 169689995 bytes
->Java cache emptied: 39375322 bytes
->FireFox cache emptied: 75089611 bytes
->Flash cache emptied: 1569347 bytes

User: RE4D4~1~WIL

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 47975686 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

Total Files Cleaned = 1,084.00 mb


OTLPE by OldTimer - Version 3.1.39.0 log created on 05202010_220820

2) I am still unable to boot

3) BSOD displays the following text:

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000135 (0x00000000 0x00000000).
The system has been shut down.

4) CHKDSK ran fine and completed successfully. Unfortunately, the computer still fails to load and I receive the same BSOD message as quoted above.

Is there any hope?

#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 20 May 2010 - 10:04 PM

There still might be hope....but before we proceed I want you to back up your data!

Note that the files with the following extensions should not be backed up:
.exe
.scr
.htm
.html
.xml
.zip
.rar
.asp
.php


Your drive is completely accessible in Reatogo-X

After you have backed up your drive, let me know and then we can continue.

#15 RichMT

RichMT
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 21 May 2010 - 05:02 AM

The backup is complete - thankfully I don't keep that many documents on this particular computer.

What do I do now?



