XP Won't Start After Running ComboFix


  • This topic is locked
3 replies to this topic

#1 spark7

  • Members
  • 3 posts

Posted 13 June 2010 - 09:57 AM

Hi,

I ran ComboFix to cure the Google redirect virus. I am now unable to log in to XP; the computer freezes at the login screen. I am able to log in in Safe Mode and have saved the ComboFix log on a flash drive and posted it below. Thanks in advance for your help and service.

Adding in further contextual information from a duplicate post. ~ OB

I ran ComboFix per instructions from a forum expert and I too am unable to log in to XP except in Safe Mode. While ComboFix was running a message appeared and stated that it would have to restart because a rootkit or something like that was found. It shut down, and while restarting a blue screen error appeared and it froze. I powered it down and turned it back on and it looked like it was starting, but it froze at login. I saved my ComboFix log to a flash drive while in Safe Mode and it is pasted below. Thanks in advance for your help and expertise.

End of added information. ~ OB

ComboFix 10-06-10.06 - hwhelchel 06/12/2010 6:23.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.759 [GMT -4:00]
Running from: c:\documents and settings\hwhelchel.FAC-ITC24\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Thumbs.db
c:\windows\system32\userdata.dll

Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.

2010-06-09 12:53 . 2010-06-09 12:53 -------- d-----w- c:\program files\Carbonite
2010-06-09 12:53 . 2010-06-09 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Carbonite
2010-06-07 10:11 . 2010-06-07 10:11 -------- d-----w- c:\documents and settings\hwhelchel.FAC-ITC24\Client Security Solution
2010-06-01 12:16 . 2010-06-01 12:16 503808 ----a-w- c:\documents and settings\hwhelchel.FAC-ITC24\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25372954-n\msvcp71.dll
2010-06-01 12:16 . 2010-06-01 12:16 499712 ----a-w- c:\documents and settings\hwhelchel.FAC-ITC24\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25372954-n\jmc.dll
2010-06-01 12:16 . 2010-06-01 12:16 348160 ----a-w- c:\documents and settings\hwhelchel.FAC-ITC24\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25372954-n\msvcr71.dll
2010-06-01 12:16 . 2010-06-01 12:16 12800 ----a-w- c:\documents and settings\hwhelchel.FAC-ITC24\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3b088996-n\decora-d3d.dll
2010-06-01 12:16 . 2010-06-01 12:16 61440 ----a-w- c:\documents and settings\hwhelchel.FAC-ITC24\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3b088996-n\decora-sse.dll
2010-06-01 12:15 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-01 04:33 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-06-01 04:33 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-06-01 04:33 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-06-01 04:33 . 2010-02-04 01:40 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-06-01 04:33 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-06-01 04:33 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-05-31 22:52 . 2010-05-31 22:52 -------- d-----w- c:\documents and settings\hwhelchel.FAC-ITC24\Application Data\Tific
2010-05-31 21:55 . 2010-05-31 21:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-31 21:55 . 2010-05-31 21:55 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-31 21:54 . 2010-06-01 11:34 -------- d-----w- c:\windows\system32\drivers\NAV
2010-05-31 21:54 . 2010-05-31 21:54 -------- d-----w- c:\program files\Norton AntiVirus
2010-05-31 21:54 . 2010-05-31 21:54 -------- d-----w- c:\program files\Windows Sidebar
2010-05-31 21:54 . 2010-05-31 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-31 21:53 . 2010-05-31 21:53 -------- d-----w- c:\program files\NortonInstaller
2010-05-31 21:39 . 2010-05-31 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-31 17:39 . 2010-05-31 17:39 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-31 17:38 . 2010-05-31 17:38 -------- d-----w- c:\program files\PDF Password Remover v3.0
2010-05-28 12:01 . 2010-05-28 12:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 03:51 . 2009-12-03 16:46 -------- d-----w- c:\program files\Common Files\Akamai
2010-06-08 12:34 . 2008-09-05 20:49 -------- d-----w- c:\documents and settings\hwhelchel.FAC-ITC24\Application Data\MP3Rocket
2010-06-08 12:34 . 2008-09-05 20:48 -------- d-----w- c:\program files\MP3 Rocket
2010-06-08 02:18 . 2009-03-26 16:50 -------- d-----w- c:\program files\Lx_cats
2010-06-02 20:28 . 2009-04-04 00:35 -------- d-----w- c:\program files\DivX
2010-06-01 16:09 . 2008-03-14 17:19 -------- d-----w- c:\program files\Java
2010-06-01 16:09 . 2008-03-14 17:19 -------- d-----w- c:\program files\Common Files\Java
2010-06-01 00:25 . 2010-06-01 00:40 230738 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-06-01 00:11 . 2010-02-22 15:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-31 23:05 . 2008-04-14 11:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-31 21:55 . 2008-04-14 11:48 -------- d-----w- c:\program files\Symantec
2010-05-31 21:55 . 2010-05-31 21:55 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-31 21:55 . 2010-05-31 21:55 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-31 21:46 . 2008-04-14 11:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-31 21:46 . 2008-04-14 11:48 -------- d-----w- c:\program files\Symantec AntiVirus
2010-05-31 21:10 . 2009-04-26 01:44 -------- d-----w- c:\program files\CCleaner
2010-05-31 17:38 . 2010-05-13 02:32 -------- d-----w- c:\program files\PDF Password Remover v3.1
2010-05-31 17:38 . 2010-02-04 06:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 10:22 . 2008-08-09 18:30 -------- d-----w- c:\documents and settings\hwhelchel.FAC-ITC24\Application Data\Apple Computer
2010-04-29 19:16 . 2010-04-29 19:15 -------- d-----w- c:\program files\iTunes
2010-04-29 19:16 . 2010-04-29 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-29 19:15 . 2010-04-29 19:15 -------- d-----w- c:\program files\iPod
2010-04-29 19:15 . 2008-08-09 18:29 -------- d-----w- c:\program files\Common Files\Apple
2010-04-29 19:08 . 2008-06-26 15:22 -------- d-----w- c:\program files\QuickTime
2010-04-29 19:01 . 2010-04-29 19:01 -------- d-----w- c:\program files\Bonjour
2010-04-29 18:50 . 2010-04-29 18:50 73000 ------w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-29 18:42 . 2008-08-09 18:20 -------- d-----w- c:\program files\Safari
2010-04-29 18:33 . 2010-04-29 18:33 79144 ------w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-25 04:02 . 2009-02-03 23:27 -------- d-----w- c:\program files\Lamp Light
2010-04-08 17:20 . 2010-04-08 17:20 91424 ------w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ------w- c:\windows\system32\dns-sd.exe
2010-03-30 04:46 . 2009-11-14 03:23 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-11-14 03:22 20824 ------w- c:\windows\system32\drivers\mbam.sys
2010-03-28 22:27 . 2010-03-28 22:27 45056 ------w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-28 22:27 . 2010-03-28 22:27 45056 ------w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-28 22:27 . 2010-03-28 22:27 45056 ------w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-28 22:27 . 2010-03-28 22:27 45056 ------w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-28 22:27 . 2010-03-28 22:27 49152 ------w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-28 22:27 . 2010-03-28 22:27 308808 ------w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-28 22:27 . 2010-03-28 22:27 40960 ------w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-28 22:27 . 2010-03-28 22:27 14848 ------w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-28 22:27 . 2010-03-28 22:27 341600 ------w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-22 14:46 . 2010-03-22 14:46 142 ------w- c:\documents and settings\hwhelchel.FAC-ITC24\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-12-03 20:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-12-03 20:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-12-03 20:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2010-01-04 16:36 2848568 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2010-01-04 16:36 2848568 ------w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-04 39408]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-02-12 98304]
"ISUSPM"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"PMHandler"="c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe" [2007-03-16 31840]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2006-09-06 54824]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2007-08-23 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 89542]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-12 1282048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-23 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-23 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-23 138008]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-04-26 120368]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-26 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"LXBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2004-03-23 294912]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-19 68592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-28 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-12-03 670864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-05-31 20:57 155648 ------w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1107000.00C\symds.sys [6/1/2010 12:33 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1107000.00C\symefa.sys [6/1/2010 12:33 AM 173104]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [5/24/2006 2:48 PM 10240]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [4/29/2010 1:44 PM 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1107000.00C\cchpx86.sys [6/1/2010 12:33 AM 501888]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1107000.00C\ironx86.sys [6/1/2010 12:33 AM 116784]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/30/2006 2:56 AM 14336]
S2 FNF5SVC;Fn+F5 Service;c:\program files\Lenovo\HOTKEY\FnF5svc.exe [5/10/2007 10:22 PM 54832]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [12/12/2009 11:27 AM 233472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 1:09 AM 135664]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe [6/1/2010 12:33 AM 126392]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 4:11 PM 569344]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/31/2010 6:29 PM 102448]
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [6/22/2007 2:45 PM 106496]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [12/12/2009 11:27 AM 36608]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [6/8/2010 6:52 PM 331640]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [5/22/2007 6:59 PM 30336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-06-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 05:09]

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 05:09]

2010-06-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

2010-06-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3940528835-1097905864-3361260878-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-06-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3940528835-1097905864-3361260878-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\hwhelchel.FAC-ITC24\Application Data\Mozilla\Firefox\Profiles\vphfoflf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.spurgeongems.org/prayers.htm|http://www.sermonaudio.com/main.asp|http://www.ccel.org/ccel/spurgeon/morneve.today.html|http://www.biblegateway.com/passage/|http://www.monergism.com/thethreshold/articles/onsite/prayerlist.html
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NPSStartup - (no file)
Notify-NavLogon - (no file)
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\hwhelchel.FAC-ITC24\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(304)
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
Completion time: 2010-06-12 06:34:25
ComboFix-quarantined-files.txt 2010-06-12 10:34

Pre-Run: 35,278,315,520 bytes free
Post-Run: 44,367,609,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FA17FFB049A0D4B0E468C7ABF36EC4FD

Edited by Orange Blossom, 13 June 2010 - 02:51 PM.
Move to log forum. ~ OB
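The log above is the whole evidence the thread has, and a few of its lines carry most of the security signal: Norton's on-access scanning is disabled, a driver in system32\drivers was patched in place, the Windows Firewall standard profile is off, TCP 3389 is globally open, and the user's browser proxy points at 127.0.0.1:5555. That last item is the part that fits the "Google redirect" symptom: a proxy on loopback relays every browser request through a process on the machine, which is one common way a redirector rewrites traffic. The script below is an added example, not part of the post and not ComboFix code; it runs a small set of triage rules over lines copied from the posted log. The rules, severities and the proxy_detail() heuristic are this example's own assumptions about what a responder would flag first.

```python
"""Triage security-relevant lines from a ComboFix log.

Added example: this is not part of the forum post and is not ComboFix
code. The sample lines in SAMPLE_LOG are copied from the log posted in
the thread; the rules and severities are this example's own assumed
triage heuristics, not anything ComboFix itself reports.
"""
from __future__ import annotations
import re

# Constructed sample: a handful of lines copied from the posted log.
SAMPLE_LOG = """\
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
Infected copy of c:\\windows\\system32\\drivers\\imapi.sys was found and disinfected
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")

# (pattern, default severity, label). The proxy rule's severity is decided
# by proxy_detail() once the proxy host is known.
RULES = [
    (re.compile(r"^AV: .*On-access scanning disabled"), "high",
     "AV real-time (on-access) scanning is off"),
    (re.compile(r"^Infected copy of (?P<path>\S+) was found"), "high",
     "system driver was patched in place"),
    (re.compile(r'^"EnableFirewall"=\s*0\b'), "medium",
     "Windows Firewall disabled for the standard profile"),
    (re.compile(r'^"(?P<port>\d+):TCP"='), "medium",
     "inbound TCP port globally open in the firewall"),
    (re.compile(r"ProxyServer = (?P<proxy>\S+)"), "medium",
     "browser proxy configured"),
]


def proxy_detail(proxy: str) -> tuple[str, str]:
    """Classify an IE ProxyServer value such as 'http=127.0.0.1:5555'.

    IE stores either 'host:port' or ';'-separated 'scheme=host:port' pairs.
    A proxy on loopback means every browser request is relayed through a
    process on this machine, which is how a local redirector rewrites traffic.
    """
    entries = [e.split("=", 1)[-1] for e in proxy.split(";") if e]
    hosts = [e.rsplit(":", 1)[0].strip("[]") for e in entries]
    if any(h in LOOPBACK or h.startswith("127.") for h in hosts):
        return "high", (f"browser proxy points at loopback ({proxy}): "
                        "traffic is relayed through a local process")
    return "medium", f"browser proxy configured ({proxy})"


def triage(log_text: str) -> list[dict]:
    """Return one finding per matching line, in log order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for pattern, severity, label in RULES:
            m = pattern.search(line)
            if not m:
                continue
            groups = m.groupdict()
            if "proxy" in groups:
                severity, detail = proxy_detail(groups["proxy"])
            elif "port" in groups:
                detail = f"{label}: {groups['port']}/tcp"
            elif "path" in groups:
                detail = f"{label}: {groups['path']}"
            else:
                detail = label
            findings.append({"line": lineno, "severity": severity,
                             "detail": detail, "text": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] line {f['line']:>3}: {f['detail']}")
```

The rules are deliberately narrow: a loopback proxy is only suspicious when no legitimate local proxy software (a web filter, a debugging proxy) is installed, so the finding is a lead to check rather than a verdict. The "EnableFirewall" and "3389:TCP" keys are read from the standard profile only, which is the profile ComboFix prints here.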




#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 June 2010 - 10:40 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Do not attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

Note: If you are having problems posting the complete log into this thread, upload them here http://www.rapidshare.com/ and post the links in this thread.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
CODE
:filefind
imapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Let me have this scan when complete

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
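The `:filefind imapi.sys` directive asks SystemLook to list every copy of that file on the disk with its location, size and timestamp, so that the live driver in system32\drivers can be set against the cached copies Windows keeps. The script below is an added example, not part of the thread and not SystemLook; it does the same search and additionally hashes each copy, because a driver patched in place (as the ComboFix log reports for imapi.sys) can keep its original size and name while its bytes differ. The build_sample_tree() function builds a constructed directory layout with made-up contents, and the cache locations it uses (system32\dllcache and ServicePackFiles\i386) are assumed for the demonstration; nothing in it is a real driver image.

```python
"""Find every copy of a file name under a root and compare their hashes.

Added example: this is not part of the thread and is not SystemLook. It
does what the ':filefind imapi.sys' directive asks SystemLook for (list
every copy of the file with its location and size) and additionally
hashes each copy, so that a copy whose bytes differ from the others stands
out even when sizes and names are identical. build_sample_tree() builds a
constructed directory layout with made-up contents; nothing in it is a
real driver image.
"""
from __future__ import annotations
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def filefind(root: Path, name: str) -> list[dict]:
    """Every file under root whose name matches (case-insensitively, as NTFS does)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = Path(dirpath) / fn
                hits.append({"path": str(p), "size": p.stat().st_size,
                             "sha256": sha256_of(p)})
    return sorted(hits, key=lambda h: h["path"])


def odd_ones_out(hits: list[dict]) -> list[dict]:
    """Copies whose hash disagrees with the majority; all copies if there is no majority."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["sha256"]] = counts.get(h["sha256"], 0) + 1
    if not counts:
        return []
    top_hash, top_n = max(counts.items(), key=lambda kv: kv[1])
    if top_n * 2 <= len(hits):          # two copies that differ: no majority, report both
        return list(hits)
    return [h for h in hits if h["sha256"] != top_hash]


def build_sample_tree() -> Path:
    """Constructed layout: one live driver plus two cached copies (assumed paths)."""
    root = Path(tempfile.mkdtemp(prefix="filefind_demo_"))
    clean = b"MZ" + b"\x00" * 62 + b"CLEAN-DRIVER-IMAGE (constructed)"
    patched = clean[:-8] + b"PATCHED!"          # same length, different bytes
    layout = {
        "windows/system32/drivers/imapi.sys": patched,
        "windows/system32/dllcache/imapi.sys": clean,
        "windows/ServicePackFiles/i386/imapi.sys": clean,
        "windows/system32/drivers/other.sys": clean,   # different name: not reported
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = filefind(root, "imapi.sys")
    for h in hits:
        print(f"{h['size']:>8}  {h['sha256'][:16]}  {h['path']}")
    for h in odd_ones_out(hits):
        print("differs from the other copies:", h["path"])
```

A hash mismatch is a lead, not a verdict: a hotfix can legitimately leave the live driver newer than the cached copies, so the next check on a real machine is the file's version resource and Authenticode signature, and only then a restore from a copy known to be good.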

#3 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 June 2010 - 03:14 AM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo



#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 June 2010 - 03:21 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo




