BSOD and instant reboot



#1 Enulfson


Posted 05 November 2010 - 05:34 PM

Dear experts,


I have the exact same problem as described in this thread with the extra problem that after the Blue Screen appears, Windows immediately reboots.

I managed to capture the stop code. This is it: STOP: 0x0000007b (0xb84C7524, 0xc0000034, 0x00000000, 0x00000000)

What I already did before finding this forum:

* I tried booting in safe mode -> same BSOD -> instant reboot
* Returned to "Last Known Good Configuration" -> none was found. At reboot I got the same BSOD and instant reboot.
* I booted from Windows Install disk and ran Recovery Console. I was happy to see that all my data was still there, on both disks and all partitions. I ran CHKDSK /P. It found some corrupt blocks on the C: drive (system drive). I didn't know about /R at that time. Experience is a cruel teacher.
* I tried with the install disk to 'fix' my Windows, hoping that it would replace corrupt files. -> BSOD + instant reboot.
* I created a boot disk based on my Windows XP installation disk. It's not the one you advise to use, but it resembles it a lot, being based on the same tools. It's called UBCD4Win. Using that I backed up all my data to a SATA drive I installed for this backup. I also backed up files to a USB drive. (This took me several days). Both drives are now physically removed from the computer.

At this point I still didn't know what the BSOD stop code was since it only shows up for a split second.

* I looked for the Windows boot log file. None existed. I looked in other dirs than the standard, but found nothing.
* On UBCD there is a RegEdit clone that allows reading an existing "remote" registry. I read about how to set the time-out of the bleeping BSOD and changed that to a longer time. Reboot -> BSOD and instant reboot. It didn't work.
* Using remote regedit from UBCD I forced the filename of the Windows logs, both the Dumplog and Minidump. Next cycle, still none was created. I tried appending files, disabled overwriting them. No avail. My theory is that Windows doesn't run long enough to open a log dump file before the lights go out.
* Finally I tried a low-tech solution: I filmed the booting sequence and got one (1) single shot of the BSOD in a 25 frames a second clip. The only useful info on it was the stop code I mentioned above, which apparently is Mickeysoft-speak for "INACCESSIBLE_BOOT_DEVICE".
* On later attempts to film the booger, I didn't even capture a full stop code before the BSOD went black. This s*cker is that quick!
* Here I started to think that even for Microsoft this is too evil. From UBCD I ran Avast to scout for pests. Clean bill of health, but still BSOD and instant reboot.
* Using Recovery Console, I tried FIXBOOT (without parameters). At reboot, same problem. I didn't dare trying FIXMBR.
* On UBCD there is a version of TestDisk that shows me the partitions. All seemed correct. No missing drives or tables. I wrote a new partition. Reboot -> same BSOD and instant reboot.
* I read about /R in CHKDSK, so I tried that. It ran for a long time (I did the dishes in the meanwhile) but after a completed scan and fix -> still BSOD and instant reboot.
* I tried Avira to check if there was a bootvirus. It found all sorts of potential infestations in game patches and other antiviri's vaults, but nothing that hasn't been there for ages.
* I have done everything short of an animal sacrifice... and then I found this topic on your wonderful forum and I knew there was still some hope left in Pandora's box to prolong my suffering.

So I followed the instructions and ran OTLPE. From UBCD instead of the boot CD you're suggesting, but it worked. The logs are in attachment.

Before I leave you, the thing that happened just before is that I tried to install a webcam. It wouldn't work. A request came up on ZoneAlarm (the free firewall) to search for what I took for drivers and in a moment of weakness bordering on insanity I opened up the gates (= shut down ZoneAlarm). I don't remember exactly, but I think the problems only started at the next reboot.

This webcam is really a cheap affair, probably Asian import, without a name or anything. It came with a small CD of drivers that didn't get it to function. The only thing that resembles a brand name in the meager documentation is one mention of "AMCAP". The strange thing is that I got it at my last job, where a qualified IT staff thoroughly tested everything that was issued to the employees. So is it caused by the webcam's driver disk, or did something get sucked in when I opened up ZoneAlarm? I don't know.

Sorry if this post got a bit long and ranty. I think I needed to vent a little, and in a therapeutic sense, bleepingcomputer.com already did me a lot of good. I would really REALLY appreciate it if you would suggest my next move, so that I can prove to myself for at least a little while that these bleeping machines don't rule us just yet.

Thank you in advance for your time.


Best regards,

Enulfson



Edited by hamluis, 05 November 2010 - 05:52 PM.
Moved from XP forum to Malware Removal Logs ~ Hamluis.




#2 m0le


Posted 13 November 2010 - 05:49 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Enulfson


Posted 13 November 2010 - 06:59 PM

Hello m0le,

Thanks for taking the time to help me solve my problem.

> Please subscribe to this topic

No need. I have been checking in daily and I will check in every couple of hours. I really need your help.

> Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Ok. I haven't changed a bit since running the OTLPE log on November 5th.

> Please reply to this post so I know you are there.

Done. :-)

#4 m0le


Posted 13 November 2010 - 07:19 PM

The AT??.job files are an indicator of TDSS. This rootkit has disabled your PC so well done on getting the OTLPE to run. I need you to rerun it now to try and identify the infected driver that is running the show.

  • Run OTLPE. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Please copy the following into the Custom Scans box at the bottom

    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    
  • Now click the Run Scan button on the toolbar.
  • Let it run until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Post the log in the next reply.

#5 Enulfson


Posted 13 November 2010 - 08:00 PM

> The AT??.job files are an indicator of TDSS. This rootkit has disabled your PC (...)

That's not good. I've seen four similar tasks on my laptop. That's the back-up computer I'm using to post now.

> I need you to rerun it now to try and identify the infected driver that is running the show.
> Post the log in the next reply.

I've attached it. Do you prefer me to copy/paste it into the post, like I see other people do sometimes?

Also, a friend who looked briefly at the first log noticed that this file had been created shortly after the problems started.

C:\Program Files\t2r4disp.exe

I didn't do anything. I waited for one of you guys to get back to me first. I just thought I'd mention it now.

Anyway, here's the log.



#6 m0le


Posted 13 November 2010 - 09:23 PM

Yeah, copy/paste is easier to work from :)

The TDSS file is still a bit of a mystery. Let's try and remove what we can now. Be aware that TDSS can make this much harder for us and make OTLPE impossible to use. We still have other options though.

Open OTLPE

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - (WDICA) --  File not found
DRV - (PDRFRAME) --  File not found
DRV - (PDRELI) --  File not found
DRV - (PDFRAME) --  File not found
DRV - (PDCOMP) --  File not found
DRV - (PCIDump) --  File not found
DRV - (PciCon) -- D:\PciCon.sys File not found
DRV - (lbrtfdc) --  File not found
DRV - (i2omgmt) --  File not found
DRV - (Changer) --  File not found
[2010/10/25 20:00:35 | 000,514,560 | ---- | M] () -- C:\Documents and Settings\Pazuzu\Application Data\hotfix.exe
[2010/10/25 19:59:48 | 000,000,408 | ---- | C] () -- C:\WINDOWS\System32\Remover.ini
:files
C:\WINDOWS\tasks\At*.job
C:\Program Files\t2r4disp.exe
:commands
[EmptyTemp]
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"

Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

This will probably not be enough to boot the PC but please try. If it boots then stop and tell me.


If not, please run the following scan using the same instructions as the previous scan (two posts back)

Please run OTLPE again and paste the following in the Customs Scans window
/md5start
setupapi.dll
/md5stop
Post that log too.
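Added here as an illustration of how an analyst reads an OTL/OTLPE report like the ones in this thread (this is not OTL's own code and not something from the thread): a small Python triage pass over constructed lines in the OTL line format, flagging the three things the fix above acts on, namely service/driver entries whose image is "File not found", loaded images with an empty company name, and numbered At*.job scheduled tasks. The sample log, section headers, sizes and companies are all assumed values.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the OTL/OTLPE report line format seen in this thread.
# Entries are illustrative (assumed companies, sizes and paths), not copied from
# the poster's attachment; the section headers are only there for readability.
SAMPLE_OTL_LOG = r"""
========== Win32 Services (SafeList) ==========

SRV - (vsmon) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe (Zone Labs, LLC)
SRV - (NMSAccessU) -- C:\Tools\CDBurnerXP\NMSAccessU.exe ()
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe -d -f %ProgramFiles%\WinPcap\rpcapd.ini File not found

========== Driver Services (SafeList) ==========

DRV - (WDICA) --  File not found
DRV - (PciCon) -- D:\PciCon.sys File not found
DRV - (atapi) -- C:\WINDOWS\system32\drivers\atapi.sys (Microsoft Corporation)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (a347bus) -- C:\WINDOWS\system32\drivers\a347bus.sys ( )

========== Files - Modified Within 30 Days ==========

[2010/10/25 20:00:35 | 000,514,560 | ---- | M] () -- C:\Documents and Settings\Pazuzu\Application Data\hotfix.exe
[2010/10/25 19:58:00 | 000,000,312 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/10/25 19:58:00 | 000,000,312 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2010/10/20 09:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\notepad.exe
"""

# "SRV - (name) optional description -- image path (Company)" or "... File not found"
SERVICE_RE = re.compile(r"^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\)(?P<desc>.*?) -- (?P<rest>.*)$")
# Image path followed by the publisher OTL read from the file's version info
IMAGE_RE = re.compile(r"^(?P<path>.*\S) \((?P<company>[^()]*)\)$")
# "[date | size | attrs | M/C] (Company) -- path" file entries
FILE_RE = re.compile(r"^\[(?P<stamp>[^\]]+)\] \((?P<company>[^()]*)\) -- (?P<path>.*)$")
AT_JOB_RE = re.compile(r"\\tasks\\At\d+\.job$", re.IGNORECASE)
BINARY_EXT = (".exe", ".sys", ".dll")
MISSING = "File not found"


@dataclass(frozen=True)
class Finding:
    category: str  # orphan_service | unknown_publisher | at_job
    name: str      # service/driver name, or file name for file entries
    path: str
    reason: str


def triage(log_text: str) -> list:
    """Return the entries an analyst would look at first in an OTL report."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest").strip()
            if rest.endswith(MISSING):
                # Registry still references a driver/service whose image is gone:
                # leftover entries like these are what the :OTL fix section removes.
                path = rest[: -len(MISSING)].strip()
                findings.append(Finding("orphan_service", m.group("name"), path,
                                        f"{m.group('kind')} entry points at a missing file"))
                continue
            im = IMAGE_RE.match(rest)
            if im and not im.group("company").strip():
                findings.append(Finding("unknown_publisher", m.group("name"), im.group("path"),
                                        "loaded image has no company name"))
            continue
        f = FILE_RE.match(line)
        if f:
            path = f.group("path").strip()
            fname = path.rsplit("\\", 1)[-1]
            if AT_JOB_RE.search(path):
                # Numbered AtN.job tasks are the TDSS indicator named in the thread
                findings.append(Finding("at_job", fname, path, "numbered At*.job scheduled task"))
            elif not f.group("company").strip() and path.lower().endswith(BINARY_EXT):
                findings.append(Finding("unknown_publisher", fname, path,
                                        "recently modified binary with no company name"))
    return findings


def summarize(findings) -> dict:
    """Count findings per category, e.g. {'orphan_service': 3, ...}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for item in triage(SAMPLE_OTL_LOG):
        print(f"{item.category:18} {item.name:14} {item.reason}: {item.path or '<no path>'}")
```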

#7 Enulfson


Posted 14 November 2010 - 06:48 AM

Good morning m0le,

> Yeah, copy/paste is easier to work from :)

Ok, I'll do that then.

> Please post that log in your next reply. Note: If a file or folder cannot
> be moved immediately you may be asked to reboot the machine to finish the
> move process.

It ran fine. I didn't need to reboot to get to the log. Here it is:


--------------------------------------------------- START LOG ---------------------------------------------------------------

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WDICA deleted successfully.
File File not found not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PDRFRAME deleted successfully.
File File not found not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PDRELI deleted successfully.
File File not found not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PDFRAME deleted successfully.
File File not found not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PDCOMP deleted successfully.
File File not found not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PCIDump deleted successfully.
File File not found not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PciCon deleted successfully.
File D:\PciCon.sys File not found not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lbrtfdc deleted successfully.
File File not found not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\i2omgmt deleted successfully.
File File not found not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Changer deleted successfully.
File File not found not found.
C:\Documents and Settings\Pazuzu\Application Data\hotfix.exe moved successfully.
C:\WINDOWS\system32\Remover.ini moved successfully.
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At25.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
C:\Program Files\t2r4disp.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 826869 bytes
->Temporary Internet Files folder emptied: 155352 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Falco
->Temp folder emptied: 2865181 bytes
->Temporary Internet Files folder emptied: 219798 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 821810 bytes

User: Pazuzu
->Temp folder emptied: 3555943154 bytes
->Temporary Internet Files folder emptied: 320012961 bytes
->Java cache emptied: 140114864 bytes
->FireFox cache emptied: 106293196 bytes
->Google Chrome cache emptied: 144139811 bytes
->Flash cache emptied: 171021 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 1613377 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1477368 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

Total Files Cleaned = 4,079.00 mb

========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTLPE by OldTimer - Version 3.1.43.0 log created on 11142010_131750

--------------------------------------------------- END LOG ----------------------------------------------------------------

> This will probably not be enough to boot the PC but please try. If it boots then stop and tell me.

You're right. I rebooted and got the BSOD again for one split second before the computer rebooted again.

> If not, please run the following scan using the same instructions as the previous scan (two posts back)

Here's the second log:


--------------------------------------------------- START LOG ---------------------------------------------------------------

OTL logfile created on: 11/14/2010 1:33:56 PM - Run
OTLPE by OldTimer - Version 3.1.43.0 Folder = H:\OTLPE
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 6.0.2800.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): e:\pagefile.sys 2046 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32.00 Gb Total Space | 21.78 Gb Free Space | 68.05% Space Free | Partition Type: NTFS
Drive D: | 4.09 Gb Total Space | 4.07 Gb Free Space | 99.43% Space Free | Partition Type: NTFS
Drive E: | 216.87 Gb Total Space | 11.37 Gb Free Space | 5.24% Space Free | Partition Type: NTFS
Drive F: | 216.88 Gb Total Space | 8.53 Gb Free Space | 3.93% Space Free | Partition Type: NTFS
Drive G: | 461.66 Gb Total Space | 6.12 Gb Free Space | 1.32% Space Free | Partition Type: NTFS
Drive H: | 994.84 Mb Total Space | 994.03 Mb Free Space | 99.92% Space Free | Partition Type: FAT
Drive X: | 649.95 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MININT-JVC | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet002

========== Win32 Services (SafeList) ==========

SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe -d -f %ProgramFiles%\WinPcap\rpcapd.ini File not found
SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (Microsoft Corporation)
SRV - (WPFFontCache_v0400) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (avg8emc) -- C:\Tools\AVG\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg8wd) -- C:\Tools\AVG\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (getPlus® Helper) getPlus® -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (NOS Microsystems Ltd.)
SRV - (vsmon) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe (Zone Labs, LLC)
SRV - (NMSAccessU) -- C:\Tools\CDBurnerXP\NMSAccessU.exe ()
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)


========== Driver Services (SafeList) ==========

DRV - (atksgt) -- C:\WINDOWS\system32\drivers\atksgt.sys ()
DRV - (lirsgt) -- C:\WINDOWS\system32\drivers\lirsgt.sys ()
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (wip0204) -- C:\WINDOWS\system32\drivers\wip0204.sys (Wippien Software)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs, LLC)
DRV - (srescan) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys (Zone Labs, LLC)
DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies)
DRV - (KLIF) -- C:\WINDOWS\system32\drivers\klif.sys (Kaspersky Lab)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (JRAID) -- C:\WINDOWS\system32\drivers\jraid.sys (JMicron Technology Corp.)
DRV - (AtcL001) -- C:\WINDOWS\system32\drivers\atl01_xp.sys (Attansic Technology corporation.)
DRV - (APLMp50) -- C:\WINDOWS\system32\drivers\APLMp50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (JGOGO) -- C:\WINDOWS\system32\drivers\JGOGO.sys (JMicron )
DRV - (sfvfs02) StarForce Protection VFS Driver (version 2.x) -- C:\WINDOWS\system32\drivers\sfvfs02.sys (Protection Technology)
DRV - (sfdrv01) StarForce Protection Environment Driver (version 1.x) -- C:\WINDOWS\system32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\WINDOWS\system32\drivers\sfhlp02.sys (Protection Technology)
DRV - (CLEDX) -- C:\WINDOWS\system32\drivers\cledx.sys (Team H2O)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
DRV - (a347bus) -- C:\WINDOWS\system32\drivers\a347bus.sys ( )
DRV - (a347scsi) -- C:\WINDOWS\system32\drivers\a347scsi.sys ( )
DRV - (Nsynas32) -- C:\WINDOWS\System32\drivers\NSynas32.sys (Syncrosoft Hard- und Software GmbH)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Tools\AVG\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackle.com/
IE - HKU\Administrator_ON_C\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKU\Falco_ON_C\Software\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\Falco_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\Falco_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\Falco_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\Falco_ON_C\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKU\Falco_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService_ON_C\Software\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes

IE - HKU\NetworkService_ON_C\Software\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes

IE - HKU\Pazuzu_ON_C\Software\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\Pazuzu_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\Pazuzu_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\Pazuzu_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackle.com/
IE - HKU\Pazuzu_ON_C\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll (Conduit Ltd.)
IE - HKU\Pazuzu_ON_C\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Tools\AVG\Toolbar\IEToolbar.dll ()
IE - HKU\Pazuzu_ON_C\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKU\Pazuzu_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Tools\AVG\Firefox [2009/12/22 12:27:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Tools\AVG\Toolbar\Firefox\avg@igeared [2009/06/12 15:03:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/05/11 12:02:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Components: C:\Tools\Mozilla Firefox\components [2010/10/21 10:25:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Plugins: C:\Tools\Mozilla Firefox\plugins [2010/10/21 10:25:35 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/08/27 16:06:48 | 000,000,812 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ut2004master2.epicgames.com
O1 - Hosts: 127.0.0.1 ut2004master1.epicgames.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Freecorder Toolbar) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll (Conduit Ltd.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Tools\AVG\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Tools\AVG\Toolbar\IEToolbar.dll ()
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Freecorder Toolbar) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Tools\AVG\Toolbar\IEToolbar.dll ()
O3 - HKU\Administrator_ON_C\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\Falco_ON_C\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\Pazuzu_ON_C\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\Pazuzu_ON_C\..\Toolbar\WebBrowser: (Freecorder Toolbar) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - C:\Program Files\Freecorder\tbFre1.dll (Conduit Ltd.)
O3 - HKU\Pazuzu_ON_C\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Tools\AVG\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Tools\Adobe\Reader\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Tools\AVG\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Freecorder FLV Service] C:\Tools\Freecorder\FLVSrvc.exe (Applian Technologies, Inc.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE File not found
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Tools\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Tools\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
O4 - HKU\.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\Administrator_ON_C..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\Falco_ON_C..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\Falco_ON_C..\Run: [QuickTime Task] C:\Tools\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKU\LocalService_ON_C..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_C..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\Pazuzu_ON_C..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [ShowDeskFix] File not found
O4 - HKU\LocalService_ON_C..\RunOnce: [ShowDeskFix] File not found
O4 - HKU\NetworkService_ON_C..\RunOnce: [ShowDeskFix] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Falco_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Pazuzu_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.76.224.172 82.216.111.122 82.216.111.121 82.216.111.123
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Tools\AVG\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - HKU\Pazuzu_ON_C Winlogon: Shell - (C:\Documents and Settings\Pazuzu\Application Data\hotfix.exe) - C:\Documents and Settings\Pazuzu\Application Data\hotfix.exe File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/10/11 21:56:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/11/02 14:05:00 | 000,000,046 | R--- | M] () - X:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/14 13:17:50 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/10/25 20:00:40 | 000,127,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.ocx
[2010/10/25 19:59:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/10/25 19:59:48 | 000,048,128 | ---- | C] (PixArt Imaging Incorporation) -- C:\WINDOWS\System32\Remove.exe
[2010/10/25 19:59:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\PixArt
[2010/10/25 19:59:45 | 000,000,000 | ---D | C] -- C:\Program Files\PC Camera
[2010/10/25 19:59:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PAC207
[2010/10/16 21:11:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/10/16 21:11:08 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/10/16 21:11:08 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/10/16 21:11:08 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/10/16 21:11:08 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2007/10/27 00:01:18 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2007/10/27 00:01:18 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347scsi.sys

========== Files - Modified Within 30 Days ==========

[2010/10/26 16:52:01 | 000,000,210 | RHS- | M] () -- C:\boot.ini
[2010/10/26 16:51:39 | 000,000,319 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2010/10/26 16:51:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/25 20:02:44 | 463,982,624 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/10/25 20:00:40 | 000,127,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.ocx
[2010/10/25 19:58:19 | 000,869,600 | ---- | M] () -- C:\WINDOWS\setupapi.old
[2010/10/25 19:50:26 | 000,249,324 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/10/25 19:50:13 | 000,352,918 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/10/25 19:50:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/10/25 19:48:27 | 005,449,280 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/10/25 19:10:39 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/10/25 13:15:27 | 000,000,155 | ---- | M] () -- C:\WINDOWS\winamp.ini
[2010/10/25 09:10:27 | 066,774,589 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/10/23 23:09:23 | 000,000,315 | ---- | M] () -- C:\Documents and Settings\Pazuzu\Desktop\Armagetron Advanced.lnk
[2010/10/22 10:03:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/21 10:25:37 | 000,001,534 | ---- | M] () -- C:\Documents and Settings\Pazuzu\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/18 15:33:20 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini
[2010/10/15 23:02:24 | 000,002,191 | ---- | M] () -- C:\Documents and Settings\Pazuzu\Desktop\FlatOut2.lnk

========== Files Created - No Company Name ==========

[2010/06/05 12:29:33 | 000,000,271 | ---- | C] () -- C:\WINDOWS\game.ini
[2010/06/03 18:59:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Pazuzu\Local Settings\Application Data\Schedule8.dat
[2010/05/02 15:38:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2010/04/05 19:22:05 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\Pazuzu\.recently-used.xbel
[2010/03/27 13:29:57 | 000,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/03/27 13:29:57 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/03/27 13:29:23 | 000,084,480 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/02/07 01:56:13 | 000,001,769 | ---- | C] () -- C:\WINDOWS\Language_trs.ini
[2010/01/18 02:57:33 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Pazuzu\Local Settings\Application Data\fusioncache.dat
[2009/11/07 16:04:20 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2009/10/19 20:10:03 | 000,106,720 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/09/19 01:34:20 | 000,281,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2009/09/19 01:34:19 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2009/08/02 23:21:54 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2009/08/02 23:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2009/08/02 23:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2009/07/27 14:23:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/28 19:37:02 | 000,006,628 | ---- | C] () -- C:\Documents and Settings\Pazuzu\btdownloadgui_errors.log
[2009/04/16 20:34:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Pazuzu\.gtk-bookmarks
[2009/04/08 18:10:05 | 000,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2008/02/23 11:37:46 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\Pazuzu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/06 20:19:28 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2007/10/27 00:37:45 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/10/14 11:20:44 | 000,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2007/10/13 20:29:03 | 000,015,446 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2007/10/13 20:26:03 | 000,019,912 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/10/13 20:26:02 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/10/13 20:25:49 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/10/11 22:05:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/05/21 07:32:40 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/05/21 07:32:40 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/05/21 07:32:38 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/05/21 07:32:38 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/05/21 07:32:38 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/11/02 08:27:46 | 000,000,518 | ---- | C] () -- C:\WINDOWS\System32\SP207.ini
[2003/03/11 16:25:54 | 000,313,856 | ---- | C] () -- C:\WINDOWS\System32\ThriXXX000089.dll
[2003/03/11 16:25:54 | 000,018,432 | ---- | C] () -- C:\WINDOWS\System32\ThriXXX000089SOUNDDX3.dll
[2003/03/11 10:56:52 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\ThriXXX010205PNG.dll
[2003/03/11 10:56:36 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\ThriXXX010104Z.dll
[2003/03/11 10:56:24 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\ThriXXX015003JP2.dll
[2003/01/29 09:10:06 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2003/01/29 09:10:06 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll

========== LOP Check ==========

[2009/06/12 10:50:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR
[2009/04/16 20:32:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\.bittorrent
[2010/05/06 13:36:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\Allume Systems
[2010/02/15 22:37:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\AnvSoft
[2008/02/23 00:00:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\Armagetron
[2009/05/23 22:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\AVGTOOLBAR
[2007/11/01 18:50:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\Bioshock
[2008/05/28 20:51:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\CDBurnerXP_Soft
[2009/10/29 23:16:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\DeepBurner
[2010/04/05 18:51:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\gtk-2.0
[2010/06/04 01:38:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\Hensense.com
[2010/05/11 01:22:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\mkvtoolnix
[2009/06/08 23:50:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\REAPER
[2008/09/18 19:41:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\SPORE
[2007/11/21 22:39:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\Steinberg
[2009/09/19 02:01:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\SystemRequirementsLab
[2009/09/19 01:39:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\Ubisoft
[2010/10/23 14:32:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\uTorrent
[2009/06/05 22:33:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pazuzu\Application Data\Wippien

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: SETUPAPI.DLL >
[2007/06/24 07:39:54 | 000,985,088 | ---- | M] (Microsoft Corporation) MD5=A1ABF509B1A1F01FBF52D34A0E1CDE3D -- C:\WINDOWS\system32\setupapi.dll
< End of report >


--------------------------------------------------- END LOG ----------------------------------------------------------------

This OTLPE program seems to be a very versatile tool. Do you know where I could learn more about it?
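As an added example, not part of this thread and not code from the OTL tool or its author, here is a small triage script over a few O4/O20 lines copied from the log above. It shows the kind of check a malware responder runs on an OTL autostart listing: a Winlogon Shell value set under a user hive (HKU) and pointing into Application Data, as the hotfix.exe entry does, is scored high, while orphaned "File not found" entries and targets with no publisher are scored lower. The scoring rules and the function names are my own assumptions, not OTL's.

```python
"""Triage OTL autostart lines (O4 Run keys, O20 Winlogon values).

Added example, not part of the forum thread or of the OTL tool.  The sample
lines are copied from the OTL log posted in the thread; the scoring rules
are my own responder heuristics, not anything OTL itself reports.
"""
import re

# Constructed sample: a handful of O4/O20 lines taken from the posted OTL log.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE File not found
O4 - HKU\.DEFAULT..\RunOnce: [ShowDeskFix] File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\Pazuzu_ON_C Winlogon: Shell - (C:\Documents and Settings\Pazuzu\Application Data\hotfix.exe) - C:\Documents and Settings\Pazuzu\Application Data\hotfix.exe File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
"""

# Tail of every line: resolved path, then either "(Company)" or "File not found".
# Assumption: paths carry no parentheses (true for the XP log above).
TAIL_RE = re.compile(r"(?P<path>[A-Za-z]:\\[^()]*?) (?:\((?P<company>[^()]*)\)|File not found)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]")
WINLOGON_RE = re.compile(r"^O20 - (?P<hive>\S+) Winlogon: (?P<value>\w+) - \((?P<data>[^()]*)\)")
NOTIFY_RE = re.compile(r"^O20 - Winlogon\\Notify\\(?P<name>[^:]+): DllName - (?P<dll>\S+)")

WINDIR = "c:\\windows\\"
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\",
                   "\\local settings\\", "\\temp\\")
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def parse_line(line):
    """Describe one O4/O20 line as a dict, or return None for lines we do not handle."""
    line = line.strip()
    if (m := O4_RE.match(line)):
        entry = {"kind": "run", "hive": m["hive"], "value": m["name"]}
    elif (m := WINLOGON_RE.match(line)):
        entry = {"kind": "winlogon", "hive": m["hive"], "value": m["value"]}
    elif (m := NOTIFY_RE.match(line)):
        entry = {"kind": "notify", "hive": "HKLM", "value": m["name"]}
    else:
        return None
    tail = TAIL_RE.search(line)
    entry["line"] = line
    entry["path"] = tail["path"] if tail else None
    entry["company"] = tail["company"] if tail else None   # None when file is missing
    entry["missing"] = line.endswith("File not found")
    return entry


def assess(entry):
    """Apply the responder heuristics; return a finding dict or None if clean."""
    reasons = []
    path = (entry["path"] or "").lower()
    if entry["kind"] == "winlogon" and entry["value"] in ("Shell", "UserInit", "UIHost"):
        if entry["hive"].startswith("HKU"):
            reasons.append(("high", f"per-user Winlogon {entry['value']} override (normally set only under HKLM)"))
        if path and not path.startswith(WINDIR):
            reasons.append(("high", f"Winlogon {entry['value']} points outside %WINDIR%"))
    if path and any(marker in path for marker in PROFILE_MARKERS):
        reasons.append(("high", "launch point lives under a user profile directory"))
    if entry["company"] is not None and not entry["company"].strip() and not entry["missing"]:
        reasons.append(("medium", "no publisher recorded for the target"))
    if entry["missing"]:
        reasons.append(("low", "target file not found (orphaned entry)"))
    if not reasons:
        return None
    severity = max((sev for sev, _ in reasons), key=SEVERITY_RANK.__getitem__)
    return {"line": entry["line"], "severity": severity, "reasons": [why for _, why in reasons]}


def triage(log_text):
    """Parse and score every handled line; findings come back highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        finding = assess(entry)
        if finding:
            findings.append(finding)
    findings.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['severity'].upper()}] {finding['line']}")
        for why in finding["reasons"]:
            print("    -", why)
```

Run against the sample, the hotfix.exe Shell entry is the only high finding (four separate reasons fire on it), the nwiz entry with an empty publisher field is medium, and the two "File not found" entries are low. The NVIDIA, Explorer and AVG lines produce no finding, which is the point: a heuristic like this narrows a several-hundred-line OTL report down to the handful of entries worth a human look.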

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:25 PM

Posted 14 November 2010 - 07:52 AM

OTLPE is the OTL tool but with the ability to work in the Preinstallation Environment, ie, when the operating system won't boot.

There is an OTL guide here written by Bleeping Computer member Starbuck.

OTLPE doesn't actually have a guide itself.


We need to identify the infected driver and replace it


We must use a different tool to find this information

Try this please. You will need a USB drive.
  • Download UNetbootin to the desktop of your working computer.
  • Download xpud-0.9.2.iso from noahdfear.net and save it to the desktop as well.
  • Once the download(s) have completed, double click the unetbootin-xpud-windows-387.exe file to run the installer.
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file
  • Verify the correct drive letter is selected for your usb device then click OK
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface.
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review
m0le is a proud member of UNITE

#9 Enulfson

Enulfson
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 14 November 2010 - 10:06 AM

> There is an OTL guide here written by Bleeping Computer member Starbuck.

Thanks, I'll definitely check that out.

> We need to identify the infected driver and replace it
> Try this please. You will need a USB drive.

I've installed all of it on my USB stick, but unfortunately my sick desktop's BIOS won't boot from the stick. I tried all kinds of BIOS options to see the USB device as a floppy, a hard disk or all sorts, but none of them seem to do the trick.

Is it possible that this only works with real USB drives, and not with a USB memory stick?

A few times during boot, I got to the point of the BSOD and reboot. Could my stick now be infected too?

I still have a couple of blank CDs lying around. Could I make a boot disk with these tools installed on it?

Or is there some kind of BIOS upgrade that can allow my desktop to boot off a USB stick?

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:25 PM

Posted 14 November 2010 - 10:47 AM

Okay, CD boot it is.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review
m0le is a proud member of UNITE

#11 Enulfson

Enulfson
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 14 November 2010 - 09:12 PM

> Okay, CD boot it is.

Sorry I couldn't reply sooner. I had some family appointments to keep.

I created the xPUD boot CD and copied the driver.sh to the stick, and booted. xPUD loaded quickly, but in the mnt dir I only found my hard drives. Or at least all the partitions on both drives. No USB stick. It took me some boots to understand that I have to hook up the USB stick after xPUD is loaded.

Anyway, I opened the terminal and ran the bash driver.sh. Here is the report. (Since the CR/LF is in Linux format, I didn't copy-paste it.)

Attached Files



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:25 PM

Posted 15 November 2010 - 04:34 PM

Please run this next.

Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Insert the USB drive and CD in the Sick computer and boot the computer from the CD again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it
Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review
m0le is a proud member of UNITE

#13 Enulfson

Enulfson
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 15 November 2010 - 05:14 PM

> Please run this next.

Wookie. Here's the log:

Attached Files



#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:25 PM

Posted 15 November 2010 - 08:34 PM

Okay, good, you have some early restore points. This should bring you back to an earlier time. This should allow you to boot normally so please check that.

  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r
  • Type 555
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful

Please note - all text entries are case sensitive

Copy and paste the restore.log from your USB drive for my review
m0le is a proud member of UNITE

#15 Enulfson

Enulfson
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 16 November 2010 - 02:43 AM

> Okay, good, you have some early restore points.

Strange. Before coming to BleepingComputer I tried reverting to an earlier restore point through the Windows pre-boot menu, but it didn't find any.

> Please try to boot into normal Windows now and indicate if you were successful

I ran the bash in the terminal as per your instructions. The log seems to state it to be all right, but after booting I still get a BSOD and a reboot.

Here is the log:

Attached Files





