Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tidserv B No Boot


  • This topic is locked This topic is locked
9 replies to this topic

#1 Marrzl

Marrzl

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 20 January 2011 - 06:31 AM

Hi All,

I've got the same issue as dantilley... Used Norton Bootable Recovery Tool to discover I had this, but it can't remove it.

Boot the system (Win XP Pro 32bit), boots ok to login screen, click on user name and the system goes straight to logoff and then shutdown.

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:46 AM

Posted 21 January 2011 - 05:54 AM

Hello, do you have an XP CD at hand?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Marrzl

Marrzl
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 22 January 2011 - 07:20 PM

Hi elise025,

Yes, I do have an XP CD..

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:46 AM

Posted 23 January 2011 - 02:50 AM

Hi again,

Let's try to boot your computer using a Boot CD.

Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source:(path to Windows installation files)
    • Enter the path to the drive where your XP CD is located.
    • You can click on the "..." button on the right to navigate to the path as well.
  • Custom: (include files and folders from this directory)
    • No information is necessary, leave blank.
  • Output:
    • Keep the default
  • Media output
    • Choose Create ISO image
    • Do not choose Burn to CD/DVD
    • Download the RunScanner plugin and save it to your desktop

    http://www.paraglidernc.com/Files/RunScanner10025.cab

    Please note: You will be prompted for the folder that it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!


    • Press the Plugin button on the PE Builder interface
    • Press the Add button and navigate to the location of the RunScanner plugin to install
    • Please note: If you are using a Windows XP disc with sp2 then highlight RpsSS needs to launch DComLaunch and then press Enable
  • When your done press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run it's course
  • When the Build is finished you can click close, then exit
4. Burn your ISO file to CD==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility

==========

In A43File Management you should see your flash drive
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.

  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to Use Safelist
    • Uncheck LOP and Purity check

    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!
  • Push Posted Image
  • A report will open named "OTL.tx"t and another will be minimized to the system tray named "Extra.txt". Save both log's to your flash drive. Copy and Paste them in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Marrzl

Marrzl
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 23 January 2011 - 06:07 AM

Hi Elise,

Followed your instructions, all went ok except that the Extra.txt file was not created.

Here's the output of OTL.txt

OTL logfile created on: 1/23/2011 9:53:45 PM - Run
OTLPE by OldTimer - Version 3.1.44.0 Folder = D:\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1,023.00 Mb Total Physical Memory | 847.00 Mb Available Physical Memory | 83.00% Memory free
923.00 Mb Paging File | 895.00 Mb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 53.85 Gb Free Space | 72.26% Space Free | Partition Type: NTFS
Drive D: | 3.72 Gb Total Space | 3.72 Gb Free Space | 99.92% Space Free | Partition Type: FAT32
Drive X: | 155.58 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MININT-JVC | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- -- (HidServ)
SRV - [2010/08/13 01:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/03/26 03:06:24 | 000,292,864 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2009/09/30 04:18:22 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/02/22 00:15:56 | 000,137,216 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (nmwcd)
DRV - [2007/02/22 00:15:14 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcdcm.sys -- (nmwcdcm)
DRV - [2007/02/22 00:15:14 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcdcj.sys -- (nmwcdcj)
DRV - [2007/02/22 00:15:14 | 000,008,320 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcdc.sys -- (nmwcdc)
DRV - [2006/08/18 05:52:00 | 004,017,536 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2006/07/24 05:05:00 | 000,005,632 | ---- | M] () [File_System | System] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2005/12/22 01:24:52 | 000,137,884 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/12/22 01:24:52 | 000,010,864 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2005/12/22 01:24:50 | 000,080,272 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Cameron_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
IE - HKU\Cameron_ON_C\Software\Microsoft\Internet Explorer\Main,SearchPage =
IE - HKU\Cameron_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
IE - HKU\Cameron_ON_C\..\URLSearchHook: {d2f11d8b-3eb5-4b42-9511-370dbec707fb} - C:\Program Files\Oryte_Games_1.15\tbOry1.dll (Conduit Ltd.)
IE - HKU\Cameron_ON_C\..\URLSearchHook: {F08555B0-9CC3-11D2-AA8E-000000000567} - Reg Error: Key error. File not found
IE - HKU\Cameron_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\Cameron_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\Cameron_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8075




FF - HKLM\software\mozilla\Firefox\Extensions\\{6137ED43-8624-4EF6-B42B-982E618302C2}: C:\Documents and Settings\Cameron\Local Settings\Application Data\{6137ED43-8624-4EF6-B42B-982E618302C2} [2011/01/02 13:13:58 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/01/08 08:43:33 | 000,001,248 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.8minutedating.com
O1 - Hosts: 127.0.0.1 whysohardx.com
O1 - Hosts: 127.0.0.1 protectyourpc-11.com
O1 - Hosts: 127.0.0.1 checkserverstatux.com
O1 - Hosts: 127.0.0.1 xinmin.cn
O1 - Hosts: 127.0.0.1 xy95.cn
O1 - Hosts: 127.0.0.1 koralda.com
O1 - Hosts: 127.0.0.1 weirden.com
O1 - Hosts: 127.0.0.1 nanocloudcontroller.com
O1 - Hosts: 127.0.0.1 www.8minutedating.com
O1 - Hosts: 127.0.0.1 whysohardx.com
O1 - Hosts: 127.0.0.1 protectyourpc-11.com
O1 - Hosts: 127.0.0.1 checkserverstatux.com
O1 - Hosts: 127.0.0.1 xinmin.cn
O1 - Hosts: 127.0.0.1 xy95.cn
O1 - Hosts: 127.0.0.1 koralda.com
O1 - Hosts: 127.0.0.1 weirden.com
O1 - Hosts: 127.0.0.1 nanocloudcontroller.com
O1 - Hosts: 127.0.0.1 coo0lnet.net
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll (Conduit Ltd.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Oryte Games 1.15 Toolbar) - {d2f11d8b-3eb5-4b42-9511-370dbec707fb} - C:\Program Files\Oryte_Games_1.15\tbOry1.dll (Conduit Ltd.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Oryte Games 1.15 Toolbar) - {d2f11d8b-3eb5-4b42-9511-370dbec707fb} - C:\Program Files\Oryte_Games_1.15\tbOry1.dll (Conduit Ltd.)
O3 - HKU\Cameron_ON_C\..\Toolbar\WebBrowser: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll (Conduit Ltd.)
O3 - HKU\Cameron_ON_C\..\Toolbar\WebBrowser: (Oryte Games 1.15 Toolbar) - {D2F11D8B-3EB5-4B42-9511-370DBEC707FB} - C:\Program Files\Oryte_Games_1.15\tbOry1.dll (Conduit Ltd.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe (Nokia)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\.DEFAULT..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\Cameron_ON_C..\Run: [{C6CA47CA-044D-2B34-95EC-2269619C7E33}] C:\Documents and Settings\Cameron\Application Data\Ynozqy\qagey.exe (Adobe Systems Incorporated)
O4 - HKU\Cameron_ON_C..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
O4 - Startup: C:\Documents and Settings\Cameron\Start Menu\Programs\Startup\s4e4xln1u.exe ()
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\voby.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Cameron_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261474638296 (WUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O27 - HKLM IFEO\userinit.exe: Debugger - C:\WINDOWS\system32\winhsetup.exe File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/22 08:35:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/11/02 04:04:58 | 000,000,046 | R--- | M] () - X:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/21 04:49:41 | 000,000,000 | ---D | C] -- C:\NBRT
[2011/01/15 12:05:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\Favorites
[2011/01/12 06:32:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cameron\Application Data\Hedec
[2011/01/12 06:32:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cameron\Application Data\Amkuze
[2011/01/12 01:09:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cameron\Application Data\Huti
[2011/01/12 01:09:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cameron\Application Data\Atgiy
[2011/01/12 01:09:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Start Menu\Programs\Startup
[2011/01/12 01:09:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Start Menu
[2011/01/10 06:25:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/01/09 07:11:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cameron\Application Data\Ynozqy
[2011/01/09 07:11:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cameron\Application Data\Soybub
[2011/01/09 07:10:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/01/09 07:10:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/01/07 00:51:57 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/01/06 00:11:48 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\IETldCache
[2011/01/04 05:07:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/01/03 05:46:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/01/03 05:09:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/01/03 05:07:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService\IETldCache
[2011/01/02 15:07:20 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\IETldCache
[2011/01/02 15:06:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/01/02 15:06:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/01/02 13:35:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cameron\Start Menu\Programs\Scanner
[2011/01/02 13:13:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cameron\Local Settings\Application Data\{6137ED43-8624-4EF6-B42B-982E618302C2}
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/21 05:54:18 | 068,157,440 | -HS- | M] () -- C:\NBRTPage.sys
[2011/01/20 10:51:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/20 10:51:36 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/20 08:11:39 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/17 05:51:21 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/01/14 11:29:17 | 000,035,328 | ---- | M] () -- C:\Documents and Settings\Cameron\My Documents\Cover Letter & Resume[1].doc
[2011/01/14 11:27:00 | 000,017,946 | ---- | M] () -- C:\Documents and Settings\Cameron\Application Data\data.dat
[2011/01/13 04:11:57 | 000,003,066 | ---- | M] () -- C:\WINDOWS\Rfowan.dat
[2011/01/12 23:36:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Omupivufepovax.bin
[2011/01/07 03:04:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/01/03 06:10:02 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/01/02 13:35:06 | 000,000,782 | ---- | M] () -- C:\Documents and Settings\Cameron\Desktop\Scanner.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/21 05:54:18 | 068,157,440 | -HS- | C] () -- C:\NBRTPage.sys
[2011/01/20 08:29:01 | 1073,270,784 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/02 13:35:06 | 000,000,782 | ---- | C] () -- C:\Documents and Settings\Cameron\Desktop\Scanner.lnk
[2011/01/02 13:13:59 | 000,003,066 | ---- | C] () -- C:\WINDOWS\Rfowan.dat
[2011/01/02 13:13:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Omupivufepovax.bin
[2011/01/02 13:12:23 | 000,017,946 | ---- | C] () -- C:\Documents and Settings\Cameron\Application Data\data.dat
[2010/10/16 11:47:24 | 000,000,097 | ---- | C] () -- C:\Documents and Settings\Cameron\SETUP.DAT
[2010/05/22 07:52:07 | 000,000,756 | ---- | C] () -- C:\WINDOWS\entpack.ini
[2010/04/20 04:38:46 | 000,112,191 | ---- | C] () -- C:\Documents and Settings\Cameron\Application Data\NMM-MetaData.db
[2010/02/03 05:14:28 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Cameron\񀿉
[2009/12/30 08:49:50 | 000,000,082 | ---- | C] () -- C:\Documents and Settings\Cameron\default.pls
[2009/12/24 10:37:14 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/24 10:37:13 | 000,129,536 | ---- | C] () -- C:\Documents and Settings\Cameron\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/24 09:02:30 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2009/12/22 19:57:17 | 000,001,024 | ---- | C] () -- C:\Documents and Settings\Cameron\.rnd
[2009/12/22 19:24:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/12/22 10:54:21 | 000,076,277 | ---- | C] () -- C:\Documents and Settings\Cameron\CCCInstall_200912222154213281.log
[2009/12/22 08:45:47 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2009/12/22 08:45:36 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/12/07 02:31:00 | 000,202,752 | R--- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
< End of report >

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:46 AM

Posted 23 January 2011 - 06:39 AM

I see what the problem is here, but it has nothing to do with a Tidserv infection. :)
Please rerun OTLPE and copy/paste the following text into the "custom scan/fix" field. Click Run Fix. Afterwards try to reboot.

:otl
IE - HKU\Cameron_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\Cameron_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8075
O4 - HKU\Cameron_ON_C..\Run: [{C6CA47CA-044D-2B34-95EC-2269619C7E33}] C:\Documents and Settings\Cameron\Application Data\Ynozqy\qagey.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\Cameron\Start Menu\Programs\Startup\s4e4xln1u.exe ()
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\voby.exe (Adobe Systems Incorporated)

:reg
[-HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Marrzl

Marrzl
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 24 January 2011 - 02:22 AM

Hi Elise,

Worked a treat. Thank you very much...
Norton took care of the rest after I logged in and ran a scan.

Ok, so any idea on how this may have happened?

Thanks again,

Mario.

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:46 AM

Posted 24 January 2011 - 04:18 AM

One of the present infections, most likely a rogue, had hooked up userinit.exe. So, whenever userinit was started, the bad file also got executed. When something deleted the bad file, but not also the registry entry associated with it, the computer was still looking for the bad file when starting up, which was no longer there and thus the logon failed.

Please let me know if you want any more help making sure your computer is cleaned, or if this topic can be closed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Marrzl

Marrzl
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 24 January 2011 - 05:33 AM

I think I'll be right from here.
Once again, many thanks for the cure and explaination.

Mario.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:46 AM

Posted 24 January 2011 - 05:35 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users