
Vista 64 won't boot


26 replies to this topic

#1 blurry eyes

blurry eyes

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:44 AM

Posted 07 October 2011 - 12:48 PM

I hope I'm in the right place here. You did an outstanding job for someone having the exact same problem. Here is the URL to that topic:

http://www.bleepingcomputer.com/forums/topic418997.html

I have been able to use a startup disk to run frst64 from a USB drive. I have a fixlog, but was prompted that my post needed to be shortened, so I didn't include it here.

This problem started after I ran Malwarebytes and removed selected items. Thanks in advance for your time.



#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,119 posts
  • OFFLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:44 AM

Posted 07 October 2011 - 05:44 PM

Members are not advised...to use malware log posts by other members...as a guide to attempting to clean their own systems.

I suggest that you follow the procedures indicated at Preparation Guide, Before Using Malware Removal Tools and Requesting Help - http://www.bleepingcomputer.com/forums/topic34773.html , taking note that the logs are to be posted in the forum referenced in the guide, not here.

Louis

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:44 PM

Posted 08 October 2011 - 11:54 AM

Hello, this is caused by an incorrectly cleaned rootkit infection.
In order to fix it, we'll need to edit the registry remotely. First however, we need to know in which location to fix this.

On a working computer, press Windows key + R, type notepad and press enter. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt. Make sure frst64.exe is also located on the same flashdrive.

Reg: reg query hkey_local_machine\system\select

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Boot using the Recovery disk to enter the Recovery Environment. Open FRST.exe and click the Fix button.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Edited by elise025, 08 October 2011 - 11:57 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 blurry eyes

  • Topic Starter

Posted 08 October 2011 - 02:53 PM

Thanks Elise, here's the log

Fix result of Farbars's Recovery Tool (FRST written by farbar version 2.2.3)
Ran by SYSTEM at 2011-10-08 13:45:48 R:1
Running from G:\

==============================================


========= reg query hkey_local_machine\system\select =========


HKEY_LOCAL_MACHINE\999\select
Current REG_DWORD 0x1
Default REG_DWORD 0x1
Failed REG_DWORD 0x0
LastKnownGood REG_DWORD 0x2


========= End of Reg: =========


==== End of Fixlog ====

#5 Elise


Posted 08 October 2011 - 04:35 PM

Okay, next, do the same with the following script:

Reg: reg query "hkey_local_machine\system\controlset001\control\session manager\subsystems" /v Windows

Edited by elise025, 09 October 2011 - 01:08 PM.

regards, Elise




#6 blurry eyes

  • Topic Starter

Posted 09 October 2011 - 12:37 PM

Here we go Elise:

Fix result of Farbars's Recovery Tool (FRST written by farbar version 2.2.3)
Ran by SYSTEM at 2011-10-09 11:31:39 R:2
Running from K:\

==============================================


========= reg query hkey_local_machine\system\controlset001\control\session manager\subsystems /v Windows =========

ERROR: Invalid syntax.
Type "REG QUERY /?" for usage.

========= End of Reg: =========


==== End of Fixlog ====

#7 Elise


Posted 09 October 2011 - 01:09 PM

My apologies, I made a mistake in the script; it is fixed now in the script. Can you please run it once more?

regards, Elise




#8 blurry eyes

  • Topic Starter

Posted 09 October 2011 - 03:46 PM

No problem, I just appreciate your help.

Here's the next log:

Fix result of Farbars's Recovery Tool (FRST written by farbar version 2.2.3)
Ran by SYSTEM at 2011-10-09 14:40:19 R:3
Running from K:\

==============================================


========= reg query "hkey_local_machine\system\controlset001\control\session manager\subsystems" /v Windows =========


HKEY_LOCAL_MACHINE\999\controlset001\control\session manager\subsystems
Windows REG_EXPAND_SZ %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16


========= End of Reg: =========


==== End of Fixlog ====

#9 Elise


Posted 10 October 2011 - 01:50 AM

Hi again,

Please run the following script. Let me know if you can boot afterwards.
SubSystems: [Windows] ==> ZeroAccess

regards, Elise


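The two registry checks Elise walks the topic starter through above, as one script: post #3 reads HKLM\SYSTEM\Select to learn which ControlSetNNN is actually live before touching it, and posts #8 and #9 inspect the Subsystems "Windows" value and identify its non-stock ServerDll entry as ZeroAccess. This is an added example for readers, not code from the thread and not part of FRST; it parses the reg query output exactly as the posted Fixlog excerpts show it (the offline hive appearing under HKEY_LOCAL_MACHINE\999 is left alone, only the value lines are read), derives the ControlSet name from Select\Current, builds the same FRST query line post #5 used but aimed at that control set, and flags any ServerDll= module that is not basesrv, winsrv or sxssrv. That allowlist, the function names and the "failed query" handling are my assumptions; the sample input is copied from the logs in posts #4, #6 and #8.

```python
"""Offline check of the two registry facts this thread turns on: which ControlSet the
SYSTEM hive says is live (HKLM\\SYSTEM\\Select) and whether the Subsystems 'Windows'
value still loads only stock server DLLs. Editor's added example; not FRST code."""
import re
from typing import Dict, List, Tuple

# Sample input: the two Fixlog excerpts the topic starter posted above (posts #4 and #8).
# The offline hive appears as HKEY_LOCAL_MACHINE\999\... in those logs, so the parser
# ignores the key-path line entirely and only reads the value lines beneath it.
SELECT_LOG = r"""
HKEY_LOCAL_MACHINE\999\select
Current REG_DWORD 0x1
Default REG_DWORD 0x1
Failed REG_DWORD 0x0
LastKnownGood REG_DWORD 0x2
"""

SUBSYSTEMS_LOG = r"""
HKEY_LOCAL_MACHINE\999\controlset001\control\session manager\subsystems
Windows REG_EXPAND_SZ %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
"""

# ASSUMPTION (editor's allowlist, not from the thread): the server DLLs that the stock
# Subsystems\Windows value names on XP, Vista and 7 are basesrv, winsrv and sxssrv.
# Anything else (the posted value names consrv) is what the FRST directive
# "SubSystems: [Windows] ==> ZeroAccess" resets.
ALLOWED_SERVERDLLS = {"basesrv", "winsrv", "sxssrv"}
EXPECTED_EXE = r"%systemroot%\system32\csrss.exe"

# One `reg query` value line: <name> <REG_type> <data>. Value names containing spaces
# are not handled; none of the values checked here has one.
_VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text: str) -> Dict[str, Tuple[str, str]]:
    """Turn a reg query listing into {value_name_lower: (type, data)}.
    Key-path lines, blanks and error text ("ERROR: Invalid syntax.") are skipped."""
    values: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().upper().startswith("HKEY_"):
            continue
        m = _VALUE_LINE.match(line)
        if m:
            name, rtype, data = m.groups()
            values[name.lower()] = (rtype, data)
    return values


def live_control_set(select_text: str) -> str:
    """Map Select\\Current (a REG_DWORD such as 0x1) to the ControlSetNNN it names."""
    values = parse_reg_query(select_text)
    if "current" not in values or values["current"][0] != "REG_DWORD":
        raise ValueError("Select\\Current not found in reg query output")
    return "ControlSet%03d" % int(values["current"][1], 16)


def subsystems_query_directive(select_text: str) -> str:
    """Build the FRST fixlist line used in post #5, but aimed at the control set that
    Select\\Current reports instead of assuming ControlSet001."""
    control_set = live_control_set(select_text)
    return ('Reg: reg query "hkey_local_machine\\system\\' + control_set
            + '\\control\\session manager\\subsystems" /v Windows')


def audit_subsystems_value(subsystems_text: str) -> List[str]:
    """Return findings for the Subsystems 'Windows' value; an empty list means it
    points at csrss.exe and names only allowlisted server DLLs."""
    values = parse_reg_query(subsystems_text)
    if "windows" not in values:
        return ["Windows value missing (query failed or wrong key)"]
    rtype, data = values["windows"]
    findings: List[str] = []
    if rtype != "REG_EXPAND_SZ":
        findings.append("unexpected value type %s" % rtype)
    tokens = data.split()
    exe = tokens[0].lower() if tokens else ""
    if exe != EXPECTED_EXE:
        findings.append("subsystem executable is %r, expected csrss.exe" % exe)
    for tok in tokens[1:]:
        if tok.lower().startswith("serverdll="):
            # ServerDll=<module>[:<entrypoint>],<index>  ->  keep just <module>
            module = tok.split("=", 1)[1].split(":", 1)[0].split(",", 1)[0].lower()
            if module not in ALLOWED_SERVERDLLS:
                findings.append("unexpected ServerDll module %r in %r" % (module, tok))
    return findings


if __name__ == "__main__":
    print("live control set :", live_control_set(SELECT_LOG))
    print("next FRST line   :", subsystems_query_directive(SELECT_LOG))
    for finding in audit_subsystems_value(SUBSYSTEMS_LOG) or ["value looks stock"]:
        print("finding          :", finding)
```

Run against the posted logs it reports ControlSet001 as the live set and flags the consrv ServerDll entry; fed the "ERROR: Invalid syntax." output from post #6 it reports the value as missing rather than silently passing, which is the failure mode the quoting fix in post #7 corrected.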


#10 blurry eyes

  • Topic Starter

Posted 10 October 2011 - 10:54 AM

Hi Elise,

My computer did boot up this time. It took a long time. Once I saw the Microsoft progress bar, it took a lot longer than usual, and then the screen after it is usually a cursor followed by the Windows logo. This took over a minute to come up. Then when I tried to shut down it took several minutes. I decided to try to boot again and it took a long time but did boot up. This time I was able to shut down and I thought we had this problem beat. But...I tried to boot up again. Took a long time on the same screens but now, once it appears to be almost fully booted up but before I get internet access and I can see all of my icons, I get a screen scramble followed by a blue screen telling me this is a crash dump.
Thanks again for your efforts.

#11 Elise


Posted 10 October 2011 - 11:20 AM

Please try to reboot in safe mode, and run the following.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise




#12 blurry eyes

  • Topic Starter

Posted 10 October 2011 - 06:42 PM

I tried to turn off Norton, but I noticed it did try to run a scan a couple of times. I would have used the uninstall tool if I had known how pesky it would be. Let me know if it compromised this latest scan. And BTW, I had installed and run Malwarebytes at regular intervals at the suggestion of a local technician.

Thank You!

ComboFix 11-10-10.02 - Owner 10/10/2011 14:09:51.1.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1575 [GMT -6:00]
Running from: c:\users\Public\Equipment\Software Downloads\ComboFix\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\1054.rtp
c:\users\Owner\AppData\Roaming\inst.exe
c:\users\Owner\AppData\Roaming\Kacam
c:\users\Owner\AppData\Roaming\Kacam\qyynr.rej
c:\users\Owner\g2mdlhlpx.exe
c:\windows\assembly\tmp\U
c:\windows\assembly\tmp\U\000000c0.@
c:\windows\assembly\tmp\U\000000cb.@
c:\windows\assembly\tmp\U\000000cf.@
c:\windows\assembly\tmp\U\80000000.@
c:\windows\assembly\tmp\U\800000c0.@
c:\windows\assembly\tmp\U\800000cb.@
c:\windows\assembly\tmp\U\800000cf.$
c:\windows\winhelp.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-09-10 to 2011-10-10 )))))))))))))))))))))))))))))))
.
.
2011-10-10 20:51 . 2011-10-10 21:06 -------- d-----w- c:\users\Owner\AppData\Local\temp
2011-10-10 20:51 . 2011-10-10 20:51 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-10-10 20:51 . 2011-10-10 20:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-10 20:51 . 2011-10-10 20:51 -------- d-----w- c:\users\Chris Standard\AppData\Local\temp
2011-10-10 16:02 . 2011-10-10 16:02 -------- d-----w- c:\programdata\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-10-07 03:53 . 2011-10-07 03:54 -------- d-----w- C:\FRST
2011-10-04 16:39 . 2010-12-21 00:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-10-04 16:39 . 2011-10-04 16:39 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-04 16:39 . 2010-12-21 00:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-04 14:06 . 2011-10-04 14:06 -------- d-----w- c:\program files (x86)\Windows Portable Devices
2011-10-04 14:06 . 2011-10-04 14:06 -------- d-----w- c:\program files\Windows Portable Devices
2011-10-04 13:45 . 2009-10-08 21:08 234496 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-10-04 13:45 . 2009-10-08 21:07 4096 ----a-w- c:\windows\SysWow64\oleaccrc.dll
2011-10-04 13:45 . 2009-10-08 21:07 315904 ----a-w- c:\windows\system32\oleacc.dll
2011-10-04 13:45 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-04 13:45 . 2009-10-08 21:08 736256 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-04 13:45 . 2009-10-08 21:08 555520 ----a-w- c:\windows\SysWow64\UIAutomationCore.dll
2011-10-04 13:31 . 2009-09-10 02:07 3815424 ----a-w- c:\windows\system32\UIRibbon.dll
2011-10-04 13:31 . 2009-09-10 02:06 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-10-04 13:31 . 2009-09-10 02:05 103424 ----a-w- c:\windows\system32\UIAnimation.dll
2011-10-04 13:31 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\SysWow64\UIRibbonRes.dll
2011-10-04 13:31 . 2009-09-10 02:00 92672 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2011-10-04 13:31 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\SysWow64\UIRibbon.dll
2011-10-03 22:16 . 2011-10-04 13:07 -------- d-----w- c:\windows\system32\drivers\N360x64\0501000.01D
2011-10-03 20:25 . 2011-06-17 20:14 1427344 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-10-03 17:30 . 2010-08-21 04:59 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-10-03 17:30 . 2011-10-03 22:16 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-10-03 17:30 . 2011-10-03 22:16 -------- d-----w- c:\program files\Symantec
2011-10-03 17:29 . 2011-10-03 17:29 -------- d-----w- c:\program files (x86)\Norton Security Suite
2011-10-03 17:29 . 2011-10-03 17:29 -------- d-----w- c:\program files (x86)\NortonInstaller
2011-10-03 17:23 . 2011-09-19 13:33 91720 ----a-w- c:\program files (x86)\Mozilla Firefox\IdVaultCore.XmlSerializers.dll
2011-10-03 17:23 . 2011-09-19 13:33 1615432 ----a-w- c:\program files (x86)\Mozilla Firefox\IdVaultCore.dll
2011-10-03 17:23 . 2011-09-19 13:33 134728 ----a-w- c:\program files (x86)\Mozilla Firefox\CommonDotNET.dll
2011-10-03 17:23 . 2011-06-14 19:23 8007680 ----a-w- c:\program files (x86)\Mozilla Firefox\Microsoft.mshtml.dll
2011-10-03 17:23 . 2011-07-05 16:18 29288 ------w- c:\windows\system32\drivers\gidv2.sys
2011-10-03 17:23 . 2011-07-05 16:25 467224 ------w- c:\windows\system32\GIDHOOK64.DLL
2011-10-03 17:23 . 2011-07-05 16:24 446752 ------w- c:\windows\system32\GIDHookLogon64.dll
2011-10-03 17:23 . 2011-07-05 16:23 102160 ------w- c:\windows\system32\GIDBIN3.DLL
2011-10-03 17:23 . 2011-07-05 16:23 206608 ------w- c:\windows\system32\GIDBIN1.DLL
2011-10-03 17:23 . 2009-06-12 21:32 109064 ------w- c:\windows\system32\EasyHook64.dll
2011-10-03 14:54 . 2011-10-03 14:55 -------- d-----w- c:\windows\SysWow64\ca-ES
2011-10-03 14:54 . 2011-10-03 14:55 -------- d-----w- c:\windows\SysWow64\eu-ES
2011-10-03 14:54 . 2011-10-03 14:55 -------- d-----w- c:\windows\SysWow64\vi-VN
2011-10-03 14:54 . 2011-10-03 14:54 -------- d-----w- c:\windows\system32\ca-ES
2011-10-03 14:54 . 2011-10-03 14:54 -------- d-----w- c:\windows\system32\eu-ES
2011-10-03 14:54 . 2011-10-03 14:54 -------- d-----w- c:\windows\system32\vi-VN
2011-10-01 15:38 . 2011-07-06 15:49 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-30 19:09 . 2011-09-30 19:09 -------- d-----we c:\windows\system64
2011-09-29 21:57 . 2011-07-05 16:25 65816 ------w- c:\windows\system32\GIDLogonCP64.dll
2011-09-29 21:21 . 2011-09-29 21:21 -------- d-----w- c:\users\Owner\AppData\Roaming\HzONyxA1uSoFpGs
2011-09-29 21:20 . 2011-09-29 21:20 -------- d-----w- c:\users\Owner\AppData\Roaming\s2ibF3pmGaJdKfZ
2011-09-29 21:20 . 2011-09-29 21:20 -------- d-----w- c:\users\Owner\AppData\Roaming\WkIBrzONyAuS
2011-09-29 21:20 . 2011-09-29 21:20 -------- d-----w- c:\users\Owner\AppData\Roaming\CCekIBrzOyA
2011-09-29 21:20 . 2011-09-29 21:20 -------- d-----w- c:\users\Owner\AppData\Roaming\YYCekIBrzN
2011-09-29 21:20 . 2011-09-29 21:20 -------- d-----w- c:\users\Owner\AppData\Roaming\E7fEL9gTXjCkBzN
2011-09-29 21:20 . 2011-09-29 21:20 -------- d-----w- c:\users\Owner\AppData\Roaming\jjYCekIBrO
2011-09-29 21:20 . 2011-09-29 21:20 -------- d-----w- c:\users\Owner\AppData\Roaming\wEL8gTZqjCkVzNx
2011-09-29 21:15 . 2011-09-29 21:15 -------- d-----w- c:\users\Owner\AppData\Roaming\nnfVbEUSH
2011-09-29 21:14 . 2011-09-29 21:14 -------- d-----w- c:\users\Owner\AppData\Roaming\cxiGdLjBA
2011-09-29 21:12 . 2011-09-29 21:12 -------- d-----w- c:\users\Owner\AppData\Roaming\rmmGG5sQJ6dE
2011-09-29 21:12 . 2011-09-29 21:12 -------- d-----w- c:\users\Owner\AppData\Roaming\yRZZ9hhTXwjVeIB
2011-09-29 21:11 . 2011-09-29 21:11 -------- d-----w- c:\users\Owner\AppData\Roaming\nwwkkIVrlONt
2011-09-29 21:11 . 2011-09-29 21:11 -------- d-----w- c:\users\Owner\AppData\Roaming\zssWWJ7dEL8gZ
2011-09-29 21:11 . 2011-09-29 21:11 -------- d-----w- c:\users\Owner\AppData\Roaming\E5ssWWJ7dEL8TZh
2011-09-29 21:11 . 2011-09-29 21:11 -------- d-----w- c:\users\Owner\AppData\Roaming\OWWJJ7ddELgTZhC
2011-09-29 21:11 . 2011-09-29 21:11 -------- d-----w- c:\users\Owner\AppData\Roaming\oOOBBtxP0ucSib3
2011-09-29 21:11 . 2011-09-29 21:11 -------- d-----w- c:\users\Owner\AppData\Roaming\SVVrllOBtxP0c
2011-09-29 21:11 . 2011-09-29 21:11 -------- d-----w- c:\users\Owner\AppData\Roaming\Jeud
2011-09-29 21:11 . 2011-09-29 21:11 -------- d-----w- c:\users\Owner\AppData\Roaming\XUVVrllOBtx0uS1
2011-09-29 21:11 . 2011-09-29 21:11 -------- d-----w- c:\users\Owner\AppData\Roaming\EWKK7ffEL9gXq
2011-09-29 21:10 . 2011-09-29 21:10 -------- d-----w- c:\users\Owner\AppData\Roaming\RLL99gTXqjY
2011-09-29 21:10 . 2011-09-29 21:10 -------- d-----w- c:\users\Owner\AppData\Roaming\DEEEL9ggTXjYCkB
2011-09-29 21:10 . 2011-09-29 21:10 -------- d-----w- c:\users\Owner\AppData\Roaming\jekkIIBrzONyA1v
2011-09-29 21:10 . 2011-09-29 21:10 -------- d-----w- c:\users\Owner\AppData\Roaming\p111uvvS2
2011-09-29 21:10 . 2011-09-29 21:10 -------- d-----w- c:\users\Owner\AppData\Roaming\SmGG55sQJ7
2011-09-29 21:10 . 2011-09-29 21:10 -------- d-----w- c:\users\Owner\AppData\Roaming\OEEKK8gRZq
2011-09-29 21:10 . 2011-09-29 21:10 -------- d-----w- c:\users\Owner\AppData\Roaming\KdEEKK8gRZqhXwU
2011-09-29 21:10 . 2011-09-29 21:10 -------- d-----w- c:\users\Owner\AppData\Roaming\VrrllOBtx
2011-09-29 21:09 . 2011-09-29 21:09 -------- d-----w- c:\users\Owner\AppData\Roaming\fPPP0uccS1bD3n4
2011-09-29 21:09 . 2011-09-29 21:09 -------- d-----w- c:\users\Owner\AppData\Roaming\S4aaQQH6dW
2011-09-29 21:09 . 2011-09-29 21:09 -------- d-----w- c:\users\Owner\AppData\Roaming\zKKK7fRRL9
2011-09-29 21:09 . 2011-09-29 21:09 -------- d-----w- c:\users\Owner\AppData\Roaming\x99hhTXqqUCelBz
2011-09-29 21:09 . 2011-09-29 21:09 -------- d-----w- c:\users\Owner\AppData\Roaming\ErrrzPPNyc
2011-09-29 21:09 . 2011-09-29 21:09 -------- d-----w- c:\users\Owner\AppData\Roaming\gyccAA1uvD2oF4m
2011-09-29 21:09 . 2011-09-29 21:09 -------- d-----w- c:\users\Owner\AppData\Roaming\JF44pmmH5
2011-09-29 21:09 . 2011-09-29 21:09 -------- d-----w- c:\users\Owner\AppData\Roaming\WqhhYYCwkIVrONx
2011-09-29 21:08 . 2011-09-29 21:08 -------- d-----w- c:\users\Owner\AppData\Roaming\tOOONtxxA0cS2b3
2011-09-29 21:08 . 2011-09-29 21:08 -------- d-----w- c:\users\Owner\AppData\Roaming\uYYCCwkIVrlOtx0
2011-09-29 21:08 . 2011-09-29 21:08 -------- d-----w- c:\users\Owner\AppData\Roaming\zNNNtxxA0uc2iF3
2011-09-29 21:08 . 2011-09-29 21:08 -------- d-----w- c:\users\Owner\AppData\Roaming\PcccS22ibF3nGaQ
2011-09-29 21:08 . 2011-09-29 21:08 -------- d-----w- c:\users\Owner\AppData\Roaming\pJJ66dWKK
2011-09-29 21:08 . 2011-09-29 21:08 -------- d-----w- c:\users\Owner\AppData\Roaming\RWWWK88fRZ9TXjU
2011-09-29 21:08 . 2011-09-29 21:08 -------- d-----w- c:\users\Owner\AppData\Roaming\X99hhTXXwjVelBz
2011-09-29 21:08 . 2011-09-29 21:08 -------- d-----w- c:\users\Owner\AppData\Roaming\FBttzzP0ycA1vDo
2011-09-29 21:07 . 2011-09-29 21:07 -------- d-----w- c:\users\Owner\AppData\Roaming\EnnF44amH6
2011-09-29 21:07 . 2011-09-29 21:07 -------- d-----w- c:\users\Owner\AppData\Roaming\BammHH6sWJ7fL9T
2011-09-29 21:07 . 2011-09-29 21:07 -------- d-----w- c:\users\Owner\AppData\Roaming\aEEEL9ggTZjYCkV
2011-09-29 21:07 . 2011-09-29 21:07 -------- d-----w- c:\users\Owner\AppData\Roaming\sZZZqjjYCekVrON
2011-09-29 21:07 . 2011-09-29 21:07 -------- d-----w- c:\users\Owner\AppData\Roaming\LIIIVrrzONyA0vS
2011-09-29 21:07 . 2011-09-29 21:07 -------- d-----w- c:\users\Owner\AppData\Roaming\VbFF3ppmG
2011-09-29 21:07 . 2011-09-29 21:07 -------- d-----w- c:\users\Owner\AppData\Roaming\BGG55sQQJ6EK8R9
2011-09-29 21:07 . 2011-09-29 21:07 -------- d-----w- c:\users\Owner\AppData\Roaming\iZZZ9hhYXw
2011-09-29 21:06 . 2011-09-29 21:06 -------- d-----w- c:\users\Owner\AppData\Roaming\JyyycS11ib3on4Q
2011-09-29 21:06 . 2011-09-29 21:06 -------- d-----w- c:\users\Owner\AppData\Roaming\P44aQQH6sWK7RLg
2011-09-29 21:06 . 2011-09-29 21:06 -------- d-----w- c:\users\Owner\AppData\Roaming\U77ffRL9gTXqUCk
2011-09-29 21:06 . 2011-09-29 21:06 -------- d-----w- c:\users\Owner\AppData\Roaming\LAAA1uuvD2o
2011-09-29 21:06 . 2011-09-29 21:06 -------- d-----w- c:\users\Owner\AppData\Roaming\NCCeekIBrzPNxA
2011-09-29 21:06 . 2011-09-29 21:06 -------- d-----w- c:\users\Owner\AppData\Roaming\cffRLL9gTXqjCeI
2011-09-29 21:06 . 2011-09-29 21:06 -------- d-----w- c:\users\Owner\AppData\Roaming\KG44aQQH6sW7fL9
2011-09-29 21:06 . 2011-09-29 21:06 -------- d-----w- c:\users\Owner\AppData\Roaming\SBBttxP0ycS1bDo
2011-09-29 21:05 . 2011-09-29 21:05 -------- d-----w- c:\users\Owner\AppData\Roaming\p5ssQJJ6dEKgR9h
2011-09-29 21:05 . 2011-09-29 21:05 -------- d-----w- c:\users\Owner\AppData\Roaming\PAAA0uuvS2oF3mG
2011-09-29 21:05 . 2011-09-29 21:05 -------- d-----w- c:\users\Owner\AppData\Roaming\VOOONyxxA0vS
2011-09-29 21:05 . 2011-09-29 21:05 -------- d-----w- c:\users\Owner\AppData\Roaming\zqqjjYCekIVrONx
2011-09-29 21:05 . 2011-09-29 21:05 -------- d-----w- c:\users\Owner\AppData\Roaming\pjjYYCekkVrz
2011-09-29 21:05 . 2011-09-29 21:05 -------- d-----w- c:\users\Owner\AppData\Roaming\jiivvD3onF4aH6W
2011-09-29 21:05 . 2011-09-29 21:05 -------- d-----w- c:\users\Owner\AppData\Roaming\DfRRZZ9hTXwjVeI
2011-09-29 21:04 . 2011-09-29 21:04 -------- d-----w- c:\users\Owner\AppData\Roaming\IbbbF33pnG5QJdW
2011-09-29 21:04 . 2011-09-29 21:04 -------- d-----w- c:\users\Owner\AppData\Roaming\yTZZqhhYCwkVrO
2011-09-29 21:04 . 2011-09-29 21:04 -------- d-----w- c:\users\Owner\AppData\Roaming\TppmmH5ssJ7dE8T
2011-09-29 21:04 . 2011-09-29 21:04 -------- d-----w- c:\users\Owner\AppData\Roaming\UuuvvD2onF4pH5W
2011-09-29 21:04 . 2011-09-29 21:04 -------- d-----w- c:\users\Owner\AppData\Roaming\iCCCellIBrzNyA1
2011-09-29 21:04 . 2011-09-29 21:04 -------- d-----w- c:\users\Owner\AppData\Roaming\SHHH6ddWK7fL9TX
2011-09-29 21:04 . 2011-09-29 21:04 -------- d-----w- c:\users\Owner\AppData\Roaming\CQHH66dWK7fR9hX
2011-09-29 21:04 . 2011-09-29 21:04 -------- d-----w- c:\users\Owner\AppData\Roaming\vuuccS1ibD3pG4Q
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-27 12:28 . 2011-07-27 12:28 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files (x86)\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-08 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-07-10 225396]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"StorageGuard"="c:\program files (x86)\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"InstantBurn"="c:\progra~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2007-06-05 599600]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-09-04 75048]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"GIDDesktop"="c:\program files (x86)\SFT\GuardedID\gidd.exe" [2011-07-05 395528]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"StartMSu"="c:\program files (x86)\Creative\MediaSource5\Startmsu.exe" [2006-10-02 81920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Constant Guard.lnk - c:\program files (x86)\Constant Guard Protection Suite\IDVault.exe [2011-9-19 3508296]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED
BigFix.lnk - c:\program files\BigFix\bigfix.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files (x86)\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 12:25 144784 ----a-w- c:\program files (x86)\Java\jre1.6.0_05\bin\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 ETService;Empowering Technology Service;c:\program files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-06-11 24576]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-10-31 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-01-10 79360]
R3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110929.001\BHDrvx64.sys [2011-09-30 1152632]
S1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\DRIVERS\CLBStor.sys [x]
S1 GIDv2;GIDv2; [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20111007.030\IDSvia64.sys [2011-09-30 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [x]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360x64\0501000.01D\SYMTDIV.SYS [x]
S2 ASKService;ASKService;c:\program files (x86)\AskBarDis\bar\bin\AskService.exe [2008-12-10 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files (x86)\AskBarDis\bar\bin\ASKUpgrade.exe [2008-12-10 234888]
S2 CLBUDF;CLBUDF;c:\windows\system32\DRIVERS\CLBUDF.sys [x]
S2 IDVaultSvc;CGPS Service;c:\program files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe [2011-09-19 62536]
S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-10-02 136824]
S3 gwfilt64;gwfilt64;c:\windows\system32\drivers\gwfilt64.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
2011-07-05 16:26 435976 ----a-w- c:\program files (x86)\SFT\GuardedID\GIDI.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2960005529-3494219434-145418510-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-05 19:31]
.
2011-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2960005529-3494219434-145418510-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-05 19:31]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mygiftbasket.us/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1008&m=fx6800-01e&c=BB
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.85.98 68.87.69.146 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\r6km5nx6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://home.iwon.com/iwon-homepage/home.jhtml
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
HKLM-Run-Skytel - Skytel.exe
AddRemove-GearDrivers - c:\windows\system32\DeIsL3.isu
AddRemove-Works2kSetup - c:\program files (x86)\Microsoft Works Suite 2000\Setup\Launcher.exe
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\bm_installer.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:67,31,ee,dc,91,c7,bb,ef,05,60,5d,e9,d9,14,f9,f0,bb,0b,80,70,b8,
7d,bb,3b,b7,10,23,4b,6a,c5,d5,56,ac,bc,d5,72,48,36,21,b2,b3,64,47,70,04,a6,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@SACL=
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@SACL=
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@SACL=
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:67,31,ee,dc,91,c7,bb,ef,05,60,5d,e9,d9,14,f9,f0,bb,0b,80,70,b8,
7d,bb,3b,b7,10,23,4b,6a,c5,d5,56,ac,bc,d5,72,48,36,21,b2,b3,64,47,70,04,a6,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\SysWOW64\DllHost.exe
c:\program files (x86)\CyberLink\InstantBurn\Win2K\IBurn.exe
c:\program files (x86)\Windows Media Player\wmplayer.exe
.
**************************************************************************
.
Completion time: 2011-10-10 16:53:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-10 22:52
.
Pre-Run: 38,111,428,608 bytes free
Post-Run: 96,372,563,968 bytes free
.
- - End Of File - - 418C46D7316EFF683B4721E051581D95

#13 Elise

Elise
Malware Study Hall Admin, 61,252 posts, Location: Romania

Posted 11 October 2011 - 12:41 AM

How are things running at this point?

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double-click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#14 blurry eyes (Topic Starter)

blurry eyes
Members, 15 posts

Posted 11 October 2011 - 10:34 AM

Hi Elise,

Thanks so much for your continuing help. Yes! I can boot up now. I'm writing you because of an issue while trying to run TDSS. This computer has a couple of other issues that I didn't want to get into here (one problem at a time). Local techs couldn't fix it. I have had this problem for the last year in that my computer won't do a restart, but I can shut it down and then usually it will restart okay. Sometimes it will go into the mode of starting normally or trying to restore, but if I unplug my computer, then try a cold restart I can usually get it working.

Sorry to take your time telling you about this, but it did have an effect on TDSS. As I was running TDSS, I was prompted to restart so it could remove the rootkit file. Because of the above issue, I tried a restart but it didn't work, so I had to shut the computer down, unplug it and then start up.

I'm contacting you because when I finally got it started back up again, TDSS was no longer open. Here's my question. Should I restart TDSS and run it again until I don't have anything it is trying to remove?

Thanks Elise.

#15 Elise

Elise
Malware Study Hall Admin, 61,252 posts, Location: Romania

Posted 11 October 2011 - 11:40 AM

Yes, rerun TDSSkiller and let me know if it still detects something.

regards, Elise