
Unidentified Malware


17 replies to this topic

#1 Popeye2000

Popeye2000

  • Members
  • 21 posts

Posted 28 April 2013 - 11:55 AM

I apologize in advance for this being so long.

I was assisting my mother with a malware issue. She is running Windows XP SP3 on a Dell Latitude D620 (1.66 GHz Intel T2300 processor, 1 GB RAM, 80 GB HD). I have the computer now.

It started, obviously, with some malware. She originally called me and I told her to run SuperAntiSpyware and Malwarebytes. She told me she had been using Microsoft Security Essentials and that she kept running scans and it was always detecting the same files each scan, but never seemed to be removing them. She was unable to install SAS or MBAM and unable to boot into Safe Mode. Hoping that she would make some progress, I had her turn off some suspicious items through MSCONFIG, then run MSE one more time. She received a "not an administrator" message from MSCONFIG, but it rebooted accepting most of the changes. This time, MSE told her that it had removed some of the found items, but that she needed to run MS Defender Offline to completely remove one of the viruses found. That is when she contacted Microsoft for a disc for Defender. Unfortunately I cannot find any log files, nor does the history show, from MSE or the Defender program.

Apparently MS sent her a disc for that program, and it found and removed some viruses. When she rebooted, however, she could not connect to the internet. She called MS back and they walked her through some steps to remove SP3 and IE8 (saying that this was necessary as part of the virus removal), then sent her a disc to reinstall everything. After a few weeks of daily 3-4 hour tech support sessions, the assistance rendered her laptop a paperweight. Basically she could not boot in any mode (safe mode or regular). Safe Mode flashed a BSOD then rebooted. Regular boot gave her the Windows Genuine Advantage startup and prompted to activate, but then would lock up and do nothing, then eventually error out. She mailed me the computer a few days ago hoping that I could resolve the issue.

On 4/24, when I got into the computer, I logged into the Recovery Console to undo the IE8 install, batched the spuninst.txt, and was able to activate Windows. When it booted normally, the screen resolution was 16-bit 800x600, and I wasn't able to change it through Display Properties - there was no "Settings" tab in Display Properties (there were no tabs); the only thing showing was the ability to change the theme.

Once I got it up and running, I noticed MS Security Essentials was doing a scan, so I let it finish. It found Trojan:JS/IframeRef.K and Trojan:Dos/Alureon.A. I selected to remove that malware.

On 4/25 I installed Malwarebytes and ran a full scan. Nothing came up. (4/25 MBAM log attached.)

The screen resolution was really bugging me, so I looked in Device Manager and saw that the graphics card (Nvidia Quadro NVS 110M) was indicating that the device could not start. I tried to roll back the driver, but there was no previous one, so I went through the process of updating to the most recent available. The driver loaded, the display went normal, and I thought it was good to go.

Tried to turn everything back on from MSCONFIG that was turned off 2 months ago (ordinarily I don't turn stuff off that way, but she had no other choice originally), only to get the same administrator error: "An access denied error was returned while attempting to change a service. You may need to log on as the administrator to make the changes."

Tried to boot in safe mode for the Administrator account (knowing that some malware changes account permissions), and got the same BSOD then reboot. I turned off "reboot on error" to see the error: stop 0x000007E, then it indicates "kdcom.dll - Address F79B5160 base at F79B4999". Rebooted the computer normally and had the same display issue. Booted into 800x600 16-bit, and I did finally figure out that if I modified the desktop theme to a different wallpaper, the tabs would momentarily appear. I was able to get to the Settings tab and change to 1024x768 and 32-bit, but Device Manager says that the Nvidia controller still isn't running, thus the display must be running from an onboard graphics adapter or some other default configuration.

4/25/13: Ran SAS and it found a few things; most of them were spyware cookies, but it showed 3 more Trojans (4/25 SAS log attached).

I scoured the internet and these forums looking for solutions, and tried several to no avail. I tried the SafeBoot registry fix and that didn't fix the Safe Mode issue. I tried a bunch of different legacy drivers for the graphics card, each only working immediately after install, but then upon reboot each time the Nvidia graphics adapter would indicate the same problem, and the onboard graphics adapter would load instead (but maintaining the 1024x768 32-bit settings).

I rebooted last night (4/27) and it sounded like some advertisements were running in the background, 2 or 3 at one time, but neither IE nor any other browser was running. I ran another SAS scan, and it only found tracking cookies. Overnight, MSE found Trojan:html/redirector.bb and Exploit:Java/CVE-2012-0507. I quarantined these files.

On 4/28 ran MBAM, and it found nothing. (4/28 log attached.) Tried to fix the registry for safe mode and reloaded the driver same as above, but same thing.

So the ultimate issues are 1) there seems to still be some malware that isn't being removed (thinking we need to do ComboFix, but I need help if that's where we should go), 2) I can't boot into safe mode - get BSOD, and 3) cannot keep the Nvidia graphics adapter driver loaded. I'm thinking the malware is preventing me from changing/repairing the registry for booting into safe mode. I think once I can get into safe mode I can set the appropriate user permissions, get MSCONFIG fully enabled and load the Nvidia driver.

Any help is appreciated.

Attached Files





#2 Popeye2000

Popeye2000
  • Topic Starter

  • Members
  • 21 posts

Posted 28 April 2013 - 09:23 PM

I do have an update to this. I continued to look at other forum topics, and it seems from similar descriptions that this may have been a rootkit virus. I followed a few of the different steps in those topics.

I downloaded Malwarebytes Anti-Rootkit and ran it. Immediately it came up with the message "Registry Value 'AppInit_Dlls' has been found, which may be caused by rootkit activity". I allowed the program to remove the value and start the scan. It identified 2 rootkit viruses. (MBAR logs attached.) I rebooted, updated the driver, ran the SafeBoot registry fix, and rebooted. This time I was able to restart in safe mode, log in as "Administrator" and verify that the user account privileges were set to "Administrator" for the user account.

I rebooted normally, but the graphics driver still defaulted. Ran RogueKiller and allowed it to scan. It found some registry entries [BLACKLISTDLL] that seem like they would affect Nvidia (rundll32.exe NVhotkey.dll, start). I also hit "fix shortcuts", and it found tons of attribute issues. (See logs attached.)

I rebooted, reloaded the Nvidia driver, and rebooted again. Still the same issue. The driver loads fine and works fine until reboot, after which it runs on a default driver.

Figured "what the heck" and ran Hitman Pro; it found even more stuff (tracking cookies and some malware). Had it delete everything there. There were also some toolbar remnants that it identified, which I had it delete. (See log attached.)

Re-ran MBAR, RogueKiller and Hitman Pro. Nothing, except that RogueKiller flagged the same registry entry as before (rundll32.exe NVhotkey.dll, start).

Uninstalled and reinstalled the Nvidia driver again. Same issue persists. The driver loads fine and works fine until reboot, then goes to the default driver. Display Properties doesn't show any tab other than the "Themes" tab until I change the theme.

Issues remaining: 1) Nvidia driver won't stay loaded, 2) still says not an administrator when coming out of MSCONFIG. I think ComboFix may be the last thing to try to see if anything is there, but I will need help with the CFS script. Will wait for a response before trying ComboFix.

 

 

Attached Files
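The AppInit_DLLs value that MBAR flagged above, the Run-key entry RogueKiller kept reporting, and the "Reg Loading Points" section ComboFix prints later in this thread are all persistence points a responder ends up checking by hand. The script below is an added example, not code from the thread or from MBAR, RogueKiller or ComboFix. It parses a constructed excerpt in the shape of ComboFix's REGEDIT4-style loading-points output (every path, name and date in SAMPLE_LOG is made up for the example) and flags entries worth verifying: AppInit_DLLs set, bare file names that are resolved through the search path, binaries under user-writable profile or temp directories, and recently dated files. A flag is a prompt to look, not a verdict; a bare name such as the NVHotkey entry only means you should confirm which copy of that DLL actually loads.

```python
"""Triage autorun entries from a ComboFix-style "Reg Loading Points" section.

Added example, not code from the thread or from any tool named in it.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample in the shape ComboFix uses. Paths, names and dates are
# invented for this example and are not taken from the logs in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
"Updater"="c:\documents and settings\user\Local Settings\Temp\updater.exe" [2013-04-27 61440]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dropbox"="c:\documents and settings\user\Application Data\Dropbox\bin\Dropbox.exe" [2013-03-12 29106336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\windows\system32\example.dll" [2013-04-20 24576]
"""

# Reference "today" for the recency check (the date of the constructed log).
REFERENCE_DATE = date(2013, 4, 29)

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\])?')
EXE_RE = re.compile(r'^(.*?\.(?:exe|dll|sys|cpl))', re.IGNORECASE)

# Directory fragments an unprivileged XP user can write to (lower case).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


@dataclass
class AutorunEntry:
    key: str
    name: str
    value: str
    stamp: Optional[str]   # file date as ComboFix prints it, YYYY-MM-DD
    size: Optional[int]


def parse_loading_points(text: str) -> List[AutorunEntry]:
    """Turn [key] headers and "name"="value" [date size] lines into entries."""
    entries: List[AutorunEntry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            name, value, stamp, size = m.groups()
            entries.append(AutorunEntry(key, name, value, stamp, int(size) if size else None))
    return entries


def executable_path(value: str) -> str:
    """Pick the file a Run value really loads, lower-cased.

    For rundll32 the interesting file is the DLL argument, not rundll32 itself.
    """
    v = value.strip().lower()
    m = EXE_RE.match(v)
    path = m.group(1) if m else v
    if path.endswith("rundll32.exe"):
        m = EXE_RE.match(v[len(path):].strip())
        if m:
            path = m.group(1)
    return path


def triage(entries: List[AutorunEntry], today: date,
           recent_days: int = 14) -> List[Tuple[str, str, str, List[str]]]:
    """Return (key, name, path, reasons) for every entry that deserves a look."""
    findings = []
    for e in entries:
        path = executable_path(e.value)
        reasons = []
        if e.name.lower() == "appinit_dlls" and path:
            reasons.append("AppInit_DLLs is set: loaded into every process that maps user32.dll")
        if "\\" not in path:
            reasons.append("bare file name: resolved via the search path, check which copy loads")
        if any(frag in path for frag in USER_WRITABLE):
            reasons.append("binary lives under a user-writable profile or temp directory")
        if e.stamp and (today - date.fromisoformat(e.stamp)).days <= recent_days:
            reasons.append(f"file dated {e.stamp}, within the last {recent_days} days")
        if reasons:
            findings.append((e.key, e.name, path, reasons))
    return findings


if __name__ == "__main__":
    for key, name, path, reasons in triage(parse_loading_points(SAMPLE_LOG), REFERENCE_DATE):
        print(f"{key}\n  {name} -> {path}")
        for r in reasons:
            print(f"    - {r}")
```

Run it against a real ComboFix.txt by pasting the "Reg Loading Points" section into SAMPLE_LOG (or reading the file) and setting REFERENCE_DATE to the log date. The legitimate Dropbox entry is flagged too, because it does live in the user profile; that is the point of a triage list rather than a verdict.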



#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 April 2013 - 08:42 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot not reproduced):
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM

#4 Popeye2000

Popeye2000
  • Topic Starter

  • Members
  • 21 posts

Posted 29 April 2013 - 01:52 PM

Nasdaq,

 

Thank you for your help. Ran AdwCleaner, ComboFix, and Security Check. Will paste the contents of each log as separate posts.



#5 Popeye2000

Popeye2000
  • Topic Starter

  • Members
  • 21 posts

Posted 29 April 2013 - 01:54 PM

# AdwCleaner v2.300 - Logfile created 04/29/2013 at 14:12:39
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : YYYYY M. XXXXX - YYYYYMXXXXXCPA
# Boot Mode : Normal
# Running from : C:\Documents and Settings\YYYYY M. XXXXX\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2BDF3E992C0908741B7C11F4B4E0F775
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6B3BC4CF5ECE1F54BBA174C13A1AB907
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B5BAE2ED018083A4C8DA86D6E3F4B024
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BEABAA33A5E68374DBF197F2A00CD011
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CB61AF52AD64B6B45930BE969F316720
Key Deleted : HKLM\Software\TENCENT
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[OK] Registry is clean.
 
-\\ Google Chrome v26.0.1410.64
 
File : C:\Documents and Settings\YYYYY M. XXXXX\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [4011 octets] - [29/04/2013 14:12:39]
 
########## EOF - C:\AdwCleaner[S1].txt - [4071 octets] ##########


ComboFix

 

 

ComboFix 13-04-28.01 - YYYYY M. XXXXX 04/29/2013  14:25:37.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.625 [GMT -4:00]
Running from: c:\documents and settings\YYYYY M. XXXXX\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\SET14.tmp
c:\windows\system32\SET15.tmp
c:\windows\system32\SET16.tmp
c:\windows\system32\SET17.tmp
c:\windows\system32\SET18.tmp
c:\windows\system32\SET19.tmp
c:\windows\system32\SET1A.tmp
c:\windows\system32\SET1B.tmp
c:\windows\system32\SET1C.tmp
c:\windows\system32\SET1D.tmp
c:\windows\system32\SET1E.tmp
c:\windows\system32\SET1F.tmp
c:\windows\system32\SET20.tmp
c:\windows\system32\SET21.tmp
c:\windows\system32\SET22.tmp
c:\windows\system32\SET23.tmp
c:\windows\system32\SET24.tmp
c:\windows\system32\SET25.tmp
c:\windows\system32\SET26.tmp
c:\windows\system32\SET27.tmp
c:\windows\system32\SET28.tmp
c:\windows\system32\SET29.tmp
c:\windows\system32\SET2B.tmp
c:\windows\system32\SET2C.tmp
c:\windows\system32\SET2D.tmp
c:\windows\system32\SET2E.tmp
c:\windows\system32\SET2F.tmp
c:\windows\system32\SET30.tmp
c:\windows\system32\SET31.tmp
c:\windows\system32\SET32.tmp
c:\windows\system32\SET33.tmp
c:\windows\system32\SET34.tmp
c:\windows\system32\SET35.tmp
c:\windows\system32\SET36.tmp
c:\windows\system32\SET37.tmp
c:\windows\system32\SET38.tmp
c:\windows\system32\SET39.tmp
c:\windows\system32\SET3A.tmp
c:\windows\system32\SET3B.tmp
c:\windows\system32\SET3C.tmp
c:\windows\system32\SET3D.tmp
c:\windows\system32\SET3E.tmp
c:\windows\system32\SET3F.tmp
c:\windows\system32\SET40.tmp
c:\windows\system32\SET41.tmp
c:\windows\system32\SET42.tmp
c:\windows\system32\SET43.tmp
c:\windows\system32\SET44.tmp
c:\windows\system32\SET689.tmp
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-28 to 2013-04-29  )))))))))))))))))))))))))))))))
.
.
2013-04-29 18:39 . 2013-04-29 18:39 60872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C05A5EC-A8CD-43E1-81D8-3A75EE3C0FE2}\offreg.dll
2013-04-29 01:29 . 2013-04-29 01:29 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-04-29 01:22 . 2008-02-22 11:06 360448 ----a-w- c:\windows\system32\NVUNINST.EXE
2013-04-29 01:19 . 2013-04-29 01:19 -------- d-----w- c:\program files\HitmanPro
2013-04-29 01:15 . 2008-02-22 09:46 360448 ----a-w- c:\windows\system32\nvudisp.exe
2013-04-29 00:27 . 2013-04-29 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-04-28 23:03 . 2013-04-28 23:03 -------- d-s---w- c:\documents and settings\Administrator\IETldCache
2013-04-28 05:52 . 2013-04-10 03:08 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C05A5EC-A8CD-43E1-81D8-3A75EE3C0FE2}\mpengine.dll
2013-04-28 00:06 . 2013-04-10 03:08 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-26 00:19 . 2013-04-26 00:19 -------- d-----w- c:\documents and settings\YYYYY M. XXXXX\Application Data\SUPERAntiSpyware.com
2013-04-26 00:19 . 2013-04-26 00:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-04-26 00:19 . 2013-04-26 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2013-04-25 21:09 . 2013-04-25 21:09 -------- d-----w- c:\documents and settings\YYYYY M. XXXXX\Local Settings\Application Data\DTClient
2013-04-25 21:08 . 2013-04-25 21:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\DAEMON Tools Ultra
2013-04-25 21:04 . 2013-04-25 21:04 24704 ----a-w- c:\windows\system32\drivers\dtscsibus.sys
2013-04-25 21:04 . 2013-04-25 21:08 -------- d-----w- c:\documents and settings\YYYYY M. XXXXX\Application Data\DAEMON Tools Ultra
2013-04-25 21:04 . 2013-04-25 21:04 -------- d-----w- c:\program files\DAEMON Tools Ultra
2013-04-25 21:03 . 2013-04-25 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Ultra
2013-04-25 14:42 . 2013-04-25 14:42 -------- d-----w- c:\windows\system32\winrm
2013-04-25 14:42 . 2013-04-25 14:42 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-04-25 13:37 . 2013-04-25 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2013-04-25 07:41 . 2013-04-25 14:19 -------- d-----w- c:\windows\system32\XPSViewer
2013-04-25 07:41 . 2013-04-25 07:41 -------- d-----w- c:\program files\MSBuild
2013-04-25 07:40 . 2013-04-25 07:40 -------- d-----w- c:\program files\Reference Assemblies
2013-04-25 07:39 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2013-04-25 07:39 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2013-04-25 07:39 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2013-04-25 07:39 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2013-04-25 07:39 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2013-04-25 07:39 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2013-04-25 07:39 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2013-04-25 07:38 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2013-04-25 07:38 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2013-04-25 07:38 . 2013-04-25 07:39 -------- d-----w- C:\954d26615bef90bfbceb55593a25
2013-04-25 07:27 . 2013-04-25 07:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2013-04-25 07:25 . 2013-04-25 07:25 -------- d-----w- c:\documents and settings\YYYYY M. XXXXX\Application Data\Windows Desktop Search
2013-04-25 07:25 . 2013-04-25 14:04 -------- d-----w- c:\program files\Windows Desktop Search
2013-04-25 07:25 . 2013-04-25 07:25 -------- d-----w- c:\windows\system32\GroupPolicy
2013-04-25 07:24 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2013-04-25 07:24 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2013-04-25 07:24 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2013-04-25 07:16 . 2013-03-02 02:06 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2013-04-25 07:16 . 2013-03-02 02:06 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2013-04-25 07:16 . 2013-03-02 02:06 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2013-04-25 07:16 . 2013-03-02 02:06 522240 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2013-04-25 07:14 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-04-25 07:14 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023.sys
2013-04-25 07:14 . 2012-12-16 12:23 290560 -c----w- c:\windows\system32\dllcache\atmfd.dll
2013-04-25 07:13 . 2012-07-04 14:05 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2013-04-25 07:09 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2013-04-25 07:07 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2013-04-25 07:07 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2013-04-25 07:07 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2013-04-25 07:07 . 2011-03-11 14:10 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2013-04-25 07:04 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2013-04-25 07:04 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2013-04-25 07:04 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2013-04-25 07:04 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2013-04-25 07:04 . 2011-02-08 13:33 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2013-04-25 07:03 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2013-04-25 07:03 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2013-04-25 07:02 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2013-04-25 07:00 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2013-04-25 07:00 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2013-04-25 06:58 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2013-04-25 06:53 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2013-04-25 06:52 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2013-04-25 06:52 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2013-04-25 05:21 . 2008-04-14 09:42 380416 ------w- c:\windows\system32\irprops.cpl
2013-04-25 05:06 . 2006-12-29 04:31 19569 ----a-w- c:\windows\000001_.tmp
2013-04-25 04:08 . 2008-02-22 09:46 2674688 ----a-w- c:\windows\system32\nvwssr.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-25 01:17 . 2012-04-05 23:57 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-25 01:17 . 2011-05-20 02:46 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-04 18:50 . 2010-07-25 16:03 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-02 10:33 . 2009-10-03 03:02 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-08 08:36 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2006-02-28 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-03 22:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2009-07-23 01:55 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2009-07-23 01:55 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2009-07-23 01:55 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2006-02-28 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2008-09-30 02:49 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32 . 2013-02-23 20:10 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2006-02-28 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\YYYYY M. XXXXX\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\YYYYY M. XXXXX\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\YYYYY M. XXXXX\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\YYYYY M. XXXXX\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Ultra Agent"="c:\program files\DAEMON Tools Ultra\DTAgent.exe" [2013-03-06 3088448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 4763008]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-03-09 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"nwiz"="nwiz.exe" [2008-02-22 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2010-11-11 626688]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe" [2013-04-25 706776]
.
c:\documents and settings\YYYYY M. XXXXX\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\YYYYY M. XXXXX\Application Data\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ   msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\YYYYY M. XXXXX\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management 
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/9/2010 9:49 PM 89792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 2:54 PM 116608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/9/2010 9:49 PM 151880]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3/19/2013 10:26 PM 3289208]
R3 Disc Soft Bus Service;Disc Soft Bus Service;c:\program files\DAEMON Tools Ultra\DiscSoftBusService.exe [3/6/2013 8:15 AM 580672]
R3 dtscsibus;DAEMON Tools Virtual SCSI Bus;c:\windows\system32\drivers\dtscsibus.sys [4/25/2013 5:04 PM 24704]
S2 gupdate1ca9005ff2b6270;Google Update Service (gupdate1ca9005ff2b6270);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 9:57 PM 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/9/2010 9:50 PM 161632]
S2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [7/22/2003 3:44 AM 18848]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/9/2010 9:49 PM 57600]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/28/2013 9:29 PM 35144]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/9/2010 9:49 PM 83856]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/9/2010 9:49 PM 83856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-25 03:50 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 01:17]
.
2013-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 01:57]
.
2013-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 01:57]
.
2013-04-29 c:\windows\Tasks\User_Feed_Synchronization-{21BAA898-9EE1-4D8B-9B0C-D5C338D9D25E}.job
- c:\windows\system32\msfeedssync.exe [2009-07-23 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.20.5 8.8.8.8
DPF: {A9375072-EECB-4F7C-8779-8C8F205E8959} - hxxp://juris.us.rgl.com/jurisweb/JurisWXC.CAB
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-38208063.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-29 14:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
- - - - - - - > 'explorer.exe'(5188)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\documents and settings\YYYYY M. XXXXX\Application Data\Dropbox\bin\DropboxExt.17.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2013-04-29  14:46:09 - machine was rebooted
ComboFix-quarantined-files.txt  2013-04-29 18:46
ComboFix2.txt  2013-04-25 20:15
ComboFix3.txt  2010-07-31 19:12
ComboFix4.txt  2010-07-31 16:50
.
Pre-Run: 45,269,131,264 bytes free
Post-Run: 45,621,440,512 bytes free
.
- - End Of File - - C591EF8A215238F616D1223D09FFA8CF
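The service listing above (the `R1`/`S2`/`S3` lines) is the part of a ComboFix log that a responder reads most carefully for persistence: the letter says whether the service is running (R) or stopped (S), the digit is the Windows start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), and a line that ends in `[?]` with a `-->` means ComboFix could not find the binary the ImagePath points to, which is either a leftover of an uninstalled product or something worth a closer look. The following is an added example, not code from ComboFix or from this thread: a small Python parser over six lines copied from the log above (embedded as constructed sample input) that turns them into records and pulls out the unverified and the autostart entries. The field names and the `ServiceEntry` class are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six service lines copied from the ComboFix log in this thread.
# Raw string so the Windows backslashes survive verbatim.
SAMPLE_LOG = r"""
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/9/2010 9:49 PM 89792]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 2:54 PM 116608]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/28/2013 9:29 PM 35144]
"""

# "<R|S><start> <name>;<display>;<rest>" ; name and display may contain spaces.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# rest when the file was found on disk: "<path> [<date> <time> <AM|PM> <size>]"
VERIFIED_RE = re.compile(r"^(?P<path>.+) \[(?P<stamp>.+) (?P<size>\d+)\]$")

# Windows service start types (the digit after R/S).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool          # R = running, S = stopped
    start_type: int
    path: str              # resolved binary path
    image_cmd: str         # ImagePath as ComboFix printed it (may carry quotes/args)
    verified: bool         # False when ComboFix printed "[?]" (binary not found on disk)
    size: Optional[int]    # only known for verified entries
    stamp: Optional[str]   # file date/time as printed, only for verified entries


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse the R/S service lines of a ComboFix log; unrelated lines are skipped."""
    entries: List[ServiceEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, display = m.group("name"), m.group("display")
        running, start = m.group("state") == "R", int(m.group("start"))
        rest = m.group("rest").strip()

        if rest.endswith("[?]"):
            # Unverified entry: "<ImagePath> --> <resolved path> [?]"
            head, sep, tail = rest[:-3].rpartition("-->")
            path = tail.strip()
            image_cmd = head.strip() if sep else path
            entries.append(ServiceEntry(name, display, running, start,
                                        path, image_cmd, False, None, None))
            continue

        v = VERIFIED_RE.match(rest)
        if not v:
            continue  # unexpected layout; leave it out rather than guess
        path = v.group("path")
        entries.append(ServiceEntry(name, display, running, start, path, path,
                                    True, int(v.group("size")), v.group("stamp")))
    return entries


def unverified_entries(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries whose binary ComboFix could not find: stale leftovers or items to inspect."""
    return [e for e in entries if not e.verified]


def autostart_entries(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries that start without user action (boot/system/auto): the persistence set."""
    return [e for e in entries if e.start_type <= 2]


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_LOG)
    for e in parsed:
        flag = "" if e.verified else "  <-- binary not found"
        print(f"{'RUN' if e.running else 'stp'} {START_TYPES[e.start_type]:8} {e.name}: {e.path}{flag}")
```

On the sample this lists the two `[?]` entries (the SiteAdvisor service and the `SSPORT` port driver) separately from the four whose binaries were found, which is the split a helper would start from when deciding what is a harmless remnant of an uninstalled product and what needs a closer look.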


#6 Popeye2000

  • Topic Starter

Posted 29 April 2013 - 01:55 PM

Security Check
 
 Results of screen317's Security Check version 0.99.63  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date! (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:````````` 
 SUPERAntiSpyware     
 Windows Defender    
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java™ 6 Update 3  
 Java™ 6 Update 5  
 Java™ 6 Update 7  
 Java version out of Date! 
 Adobe Reader XI  
 Google Chrome 26.0.1410.64  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 3% 
````````````````````End of Log`````````````````````` 


#7 Popeye2000

  • Topic Starter

Posted 29 April 2013 - 01:58 PM

Please note, if you come across something like YYYYY M. XXXXX or some variation consisting of 5 Y's and 5 X's, I have redacted my mother's name, since her computer name and user account are her full name and profession.  If needed, I can amend any CFS script to call out the actual file name or location.



#8 nasdaq

  • Malware Response Team

Posted 30 April 2013 - 07:46 AM

Looking better.

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.

Old versions....

Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
http://www.benedelman.org/images/iac-jan13/ask-iac-011613-small.png
I suggest that you un-check the box "Install the Ask Toolbar" before proceeding.
===

Please let me know what problem persists.

#9 Popeye2000

  • Topic Starter

Posted 30 April 2013 - 12:23 PM

Thanks.  Got Java updated.  Still unable to 1) go through MSCONFIG without access denied message; and 2) keep NVIDIA display driver.

 

Fixed Display property tabs by replacing c:\windows\windowsshell.manifest.

 

MSCONFIG - I've ensured the Pml Driver HPZ12 setting is set to manual (3) in the registry, and I've gone through the administrator account to ensure that Administrators have ownership.  Not sure what else to do.  

 

NVIDIA Adapter Drivers - I can load the drivers, and they work until I reboot. When I load the driver through Device Manager, I can load the oldest (2006 driver) and the newest (2008 driver) and they work fine.  Once installed I can open the NVIDIA control panel and make changes to the settings within it.  The problem is that as soon as I reboot, it reboots with some default graphics driver and gives me a code 10 in Device Manager until I manually reload the driver again.  I notice that RogueKiller is still flagging the registry entry for this, as well as a few other entries.  Same 4 as in previous log (new log pasted below)

 

Neither of these issues occurred originally (according to my mother).  There wasn't a problem with either until SP3 was uninstalled and reinstalled and we had to reactivate Windows, so it is possible that what remains is not a malware issue, but I tried the solutions I could find in the Windows XP forum, and none worked.

 

RogueKiller Log below showing the 4 registry entries that it previously flagged.  It does flag a rundll32 error.  I do recall some intermittent rundll32 errors when the computer was infected originally.  Should I replace the rundll32 from another machine?

 

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : YYYYY M. XXXXX [Admin rights]
Mode : Remove -- Date : 04/30/2013 12:48:25
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : nvHotkey.dll [x] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][PREVRUN] HKLM\[...]\Run : NVHotkey (rundll32.exe nvHotkey.dll,Start) [x] -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: TOSHIBA MK8032GSX +++++
--- User ---
[MBR] 9cbda931e632533371e9f3839ac6d967
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 76261 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: UFD USB Flash Drive USB Device +++++
--- User ---
[MBR] 8844a3bbfc09aed39a88cad9cafed7c2
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2264 | Size: 7646 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
Finished : << RKreport[2]_D_04302013_02d1248.txt >>
RKreport[1]_S_04302013_02d1247.txt ; RKreport[2]_D_04302013_02d1248.txt

Edited by Popeye2000, 30 April 2013 - 12:25 PM.


#10 nasdaq

  • Malware Response Team

Posted 30 April 2013 - 01:25 PM

Let's check for the NVhotkey.dll file and the registry setting.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :filefind
    NVhotkey.dll

    :regfind
    NVhotkey.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#11 Popeye2000

  • Topic Starter

Posted 30 April 2013 - 01:52 PM

Thanks for the quick reply.

 

I ran it twice.  Once after the driver was loaded and working, and again after reboot.



SystemLook log file after driver reinstalled:

 

 

SystemLook 30.07.11 by jpshortstuff
Log created at 14:28 on 30/04/2013 by YYYYY M. XXXXX
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "NVhotkey.dll"
C:\i386\nvhotkey.dll --a---- 73728 bytes [22:22 04/09/2006] [13:14 19/01/2006] 0EA63EBB1D375217B96768463548DF6B
C:\WINDOWS\NV16042764.TMP\nvhotkey.dll --a---- 90112 bytes [04:08 25/04/2013] [11:23 09/06/2008] 8621D16ECFE2E455BCAF397D3671404B
C:\WINDOWS\system32\nvhotkey.dll --a---- 90112 bytes [00:03 23/08/2006] [11:23 09/06/2008] 8621D16ECFE2E455BCAF397D3671404B
 
========== regfind ==========
 
Searching for "NVhotkey.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVHotkey"="rundll32.exe nvHotkey.dll,Start"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Uninstall]
"CopyFiles"="default.tvp,nvcolor.exe,keystone.exe,nvappbar.exe,nvdspsch.exe,nvhotkey.dll,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm nvrsde.dll,nvwrsde.dll,nvcpde.hlp,nvwcpde.hlp,nvcpldeu.chm,nvdspdeu.chm,nv3ddeu.chm,nvmobdeu.chm nvrses.dll,nvwrses.dll,nvcpes.hlp,nvwcpes.hlp,nvcplesn.chm,nvdspesn.chm,nv3desn.chm,nvmobesn.chm nvrsesm.dll,nvwrsesm.dll,nvcpesm.hlp,nvwcpesm.hlp,nvcplesm.chm,nvdspesm.chm,nv3desm.chm,nvmobesm.chm nvrsfr.dll,nvwrsfr.dll,nvcpfr.hlp,nvwcpfr.hlp,nvcplfra.chm,nvdspfra.chm,nv3dfra.chm,nvmobfra.chm nvrsit.dll,nvwrsit.dll,nvcpit.hlp,nvwcpit.hlp,nvcplita.chm,nvdspita.chm,nv3dita.chm,nvmobita.chm nvrsja.dll,nvwrsja.dll,nvcpja.hlp,nvwcpja.hlp,nvcpljpn.chm,nvdspjpn.chm,nv3djpn.chm,nvmobjpn.chm nvrsko.dll,nvwrsko.dll,nvcpko.hlp,nvwcpko.hlp,nvcplkor.chm,nvdspkor.ch
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Uninstall]
"CopyFiles"="default.tvp,nvcolor.exe,keystone.exe,nvappbar.exe,nvdspsch.exe,nvhotkey.dll,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm nvrsde.dll,nvwrsde.dll,nvcpde.hlp,nvwcpde.hlp,nvcpldeu.chm,nvdspdeu.chm,nv3ddeu.chm,nvmobdeu.chm nvrses.dll,nvwrses.dll,nvcpes.hlp,nvwcpes.hlp,nvcplesn.chm,nvdspesn.chm,nv3desn.chm,nvmobesn.chm nvrsesm.dll,nvwrsesm.dll,nvcpesm.hlp,nvwcpesm.hlp,nvcplesm.chm,nvdspesm.chm,nv3desm.chm,nvmobesm.chm nvrsfr.dll,nvwrsfr.dll,nvcpfr.hlp,nvwcpfr.hlp,nvcplfra.chm,nvdspfra.chm,nv3dfra.chm,nvmobfra.chm nvrsit.dll,nvwrsit.dll,nvcpit.hlp,nvwcpit.hlp,nvcplita.chm,nvdspita.chm,nv3dita.chm,nvmobita.chm nvrsja.dll,nvwrsja.dll,nvcpja.hlp,nvwcpja.hlp,nvcpljpn.chm,nvdspjpn.chm,nv3djpn.chm,nvmobjpn.chm nvrsko.dll,nvwrsko.dll,nvcpko.hlp,nvwcpko.hlp,nvcplkor.chm,nvdspkor.ch
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Uninstall]
"CopyFiles"="default.tvp,nvcolor.exe,keystone.exe,nvappbar.exe,nvdspsch.exe,nvhotkey.dll,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm nvrsde.dll,nvwrsde.dll,nvcpde.hlp,nvwcpde.hlp,nvcpldeu.chm,nvdspdeu.chm,nv3ddeu.chm,nvmobdeu.chm nvrses.dll,nvwrses.dll,nvcpes.hlp,nvwcpes.hlp,nvcplesn.chm,nvdspesn.chm,nv3desn.chm,nvmobesn.chm nvrsesm.dll,nvwrsesm.dll,nvcpesm.hlp,nvwcpesm.hlp,nvcplesm.chm,nvdspesm.chm,nv3desm.chm,nvmobesm.chm nvrsfr.dll,nvwrsfr.dll,nvcpfr.hlp,nvwcpfr.hlp,nvcplfra.chm,nvdspfra.chm,nv3dfra.chm,nvmobfra.chm nvrsit.dll,nvwrsit.dll,nvcpit.hlp,nvwcpit.hlp,nvcplita.chm,nvdspita.chm,nv3dita.chm,nvmobita.chm nvrsja.dll,nvwrsja.dll,nvcpja.hlp,nvwcpja.hlp,nvcpljpn.chm,nvdspjpn.chm,nv3djpn.chm,nvmobjpn.chm nvrsko.dll,nvwrsko.dll,nvcpko.hlp,nvwcpko.hlp,nvcplkor.chm,nvdspko
 
-= EOF =-


#12 Popeye2000

  • Topic Starter

Posted 30 April 2013 - 01:54 PM

SystemLook Log File after reboot:

 

 

SystemLook 30.07.11 by jpshortstuff
Log created at 14:43 on 30/04/2013 by YYYYY M. XXXXX
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "NVhotkey.dll"
C:\i386\nvhotkey.dll --a---- 73728 bytes [22:22 04/09/2006] [13:14 19/01/2006] 0EA63EBB1D375217B96768463548DF6B
C:\WINDOWS\system32\nvhotkey.dll --a---- 90112 bytes [00:03 23/08/2006] [11:23 09/06/2008] 8621D16ECFE2E455BCAF397D3671404B
 
========== regfind ==========
 
Searching for "NVhotkey.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVHotkey"="rundll32.exe nvHotkey.dll,Start"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Uninstall]
"CopyFiles"="default.tvp,nvcolor.exe,keystone.exe,nvappbar.exe,nvdspsch.exe,nvhotkey.dll,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm nvrsde.dll,nvwrsde.dll,nvcpde.hlp,nvwcpde.hlp,nvcpldeu.chm,nvdspdeu.chm,nv3ddeu.chm,nvmobdeu.chm nvrses.dll,nvwrses.dll,nvcpes.hlp,nvwcpes.hlp,nvcplesn.chm,nvdspesn.chm,nv3desn.chm,nvmobesn.chm nvrsesm.dll,nvwrsesm.dll,nvcpesm.hlp,nvwcpesm.hlp,nvcplesm.chm,nvdspesm.chm,nv3desm.chm,nvmobesm.chm nvrsfr.dll,nvwrsfr.dll,nvcpfr.hlp,nvwcpfr.hlp,nvcplfra.chm,nvdspfra.chm,nv3dfra.chm,nvmobfra.chm nvrsit.dll,nvwrsit.dll,nvcpit.hlp,nvwcpit.hlp,nvcplita.chm,nvdspita.chm,nv3dita.chm,nvmobita.chm nvrsja.dll,nvwrsja.dll,nvcpja.hlp,nvwcpja.hlp,nvcpljpn.chm,nvdspjpn.chm,nv3djpn.chm,nvmobjpn.chm nvrsko.dll,nvwrsko.dll,nvcpko.hlp,nvwcpko.hlp,nvcplkor.chm,nvdspkor.ch
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Uninstall]
"CopyFiles"="default.tvp,nvcolor.exe,keystone.exe,nvappbar.exe,nvdspsch.exe,nvhotkey.dll,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm nvrsde.dll,nvwrsde.dll,nvcpde.hlp,nvwcpde.hlp,nvcpldeu.chm,nvdspdeu.chm,nv3ddeu.chm,nvmobdeu.chm nvrses.dll,nvwrses.dll,nvcpes.hlp,nvwcpes.hlp,nvcplesn.chm,nvdspesn.chm,nv3desn.chm,nvmobesn.chm nvrsesm.dll,nvwrsesm.dll,nvcpesm.hlp,nvwcpesm.hlp,nvcplesm.chm,nvdspesm.chm,nv3desm.chm,nvmobesm.chm nvrsfr.dll,nvwrsfr.dll,nvcpfr.hlp,nvwcpfr.hlp,nvcplfra.chm,nvdspfra.chm,nv3dfra.chm,nvmobfra.chm nvrsit.dll,nvwrsit.dll,nvcpit.hlp,nvwcpit.hlp,nvcplita.chm,nvdspita.chm,nv3dita.chm,nvmobita.chm nvrsja.dll,nvwrsja.dll,nvcpja.hlp,nvwcpja.hlp,nvcpljpn.chm,nvdspjpn.chm,nv3djpn.chm,nvmobjpn.chm nvrsko.dll,nvwrsko.dll,nvcpko.hlp,nvwcpko.hlp,nvcplkor.chm,nvdspkor.ch
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Uninstall]
"CopyFiles"="default.tvp,nvcolor.exe,keystone.exe,nvappbar.exe,nvdspsch.exe,nvhotkey.dll,nview.dll,nvshell.dll,nvtuicpl.cpl,nvwdmcpl.dll,nvwimg.dll,nwiz.exe,nvmccsrs.dll nvcpl.cpl,nvcplui.exe,nvcpluir.dll,nvexpbar.dll nvcpl.chm,nvdsp.chm,nv3d.chm,nvmob.chm nvrsde.dll,nvwrsde.dll,nvcpde.hlp,nvwcpde.hlp,nvcpldeu.chm,nvdspdeu.chm,nv3ddeu.chm,nvmobdeu.chm nvrses.dll,nvwrses.dll,nvcpes.hlp,nvwcpes.hlp,nvcplesn.chm,nvdspesn.chm,nv3desn.chm,nvmobesn.chm nvrsesm.dll,nvwrsesm.dll,nvcpesm.hlp,nvwcpesm.hlp,nvcplesm.chm,nvdspesm.chm,nv3desm.chm,nvmobesm.chm nvrsfr.dll,nvwrsfr.dll,nvcpfr.hlp,nvwcpfr.hlp,nvcplfra.chm,nvdspfra.chm,nv3dfra.chm,nvmobfra.chm nvrsit.dll,nvwrsit.dll,nvcpit.hlp,nvwcpit.hlp,nvcplita.chm,nvdspita.chm,nv3dita.chm,nvmobita.chm nvrsja.dll,nvwrsja.dll,nvcpja.hlp,nvwcpja.hlp,nvcpljpn.chm,nvdspjpn.chm,nv3djpn.chm,nvmobjpn.chm nvrsko.dll,nvwrsko.dll,nvcpko.hlp,nvwcpko.hlp,nvcplkor.chm,nvdspko
 
-= EOF =-
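Two SystemLook runs of the same search taken before and after a reboot, as in the two logs above, are most useful when compared mechanically: which paths vanished, which appeared, and whether any file changed its hash, plus a grouping by MD5 so that copies of the same binary in different directories are recognised as one. The following is an added example, not SystemLook's own code or anything from this thread: a Python parser for the `filefind` and `regfind` sections, fed with constructed sample input copied from the two logs above (the long `CopyFiles` registry values are omitted), a diff of the two runs and an MD5 grouping. The two bracketed timestamps on each `filefind` line are kept as printed without interpreting which is creation and which is modification; the class and function names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed samples: filefind sections and the Run-key hit copied from the two
# SystemLook logs in this thread; the CopyFiles registry values are left out.
BEFORE_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
Log created at 14:28 on 30/04/2013 by YYYYY M. XXXXX
Administrator - Elevation successful

========== filefind ==========

Searching for "NVhotkey.dll"
C:\i386\nvhotkey.dll --a---- 73728 bytes [22:22 04/09/2006] [13:14 19/01/2006] 0EA63EBB1D375217B96768463548DF6B
C:\WINDOWS\NV16042764.TMP\nvhotkey.dll --a---- 90112 bytes [04:08 25/04/2013] [11:23 09/06/2008] 8621D16ECFE2E455BCAF397D3671404B
C:\WINDOWS\system32\nvhotkey.dll --a---- 90112 bytes [00:03 23/08/2006] [11:23 09/06/2008] 8621D16ECFE2E455BCAF397D3671404B

========== regfind ==========

Searching for "NVhotkey.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVHotkey"="rundll32.exe nvHotkey.dll,Start"

-= EOF =-
"""

AFTER_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
Log created at 14:43 on 30/04/2013 by YYYYY M. XXXXX
Administrator - Elevation successful

========== filefind ==========

Searching for "NVhotkey.dll"
C:\i386\nvhotkey.dll --a---- 73728 bytes [22:22 04/09/2006] [13:14 19/01/2006] 0EA63EBB1D375217B96768463548DF6B
C:\WINDOWS\system32\nvhotkey.dll --a---- 90112 bytes [00:03 23/08/2006] [11:23 09/06/2008] 8621D16ECFE2E455BCAF397D3671404B

========== regfind ==========

Searching for "NVhotkey.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVHotkey"="rundll32.exe nvHotkey.dll,Start"

-= EOF =-
"""

# "<path> <attrs> <size> bytes [<stamp>] [<stamp>] <md5>"; the path may contain spaces.
FILE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-zA-Z]+) (?P<size>\d+) bytes "
    r"\[(?P<s1>[^\]]+)\] \[(?P<s2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SECTION_RE = re.compile(r"^=+ (?P<name>\w+) =+$")


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str
    size: int
    stamps: Tuple[str, str]   # the two bracketed timestamps, as printed
    md5: str


@dataclass
class SystemLookRun:
    files: Dict[str, FileHit]            # keyed by lower-cased path (NTFS is case-insensitive)
    registry: List[Tuple[str, str]]      # (key, value line) pairs from the regfind section


def parse_systemlook(text: str) -> SystemLookRun:
    files: Dict[str, FileHit] = {}
    registry: List[Tuple[str, str]] = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-= EOF =-":
            break
        s = SECTION_RE.match(line)
        if s:
            section, current_key = s.group("name"), None
            continue
        if not line or line.startswith("Searching for"):
            continue
        if section == "filefind":
            m = FILE_RE.match(line)
            if m:
                hit = FileHit(m.group("path"), m.group("attrs"), int(m.group("size")),
                              (m.group("s1"), m.group("s2")), m.group("md5"))
                files[hit.path.lower()] = hit
        elif section == "regfind":
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            elif current_key is not None:
                registry.append((current_key, line))
    return SystemLookRun(files, registry)


def diff_runs(before: SystemLookRun, after: SystemLookRun):
    """Paths removed, added, and present in both but with a different MD5."""
    b, a = set(before.files), set(after.files)
    removed = sorted(b - a)
    added = sorted(a - b)
    changed = sorted(p for p in b & a
                     if before.files[p].md5.upper() != after.files[p].md5.upper())
    return removed, added, changed


def group_by_md5(run: SystemLookRun) -> Dict[str, List[str]]:
    """Map each MD5 to the (original-case) paths carrying that exact binary."""
    groups = defaultdict(list)
    for hit in run.files.values():
        groups[hit.md5.upper()].append(hit.path)
    return {h: sorted(paths) for h, paths in groups.items()}


if __name__ == "__main__":
    before, after = parse_systemlook(BEFORE_LOG), parse_systemlook(AFTER_LOG)
    removed, added, changed = diff_runs(before, after)
    print("removed:", removed, "added:", added, "changed:", changed)
    for md5, paths in group_by_md5(before).items():
        print(md5, "->", paths)
```

On these two logs the diff reports exactly one removed path, the copy under `C:\WINDOWS\NV16042764.TMP\`, and no additions or hash changes, while the MD5 grouping shows that this temporary copy and the `system32` copy were the same 90112-byte build and that the `i386` copy is a different, older binary. That is the same conclusion a helper reaches by eye from the hashes, but done in a way that scales to a search returning dozens of hits.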


#13 nasdaq

  • Malware Response Team

Posted 01 May 2013 - 07:36 AM

Searching for "NVhotkey.dll"
C:\i386\nvhotkey.dll --a---- 73728 bytes [22:22 04/09/2006] [13:14 19/01/2006] 0EA63EBB1D375217B96768463548DF6B
is related to NVIDIA Hotkey Service, Version 175.97

C:\WINDOWS\system32\nvhotkey.dll --a---- 90112 bytes [00:03 23/08/2006] [11:23 09/06/2008] 8621D16ECFE2E455BCAF397D3671404B
is related to NVIDIA Hotkey Service, Version 83.13

Both are virus free.
===

I will refer you to this article.
http://pcsupport.about.com/od/findbyerrormessage/a/code-10-error.htm

After you have reviewed it I suggest you execute the following instructions.

6- Delete the UpperFilters and LowerFilters values in the registry. Two particular values in the Windows Registry could be corrupted, causing the Code 10 error.

The link in item 6 will transfer you to : http://pcsupport.about.com/od/driverssupport/ht/upperfilters-lowerfilters.htm
Before you proceed please make sure you back up your registry. There is a how-to link in the page.

===

If at any time you need help to proceed please ask.

#14 Popeye2000

  • Topic Starter

Posted 01 May 2013 - 10:15 AM

Thanks for the article.  For troubleshooting's sake, I attempted all the solutions in the article; none seemed to help.  When I got to #6, I found that there were no upper and lower limit registry entries to delete.  The article basically says if no value is there, then this method isn't for you... Of course, the next step in the troubleshooting guide is to replace the hardware.  But I don't think that is the issue.

 

I note that if I uninstall the device, then let Windows find the device, it adds the device, loads the drivers, and gets the device working OK, then prompts me to reboot.  When I reboot, it shuts down, and normally where you would see the boot sequence restart, the screen just goes to a cursor, and there is no hard drive activity.  Ctrl-Alt-Del doesn't do anything, so I'm forced to power down and power up to initiate the boot sequence.

 

Why does RogueKiller keep flagging the NVhotkey registry entry?

 

I wonder if there is a permissions issue that we are missing that is causing these issues? (MSCONFIG access denied and the graphics driver only loading when prompted by user).



#15 Popeye2000

  • Topic Starter

Posted 01 May 2013 - 10:16 AM

Since this is a malware forum, do you think I should post these remaining issues on another forum?





