
FBI ransomware - Tried current removal methods


23 replies to this topic

#1 Steg

Posted 12 May 2013 - 01:47 PM

Hello,
My wife's computer now has the FBI locked ransomware requesting $300. I have tried booting into safe mode, but all three types simply reboot the system.
Without being able to gain access via safe mode, is my only option now to slave her hard drive to another computer?
AVG popped up ~10 seconds before the "FBI" screen appeared and messaged that it had stopped a trojan horse. I did not get a chance to see all the info from AVG before it was covered.
If slaving the HDD is my only course of action, will Malwarebytes be enough to clean it?

Thank you for any assistance you can offer.

*EDIT* Her computer is running Vista

Edited by Steg, 12 May 2013 - 01:58 PM.



#2 Broni

Posted 12 May 2013 - 05:42 PM

Welcome aboard

 

I'll report this topic to appropriate helpers.

Hold on....




#3 Steg (Topic Starter)

Posted 14 May 2013 - 01:35 AM

*UPDATE*

After doing some more research I discovered Hitman Kickstart and was able to get the ransomware stopped. I say "stopped" because now when I boot this computer it goes to the command prompt with the following message: '"C:\Users\Trish\Documents\51be897.exe"' is not recognized as an internal or external command, operable program or batch file. Then I get the normal C:\Windows\System32 prompt line. If I type "explorer" here and press Enter, the desktop/Windows finishes loading normally. The only other thing I have noticed is at the Dell splash screen prior to the Windows splash there is a beep, like a keyboard failure beep. I am guessing that is the 51be897.exe trying to start the ransomware again.

After reading some other posts I discovered this one http://www.bleepingcomputer.com/forums/t/494369/help-used-hitmanpro-to-remove-fbi-virus-now-command-prompt-on-startup-no-explore/ and I have completed all the steps Broni posted there. I hope I did not jump the gun here...just trying to "lean forward" a bit.

If the steps laid out by Broni were the correct actions should I go ahead now and post all the .txt files?

 

Thank you for any assistance you can provide.



#4 Elise

Posted 14 May 2013 - 02:28 AM

Hello,
Can you please do the following: at the command prompt, type regedit and press Enter. Does it open the Registry Editor?

regards, Elise

#5 Steg (Topic Starter)

Posted 14 May 2013 - 09:50 AM

Elise,
Yes, after a long pause it did finally open.

Thank you for your assistance on this.

#6 Elise

Posted 14 May 2013 - 10:22 AM

Please download OTL to a flash drive. Insert the flash drive in the sick computer and type the appropriate path (assuming your flash drive's letter is E, type e:\otl.exe) and press Enter.


Please download OTL from one of the following mirrors:
  • Save it to your flashdrive.
  • Once started (from the command prompt) do the following:
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise

#7 Steg (Topic Starter)

Posted 14 May 2013 - 12:34 PM

Elise, OTL reports below as per your request:

 

OTL logfile created on: 5/14/2013 12:23:32 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = J:\
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.99 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 69.82% Memory free
8.15 Gb Paging File | 6.89 Gb Available in Paging File | 84.57% Paging File free
Paging file location(s): ?:\pagefile.sys
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 581.11 Gb Total Space | 472.85 Gb Free Space | 81.37% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 7.70 Gb Free Space | 51.35% Space Free | Partition Type: NTFS
Drive J: | 7.47 Gb Total Space | 4.53 Gb Free Space | 60.67% Space Free | Partition Type: FAT32
 
Computer Name: TRISH-PC | User Name: Trish | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/05/14 12:18:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- J:\OTL.exe
PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2013/02/26 00:32:22 | 001,260,320 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
PRC - [2013/01/18 08:14:20 | 000,383,264 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2012/12/11 04:52:44 | 003,147,384 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2013\avgui.exe
PRC - [2012/11/16 00:34:30 | 005,814,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
PRC - [2012/10/22 14:05:08 | 000,196,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
PRC - [2011/10/21 16:23:42 | 000,196,176 | ---- | M] (Microsoft Corporation.) -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE
PRC - [2011/10/13 18:21:52 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
PRC - [2008/09/23 22:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2009/01/28 11:32:18 | 000,949,248 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\Windows\SysNative\Ati2evxx.exe -- (Ati External Event Utility)
SRV:64bit: - [2008/12/22 02:37:34 | 000,088,576 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)
SRV:64bit: - [2008/09/23 22:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV:64bit: - [2008/01/20 21:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2013/02/26 00:32:22 | 001,260,320 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2013/01/18 08:14:20 | 000,383,264 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2012/11/16 00:34:30 | 005,814,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2012/10/22 14:05:08 | 000,196,664 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe -- (avgwd)
SRV - [2011/11/16 11:23:44 | 000,377,344 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - [2011/10/21 16:23:42 | 000,196,176 | ---- | M] (Microsoft Corporation.) [Auto | Running] -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/10/13 18:21:52 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/03/29 23:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2013/04/04 14:50:32 | 000,025,928 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012/11/16 00:33:24 | 000,111,968 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\DRIVERS\avgmfx64.sys -- (Avgmfx64)
DRV:64bit: - [2012/10/22 14:02:44 | 000,154,464 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\avgidsdrivera.sys -- (AVGIDSDriver)
DRV:64bit: - [2012/10/15 04:48:50 | 000,063,328 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\avgidsha.sys -- (AVGIDSHA)
DRV:64bit: - [2012/10/02 04:30:38 | 000,185,696 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\avgldx64.sys -- (Avgldx64)
DRV:64bit: - [2012/09/21 04:46:04 | 000,200,032 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\avgtdia.sys -- (Avgtdia)
DRV:64bit: - [2012/09/21 04:46:00 | 000,225,120 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\avgloga.sys -- (Avgloga)
DRV:64bit: - [2012/09/14 04:05:18 | 000,040,800 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\DRIVERS\avgrkx64.sys -- (Avgrkx64)
DRV:64bit: - [2012/02/29 08:52:46 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009/09/30 19:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/01/28 12:52:06 | 005,171,200 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (R300)
DRV:64bit: - [2009/01/28 12:52:06 | 005,171,200 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2008/12/22 02:37:14 | 000,185,248 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtHDMIVX.sys -- (RTHDMIAzAudService)
DRV:64bit: - [2008/09/28 07:46:48 | 000,316,544 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\e1y60x64.sys -- (e1yexpress)
DRV:64bit: - [2008/09/28 03:22:14 | 000,402,456 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\iastor.sys -- (iaStor)
DRV:64bit: - [2008/05/23 16:54:38 | 000,033,888 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\iqvw64e.sys -- (NAL)
DRV:64bit: - [2008/01/20 21:46:55 | 000,317,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express)
DRV:64bit: - [2007/11/14 03:00:00 | 000,053,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {AFA2C889-EC71-406C-A229-8B96FEB12238}
IE:64bit: - HKLM\..\SearchScopes\{AFA2C889-EC71-406C-A229-8B96FEB12238}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-637409185-3216912708-104265191-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKU\S-1-5-21-637409185-3216912708-104265191-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-637409185-3216912708-104265191-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2
IE - HKU\S-1-5-21-637409185-3216912708-104265191-1000\..\URLSearchHook:  - No CLSID value found
IE - HKU\S-1-5-21-637409185-3216912708-104265191-1000\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\InprocServer32 File not found
IE - HKU\S-1-5-21-637409185-3216912708-104265191-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-637409185-3216912708-104265191-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-637409185-3216912708-104265191-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
 
 
O1 HOSTS File: ([2006/09/18 16:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files (x86)\ICQ6Toolbar\ICQToolBar.dll File not found
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKU\S-1-5-21-637409185-3216912708-104265191-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [AVG_UI] C:\Program Files (x86)\AVG\AVG2013\avgui.exe (AVG Technologies CZ, s.r.o.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-637409185-3216912708-104265191-1000..\Run: [PlayNC Launcher]  File not found
O4 - HKU\S-1-5-21-637409185-3216912708-104265191-1001..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk =  File not found
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk =  File not found
O4 - Startup: C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk =  File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O9 - Extra Button: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files (x86)\ICQ7.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files (x86)\ICQ7.5\ICQ.exe (ICQ, LLC.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{54A0BFD3-A9AA-4F4A-9596-5D15FBF9BB9F}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\cozi - No CLSID value found
O18:64bit: - Protocol\Handler\linkscanner - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\cozi {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll (Cozi Group, Inc.)
O18 - Protocol\Handler\linkscanner - No CLSID value found
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - userinit.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-637409185-3216912708-104265191-1000 Winlogon: Shell - (cmd.exe) - cmd.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img23.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img23.jpg
O29:64bit: - HKLM SecurityProviders - (credssp.dll) - credssp.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) - credssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{0b50d13a-7685-11e1-a7fd-00219b2b4306}\Shell - "" = AutoRun
O33 - MountPoints2\{0b50d13a-7685-11e1-a7fd-00219b2b4306}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/05/14 01:36:58 | 000,000,000 | ---D | C] -- C:\Users\Trish\Desktop\RK_Quarantine
[2013/05/14 00:43:26 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2013/05/14 00:43:05 | 000,000,000 | ---D | C] -- C:\JRT
[2013/05/14 00:24:35 | 002,412,520 | ---- | C] (Trend Micro Inc.) -- C:\Users\Trish\Desktop\HousecallLauncher64.exe
[2013/05/14 00:12:54 | 000,000,000 | ---D | C] -- C:\Users\Trish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2013/05/14 00:12:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2013/05/14 00:03:33 | 000,545,954 | ---- | C] (Oleg N. Scherbakov) -- C:\Users\Trish\Desktop\JRT.exe
[2013/05/13 23:52:35 | 000,000,000 | ---D | C] -- C:\Users\Trish\Desktop\FileASSASSIN
[2013/05/13 23:52:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
[2013/05/13 23:03:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
[2013/05/13 23:03:02 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2013/05/13 22:14:12 | 000,000,000 | ---D | C] -- C:\Users\Trish\Desktop\rkill
[2013/05/13 22:14:01 | 001,761,408 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Trish\Desktop\rkill.exe
[2013/05/13 21:58:16 | 000,000,000 | ---D | C] -- C:\Users\Trish\Desktop\mbar
[2013/05/13 20:04:51 | 000,000,000 | ---D | C] -- C:\Users\Trish\AppData\Roaming\Malwarebytes
[2013/05/13 20:04:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/05/13 20:04:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/05/13 20:04:37 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013/05/13 20:04:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013/05/13 18:55:23 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2013/04/17 02:19:38 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013/04/17 02:19:38 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013/04/17 02:19:37 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013/04/17 02:19:37 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013/04/17 02:19:37 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013/04/17 02:19:37 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013/04/17 02:19:36 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013/04/17 02:19:36 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013/04/17 02:19:35 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013/04/17 02:19:35 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013/04/17 02:19:35 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013/04/17 02:19:35 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013/04/17 02:19:34 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013/04/17 02:19:34 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013/04/17 02:19:34 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/05/14 12:20:45 | 000,003,744 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/05/14 12:20:45 | 000,003,744 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/05/14 12:20:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/05/14 00:33:48 | 000,804,540 | ---- | M] () -- C:\Users\Trish\AppData\Local\census.cache
[2013/05/14 00:33:18 | 000,246,546 | ---- | M] () -- C:\Users\Trish\AppData\Local\ars.cache
[2013/05/14 00:30:13 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\nvwgf2um.dll
[2013/05/14 00:30:13 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\MFC100ENU.DLL
[2013/05/14 00:24:48 | 000,000,036 | ---- | M] () -- C:\Users\Trish\AppData\Local\housecall.guid.cache
[2013/05/14 00:24:35 | 002,412,520 | ---- | M] (Trend Micro Inc.) -- C:\Users\Trish\Desktop\HousecallLauncher64.exe
[2013/05/14 00:13:06 | 000,002,559 | ---- | M] () -- C:\Users\Trish\Desktop\HiJackThis.lnk
[2013/05/14 00:08:32 | 000,816,128 | ---- | M] () -- C:\Users\Trish\Desktop\RogueKiller.exe
[2013/05/14 00:03:33 | 000,545,954 | ---- | M] (Oleg N. Scherbakov) -- C:\Users\Trish\Desktop\JRT.exe
[2013/05/13 23:52:35 | 000,000,645 | ---- | M] () -- C:\Users\Public\Desktop\FileASSASSIN.lnk
[2013/05/13 23:03:02 | 000,001,734 | ---- | M] () -- C:\Users\Public\Desktop\HitmanPro.lnk
[2013/05/13 22:14:06 | 001,761,408 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Trish\Desktop\rkill.exe
[2013/05/13 21:36:54 | 000,053,966 | ---- | M] () -- C:\Users\Trish\Documents\cc_20130513_213631.reg
[2013/05/13 21:32:19 | 000,703,516 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/05/13 21:32:19 | 000,604,502 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/05/13 21:32:19 | 000,104,202 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/05/13 21:30:36 | 000,000,772 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013/05/13 20:04:38 | 000,000,950 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/05/13 19:53:39 | 000,890,825 | ---- | M] () -- C:\Users\Trish\Desktop\SecurityCheck.exe
[2013/05/13 19:09:01 | 000,004,304 | ---- | M] () -- C:\Windows\SysNative\.crusader
[2013/05/12 10:43:53 | 000,174,410 | ---- | M] () -- C:\ProgramData\2433f433
[2013/05/12 10:43:53 | 000,174,376 | ---- | M] () -- C:\Users\Trish\AppData\Roaming\2433f433
[2013/05/12 10:43:53 | 000,174,351 | ---- | M] () -- C:\Users\Trish\AppData\Local\2433f433
[2013/04/17 14:31:49 | 000,001,919 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2013/04/17 14:24:40 | 000,280,704 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/05/14 00:33:48 | 000,804,540 | ---- | C] () -- C:\Users\Trish\AppData\Local\census.cache
[2013/05/14 00:33:18 | 000,246,546 | ---- | C] () -- C:\Users\Trish\AppData\Local\ars.cache
[2013/05/14 00:30:13 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\nvwgf2um.dll
[2013/05/14 00:30:13 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\MFC100ENU.DLL
[2013/05/14 00:24:48 | 000,000,036 | ---- | C] () -- C:\Users\Trish\AppData\Local\housecall.guid.cache
[2013/05/14 00:12:54 | 000,002,559 | ---- | C] () -- C:\Users\Trish\Desktop\HiJackThis.lnk
[2013/05/14 00:08:32 | 000,816,128 | ---- | C] () -- C:\Users\Trish\Desktop\RogueKiller.exe
[2013/05/13 23:52:35 | 000,000,645 | ---- | C] () -- C:\Users\Public\Desktop\FileASSASSIN.lnk
[2013/05/13 23:03:02 | 000,001,734 | ---- | C] () -- C:\Users\Public\Desktop\HitmanPro.lnk
[2013/05/13 21:36:39 | 000,053,966 | ---- | C] () -- C:\Users\Trish\Documents\cc_20130513_213631.reg
[2013/05/13 20:04:38 | 000,000,950 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/05/13 19:53:15 | 000,890,825 | ---- | C] () -- C:\Users\Trish\Desktop\SecurityCheck.exe
[2013/05/13 19:09:01 | 000,004,304 | ---- | C] () -- C:\Windows\SysNative\.crusader
[2013/05/12 10:43:53 | 000,174,410 | ---- | C] () -- C:\ProgramData\2433f433
[2013/05/12 10:43:53 | 000,174,376 | ---- | C] () -- C:\Users\Trish\AppData\Roaming\2433f433
[2013/05/12 10:43:53 | 000,174,351 | ---- | C] () -- C:\Users\Trish\AppData\Local\2433f433
[2009/06/17 14:18:44 | 000,001,806 | ---- | C] () -- C:\Users\Trish\AppData\Roaming\wklnhst.dat
[2009/05/17 10:48:51 | 000,007,168 | ---- | C] () -- C:\Users\Trish\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2006/11/02 10:30:40 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 12:59:03 | 012,899,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/04/11 02:11:14 | 000,891,392 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 01:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2008/01/20 21:50:58 | 000,513,024 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >

OTL Extras logfile created on: 5/14/2013 12:23:32 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = J:\
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.99 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 69.82% Memory free
8.15 Gb Paging File | 6.89 Gb Available in Paging File | 84.57% Paging File free
Paging file location(s): ?:\pagefile.sys
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 581.11 Gb Total Space | 472.85 Gb Free Space | 81.37% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 7.70 Gb Free Space | 51.35% Space Free | Partition Type: NTFS
Drive J: | 7.47 Gb Total Space | 4.53 Gb Free Space | 60.67% Space Free | Partition Type: FAT32
 
Computer Name: TRISH-PC | User Name: Trish | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AutoUpdateDisableNotify" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 1
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01  [binary data]
"VistaSp2" = 99 B7 DC A5 B2 37 CA 01  [binary data]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-637409185-3216912708-104265191-1000]
"EnableNotifications" = 1
"EnableNotificationsRef" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{35BA3A60-41A4-4456-9999-3071CEE89360}" = lport=2869 | protocol=6 | dir=in | app=system |
"{D147A76A-2DA8-4BE4-9048-73F920263658}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{11D89DBE-CE5A-4A68-A63A-804A09E980F9}" = protocol=6 | dir=in | app=c:\program files (x86)\ventrilo\ventrilo.exe |
"{17A15834-7CFC-4D46-9C73-F8872AE0C52C}" = protocol=6 | dir=in | app=c:\mythic\isles\camelot.exe |
"{1EAB14A0-96E7-46AE-B23C-B9B633F2DC1B}" = protocol=17 | dir=in | app=c:\mythic\catacombs\camelot.exe |
"{28B15929-C99B-47E3-9099-A912BB646377}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2013\avgnsa.exe |
"{2F29749A-167C-41A0-A811-BEE727CBD45E}" = protocol=6 | dir=in | app=c:\program files (x86)\icq7.5\icq.exe |
"{346D6007-FFE3-4F6F-BB00-4AAC2385D07B}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2013\avgmfapx.exe |
"{34ECD833-8EFF-4679-B514-30FD4697C5C9}" = protocol=6 | dir=in | app=c:\program files (x86)\icq7.5\icq.exe |
"{3DFFD6D5-F1D2-49C2-826A-FE32CBE6DCB2}" = protocol=6 | dir=in | app=c:\mythic\catacombs\camelot.exe |
"{3F50A1AA-8D3E-484E-85B3-5D68F6165AEE}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2013\avgemca.exe |
"{4B274488-2609-48FE-BEB7-9E9C0F95B9E1}" = protocol=17 | dir=in | app=c:\program files (x86)\ventrilo\ventrilo.exe |
"{58072263-62CE-4C53-9424-9F018568F25A}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2013\avgemca.exe |
"{6005ACAF-89AF-457A-8D2F-CA8901383C40}" = protocol=6 | dir=in | app=c:\program files (x86)\firaxis games\sid meier's civilization 4\civilization4.exe |
"{6FCD465E-E819-49C6-B47D-315348DDFE56}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{76691FEF-F20B-4711-BA23-F849D041D8A6}" = protocol=6 | dir=in | app=c:\program files (x86)\icq7.5\icq.exe |
"{7C6D3E67-6FAE-4807-8ACB-0117F3ECB67C}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2013\avgnsa.exe |
"{84CBE5C9-5C89-465B-977A-E4EA802E4F7F}" = protocol=6 | dir=in | app=c:\mythic\atlantis\camelot.exe |
"{8C225888-DDF9-485D-8D67-0050F3F51F72}" = protocol=17 | dir=in | app=c:\program files (x86)\firaxis games\sid meier's civilization 4\civilization4.exe |
"{8FBD5C87-0494-4C0D-85D7-5F770A9CAB59}" = protocol=6 | dir=in | app=c:\mythic\darkness\camelot.exe |
"{93D74FE9-7B1C-40A4-935C-16B357B67104}" = protocol=17 | dir=in | app=c:\mythic\isles\camelot.exe |
"{9A701B05-8D1C-41DB-AAA5-350EFBD47C8A}" = protocol=17 | dir=in | app=c:\program files (x86)\icq7.5\icq.exe |
"{A35C81D7-BF0D-47D5-B62A-328CCA7F35D7}" = dir=in | app=c:\program files (x86)\windows live\messenger\wlcsdk.exe |
"{A446300D-F008-45D2-9674-40F6034DF8A2}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2013\avgmfapx.exe |
"{A73AE923-B57E-41D2-8FA8-DFED20DD5DE5}" = protocol=6 | dir=in | app=c:\program files\electronic arts\labyrinth\camelot.exe |
"{A8C8DD01-FFC6-4F8A-B9EB-2B851E0FD2E9}" = protocol=17 | dir=in | app=c:\program files (x86)\icq7.5\icq.exe |
"{A91DE000-0B07-4C42-9158-729A93DB4420}" = dir=in | app=c:\program files (x86)\windows live\sync\windowslivesync.exe |
"{AB0E27B3-BBC4-4D2E-BAB8-16EEA71B7922}" = protocol=17 | dir=in | app=c:\program files\electronic arts\labyrinth\camelot.exe |
"{C2591CDF-14E9-47C7-B257-400683F60375}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2013\avgdiagex.exe |
"{CB62C13F-5F64-4DB6-AB97-7F29642EADF2}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2013\avgdiagex.exe |
"{DD49C581-555C-41E9-9E5D-407BFD4C9E6D}" = protocol=17 | dir=in | app=c:\mythic\darkness\camelot.exe |
"{F3833795-758C-47AB-8938-F5276E47CD20}" = protocol=17 | dir=in | app=c:\mythic\atlantis\camelot.exe |
"{F8C396FD-B22C-4596-BBBF-0F3307BBC3AA}" = protocol=17 | dir=in | app=c:\program files (x86)\icq7.5\icq.exe |
"TCP Query User{AA8DD7D2-250D-4011-8D93-08D046AA87B9}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"TCP Query User{C07A513D-E007-43F0-AE82-8BD5364B7421}C:\program files (x86)\electronic arts\ultima online classic\client.exe" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\ultima online classic\client.exe |
"TCP Query User{C4AE01F9-6020-413F-BA8F-B96816008B82}C:\program files (x86)\electronic arts\ultima online classic\client.exe" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\ultima online classic\client.exe |
"UDP Query User{7034DC48-91C4-422B-9082-1978690AE3D4}C:\program files (x86)\electronic arts\ultima online classic\client.exe" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\ultima online classic\client.exe |
"UDP Query User{815C2192-311D-4EA2-BF8C-CE84EA166AB7}C:\program files (x86)\electronic arts\ultima online classic\client.exe" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\ultima online classic\client.exe |
"UDP Query User{A17693CB-87DB-4DBA-A6E6-8B44D24DC448}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{21B133D6-5979-47F0-BE1C-F6A6B304693F}" = Visual Studio 2010 x64 Redistributables
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}" = Paint.NET v3.5.10
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{AD27BE4B-A261-4F0A-AB5A-476C83EDAED2}" = AVG 2013
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 311.06
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 311.06
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 311.06
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.11.3
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DDD076BF-C5C3-468C-AA1B-F9A7E47446FE}" = Intel® Network Connections 13.1.33.0
"{EA0F68A4-CC52-D061-C239-CC54377E9B79}" = ccc-utility64
"{F5AA006A-1ABE-4F16-B6E1-FEE1F7D38102}" = AVG 2013
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F6CB42B9-F033-4152-8813-FF11DA8E6A78}" = Dell Dock
"AVG" = AVG 2013
"CCleaner" = CCleaner
"HitmanPro37" = HitmanPro 3.7
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"PROSetDX" = Intel® Network Connections 13.1.33.0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{04FDC8D5-704E-D6FF-6C0F-F243EB1EA544}" = Catalyst Control Center InstallProxy
"{06A82E70-97F4-3BA9-65DB-692632659387}" = Catalyst Control Center InstallProxy
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0DF30031-F15F-FD36-D9F8-EBC23B901894}" = Catalyst Control Center Graphics Light
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 10
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3921564E-11A7-27AC-8D6F-D5FCA33DD083}" = Skins
"{3E9016D4-5AD8-3A77-5A75-8C89C68992CD}" = Catalyst Control Center Graphics Previews Vista
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{5F8825AD-CD41-40EB-9286-C1308B1CF45F}" = Aion
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}" = EDocs
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{7456BBA3-642F-4E59-9F89-7639977D7C39}" = Cozi
"{7578ADEA-D65F-4C89-A249-B1C88B6FFC20}" = ICQ7.5
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8D8024F1-2945-49A5-9B78-5AB7B11D7942}_is1" = Auslogics Registry Cleaner
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A8589680-35C1-4732-ACCA-09B78921ECE3}" = Sid Meier's Civilization 4
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.4
"{B4089055-D468-45A4-A6BA-5A138DD715FC}" = Bing Bar
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B88A3C98-CB4D-E3C2-DE49-EDAF1DC55CC1}" = CCC Help English
"{B9C73F69-63B7-552D-72D8-3C22B6B1A3E7}" = Catalyst Control Center Graphics Full New
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C9FB868B-2086-4EE2-BD4F-BFBA36B131F4}" = NCsoft Launcher
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{CFC1C90B-E9A4-F656-BCA2-2A71ECCBD8F5}" = Catalyst Control Center Graphics Full Existing
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{E01A8BFE-96AB-FEA3-4A3B-EEF9849D1E24}" = Catalyst Control Center Graphics Previews Common
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F569596C-049F-BF15-E0A9-B7605D9B181E}" = Catalyst Control Center Core Implementation
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}" = Visual Studio 2008 x64 Redistributables
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dark Age of Camelot - Catacombs_is1" = Dark Age of Camelot - Catacombs
"Dark Age of Camelot - Darkness Rising_is1" = Dark Age of Camelot - Darkness Rising
"Dark Age of Camelot - Labyrinth of the Minotaur_is1" = Dark Age of Camelot - Labyrinth of the Minotaur
"Dark Age of Camelot - Shrouded Isles_is1" = Dark Age of Camelot - Shrouded Isles
"Dark Age of Camelot - Trials of Atlantis_is1" = Dark Age of Camelot - Trials of Atlantis
"ESET Online Scanner" = ESET Online Scanner v3
"FileASSASSIN" = FileASSASSIN
"Hide and Secret 2" = Hide and Secret 2
"ICQToolbar" = ICQ Toolbar
"Magic Encyclopedia - Moon Light" = Magic Encyclopedia - Moon Light
"Magic Encyclopedia. First Story" = Magic Encyclopedia. First Story
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Mystery Cookbook" = Mystery Cookbook
"Natalie Brooks - Secrets of Treasure House" = Natalie Brooks - Secrets of Treasure House
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Save Our Spirit" = Save Our Spirit
"Sprill - The Mystery of The Bermuda Triangle" = Sprill - The Mystery of The Bermuda Triangle
"ST6UNST #1" = DAoC Character Chat Fixer
"The Treasures Of Montezuma" = The Treasures Of Montezuma
"The Treasures Of Mystery Island" = The Treasures Of Mystery Island
"Treasure Masters, Inc." = Treasure Masters, Inc.
"Ultima Online Classic" = Ultima Online Classic Client
"Wild West Quest" = Wild West Quest
"WinLiveSuite_Wave3" = Windows Live Essentials
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-637409185-3216912708-104265191-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"309a46b1dc89b774" = Dell Driver Download Manager
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 5/14/2013 2:04:18 AM | Computer Name = Trish-PC | Source = WinMgmt | ID = 10
Description =
 
Error - 5/14/2013 2:44:20 AM | Computer Name = Trish-PC | Source = WinMgmt | ID = 10
Description =
 
Error - 5/14/2013 10:44:35 AM | Computer Name = Trish-PC | Source = WinMgmt | ID = 10
Description =
 
Error - 5/14/2013 10:52:28 AM | Computer Name = Trish-PC | Source = WinMgmt | ID = 10
Description =
 
Error - 5/14/2013 1:22:14 PM | Computer Name = Trish-PC | Source = WinMgmt | ID = 10
Description =
 
[ System Events ]
Error - 5/14/2013 2:01:43 AM | Computer Name = Trish-PC | Source = Service Control Manager | ID = 7006
Description =
 
Error - 5/14/2013 2:04:18 AM | Computer Name = Trish-PC | Source = Service Control Manager | ID = 7006
Description =
 
Error - 5/14/2013 2:41:48 AM | Computer Name = Trish-PC | Source = Service Control Manager | ID = 7006
Description =
 
Error - 5/14/2013 10:41:58 AM | Computer Name = Trish-PC | Source = Service Control Manager | ID = 7006
Description =
 
Error - 5/14/2013 10:49:56 AM | Computer Name = Trish-PC | Source = Service Control Manager | ID = 7006
Description =
 
Error - 5/14/2013 1:19:44 PM | Computer Name = Trish-PC | Source = Service Control Manager | ID = 7006
Description =
 
 
< End of report >
 

Thank you again for your assistance.



#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,244 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:44 PM

Posted 14 May 2013 - 02:57 PM

Before continuing, can you try the following: at the command prompt, type explorer and press Enter. Does this load the desktop?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Steg

Steg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 14 May 2013 - 03:51 PM

Elise,

 

Yes, it does. I thought I put that in my earlier post. Sorry about the confusion.

It seems as though something is missing? or corrupted? in the boot instructions.

 

Thank you again for your assistance.

 

*EDIT* Spelling


Edited by Steg, 14 May 2013 - 03:54 PM.


#10 OmegaIQ

OmegaIQ

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:44 AM

Posted 14 May 2013 - 06:25 PM

Sorry about that, moved it.


Edited by OmegaIQ, 15 May 2013 - 07:52 AM.


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,244 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:44 PM

Posted 15 May 2013 - 02:09 AM

@ OmegaIQ, please start your own topic about this problem; do not hijack other members' topics, as this only causes confusion.
 
@ Steg, let's see if the following helps.

We need to run an OTL Fix
  • Please reopen OTL (the OTL icon) on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :otl
    O20 - HKU\S-1-5-21-637409185-3216912708-104265191-1000 Winlogon: Shell - (cmd.exe) - cmd.exe (Microsoft Corporation)
    
    :commands
    [reboot]
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#12 Steg

Steg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 15 May 2013 - 12:01 PM

Elise,

OTL Fix complete. Upon reboot after it ran, the cmd prompt did not open.

 

========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-637409185-3216912708-104265191-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:cmd.exe deleted successfully.
File move failed. cmd.exe scheduled to be moved on reboot.
========== COMMANDS ==========
 
OTL by OldTimer - Version 3.2.69.0 log created on 05152013_115640

Files\Folders moved on Reboot...
File move failed. cmd.exe scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

 

Thank you.



#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,244 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:44 PM

Posted 15 May 2013 - 01:26 PM

At this point what happens when you start the computer?


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#14 Steg

Steg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 15 May 2013 - 02:00 PM

It now restarts correctly. It appears as though all is back to normal. Just running another virus scan now before turning it back over to my wife.

Please let me know if there is anything else I should do before we are done. Thank you again for your assistance correcting this mess.

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,244 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:44 PM

Posted 15 May 2013 - 03:46 PM

It is possible the cmd.exe file was removed, in which case we'd need to restore it. :) I'd rather be sure it is in place just to avoid any problem in the future.

 

To verify this, press Windows key + R, type cmd and press Enter. If a black command window opens, it's okay; if not, let me know.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
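The two checks discussed in this thread, the per-user Winlogon Shell hijack (the O20 line removed by the OTL fix in post #11) and the cmd.exe presence test from post #15, as an added PowerShell audit. This is example code written for this page, not from the thread or from OTL; it assumes a Windows host with PowerShell 2.0 or later, run as Administrator so every loaded user hive under HKEY_USERS can be read.

```powershell
# Added example (not from the thread): audit Winlogon "Shell" values for the
# per-user hijack seen here (O20 ... Winlogon: Shell - cmd.exe) and confirm
# cmd.exe is still present, as Elise asked Steg to verify.
# Assumes Windows with PowerShell 2.0+, run as Administrator.

function Get-WinlogonShellFindings {
    $winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings = @()

    # Machine-wide default: on a clean system this is exactly "explorer.exe".
    $machine = Get-ItemProperty -Path "HKLM:\$winlogon" -Name Shell -ErrorAction SilentlyContinue
    if ($null -eq $machine) {
        $findings += New-Object PSObject -Property @{ Hive = 'HKLM'; Shell = '<missing>'; Status = 'Suspicious' }
    } elseif ($machine.Shell.Trim() -ine 'explorer.exe') {
        $findings += New-Object PSObject -Property @{ Hive = 'HKLM'; Shell = $machine.Shell; Status = 'Suspicious' }
    } else {
        $findings += New-Object PSObject -Property @{ Hive = 'HKLM'; Shell = $machine.Shell; Status = 'OK' }
    }

    # Per-user override: Windows honours HKU\<SID>\...\Winlogon\Shell over the
    # HKLM value, which is how the lock screen in this thread replaced the
    # desktop with cmd.exe. A clean profile normally has no Shell value at all.
    if (-not (Test-Path 'HKU:\')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $user = Get-ItemProperty -Path "HKU:\$sid\$winlogon" -Name Shell -ErrorAction SilentlyContinue
            if ($null -ne $user) {
                $status = if ($user.Shell.Trim() -ieq 'explorer.exe') { 'OK' } else { 'Suspicious' }
                $findings += New-Object PSObject -Property @{ Hive = "HKU\$sid"; Shell = $user.Shell; Status = $status }
            }
        }
    return $findings
}

function Test-CmdPresent {
    # cmd.exe must exist in System32; 64-bit Windows also keeps a 32-bit copy in SysWOW64.
    $paths = @("$env:SystemRoot\System32\cmd.exe")
    if (Test-Path "$env:SystemRoot\SysWOW64") { $paths += "$env:SystemRoot\SysWOW64\cmd.exe" }
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { return $false }
    }
    return $true
}

Get-WinlogonShellFindings | Format-Table Hive, Shell, Status -AutoSize
if (Test-CmdPresent) { 'cmd.exe present' } else { 'cmd.exe MISSING - restore it from a known-good source' }
```

Any HKU entry reported at all, or an HKLM Shell that is not explorer.exe, is the condition the OTL fix above corrected; a missing cmd.exe is the case Elise wanted ruled out before closing the thread.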




