
Trojan horse Generic13.ATPH, Win32/Cryptor, windowsclick, Spyware Prot


This topic is locked

#1 MrX3 (Member, 11 posts)
Hello Kind Geeks,

Wife's netbook, Dell Mini 9, SS drive 16GB, XP Home has serious virus infections. AVG scan finds 24 instances, mostly "Trojan horse Generic13.ATPH" with a few "Win32/Cryptor". AVG says it moves 15 to vault, leaving 9 still infecting. Rescanning after reboot again finds 24 viruses. Initial symptoms were windowsclick redirects. Later, things seemed to get worse, and the fake Spyware Protect screens started popping up. Also was getting unsolicited bluetooth radio/commercial streams.

Preparation Steps:

1) TFC goes to blue screen every time I try to run it.
2) SystemRestorePoint.exe shows error saying "Restore Point Creation Failed!"
3) ERUNT seems to work. Registry backup created.
4) MalwareBytes' Anti-Malware won't run.
5) Windows update worked, after finally getting to the MS site. Installed one patch for MS Office.

6 & 7) Rooter.exe and OTListIt logs follow below.


Thanks in advance for any helpful tips!


Rooter_1.txt:
Rooter.exe (v1.0) by Eric_71
¨
Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3
32_bits - x86 Family 6 Model 28 Stepping 2, GenuineIntel
¨
C:\ [Fixed-NTFS] .. ( Total:14 Go - Free:5 Go )
¨
Scan : 14:53.07
Path : C:\Documents and Settings\MrX3\Desktop\MALWARE_TOOLS\Rooter.exe
User : MrX3 ( Administrator -> YES )
¨
----------------------\\ Processes
¨
Locked [System Process] (0)
______ System (4)
______ \??\C:\WINDOWS\system32\csrss.exe (652)
______ \??\C:\WINDOWS\system32\winlogon.exe (676)
______ C:\WINDOWS\system32\services.exe (724)
______ C:\WINDOWS\system32\lsass.exe (736)
______ C:\WINDOWS\system32\svchost.exe (904)
______ C:\WINDOWS\system32\svchost.exe (1008)
______ C:\WINDOWS\System32\svchost.exe (1076)
______ C:\WINDOWS\system32\svchost.exe (1176)
______ C:\WINDOWS\system32\svchost.exe (1252)
______ C:\WINDOWS\system32\spoolsv.exe (1320)
______ C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (1428)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1464)
______ C:\Program Files\Dell Support Center\bin\sprtsvc.exe (1528)
______ C:\PROGRA~1\AVG\AVG8\avgrsx.exe (1628)
______ C:\PROGRA~1\AVG\AVG8\avgnsx.exe (1636)
______ C:\WINDOWS\system32\svchost.exe (1680)
______ C:\PROGRA~1\AVG\AVG8\avgemc.exe (1772)
______ C:\Program Files\AVG\AVG8\avgcsrvx.exe (1860)
______ C:\Program Files\AVG\AVG8\avgcsrvx.exe (364)
______ C:\WINDOWS\Explorer.EXE (1508)
______ C:\WINDOWS\System32\alg.exe (2068)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (2504)
______ C:\WINDOWS\RTHDCPL.EXE (2596)
______ C:\WINDOWS\system32\igfxpers.exe (2612)
______ C:\Program Files\Battery Meter\BTMeter.exe (2620)
______ C:\Program Files\Wireless Select Switch\WLSS.exe (2644)
______ C:\Program Files\Dell Support Center\bin\sprtcmd.exe (2688)
______ C:\WINDOWS\system32\igfxsrvc.exe (2704)
______ C:\PROGRA~1\AVG\AVG8\avgtray.exe (2764)
______ C:\Program Files\Java\jre6\bin\jusched.exe (2776)
______ C:\WINDOWS\system32\ctfmon.exe (2808)
______ C:\WINDOWS\System32\svchost.exe (3964)
______ C:\Program Files\Mozilla Firefox\firefox.exe (2104)
______ C:\WINDOWS\system32\NOTEPAD.EXE (3892)
______ C:\Program Files\Internet Explorer\Iexplore.exe (3448)
______ C:\Program Files\Internet Explorer\Iexplore.exe (3208)
______ C:\Documents and Settings\MrX3\Desktop\MALWARE_TOOLS\Rooter.exe (252)
¨
----------------------\\ Device\Harddisk0\
¨
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
¨
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:41094144)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:41126400 | Length:15365871104)
¨
----------------------\\ Scheduled Tasks
¨
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\User_Feed_Synchronization-{A8D7AE51-7F82-4FCF-856D-6031391897B2}.job
C:\WINDOWS\Tasks\WECPUpdate.job
¨
----------------------\\ Registry
¨
¨
----------------------\\ Files & Folders
¨
----------------------\\ Scan completed at 14:53.09
¨
C:\Rooter$\Rooter_1.txt - (15/06/2009 | 14:53.09)


OTL


OTL logfile created on: 6/15/2009 2:56:53 PM - Run 3
OTL by OldTimer - Version 2.1.1.0 Folder = C:\Documents and Settings\MrX3\Desktop\MALWARE_TOOLS
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.76% Memory free
2.04 Gb Paging File | 1.52 Gb Available in Paging File | 74.43% Paging File free
Paging file location(s): C:\pagefile.sys 200 200 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.31 Gb Total Space | 5.65 Gb Free Space | 39.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: INTLLIFE-MINI9
Current User Name: MrX3
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
PRC - C:\Program Files\Battery Meter\BTMeter.exe (Dell)
PRC - C:\Program Files\Wireless Select Switch\WLSS.exe (Dell)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Internet Explorer\Iexplore.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\Iexplore.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\MrX3\Desktop\MALWARE_TOOLS\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (avg8emc [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (GoToAssist [On_Demand | Stopped]) -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (sprtsvc_dellsupportcenter [Auto | Running]) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (AliIde [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (amdagp [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (asc [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX [System | Running]) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (BCM43XX [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\bcmwl5.sys (Broadcom Corporation)
DRV - (BTWUSB [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\btwusb.sys (Broadcom Corporation.)
DRV - (CmdIde [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (dac2w2k [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (EMSC [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\EMSC.SYS ()
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\igxpmp32.sys (Intel Corporation)
DRV - (IntcAzAudAddService [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (JMCR [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\jmcr.sys (JMicron Technology Corp.)
DRV - (mraid35x [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (OA004Afx [On_Demand | Running]) -- C:\WINDOWS\system32\Drivers\OA004Afx.sys (Creative Technology Ltd.)
DRV - (OA004Ufd [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\OA004Ufd.sys (Creative Technology Ltd.)
DRV - (OA004Vid [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\OA004Vid.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (ql1080 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql12160 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1280 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (RTLE8023xp [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sisagp [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (Sparrow [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (symc810 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (symc8xx [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_hi [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (sym_u3 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (SynTP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys (Synaptics, Inc.)
DRV - (ultra [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081203
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081203
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081203
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081203
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081203
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081203
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3436034942-565223664-3386438656-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081203
IE - HKU\S-1-5-21-3436034942-565223664-3386438656-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-3436034942-565223664-3386438656-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co...html?channel=us
IE - HKU\S-1-5-21-3436034942-565223664-3386438656-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081203
IE - HKU\S-1-5-21-3436034942-565223664-3386438656-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3436034942-565223664-3386438656-1006\S-1-5-21-3436034942-565223664-3386438656-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://nyt.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/05/01 18:48:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/03/31 22:19:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/12/27 17:07:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/06/14 10:58:55 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/06/14 10:58:55 | 00,000,000 | ---D | M]

[2009/05/23 12:27:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MrX3\Application Data\mozilla\Extensions
[2009/05/23 12:27:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MrX3\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/23 12:27:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MrX3\Application Data\mozilla\Firefox\Profiles\pmenvbl5.default\extensions
[2009/06/13 19:01:52 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/14 10:58:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/12/27 17:08:35 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/05/22 22:18:46 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/06/14 10:58:36 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/14 10:58:37 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/02/19 12:33:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/02/19 12:33:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/02/19 12:33:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/02/19 12:33:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/02/19 12:33:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/02/19 12:33:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/02/19 12:33:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (149 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 antispyware.microsoft.com
O1 - Hosts: 209.44.111.57 2009antivirpro.com
O1 - Hosts: 209.44.111.57 www.2009antivirpro.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (BHO) - {26070AD0-CF3E-49be-8C83-85A63BFD36D5} - C:\WINDOWS\system32\iehelper.dll File not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (796525 Class) - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe (Dell)
O4 - HKLM..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" ( )
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe (Dell)
O4 - HKU\S-1-5-21-3436034942-565223664-3386438656-1006..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot File not found
O4 - HKU\S-1-5-21-3436034942-565223664-3386438656-1006..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3436034942-565223664-3386438656-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3436034942-565223664-3386438656-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm File not found
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\lsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\lsp.dll ()
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\system32\sdra64.exe [FILE handle not seen by OS]
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 18:45:49 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/15 14:52:01 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[2009/06/15 14:53:09 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/06/15 14:51:52 | 00,170,029 | ---- | C] (Eric_71) -- C:\Documents and Settings\MrX3\Desktop\Rooter.exe
[2009/06/15 13:16:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/06/15 13:15:47 | 00,000,613 | ---- | C] () -- C:\Documents and Settings\MrX3\Desktop\NTREGOPT.lnk
[2009/06/15 13:15:47 | 00,000,594 | ---- | C] () -- C:\Documents and Settings\MrX3\Desktop\ERUNT.lnk
[2009/06/15 13:15:46 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/06/15 13:11:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\Desktop\MALWARE_TOOLS
[2009/06/15 12:38:26 | 00,005,574 | ---- | C] () -- C:\Documents and Settings\MrX3\Desktop\AVG_Scan_20090615.csv
[2009/06/15 10:55:46 | 00,000,698 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/15 10:55:42 | 00,040,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/15 10:55:40 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/15 10:55:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/06/15 09:54:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/06/15 01:54:51 | 03,371,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\MrX3\Desktop\getup.exe
[2009/06/15 01:50:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\Application Data\MalwareRemovalBot
[2009/06/14 22:40:51 | 00,183,296 | ---- | C] () -- C:\WINDOWS\System32\lsp.dll
[2009/06/14 22:40:48 | 00,096,768 | ---- | C] () -- C:\WINDOWS\syssvc.exe
[2009/06/14 22:05:04 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\796525
[2009/06/14 16:25:13 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/06/14 16:23:54 | 03,371,384 | ---- | C] (Malwarebytes Corporation ) -- C:\zzz-setup.exe
[2009/06/10 12:11:40 | 00,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll
[2009/06/10 12:11:40 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll
[2009/06/08 00:11:59 | 00,000,000 | R--D | C] -- C:\Documents and Settings\MrX3\My Documents\My Videos
[2009/06/08 00:09:21 | 00,000,471 | ---- | C] () -- C:\Documents and Settings\MrX3\Desktop\Shortcut to BELEZA on I-life-25-11-06.lnk
[2009/06/08 00:08:32 | 00,000,281 | ---- | C] () -- C:\Shortcut to OS ©.lnk
[2009/05/29 22:30:32 | 00,000,000 | ---D | C] -- C:\$WIN_NT$.~BT
[2009/05/29 22:18:17 | 00,000,254 | RHS- | C] () -- C:\BOOT.BAK
[2009/05/29 22:18:12 | 00,458,092 | R--- | C] () -- C:\txtsetup.sif
[2009/05/29 22:18:12 | 00,260,288 | R--- | C] () -- C:\$LDR$
[2009/05/29 22:17:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2009/05/27 20:07:54 | 21,374,44352 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/23 12:27:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\Application Data\Mozilla
[2009/05/23 12:26:12 | 00,001,616 | ---- | C] () -- C:\Documents and Settings\MrX3\Desktop\Mozilla Firefox.lnk
[2009/05/23 01:37:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\Application Data\Macromedia
[2009/05/23 01:37:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\Application Data\Adobe
[2009/05/23 01:34:43 | 00,000,000 | -H-D | C] -- C:\Program Files\Uninstall Information
[2009/05/23 01:34:08 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\MrX3\Application Data\desktop.ini
[2009/05/23 01:34:06 | 00,000,089 | -HS- | C] () -- C:\Documents and Settings\MrX3\My Documents\desktop.ini
[2009/05/23 01:34:06 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\MrX3\Local Settings\desktop.ini
[2009/05/23 01:34:04 | 00,000,084 | -HS- | C] () -- C:\Documents and Settings\MrX3\Start Menu\Programs\Startup\desktop.ini
[2009/05/23 01:34:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\Application Data\InstallShield
[2009/05/23 01:34:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\Application Data\Identities
[2009/05/23 01:34:03 | 00,000,000 | --SD | C] -- C:\Documents and Settings\MrX3\Application Data\Microsoft
[2009/05/23 01:34:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\Application Data\Sun
[2009/05/23 01:34:02 | 00,000,000 | R--D | C] -- C:\Documents and Settings\MrX3\My Documents\My Pictures
[2009/05/23 01:34:02 | 00,000,000 | R--D | C] -- C:\Documents and Settings\MrX3\My Documents\My Music
[2009/05/23 01:34:02 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\MrX3\Local Settings\Temporary Internet Files
[2009/05/23 01:34:02 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\MrX3\Local Settings\History
[2009/05/23 01:34:02 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\MrX3\Local Settings\Application Data
[2009/05/23 01:34:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\My Documents\My Google Gadgets
[2009/05/23 01:34:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\My Documents\Dell WebCam Central
[2009/05/23 01:34:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\My Documents\Bluetooth Exchange Folder
[2009/05/23 01:34:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\MrX3\Local Settings\Temp
[2009/01/09 12:00:47 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/12/03 10:05:36 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/12/03 10:03:09 | 00,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/12/03 09:34:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/12/03 08:58:42 | 00,266,240 | ---- | C] () -- C:\WINDOWS\System32\EMSC.DLL
[2008/12/03 08:58:42 | 00,009,856 | ---- | C] () -- C:\WINDOWS\System32\drivers\EMSC.sys
[2008/04/25 18:42:57 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 13:33:23 | 00,000,507 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/04/25 13:33:22 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[2009/06/15 13:54:15 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\MrX3\Local Settings\desktop.ini
[2009/06/15 13:53:55 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/15 13:53:52 | 21,374,44352 | -HS- | M] () -- C:\hiberfil.sys
[2009/06/15 13:53:52 | 00,224,816 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/06/15 13:15:47 | 00,000,613 | ---- | M] () -- C:\Documents and Settings\MrX3\Desktop\NTREGOPT.lnk
[2009/06/15 13:15:47 | 00,000,594 | ---- | M] () -- C:\Documents and Settings\MrX3\Desktop\ERUNT.lnk
[2009/06/15 12:38:26 | 00,005,574 | ---- | M] () -- C:\Documents and Settings\MrX3\Desktop\AVG_Scan_20090615.csv
[2009/06/15 12:37:32 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/15 12:24:38 | 00,170,029 | ---- | M] (Eric_71) -- C:\Documents and Settings\MrX3\Desktop\Rooter.exe
[2009/06/15 10:55:46 | 00,000,698 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/15 09:43:32 | 37,123,328 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/06/15 09:43:32 | 00,077,480 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/06/15 01:55:04 | 03,371,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\MrX3\Desktop\getup.exe
[2009/06/14 22:40:51 | 00,183,296 | ---- | M] () -- C:\WINDOWS\System32\lsp.dll
[2009/06/14 22:40:49 | 00,096,768 | ---- | M] () -- C:\WINDOWS\syssvc.exe
[2009/06/14 16:15:31 | 03,371,384 | ---- | M] (Malwarebytes Corporation ) -- C:\zzz-setup.exe
[2009/06/12 08:07:44 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/06/08 00:09:21 | 00,000,471 | ---- | M] () -- C:\Documents and Settings\MrX3\Desktop\Shortcut to BELEZA on I-life-25-11-06.lnk
[2009/06/08 00:08:32 | 00,000,281 | ---- | M] () -- C:\Shortcut to OS ©.lnk
[2009/06/07 18:02:35 | 00,000,269 | RHS- | M] () -- C:\boot.ini
[2009/06/01 09:51:12 | 23,635,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/29 22:18:17 | 00,000,254 | RHS- | M] () -- C:\BOOT.BAK
[2009/05/26 13:20:08 | 00,040,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/26 13:19:56 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/23 01:35:21 | 00,000,089 | -HS- | M] () -- C:\Documents and Settings\MrX3\My Documents\desktop.ini
< End of report >

#2 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

Please do the following:

Please download ComboFix from Here or Here to your Desktop.
**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.  
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**



Note: if the renamed ComboFix will not run in normal mode - please try it in safe mode:

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account


#3 MrX3 (Topic Starter, Member, 11 posts)
Hi CatByte,

Successfully ran combo-fix in safe mode. During the first pass in regular mode combo-fix gave a warning that it might be unsafe to proceed, as I might be infected with "virus patching software 'viruit'". I switched to safe mode and the only other complaint combo-fix gave was that the Windows Recovery Module was not installed, so it couldn't delete some files. But I continued with the scan and it did end up deleting files, as listed in the log file below.

My temptation is to run it again in non-safe mode so it can continue with use of the Windows Recovery Module. But I will post this message and pause to wait for your input. At this point I haven't rebooted the infected machine to see its state, but I suspect it will be much better, if not completely cured (fingers crossed).

Thanks again,
X3


ComboFix.txt:
-------------------------------------------------------------

ComboFix 09-06-20.04 - Administrator 06/21/2009 13:48.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1800 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\UACoewfsaxthwbuwiv.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\UACfamwqmulnylufdr.log
c:\windows\system32\UACftxjxpdwykricpp.dll
c:\windows\system32\UACfxvvkvthrqeqrpb.dll
c:\windows\system32\UACnimuolyxposimvp.db
c:\windows\system32\UACptnkmpbitlessif.dll
c:\windows\system32\UACrkbmqpqxpvuesqk.dll
c:\windows\system32\UACskveihlvfghuxnl.log
c:\windows\system32\UACspufwfmodcqtklh.log
c:\windows\system32\UACxlvfygxjqwmipda.dll
c:\windows\system32\UACxtjwufjbswucbxu.dat
c:\windows\system32\UACyxwcjwgovtqojpr.dll
c:\documents and settings\DECCHECK\eula.txt
c:\windows\system32\drivers\UACoewfsaxthwbuwiv.sys
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\lsp.dll
c:\windows\system32\UACfamwqmulnylufdr.log
c:\windows\system32\UACftxjxpdwykricpp.dll
c:\windows\system32\UACfxvvkvthrqeqrpb.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACnimuolyxposimvp.db
c:\windows\system32\UACptnkmpbitlessif.dll
c:\windows\system32\UACrkbmqpqxpvuesqk.dll
c:\windows\system32\UACskveihlvfghuxnl.log
c:\windows\system32\UACspufwfmodcqtklh.log
c:\windows\system32\uactmp.db
c:\windows\system32\UACxlvfygxjqwmipda.dll
c:\windows\system32\UACxtjwufjbswucbxu.dat
c:\windows\system32\UACyxwcjwgovtqojpr.dll
c:\windows\system32\wbem\proquota.exe

----- BITS: Possible infected sites -----

hxxp://downloadsoftwareserver.com
c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-12-28 00:08 . 2009-03-09 12:19 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-06-21 20:02 . 2009-06-21 20:02 -------- dc----w- c:\windows\LastGood.Tmp
2009-06-15 21:53 . 2009-06-15 21:53 -------- dc----w- C:\Rooter$
2009-06-15 20:15 . 2009-06-15 20:15 -------- dc----w- c:\program files\ERUNT
2009-06-15 19:28 . 2009-06-15 19:28 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\Apple
2009-06-15 17:55 . 2009-05-26 20:20 40160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 17:55 . 2009-06-15 17:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-15 17:55 . 2009-05-26 20:19 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 08:50 . 2009-06-15 08:50 -------- dc----w- c:\documents and settings\Christopher Harris\Application Data\MalwareRemovalBot
2009-06-15 05:05 . 2009-06-15 06:47 -------- dc----w- c:\windows\system32\796525
2009-06-14 23:25 . 2009-06-15 17:55 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 23:23 . 2009-06-14 23:15 3371384 -c--a-w- C:\zzz-setup.exe
2009-06-10 19:11 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 19:11 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 04:19 . 2009-06-09 04:19 -------- dcsh--w- c:\documents and settings\Christopher Harris\IECompatCache
2009-06-08 01:22 . 2009-06-08 01:22 -------- dcsh--w- c:\documents and settings\Rosemeire Harris\IECompatCache
2009-05-30 05:30 . 2009-05-30 05:30 -------- dc----w- C:\$WIN_NT$.~BT
2009-05-30 04:43 . 2009-06-15 20:13 55424 -c--a-w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 03:03 . 2009-05-28 03:03 -------- dcsh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-28 03:03 . 2009-05-28 03:03 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-05-27 17:50 . 2009-05-27 17:50 -------- dcsh--w- c:\documents and settings\Rosemeire Harris\PrivacIE
2009-05-23 19:27 . 2009-05-23 19:27 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\Mozilla
2009-05-23 08:37 . 2009-05-23 08:37 -------- dcsh--w- c:\documents and settings\Christopher Harris\PrivacIE
2009-05-23 08:35 . 2009-05-23 08:35 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\SupportSoft
2009-05-23 05:14 . 2009-05-23 05:14 152576 -c--a-w- c:\documents and settings\Rosemeire Harris\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 19:55 . 2009-02-13 19:00 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-15 20:07 . 2009-03-13 06:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-12 15:16 . 2008-12-03 16:18 -------- dc----w- c:\program files\Microsoft Works
2009-05-29 21:40 . 2009-05-29 21:40 4257280 -c-h--w- c:\documents and settings\Rosemeire Harris\Application Data\BIT65.tmp
2009-05-23 05:21 . 2008-12-03 15:51 -------- dc----w- c:\program files\Java
2009-05-13 05:15 . 2008-04-25 20:33 915456 -c--a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2008-04-25 20:33 345600 -c--a-w- c:\windows\system32\localspl.dll
2009-05-01 21:41 . 2009-03-14 05:02 11952 -c--a-w- c:\windows\system32\avgrsstx.dll
2009-05-01 21:40 . 2009-03-14 05:01 325896 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-01 21:40 . 2009-03-14 05:01 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-01 21:37 . 2009-03-14 05:02 108552 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-01 18:30 . 2009-05-01 18:30 3366912 -c--a-w- c:\windows\system32\GPhotos.scr
2009-04-17 12:26 . 2008-04-25 20:33 1847168 -c--a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-25 20:33 585216 -c--a-w- c:\windows\system32\rpcrt4.dll
2008-12-03 16:26 . 2008-12-03 16:26 75 -csh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-14 1343488]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-14 137752]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-07-11 537896]
"WLSS"="c:\program files\Wireless Select Switch\WLSS.exe" [2008-07-11 492840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-07-13 16876032]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2008-07-13 1826816]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2008-07-13 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2008-07-13 2808832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-03 16:27 10536 -c--a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 21:41 11952 -c--a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1145:UDP"= 1145:UDP:Windows Media Format SDK (firefox.exe)
"1144:UDP"= 1144:UDP:Windows Media Format SDK (firefox.exe)
"1150:UDP"= 1150:UDP:Windows Media Format SDK (firefox.exe)

S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/3/2008 8:58 AM 9856]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/13/2009 10:01 PM 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/13/2009 10:02 PM 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/13/2009 10:00 PM 908568]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/13/2009 10:00 PM 298776]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [12/3/2008 10:04 AM 93968]
S3 OA004Afx;Provides a software interface to control audio effects of OA004 camera.;c:\windows\system32\drivers\OA004Afx.sys [12/3/2008 10:05 AM 148056]
S3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [12/3/2008 10:05 AM 144672]
S3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [12/3/2008 10:05 AM 269760]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-03 c:\windows\Tasks\User_Feed_Synchronization-{A8D7AE51-7F82-4FCF-856D-6031391897B2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

2009-03-28 c:\windows\Tasks\WECPUpdate.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 14:28]
.
- - - - ORPHANS REMOVED - - - -

BHO-{26070AD0-CF3E-49be-8C83-85A63BFD36D5} - c:\windows\system32\iehelper.dll
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU-Run-SightSpeed - c:\program files\Dell Video Chat\DellVideoChat.exe


.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081203
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 14:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3436034942-565223664-3386438656-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,42,10,74,fb,f1,6c,49,9e,77,27,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,42,10,74,fb,f1,6c,49,9e,77,27,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(208)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(1860)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-06-21 14:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-21 21:09

Pre-Run: 8,484,458,496 bytes free
Post-Run: 8,821,219,328 bytes free

200 --- E O F --- 2009-06-14 20:03

#4 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

Yes, please delete that copy from your desktop.

Download a fresh copy without renaming it this time, from one of these links:


Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop


Allow ComboFix to download Recovery Console and run.

#5 MrX3 (Topic Starter, Member, 11 posts)
Hi CatByte,

Downloaded new version of combofix from links you provided and ran it.

Log below.

Thanks,
X3

combofix.txt
------------------------------------
ComboFix 09-06-20.04 - Christopher Harris 06/21/2009 15:19.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1455 [GMT -7:00]
Running from: c:\documents and settings\Christopher Harris\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-12-28 00:08 . 2009-03-09 12:19 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-06-21 22:11 . 2009-06-21 22:11 -------- dc----w- c:\documents and settings\Christopher Harris\Application Data\Malwarebytes
2009-06-15 21:53 . 2009-06-15 21:53 -------- dc----w- C:\Rooter$
2009-06-15 20:15 . 2009-06-15 20:15 -------- dc----w- c:\program files\ERUNT
2009-06-15 19:28 . 2009-06-15 19:28 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\Apple
2009-06-15 17:55 . 2009-05-26 20:20 40160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 17:55 . 2009-06-15 17:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-15 17:55 . 2009-05-26 20:19 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 08:50 . 2009-06-15 08:50 -------- dc----w- c:\documents and settings\Christopher Harris\Application Data\MalwareRemovalBot
2009-06-15 05:05 . 2009-06-15 06:47 -------- dc----w- c:\windows\system32\796525
2009-06-14 23:25 . 2009-06-15 17:55 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 23:23 . 2009-06-14 23:15 3371384 -c--a-w- C:\zzz-setup.exe
2009-06-10 19:11 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 19:11 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 04:19 . 2009-06-09 04:19 -------- dcsh--w- c:\documents and settings\Christopher Harris\IECompatCache
2009-06-08 01:22 . 2009-06-08 01:22 -------- dcsh--w- c:\documents and settings\Rosemeire Harris\IECompatCache
2009-05-30 05:30 . 2009-05-30 05:30 -------- dc----w- C:\$WIN_NT$.~BT
2009-05-30 04:43 . 2009-06-15 20:13 55424 -c--a-w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 03:03 . 2009-05-28 03:03 -------- dcsh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-28 03:03 . 2009-05-28 03:03 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-05-27 17:50 . 2009-05-27 17:50 -------- dcsh--w- c:\documents and settings\Rosemeire Harris\PrivacIE
2009-05-23 19:27 . 2009-05-23 19:27 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\Mozilla
2009-05-23 08:37 . 2009-05-23 08:37 -------- dcsh--w- c:\documents and settings\Christopher Harris\PrivacIE
2009-05-23 08:35 . 2009-05-23 08:35 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\SupportSoft
2009-05-23 05:14 . 2009-05-23 05:14 152576 -c--a-w- c:\documents and settings\Rosemeire Harris\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 19:55 . 2009-02-13 19:00 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-15 20:07 . 2009-03-13 06:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-12 15:16 . 2008-12-03 16:18 -------- dc----w- c:\program files\Microsoft Works
2009-05-29 21:40 . 2009-05-29 21:40 4257280 -c-h--w- c:\documents and settings\Rosemeire Harris\Application Data\BIT65.tmp
2009-05-23 05:21 . 2008-12-03 15:51 -------- dc----w- c:\program files\Java
2009-05-13 05:15 . 2008-04-25 20:33 915456 -c--a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2008-04-25 20:33 345600 -c--a-w- c:\windows\system32\localspl.dll
2009-05-01 21:41 . 2009-03-14 05:02 11952 -c--a-w- c:\windows\system32\avgrsstx.dll
2009-05-01 21:40 . 2009-03-14 05:01 325896 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-01 21:40 . 2009-03-14 05:01 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-01 21:37 . 2009-03-14 05:02 108552 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-01 18:30 . 2009-05-01 18:30 3366912 -c--a-w- c:\windows\system32\GPhotos.scr
2009-04-17 12:26 . 2008-04-25 20:33 1847168 -c--a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-25 20:33 585216 -c--a-w- c:\windows\system32\rpcrt4.dll
2008-12-03 16:26 . 2008-12-03 16:26 75 -csh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( SnapShot@2009-06-21_21.03.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-21 21:57 . 2009-06-21 21:57 16384 c:\windows\temp\Perflib_Perfdata_76c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [BU]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-14 1343488]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-14 137752]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-07-11 537896]
"WLSS"="c:\program files\Wireless Select Switch\WLSS.exe" [2008-07-11 492840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-03 16:27 10536 -c--a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 21:41 11952 -c--a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1145:UDP"= 1145:UDP:Windows Media Format SDK (firefox.exe)
"1144:UDP"= 1144:UDP:Windows Media Format SDK (firefox.exe)
"1150:UDP"= 1150:UDP:Windows Media Format SDK (firefox.exe)

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/3/2008 8:58 AM 9856]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/13/2009 10:01 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/13/2009 10:02 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/13/2009 10:00 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/13/2009 10:00 PM 298776]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [12/3/2008 10:04 AM 93968]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [12/3/2008 10:05 AM 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [12/3/2008 10:05 AM 269760]
S3 OA004Afx;Provides a software interface to control audio effects of OA004 camera.;c:\windows\system32\drivers\OA004Afx.sys [12/3/2008 10:05 AM 148056]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-03 c:\windows\Tasks\User_Feed_Synchronization-{A8D7AE51-7F82-4FCF-856D-6031391897B2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

2009-03-28 c:\windows\Tasks\WECPUpdate.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 14:28]
.
- - - - ORPHANS REMOVED - - - -

BHO-{26070AD0-CF3E-49be-8C83-85A63BFD36D5} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081203
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 15:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(1668)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-21 15:24
ComboFix-quarantined-files.txt 2009-06-21 22:24
ComboFix2.txt 2009-06-21 22:07
ComboFix3.txt 2009-06-21 21:09

Pre-Run: 6,620,704,768 bytes free
Post-Run: 6,599,602,176 bytes free

156 --- E O F --- 2009-06-14 20:03
  • 0

#6
CatByte

CatByte

    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
Hi,

Please do the following:


Go Start > Run and copy/paste the following single-line command into the Run box and click OK:
cmd /c PEV -l "%systemdrive%\proquota.exe" >Log.txt&Log.txt&del Log.txt
A Notepad file will open.
Post the contents of Log.txt in your next reply.


NEXT

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
c:\documents and settings\Rosemeire Harris\Application Data\BIT65.tmp

Folder::
c:\windows\system32\796525

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  • 0

#7
MrX3

MrX3

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
First log:

-------------------

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0


ComboFix Log:

---------------------------
ComboFix 09-06-20.04 - Christopher Harris 06/21/2009 16:03.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1576 [GMT -7:00]
Running from: c:\documents and settings\Christopher Harris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Christopher Harris\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\documents and settings\Rosemeire Harris\Application Data\BIT65.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\796525
c:\documents and settings\Rosemeire Harris\Application Data\BIT65.tmp

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-12-28 00:08 . 2009-03-09 12:19 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-06-21 22:37 . 2009-06-21 22:37 -------- dc----w- c:\windows\LastGood
2009-06-21 22:11 . 2009-06-21 22:11 -------- dc----w- c:\documents and settings\Christopher Harris\Application Data\Malwarebytes
2009-06-15 21:53 . 2009-06-15 21:53 -------- dc----w- C:\Rooter$
2009-06-15 20:15 . 2009-06-15 20:15 -------- dc----w- c:\program files\ERUNT
2009-06-15 19:28 . 2009-06-15 19:28 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\Apple
2009-06-15 17:55 . 2009-05-26 20:20 40160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 17:55 . 2009-06-15 17:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-15 17:55 . 2009-05-26 20:19 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 08:50 . 2009-06-15 08:50 -------- dc----w- c:\documents and settings\Christopher Harris\Application Data\MalwareRemovalBot
2009-06-14 23:25 . 2009-06-15 17:55 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 23:23 . 2009-06-14 23:15 3371384 -c--a-w- C:\zzz-setup.exe
2009-06-10 19:11 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 19:11 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 04:19 . 2009-06-09 04:19 -------- dcsh--w- c:\documents and settings\Christopher Harris\IECompatCache
2009-06-08 01:22 . 2009-06-08 01:22 -------- dcsh--w- c:\documents and settings\Rosemeire Harris\IECompatCache
2009-05-30 05:30 . 2009-05-30 05:30 -------- dc----w- C:\$WIN_NT$.~BT
2009-05-30 04:43 . 2009-06-15 20:13 55424 -c--a-w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 03:03 . 2009-05-28 03:03 -------- dcsh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-28 03:03 . 2009-05-28 03:03 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-05-27 17:50 . 2009-05-27 17:50 -------- dcsh--w- c:\documents and settings\Rosemeire Harris\PrivacIE
2009-05-23 19:27 . 2009-05-23 19:27 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\Mozilla
2009-05-23 08:37 . 2009-05-23 08:37 -------- dcsh--w- c:\documents and settings\Christopher Harris\PrivacIE
2009-05-23 08:35 . 2009-05-23 08:35 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\SupportSoft
2009-05-23 05:14 . 2009-05-23 05:14 152576 -c--a-w- c:\documents and settings\Rosemeire Harris\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 19:55 . 2009-02-13 19:00 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-15 20:07 . 2009-03-13 06:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-12 15:16 . 2008-12-03 16:18 -------- dc----w- c:\program files\Microsoft Works
2009-05-23 05:21 . 2008-12-03 15:51 -------- dc----w- c:\program files\Java
2009-05-13 05:15 . 2008-04-25 20:33 915456 -c--a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2008-04-25 20:33 345600 -c--a-w- c:\windows\system32\localspl.dll
2009-05-01 21:41 . 2009-03-14 05:02 11952 -c--a-w- c:\windows\system32\avgrsstx.dll
2009-05-01 21:40 . 2009-03-14 05:01 325896 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-01 21:40 . 2009-03-14 05:01 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-01 21:37 . 2009-03-14 05:02 108552 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-01 18:30 . 2009-05-01 18:30 3366912 -c--a-w- c:\windows\system32\GPhotos.scr
2009-04-17 12:26 . 2008-04-25 20:33 1847168 -c--a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-25 20:33 585216 -c--a-w- c:\windows\system32\rpcrt4.dll
2008-12-03 16:26 . 2008-12-03 16:26 75 -csh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( SnapShot@2009-06-21_21.03.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-21 22:37 . 2009-06-21 22:37 16384 c:\windows\temp\Perflib_Perfdata_6b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [BU]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-14 1343488]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-14 137752]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-07-11 537896]
"WLSS"="c:\program files\Wireless Select Switch\WLSS.exe" [2008-07-11 492840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-07-13 16876032]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2008-07-13 1826816]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2008-07-13 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2008-07-13 2808832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-03 16:27 10536 -c--a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 21:41 11952 -c--a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1145:UDP"= 1145:UDP:Windows Media Format SDK (firefox.exe)
"1144:UDP"= 1144:UDP:Windows Media Format SDK (firefox.exe)
"1150:UDP"= 1150:UDP:Windows Media Format SDK (firefox.exe)

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/3/2008 8:58 AM 9856]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/13/2009 10:01 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/13/2009 10:02 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/13/2009 10:00 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/13/2009 10:00 PM 298776]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [12/3/2008 10:04 AM 93968]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [12/3/2008 10:05 AM 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [12/3/2008 10:05 AM 269760]
S3 OA004Afx;Provides a software interface to control audio effects of OA004 camera.;c:\windows\system32\drivers\OA004Afx.sys [12/3/2008 10:05 AM 148056]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-03 c:\windows\Tasks\User_Feed_Synchronization-{A8D7AE51-7F82-4FCF-856D-6031391897B2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

2009-03-28 c:\windows\Tasks\WECPUpdate.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 14:28]
.
- - - - ORPHANS REMOVED - - - -

BHO-{26070AD0-CF3E-49be-8C83-85A63BFD36D5} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081203
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 16:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-06-21 16:08
ComboFix-quarantined-files.txt 2009-06-21 23:08
ComboFix2.txt 2009-06-21 22:24
ComboFix3.txt 2009-06-21 22:07
ComboFix4.txt 2009-06-21 21:09

Pre-Run: 6,634,737,664 bytes free
Post-Run: 6,612,353,024 bytes free

159 --- E O F --- 2009-06-14 20:03
  • 0
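The ComboFix logs in this thread show several settings that infections of this kind typically change: the Security Center warnings for antivirus and updates are suppressed ("AntiVirusDisableNotify" and "UpdatesDisableNotify" set to 1), the Windows Firewall is off for the standard profile ("EnableFirewall"= 0), and ports are opened globally. Browser-redirect malware also commonly points the Internet Settings ProxyServer at the local machine. As an added example that is not ComboFix's own code and is not part of this thread, here is a small Python checker that reads the 'Reg Loading Points' and 'Supplementary Scan' lines of such a log and reports those entries. The sample log text is constructed from entries of the kind shown above (the ProxyServer line is a constructed value), and the finding names and functions are my own.

```python
"""Added example, not ComboFix's code and not part of this thread: read the
registry and Internet-settings lines of a ComboFix-style log and report the
settings that infections of this kind typically change."""
import re

# Constructed sample, modelled on the 'Reg Loading Points' and
# 'Supplementary Scan' entries in the logs above (the ProxyServer line is a
# constructed value of the kind browser-redirect malware sets).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1145:UDP"= 1145:UDP:Windows Media Format SDK (firefox.exe)

------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")            # [HKEY...] registry key header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name"=value
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
LOCAL_RE = re.compile(r"localhost|127\.0\.0\.1", re.IGNORECASE)
DWORD_ONE_RE = re.compile(r"dword:0*1", re.IGNORECASE)


def audit_combofix_log(text):
    """Return a list of findings; each is a dict with 'kind', 'detail', 'key'."""
    findings = []
    key = ""  # registry key that the following "Name"=value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy = m.group(1).strip()
            if LOCAL_RE.search(proxy):
                # A proxy on the local machine means something on the host
                # sits between the browser and the network.
                findings.append({"kind": "local_proxy", "detail": proxy, "key": ""})
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        lname = name.lower()
        if "security center" in key and lname.endswith("disablenotify") and DWORD_ONE_RE.fullmatch(value):
            findings.append({"kind": "notify_disabled", "detail": name, "key": key})
        elif key.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall" and value.startswith("0"):
            findings.append({"kind": "firewall_off", "detail": name, "key": key})
        elif "globallyopenports" in key:
            findings.append({"kind": "open_port", "detail": value or name, "key": key})
    return findings


def format_report(findings):
    """One human-readable line per finding, for pasting into a reply."""
    labels = {
        "notify_disabled": "Security Center warning suppressed",
        "firewall_off": "Windows Firewall disabled (standard profile)",
        "open_port": "port opened in firewall for all interfaces",
        "local_proxy": "browser proxy points at the local machine",
    }
    return [f"{labels[f['kind']]}: {f['detail']}" for f in findings]


if __name__ == "__main__":
    for line in format_report(audit_combofix_log(SAMPLE_LOG)):
        print(line)
```

Run it on a saved ComboFix.txt by passing the file's contents to audit_combofix_log; each finding is something to re-check after the cleanup (notifications re-enabled, firewall back on, proxy cleared), since the malware is gone only when the settings it changed are back to normal.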

#8
CatByte

CatByte

    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
Hi

you are missing an important file from your system

so we need to try and find one:

please do the following:


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *proquota*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


NEXT

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Quotebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the quote box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

SRPeek::
c:\windows\system32\proquota.exe
SkipFix::


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  • 0

#9
MrX3

MrX3

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
SystemLook.txt
-----------------------------
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 17:45 on 21/06/2009 by Rosemeire Harris (Administrator - Elevation successful)

========== filefind ==========

Searching for "*proquota*"
C:\I386\PROQUOTA.EX_ --a--c 26415 bytes [20:29 25/04/2008] [12:00 14/04/2008] BB8E621D8749056853A593FA8A762469
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir --a--c 35328 bytes [20:33 25/04/2008] [12:00 14/04/2008] 2C56A56F352E6073E94C42CC8BC70068

-=End Of File=-


comboFix.txt
-----------------------------
ComboFix 09-06-20.04 - Rosemeire Harris 06/21/2009 17:52.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1565 [GMT -7:00]
Running from: c:\documents and settings\Rosemeire Harris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rosemeire Harris\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-05-22 to 2009-06-22 )))))))))))))))))))))))))))))))
.

2009-12-28 00:08 . 2009-03-09 12:19 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-06-22 00:39 . 2009-06-22 00:39 -------- dc----w- c:\documents and settings\Rosemeire Harris\Application Data\Malwarebytes
2009-06-21 22:11 . 2009-06-21 22:11 -------- dc----w- c:\documents and settings\Christopher Harris\Application Data\Malwarebytes
2009-06-15 21:53 . 2009-06-15 21:53 -------- dc----w- C:\Rooter$
2009-06-15 20:15 . 2009-06-15 20:15 -------- dc----w- c:\program files\ERUNT
2009-06-15 19:28 . 2009-06-15 19:28 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\Apple
2009-06-15 17:55 . 2009-05-26 20:20 40160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 17:55 . 2009-06-15 17:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-15 17:55 . 2009-05-26 20:19 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 23:25 . 2009-06-15 17:55 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 23:23 . 2009-06-14 23:15 3371384 -c--a-w- C:\zzz-setup.exe
2009-06-10 19:11 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 19:11 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 04:19 . 2009-06-09 04:19 -------- dcsh--w- c:\documents and settings\Christopher Harris\IECompatCache
2009-06-08 01:22 . 2009-06-08 01:22 -------- dcsh--w- c:\documents and settings\Rosemeire Harris\IECompatCache
2009-05-30 05:30 . 2009-05-30 05:30 -------- dc----w- C:\$WIN_NT$.~BT
2009-05-30 04:43 . 2009-06-15 20:13 55424 -c--a-w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 03:03 . 2009-05-28 03:03 -------- dcsh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-28 03:03 . 2009-05-28 03:03 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-05-27 17:50 . 2009-05-27 17:50 -------- dcsh--w- c:\documents and settings\Rosemeire Harris\PrivacIE
2009-05-23 19:27 . 2009-05-23 19:27 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\Mozilla
2009-05-23 08:37 . 2009-05-23 08:37 -------- dcsh--w- c:\documents and settings\Christopher Harris\PrivacIE
2009-05-23 08:35 . 2009-05-23 08:35 -------- dc----w- c:\documents and settings\Christopher Harris\Local Settings\Application Data\SupportSoft
2009-05-23 05:14 . 2009-05-23 05:14 152576 -c--a-w- c:\documents and settings\Rosemeire Harris\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 19:55 . 2009-02-13 19:00 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-15 20:07 . 2009-03-13 06:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-12 15:16 . 2008-12-03 16:18 -------- dc----w- c:\program files\Microsoft Works
2009-05-23 05:21 . 2008-12-03 15:51 -------- dc----w- c:\program files\Java
2009-05-13 05:15 . 2008-04-25 20:33 915456 -c--a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2008-04-25 20:33 345600 -c--a-w- c:\windows\system32\localspl.dll
2009-05-01 21:41 . 2009-03-14 05:02 11952 -c--a-w- c:\windows\system32\avgrsstx.dll
2009-05-01 21:40 . 2009-03-14 05:01 325896 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-01 21:40 . 2009-03-14 05:01 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-01 21:37 . 2009-03-14 05:02 108552 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-01 18:30 . 2009-05-01 18:30 3366912 -c--a-w- c:\windows\system32\GPhotos.scr
2009-04-17 12:26 . 2008-04-25 20:33 1847168 -c--a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-25 20:33 585216 -c--a-w- c:\windows\system32\rpcrt4.dll
2008-12-03 16:26 . 2008-12-03 16:26 75 -csh--r- c:\windows\CT4CET.bin
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\system32\wbem\proquota.exe [x]
[-] 2C56A56F352E6073E94C42CC8BC70068 35328 \RP2\A0001034.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-06-21_21.03.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-22 00:39 . 2009-06-22 00:39 16384 c:\windows\temp\Perflib_Perfdata_758.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [BU]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-14 1343488]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-14 137752]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-07-11 537896]
"WLSS"="c:\program files\Wireless Select Switch\WLSS.exe" [2008-07-11 492840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-07-13 16876032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-03 16:27 10536 -c--a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 21:41 11952 -c--a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1145:UDP"= 1145:UDP:Windows Media Format SDK (firefox.exe)
"1144:UDP"= 1144:UDP:Windows Media Format SDK (firefox.exe)
"1150:UDP"= 1150:UDP:Windows Media Format SDK (firefox.exe)

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/3/2008 8:58 AM 9856]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/13/2009 10:01 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/13/2009 10:02 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/13/2009 10:00 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/13/2009 10:00 PM 298776]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [12/3/2008 10:04 AM 93968]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [12/3/2008 10:05 AM 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [12/3/2008 10:05 AM 269760]
S3 OA004Afx;Provides a software interface to control audio effects of OA004 camera.;c:\windows\system32\drivers\OA004Afx.sys [12/3/2008 10:05 AM 148056]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-03 c:\windows\Tasks\User_Feed_Synchronization-{A8D7AE51-7F82-4FCF-856D-6031391897B2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

2009-03-28 c:\windows\Tasks\WECPUpdate.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2009-02-25 14:28]
.
- - - - ORPHANS REMOVED - - - -

BHO-{26070AD0-CF3E-49be-8C83-85A63BFD36D5} - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 17:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-22 17:55
ComboFix-quarantined-files.txt 2009-06-22 00:55
ComboFix2.txt 2009-06-21 23:08
ComboFix3.txt 2009-06-21 22:24
ComboFix4.txt 2009-06-21 22:07
ComboFix5.txt 2009-06-22 00:49

Pre-Run: 6,674,485,248 bytes free
Post-Run: 6,663,131,136 bytes free

162 --- E O F --- 2009-06-14 20:03
  • 0
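Each SystemLook filefind line carries the path, attributes, size, two timestamps and an MD5, which is what is needed to answer the question being worked through here: is there a copy of proquota.exe where Windows expects it, or only a compressed copy in the I386 installer cache and a copy that ComboFix moved to quarantine? As an added example (not SystemLook's or ComboFix's code, and not from this thread), here is a Python parser for that output, fed the two lines from the SystemLook.txt above; the expected path, the category names and the functions are my own assumptions. One caveat the code comments on: the hash of PROQUOTA.EX_ cannot be compared with the hash of an expanded .exe, because the .EX_ is a compressed installer image.

```python
"""Added example, not SystemLook's or ComboFix's code and not from this thread:
parse SystemLook ':filefind' output and report where copies of a system file
live, so that a missing or misplaced copy stands out."""
import re

# Sample copied from the SystemLook.txt posted above (paths and hashes are the
# values shown there).
SAMPLE_FILEFIND = r"""
========== filefind ==========

Searching for "*proquota*"
C:\I386\PROQUOTA.EX_ --a--c 26415 bytes [20:29 25/04/2008] [12:00 14/04/2008] BB8E621D8749056853A593FA8A762469
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir --a--c 35328 bytes [20:33 25/04/2008] [12:00 14/04/2008] 2C56A56F352E6073E94C42CC8BC70068

-=End Of File=-
"""

# path  attrs  size bytes  [modified]  [created]  MD5
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$",
    re.IGNORECASE,
)


def parse_filefind(text):
    """Return one dict per result line; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def classify(entries, expected_path):
    """Sort the matches by where they live relative to the expected location.

    Hashes are deliberately not compared across categories: a .EX_ in the
    installer cache is a compressed image, so its MD5 will never equal the
    MD5 of the expanded .exe, even when both are the genuine file.
    """
    expected = expected_path.lower()
    report = {"present": False, "installer": [], "quarantined": [], "other": []}
    for e in entries:
        p = e["path"].lower()
        if p == expected:
            report["present"] = True
        elif p.endswith(".ex_") and "\\i386\\" in p:
            report["installer"].append(e["path"])
        elif p.endswith(".vir") and "\\quarantine\\" in p:
            report["quarantined"].append(e["path"])
        else:
            # Same file name in a directory where Windows does not keep it:
            # worth a closer look, whether or not it turns out to be malicious.
            report["other"].append(e["path"])
    return report


def review(report, expected_path):
    """Plain-language notes for the reply: what is missing and what exists where."""
    notes = []
    if not report["present"]:
        notes.append(f"{expected_path} is missing from its expected location")
    for p in report["installer"]:
        notes.append(f"compressed installer copy available: {p}")
    for p in report["quarantined"]:
        notes.append(f"copy removed to quarantine: {p}")
    for p in report["other"]:
        notes.append(f"copy in an unexpected location, review it: {p}")
    return notes


if __name__ == "__main__":
    target = r"c:\windows\system32\proquota.exe"
    for note in review(classify(parse_filefind(SAMPLE_FILEFIND), target), target):
        print(note)
```

On the log above the review reports that the expected copy is missing, that an installer copy exists under C:\I386, and that the quarantined copy came from system32\wbem rather than system32, which is why the next step in the thread is to expand the installer copy back into place rather than restore the quarantined one.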

#10
CatByte

CatByte

    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
Hi,

do you have your installation disk handy?
  • 0



#11
MrX3

MrX3

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Yes, the generic Windows XP that came with the netbook from Dell.
  • 0

#12
CatByte

CatByte

    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
You will need to go into the Recovery Console. To do this, follow these steps:
  • Insert your Windows XP CD into your CD drive.
  • Shutdown your computer.
  • Turn on your computer, and immediately press f12
  • Keep on rapidly pressing f12. You should get a one time boot screen. Use the arrow keys and choose your CD rom drive.
    • Note: If you get to the windows login screen, you have gone too far. Shut the computer down and try again.
  • You should then get a box that says: press any key to boot to the cd...
  • Make sure you press a key quickly!
  • You should now get a blue screen with white text. Allow the CD to load. This may take some time.
  • You will then be presented with the recovery console.
  • You should see this text:
  • Press the "R" button to enter Recovery Console.

If you have a dual-boot or multiple-boot system, choose the installation that you need to access from the Recovery Console. When prompted, type the Administrator password. (If there is no administrator password, just press the enter key)

You should now be at the prompt.

You will need to enter the following text in bold exactly as it is. (d being the letter assigned to your CDROM. If it's different on your system, make the necessary adjustment):

expand d:\i386\proquota.ex_ c:\windows\system32\proquota.exe

and press Enter. If it asks you if you want to overwrite, click "y" to replace it.

Next, type exit to exit the command prompt and restart your computer.

Let me know if the file copies over successfully.
  • 0

#13
CatByte

CatByte

    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
I have to apologize, I can't stay on line any longer...I'll be back tomorrow evening to pick this up again.
  • 0

#14
MrX3

MrX3

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I will follow your last steps and see how it goes. Will post my results and check back tomorrow evening.

Thanks very much for your help!
  • 0

#15
MrX3

MrX3

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi,

Ok, things did not go quite as smoothly this time, perhaps because I was not patient.

Attached CD drive with generic XP OS disk provided by vendor. When I booted up, I saw Windows Recovery Console as one of the boot partitions of the machine, next to the Windows partition. I knew you said to boot from CD, but I tried booting into this Recovery Console, as I had not seen it before. It gave me the following error:
"NTLDR is compressed. Press CNTR-ALT-DEL to continue"

Pressed Ctrl-Alt-Delete, which rebooted the machine. Tried one more time to get into the Recovery Console on the machine, same error.

Next I booted from the CD. But there was no Recovery Console option, perhaps because during the days after my original post I had started to install Windows, but had stopped. As I remember, the 3 options I saw last night were: 1) continue with previous Windows installation, 2) start new Windows installation, or 3) quit.

There was no Recovery Console option shown when I booted from the OS CD.

So, I continued with my already started installation, thinking that it would replace all the OS files (including proquota.exe).

After installing Windows, I booted it up and got a message saying "This copy of Windows must be activated with Microsoft before you can log on. Do you want to activate now?"

I say yes, and it goes to a blank desktop, with only the background screen and sits there, doing nothing. Multiple attempts give the same results.

Suspect I should not have reinstalled windows without finishing the process of removing the viruses completely.

Is there any way to recover now?

Thanks,
X3
  • 0
