Unable to connect to internet and shuts down without warning


#1
ahboy123
Hi guys,

I've a computer that can't connect to the internet. It also shuts down or restarts without warning. This computer belongs to my friend and she didn't realise she had a malware/virus problem since her computer behaved this way. She said that this problem started about 3 months ago and she didn't remember how she got infected.

Symptoms:
- System is able to detect wireless signals but is unable to connect to the internet.
- Computer occasionally pops up an "End Program Now" message before shutting down or restarting Windows without user control.
- In Task Manager, I find weird processes such as repeated svchost.exe running with memory usage of around 15 MB each (a picture "tskmgr" of all processes running is attached as tskmgr.bmp).

Attempts:
- Used Norton Security Scan but found nothing after several full scans.
- I tried to use MalwareBytes by installing it recently, but to no avail as there is no internet to update the program.
- Scanned the computer with OTS by OldTimer recently. (The scan log file is attached.)

Please share with me what the problem is. Thank you.


~ahboy123

The following is the OTS log:

OTS logfile created on: 11/18/2011 8:41:36 PM - Run 1
OTS by OldTimer - Version 3.1.41.4     Folder = C:\Documents and Settings\User\Desktop\KeyGenGuru Malware\OTS
Windows XP Professional Edition Service Pack 3, v.3311 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 105.10 Gb Total Space | 0.03 Gb Free Space | 0.03% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: USER-911D5E56BF
Current User Name: User
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
4027771412.exe -> C:\WINDOWS\3944082703:4027771412.exe -> File not found
svchost.exe -> C:\WINDOWS\update.5.0\svchost.exe -> [2011/11/15 23:23:56 | 000,351,744 | ---- | M] ()
sysdriver32.exe -> C:\WINDOWS\sysdriver32.exe -> [2011/11/02 08:33:17 | 000,262,656 | ---- | M] ()
svchost.exe -> C:\WINDOWS\update.2\svchost.exe -> [2011/11/01 14:51:27 | 001,945,088 | ---- | M] ()
svchostdriver.exe -> C:\WINDOWS\update.7.1\svchostdriver.exe -> [2011/08/19 21:32:24 | 000,386,560 | ---- | M] ()
hblitesa.exe -> C:\Program Files\HBLite\bin\12.0.2.0\HBLiteSA.exe -> [2011/08/18 00:24:30 | 000,814,592 | ---- | M] (Pinball Corporation.)
svchost.exe -> C:\WINDOWS\update.3\svchost.exe -> [2011/08/12 16:33:21 | 000,273,920 | ---- | M] ()
l1rezerv.exe -> C:\WINDOWS\l1rezerv.exe -> [2011/07/23 22:43:02 | 000,232,960 | ---- | M] ()
svchost.exe -> C:\WINDOWS\update.1\svchost.exe -> [2011/07/20 21:05:05 | 001,149,952 | -H-- | M] ()
svchost.exe -> C:\WINDOWS\update.tray-7-0\svchost.exe -> [2011/07/20 21:05:05 | 001,147,392 | -H-- | M] ()
applemobiledeviceservice.exe -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2011/05/25 14:06:20 | 000,037,664 | ---- | M] (Apple Inc.)
ots.exe -> C:\Documents and Settings\User\Desktop\KeyGenGuru Malware\OTS\OTS.exe -> [2011/02/20 01:14:48 | 000,642,560 | ---- | M] (OldTimer Tools)
nbservice.exe -> C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -> [2009/10/13 08:39:04 | 000,935,208 | ---- | M] (Nero AG)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/02/12 14:59:34 | 001,033,728 | ---- | M] (Microsoft Corporation)
evteng.exe -> C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -> [2007/10/08 14:27:02 | 000,794,624 | ---- | M] (Intel Corporation)
zcfgsvc.exe -> C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe -> [2007/10/08 14:18:04 | 000,995,328 | ---- | M] (Intel Corporation)
wlkeeper.exe -> C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -> [2007/10/08 14:15:50 | 000,356,352 | ---- | M] (Intel Corporation)
ifrmewrk.exe -> C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe -> [2007/10/08 14:13:36 | 001,101,824 | ---- | M] (Intel Corporation)
dot1xcfg.exe -> C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe -> [2007/10/08 14:09:26 | 000,659,456 | ---- | M] (Intel Corporation)
s24evmon.exe -> C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -> [2007/10/08 14:06:44 | 001,187,840 | ---- | M] (Intel Corporation )
regsrvc.exe -> C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -> [2007/10/08 14:01:54 | 000,487,424 | ---- | M] (Intel Corporation)
bttray.exe -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe -> [2006/05/24 18:28:28 | 000,622,653 | ---- | M] (Broadcom Corporation.)
btstac~1.exe -> C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe -> [2006/05/24 18:27:10 | 001,372,244 | ---- | M] (Broadcom Corporation.)
stsystra.exe -> C:\WINDOWS\stsystra.exe -> [2006/03/24 17:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.)
 
[Modules - Safe List]
ots.exe -> C:\Documents and Settings\User\Desktop\KeyGenGuru Malware\OTS\OTS.exe -> [2011/02/20 01:14:48 | 000,642,560 | ---- | M] (OldTimer Tools)
comctl32.dll -> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.3311_x-ww_d7cb0e02\comctl32.dll -> [2008/02/12 15:00:12 | 001,054,208 | ---- | M] (Microsoft Corporation)
 
[Win32 Services - Safe List]
(srvbtcclient) srvbtcclient [Auto | Running] -> C:\WINDOWS\update.5.0\svchost.exe -> [2011/11/15 23:23:56 | 000,351,744 | ---- | M] ()
(srvsysdriver32) srvsysdriver32 [Auto | Running] -> C:\WINDOWS\sysdriver32.exe -> [2011/11/02 08:33:17 | 000,262,656 | ---- | M] ()
(srviecheck) srviecheck [Auto | Running] -> C:\WINDOWS\update.2\svchost.exe -> [2011/11/01 14:51:27 | 001,945,088 | ---- | M] ()
(ddservice) ddservice [Auto | Running] -> C:\WINDOWS\update.7.1\svchostdriver.exe -> [2011/08/19 21:32:24 | 000,386,560 | ---- | M] ()
(wxpdrivers) wxpdrivers [Auto | Running] -> C:\WINDOWS\update.1\svchost.exe -> [2011/07/20 21:05:05 | 001,149,952 | -H-- | M] ()
(ScanQuery Service) ScanQuery Service [Auto | Stopped] -> C:\Documents and Settings\All Users\Application Data\ScanQuery\scanquery133.exe -> [2011/05/28 17:54:00 | 000,045,056 | ---- | M] ()
(Apple Mobile Device) Apple Mobile Device [Auto | Running] -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2011/05/25 14:06:20 | 000,037,664 | ---- | M] (Apple Inc.)
(Nero BackItUp Scheduler 4.0) Nero BackItUp Scheduler 4.0 [Auto | Running] -> C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -> [2009/10/13 08:39:04 | 000,935,208 | ---- | M] (Nero AG)
(EvtEng) Intel(R) PROSet/Wireless Event Log [Auto | Running] -> C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -> [2007/10/08 14:27:02 | 000,794,624 | ---- | M] (Intel Corporation)
(WLANKEEPER) Intel(R) PROSet/Wireless SSO Service [Auto | Running] -> C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -> [2007/10/08 14:15:50 | 000,356,352 | ---- | M] (Intel Corporation)
(S24EventMonitor) Intel(R) PROSet/Wireless Service [Auto | Running] -> C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -> [2007/10/08 14:06:44 | 001,187,840 | ---- | M] (Intel Corporation )
(RegSrvc) Intel(R) PROSet/Wireless Registry Service [Auto | Running] -> C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -> [2007/10/08 14:01:54 | 000,487,424 | ---- | M] (Intel Corporation)
 
[Driver Services - Safe List]
(NETw4x32) Intel(R) Wireless WiFi Link Adapter Driver for Windows XP 32 Bit [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\NETw4x32.sys -> [2007/09/26 06:01:32 | 002,236,032 | ---- | M] (Intel Corporation)
(s24trans) WLAN Transport [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\s24trans.sys -> [2007/08/27 11:10:36 | 000,012,288 | ---- | M] (Intel Corporation)
(bcm4sbxp) Broadcom 440x 10/100 Integrated Controller XP Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\bcm4sbxp.sys -> [2006/08/17 08:55:16 | 000,044,544 | R--- | M] (Broadcom Corporation)
(btaudio) Bluetooth Audio Device [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\btaudio.sys -> [2006/05/24 18:07:18 | 000,328,237 | ---- | M] (Broadcom Corporation.)
(BTSERIAL) Bluetooth Serial Driver [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\btserial.sys -> [2006/05/24 18:05:26 | 000,023,271 | ---- | M] (Broadcom Corporation.)
(BTKRNL) Bluetooth Bus Enumerator [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\btkrnl.sys -> [2006/05/24 18:04:04 | 000,851,434 | ---- | M] (Broadcom Corporation.)
(BTDriver) Bluetooth Virtual Communications Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\btport.sys -> [2006/05/24 18:01:34 | 000,030,427 | ---- | M] (Broadcom Corporation.)
(btwmodem) Bluetooth Modem [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\btwmodem.sys -> [2006/05/24 18:01:22 | 000,030,285 | ---- | M] (Broadcom Corporation.)
(BTWUSB) WIDCOMM USB Bluetooth Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\btwusb.sys -> [2006/05/24 18:00:50 | 000,066,488 | ---- | M] (Broadcom Corporation.)
(BTWDNDIS) Bluetooth LAN Access Server [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\btwdndis.sys -> [2006/05/24 17:58:18 | 000,148,900 | ---- | M] (Broadcom Corporation.)
(btwhid) btwhid [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\btwhid.sys -> [2006/05/24 17:57:00 | 000,045,683 | ---- | M] (Broadcom Corporation.)
(STHDA) SigmaTel High Definition Audio CODEC [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\sthda.sys -> [2006/03/24 17:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.)
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\SynTP.sys -> [2006/03/08 12:35:10 | 000,191,872 | ---- | M] (Synaptics, Inc.)
(w39n51) Intel(R) PRO/Wireless 3945ABG Adapter Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\w39n51.sys -> [2005/12/05 00:55:30 | 001,428,096 | ---- | M] (Intel® Corporation)
(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\HSX_DPV.sys -> [2005/12/01 01:40:56 | 000,936,960 | ---- | M] (Conexant Systems, Inc.)
(HSXHWAZL) HSXHWAZL [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\HSXHWAZL.sys -> [2005/12/01 01:40:12 | 000,192,512 | ---- | M] (Conexant Systems, Inc.)
(winachsf) winachsf [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\HSX_CNXT.sys -> [2005/12/01 01:40:08 | 000,669,696 | ---- | M] (Conexant Systems, Inc.)
(rimmptsk) rimmptsk [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\rimmptsk.sys -> [2005/07/14 18:58:14 | 000,028,544 | ---- | M] (REDC)
(rismxdp) Ricoh xD-Picture Card Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\rixdptsk.sys -> [2005/07/14 17:28:38 | 000,307,968 | ---- | M] (REDC)
(rimsptsk) rimsptsk [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\rimsptsk.sys -> [2005/07/12 19:00:30 | 000,051,328 | ---- | M] (REDC)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\Hdaudbus.sys -> [2004/08/12 17:45:54 | 000,137,728 | ---- | M] (Windows (R) Server 2003 DDK provider)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Search\\"Default_Search_URL" -> http://www.google.com/ie -> 
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://www.google.com/ie -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.buzqo.com/?cfg=2-401-0-... -> 
HKEY_CURRENT_USER\: Main\\"Start Page Redirect Cache" -> http://malaysia.msn.com/?rd=1 -> 
HKEY_CURRENT_USER\: Main\\"Start Page Redirect Cache AcceptLangs" -> en-us -> 
HKEY_CURRENT_USER\: Main\\"Start Page Redirect Cache_TIMESTAMP" -> F6 6A FC 7B AB 34 CC 01  [binary data] -> 
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local -> 
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\User\Application Data\Mozilla\FireFox\Profiles\56c1ek3m.default\prefs.js -> 
browser.search.defaultenginename -> "Yahoo" ->
browser.search.param.yahoo-fr -> "chr-greentree_ff&type=937811" ->
browser.search.selectedEngine -> "Yahoo" ->
browser.startup.homepage -> "http://www.buzqo.com/?cfg=2-401-0-..." ->
extensions.enabledItems -> {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 ->
extensions.enabledItems -> [email protected]:1.0 ->
extensions.enabledItems -> {DE9265D8-D55D-4286-9DC4-F8D8A0CA2F64}:1.0 ->
extensions.enabledItems -> [email protected]:3.0.517.0 ->
extensions.enabledItems -> [email protected]:11.0.0.0 ->
keyword.URL -> "http://malaysia.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=" ->
network.proxy.type -> 0 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\extensions ->  -> 
HKLM\software\mozilla\Firefox\extensions\\[email protected] -> C:\Program Files\ShopperReports3\bin\3.1.71.0\firefox\firefoxtoolbar\extensions [C:\PROGRAM FILES\SHOPPERREPORTS3\BIN\3.1.71.0\FIREFOX\FIREFOXTOOLBAR\EXTENSIONS] -> [2011/07/08 17:30:24 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\extensions\\[email protected] -> C:\Program Files\HBLite\bin\12.0.2.0\firefox\extensions [C:\PROGRAM FILES\HBLITE\BIN\12.0.2.0\FIREFOX\EXTENSIONS] -> [2011/08/19 21:24:54 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 5.0\extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2011/07/07 12:41:47 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2011/06/27 18:16:35 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
  -> C:\Documents and Settings\User\Application Data\Mozilla\Extensions -> [2011/03/24 17:50:39 | 000,000,000 | ---D | M]
  -> C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\56c1ek3m.default\extensions -> [2011/03/24 17:50:39 | 000,000,000 | ---D | M]
< FireFox SearchPlugins [User Folders] > -> 
 ask.uk.xml -> C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\56c1ek3m.default\searchplugins\ask.uk.xml -> [2011/07/11 16:52:29 | 000,001,735 | ---- | M] ()
< FireFox Extensions [Program Folders] > -> 
  -> C:\Program Files\Mozilla Firefox\extensions -> [2011/08/28 14:09:07 | 000,000,000 | ---D | M]
Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} -> [2011/03/21 22:09:20 | 000,000,000 | ---D | M]
ScanQuery   -> C:\Program Files\Mozilla Firefox\extensions\{DE9265D8-D55D-4286-9DC4-F8D8A0CA2F64} -> [2011/05/28 20:33:30 | 000,000,000 | ---D | M]
No name found ->  -> File not found
Java Quick Starter -> C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF -> [2011/03/21 22:09:11 | 000,000,000 | ---D | M]
ShopperReports -> C:\PROGRAM FILES\SHOPPERREPORTS3\BIN\3.1.71.0\FIREFOX\FIREFOXTOOLBAR\EXTENSIONS -> [2011/07/08 17:30:24 | 000,000,000 | ---D | M]
< FireFox Components [Program Folders] > -> 
 BrowserExtensionFF.dll -> C:\Program Files\ShopperReports3\bin\3.1.71.0\firefox\firefoxtoolbar\extensions\components\BrowserExtensionFF.dll -> [2011/06/28 04:41:32 | 000,215,552 | ---- | M] ()
< HOSTS File > ([2011/11/18 20:33:07 | 000,202,984 | -H-- | M] - 100098 lines) -> C:\WINDOWS\system32\drivers\etc\hosts -> 
First 25 entries...
Reset Hosts
127.0.0.1       localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
127.0.0.1 et-ee.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 eo-eo.facebook.com
127.0.0.1 eu-es.facebook.com
127.0.0.1 tl-ph.facebook.com
127.0.0.1 fo-fo.facebook.com
127.0.0.1 fr-fr.facebook.com
127.0.0.1 fy-nl.facebook.com
127.0.0.1 ga-ie.facebook.com
127.0.0.1 gl-es.facebook.com
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{100EB1FD-D03E-47fd-81F3-EE91287F9465} [HKLM] -> C:\Program Files\ShopperReports3\bin\3.1.71.0\ShopperReports.dll [ShopperReports] -> [2011/06/28 04:41:52 | 001,062,912 | ---- | M] (SmartShopper Inc.)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"2968649.exe" -> C:\WINDOWS\TEMP\2968649.exe ["C:\WINDOWS\TEMP\2968649.exe"] -> [2011/07/20 21:20:56 | 000,232,960 | ---- | M] ()
"354484.exe" -> C:\WINDOWS\TEMP\354484.exe ["C:\WINDOWS\TEMP\354484.exe"] -> [2011/11/01 14:51:27 | 001,942,528 | ---- | M] ()
"45127786-loader2.exe" -> C:\Documents and Settings\User\Local Settings\Temp\45127786-loader2.exe ["C:\DOCUME~1\User\LOCALS~1\Temp\45127786-loader2.exe"] -> [2011/07/22 14:26:57 | 000,249,344 | ---- | M] ()
"68260023-loader2.exe" -> C:\Documents and Settings\User\Local Settings\Temp\68260023-loader2.exe ["C:\DOCUME~1\User\LOCALS~1\Temp\68260023-loader2.exe"] -> [2011/07/21 23:21:23 | 000,245,760 | ---- | M] ()
"7295887.exe" -> C:\Documents and Settings\User\Local Settings\Temp\7295887.exe ["C:\DOCUME~1\User\LOCALS~1\Temp\7295887.exe"] -> [2011/07/20 21:20:47 | 000,232,960 | ---- | M] ()
"8862149.exe" -> C:\WINDOWS\TEMP\8862149.exe ["C:\WINDOWS\TEMP\8862149.exe"] -> [2011/11/02 09:14:41 | 000,257,024 | ---- | M] ()
"Adobe Reader Speed Launcher" -> C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe ["C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"] -> [2010/11/10 12:49:36 | 000,035,736 | ---- | M] (Adobe Systems Incorporated)
"avast5" ->  ["C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui] -> File not found
"Google Pinyin 2 Autoupdater" -> C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe ["C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe"] -> [2011/03/21 23:35:34 | 001,214,520 | ---- | M] (Google Inc.)
"HBLiteSA" -> C:\Program Files\hblite\bin\12.0.2.0\HBLiteSA.exe ["C:\Program Files\hblite\bin\12.0.2.0\HBLiteSA.exe"] -> [2011/08/18 00:24:30 | 000,814,592 | ---- | M] (Pinball Corporation.)
"IMJPMIG8.1" -> C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE ["C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32] -> [2008/02/12 00:54:54 | 000,208,952 | ---- | M] (Microsoft Corporation)
"IntelWireless" -> C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe ["C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless] -> [2007/10/08 14:13:36 | 001,101,824 | ---- | M] (Intel Corporation)
"IntelZeroConfig" -> C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe ["C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"] -> [2007/10/08 14:18:04 | 000,995,328 | ---- | M] (Intel Corporation)
"KernelFaultCheck" ->  [%systemroot%\system32\dumprep 0 -k] -> File not found
"l1rezerv.exe" -> C:\WINDOWS\l1rezerv.exe ["C:\WINDOWS\l1rezerv.exe"] -> [2011/07/23 22:43:02 | 000,232,960 | ---- | M] ()
"MSPY2002" -> C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe [C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC] -> [2008/02/12 00:54:40 | 000,059,392 | ---- | M] ()
"PHIME2002A" -> C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE [C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName] -> [2008/02/12 00:54:52 | 000,455,168 | ---- | M] (Microsoft Corporation)
"PHIME2002ASync" -> C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE [C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC] -> [2008/02/12 00:54:52 | 000,455,168 | ---- | M] (Microsoft Corporation)
"SigmatelSysTrayApp" -> C:\WINDOWS\stsystra.exe [stsystra.exe] -> [2006/03/24 17:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.)
"sysdriver32.exe" -> C:\WINDOWS\sysdriver32.exe ["C:\WINDOWS\sysdriver32.exe" rezerv] -> [2011/11/02 08:33:17 | 000,262,656 | ---- | M] ()
"sysdriver32_.exe" -> C:\WINDOWS\sysdriver32_.exe ["C:\WINDOWS\sysdriver32_.exe" rezerv] -> [2011/11/02 08:33:17 | 000,257,024 | ---- | M] ()
"systemup" -> C:\WINDOWS\systemup.exe ["C:\WINDOWS\systemup.exe" stand] -> [2011/08/28 21:46:43 | 000,130,560 | ---- | M] ()
"tray_ico" ->  [] -> File not found
"tray_ico0" -> C:\WINDOWS\update.tray-7-0\svchost.exe [C:\WINDOWS\update.tray-7-0\svchost.exe] -> [2011/07/20 21:05:05 | 001,147,392 | -H-- | M] ()
"tray_ico1" ->  [] -> File not found
"tray_ico2" ->  [] -> File not found
"tray_ico3" ->  [] -> File not found
"tray_ico4" ->  [] -> File not found
"w_distrib.exe" -> C:\WINDOWS\update.3\svchost.exe ["C:\WINDOWS\update.3\svchost.exe" stand] -> [2011/08/12 16:33:21 | 000,273,920 | ---- | M] ()
"wxpdrv" -> C:\WINDOWS\services32.exe [C:\WINDOWS\services32.exe] -> [2011/07/20 21:05:05 | 001,147,392 | ---- | M] ()
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -> 
"Malwarebytes' Anti-Malware" -> C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent] -> [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe -> [2006/05/24 18:28:28 | 000,622,653 | ---- | M] (Broadcom Corporation.)
< User Startup Folder > -> C:\Documents and Settings\User\Start Menu\Programs\Startup -> 
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"EnableLUA" ->  [0] -> File not found
\\"EnableSecureUIAPaths" ->  [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
Send to &Bluetooth Device... -> C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm [C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm] -> [2003/05/29 13:53:12 | 000,001,320 | ---- | M] ()
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{C5428486-50A0-4a02-9D20-520B59A9F9B2}:{C9CCBB35-D123-4a31-AFFC-9B2933132116} [HKLM] -> C:\Program Files\ShopperReports3\bin\3.1.71.0\ShopperReports.dll [Button: ShopperReports - Compare product prices] -> [2011/06/28 04:41:52 | 001,062,912 | ---- | M] (SmartShopper Inc.)
{C5428486-50A0-4a02-9D20-520B59A9F9B3}:{A16AD1E9-F69A-45af-9462-B1C286708842} [HKLM] -> C:\Program Files\ShopperReports3\bin\3.1.71.0\ShopperReports.dll [Button: ShopperReports - Compare travel rates] -> [2011/06/28 04:41:52 | 001,062,912 | ---- | M] (SmartShopper Inc.)
{CCA281CA-C863-46ef-9331-5C8D4460577F}:C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm [HKLM] -> C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm [Button: @btrez.dll,-4015] -> [2003/05/29 13:53:08 | 000,002,681 | ---- | M] ()
{CCA281CA-C863-46ef-9331-5C8D4460577F}:C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm [HKLM] -> C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm [Menu: @btrez.dll,-12650] -> [2003/05/29 13:53:08 | 000,002,681 | ---- | M] ()
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab [Java Plug-in 1.6.0_22] -> 
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab [Java Plug-in 1.6.0_22] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab [Java Plug-in 1.6.0_22] -> 
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [Reg Error: Key error.] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.2.1 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{66FAE452-5065-4F45-AA18-550CA2337596}\\DhcpNameServer -> 192.168.2.1   (Intel(R) PRO/Wireless 3945ABG Network Connection) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/02/12 14:59:34 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
C:\Documents and Settings\User\Local Settings\Application Data\0fed15eb\X ->  -> File not found
*MultiFile Done* -> -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
igfxcui -> C:\WINDOWS\System32\igfxdev.dll -> [2005/12/13 17:40:12 | 000,139,264 | ---- | M] (Intel Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Documents and Settings\User\My Documents\Downloads\Flash-Player.exe" ->  [C:\Documents and Settings\User\My Documents\Downloads\Flash-Player.exe:*:Enabled:C:\Documents and Settings\User\My Documents\Downloads\Flash-Player.exe] -> File not found
"C:\Documents and Settings\User\My Documents\Downloads\utorrent.exe" ->  [C:\Documents and Settings\User\My Documents\Downloads\utorrent.exe:*:Enabled:µTorrent] -> File not found
"C:\Program Files\eMule\emule.exe" ->  [C:\Program Files\eMule\emule.exe:*:Enabled:eMule] -> File not found
"C:\Program Files\iTunes\iTunes.exe" -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> [2011/06/07 17:51:08 | 009,776,936 | ---- | M] (Apple Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" -> C:\Program Files\uTorrent\uTorrent.exe [C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent] -> [2011/06/22 18:57:24 | 000,399,736 | ---- | M] (BitTorrent, Inc.)
"C:\WINDOWS\services32.exe" -> C:\WINDOWS\services32.exe [C:\WINDOWS\services32.exe:*:Enabled:C:\WINDOWS\services32.exe] -> [2011/07/20 21:05:05 | 001,147,392 | ---- | M] ()
"C:\WINDOWS\update.1\svchost.exe" -> C:\WINDOWS\update.1\svchost.exe [C:\WINDOWS\update.1\svchost.exe:*:Enabled:C:\WINDOWS\update.1\svchost.exe] -> [2011/07/20 21:05:05 | 001,149,952 | -H-- | M] ()
"C:\WINDOWS\update.2\5284.exe" -> C:\WINDOWS\update.2\5284.exe [C:\WINDOWS\update.2\5284.exe:*:Enabled:C:\WINDOWS\update.2\5284.exe] -> [2011/07/23 22:41:43 | 000,495,616 | ---- | M] ()
"C:\WINDOWS\update.2\svchost.exe" -> C:\WINDOWS\update.2\svchost.exe [C:\WINDOWS\update.2\svchost.exe:*:Enabled:C:\WINDOWS\update.2\svchost.exe] -> [2011/11/01 14:51:27 | 001,945,088 | ---- | M] ()
"C:\WINDOWS\update.3\svchost.exe" -> C:\WINDOWS\update.3\svchost.exe [C:\WINDOWS\update.3\svchost.exe:*:Enabled:C:\WINDOWS\update.3\svchost.exe] -> [2011/08/12 16:33:21 | 000,273,920 | ---- | M] ()
"C:\WINDOWS\update.tray-7-0\svchost.exe" -> C:\WINDOWS\update.tray-7-0\svchost.exe [C:\WINDOWS\update.tray-7-0\svchost.exe:*:Enabled:C:\WINDOWS\update.tray-7-0\svchost.exe] -> [2011/07/20 21:05:05 | 001,147,392 | -H-- | M] ()
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
"AlternateShell" -> services32.exe -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2011/03/21 20:55:47 | 000,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
\{86ccda5b-cf89-11e0-a859-00197edc2505}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ccda5b-cf89-11e0-a859-00197edc2505}\Shell\AutoRun\command
\{86ccda5b-cf89-11e0-a859-00197edc2505}\Shell\AutoRun\command\\"" ->  [E:\installer.exe] -> File not found
\{86ccda5b-cf89-11e0-a859-00197edc2505}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ccda5b-cf89-11e0-a859-00197edc2505}\Shell\verb\command
\{86ccda5b-cf89-11e0-a859-00197edc2505}\Shell\verb\command\\"" ->  [E:\installer.exe] -> File not found
\{8ec13435-5619-11e0-a736-0015c57b9ca1}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ec13435-5619-11e0-a736-0015c57b9ca1}\Shell\AutoRun\command
\{8ec13435-5619-11e0-a736-0015c57b9ca1}\Shell\AutoRun\command\\"" ->  [F:\BestFoodJunction.html] -> File not found
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = comfile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
 
 
[Files/Folders - Created Within 30 Days]
   -> C:\WINDOWS\  -> File not found
 KeyGenGuru Malware -> C:\Documents and Settings\User\Desktop\KeyGenGuru Malware -> [2011/11/18 20:39:07 | 000,000,000 | ---D | C]
 Malwarebytes -> C:\Documents and Settings\User\Application Data\Malwarebytes -> [2011/11/18 20:34:51 | 000,000,000 | ---D | C]
 Malwarebytes' Anti-Malware -> C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware -> [2011/11/18 20:34:43 | 000,000,000 | ---D | C]
 Malwarebytes -> C:\Documents and Settings\All Users\Application Data\Malwarebytes -> [2011/11/18 20:34:42 | 000,000,000 | ---D | C]
 mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2011/11/18 20:34:39 | 000,022,216 | ---- | C] (Malwarebytes Corporation)
 Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2011/11/18 20:34:39 | 000,000,000 | ---D | C]
 MalwareBytes v1.2.1300 (NOT INSTALLED) -> C:\Documents and Settings\User\Desktop\MalwareBytes v1.2.1300 (NOT INSTALLED) -> [2011/11/18 20:33:37 | 000,000,000 | ---D | C]
 New Folder -> C:\Documents and Settings\User\Desktop\New Folder -> [2011/11/16 22:15:34 | 000,000,000 | ---D | C]
 Macromedia -> C:\Documents and Settings\LocalService\Application Data\Macromedia -> [2011/11/01 23:54:23 | 000,000,000 | ---D | C]
 Adobe -> C:\Documents and Settings\LocalService\Application Data\Adobe -> [2011/11/01 23:54:09 | 000,000,000 | ---D | C]
 0fed15eb -> C:\Documents and Settings\LocalService\Local Settings\Application Data\0fed15eb -> [2011/11/01 14:53:25 | 000,000,000 | -HSD | C]
 27 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
 
[Files/Folders - Modified Within 30 Days]
   -> C:\WINDOWS\  -> File not found
 Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2011/11/18 20:34:43 | 000,000,784 | ---- | M] ()
 3944082703 -> C:\WINDOWS\3944082703 -> [2011/11/18 20:31:13 | 000,000,000 | ---- | M] ()
 bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2011/11/18 20:31:09 | 000,002,048 | --S- | M] ()
 default.rss -> C:\Documents and Settings\User\Application Data\default.rss -> [2011/11/18 19:39:59 | 000,000,240 | ---- | M] ()
 NeroDigital.ini -> C:\WINDOWS\NeroDigital.ini -> [2011/11/18 18:50:30 | 000,000,069 | ---- | M] ()
 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2011/11/18 16:40:34 | 000,122,368 | ---- | M] ()
 info1 -> C:\WINDOWS\info1 -> [2011/11/15 23:28:43 | 000,000,268 | ---- | M] ()
 wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2011/11/10 20:51:28 | 000,002,206 | ---- | M] ()
 AppleSoftwareUpdate.job -> C:\WINDOWS\tasks\AppleSoftwareUpdate.job -> [2011/11/02 09:50:00 | 000,000,284 | ---- | M] ()
 sysdriver32.exe -> C:\WINDOWS\sysdriver32.exe -> [2011/11/02 08:33:17 | 000,262,656 | ---- | M] ()
 sysdriver32_.exe -> C:\WINDOWS\sysdriver32_.exe -> [2011/11/02 08:33:17 | 000,257,024 | ---- | M] ()
 Norton Security Scan for User.job -> C:\WINDOWS\tasks\Norton Security Scan for User.job -> [2011/10/26 17:55:32 | 000,000,400 | -H-- | M] ()
 3 C:\Documents and Settings\User\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\User\Local Settings\Temp\*.tmp -> 
 3 C:\Documents and Settings\User\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\User\Local Settings\Temp\*.tmp -> 
 27 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
 2 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp -> 
 2 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp -> 
 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
 
[Files - No Company Name]
 Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2011/11/18 20:34:43 | 000,000,784 | ---- | C] ()
 3944082703 -> C:\WINDOWS\3944082703 -> [2011/11/01 14:53:26 | 000,000,000 | ---- | C] ()
 downloads.m3u -> C:\Documents and Settings\User\Application Data\downloads.m3u -> [2011/03/24 22:57:01 | 000,000,000 | ---- | C] ()
 default.rss -> C:\Documents and Settings\User\Application Data\default.rss -> [2011/03/24 21:42:25 | 000,000,240 | ---- | C] ()
 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2011/03/24 21:42:15 | 000,122,368 | ---- | C] ()
 NeroDigital.ini -> C:\WINDOWS\NeroDigital.ini -> [2011/03/24 21:23:07 | 000,000,069 | ---- | C] ()
 ODBCINST.INI -> C:\WINDOWS\ODBCINST.INI -> [2011/03/22 04:17:06 | 000,004,161 | ---- | C] ()
 FontCache3.0.0.0.dat -> C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat -> [2011/03/22 00:39:18 | 000,176,376 | ---- | C] ()
 cpwmon2k.dll -> C:\WINDOWS\System32\cpwmon2k.dll -> [2011/03/21 22:08:26 | 000,087,552 | ---- | C] ()
 unrar.dll -> C:\WINDOWS\System32\unrar.dll -> [2011/03/21 22:03:32 | 000,165,376 | ---- | C] ()
 avisplitter.ini -> C:\WINDOWS\avisplitter.ini -> [2011/03/21 22:03:31 | 000,000,038 | ---- | C] ()
 xvidcore.dll -> C:\WINDOWS\System32\xvidcore.dll -> [2011/03/21 22:03:28 | 000,810,496 | ---- | C] ()
 xvidvfw.dll -> C:\WINDOWS\System32\xvidvfw.dll -> [2011/03/21 22:03:28 | 000,183,808 | ---- | C] ()
 ff_vfw.dll -> C:\WINDOWS\System32\ff_vfw.dll -> [2011/03/21 22:03:27 | 000,080,896 | ---- | C] ()
 rixdicon.dll -> C:\WINDOWS\System32\rixdicon.dll -> [2011/03/21 21:37:09 | 000,016,480 | ---- | C] ()
 btprn2k.dll -> C:\WINDOWS\System32\btprn2k.dll -> [2006/05/24 18:16:22 | 000,090,112 | ---- | C] ()
 lcppn21.dll -> C:\WINDOWS\System32\lcppn21.dll -> [2001/11/14 13:56:00 | 001,802,240 | ---- | C] ()
 
[Files/Folders - Unicode - All]
C:\Documents and Settings\All Users\Start Menu\Programs\?? -> C:\Documents and Settings\All Users\Start Menu\Programs\有道 -> 
 
[Alternate Data Streams]
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3944082703:4027771412.exe
< End of report >

  • 0
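The OTS log above is the kind of thing a responder reads by eye for impostor system binaries: several copies of svchost.exe living under C:\WINDOWS\update.* with firewall rules already granted, one of them hidden, none carrying a company name, plus an .exe tucked into an NTFS alternate data stream. As an added example (not part of the original thread, and not OldTimer's code), here is a small Python triage script that parses OTS-style "authorized application" and alternate-data-stream lines and flags exactly those patterns. The sample lines are constructed to mirror entries in the log (the System32 entry is a made-up benign control); the regular expressions assume the OTS line layout shown above.

```python
import re
from dataclasses import dataclass
from typing import List

# Folder where the genuine copies of these core Windows processes live on XP.
SYSTEM32 = "c:\\windows\\system32\\"
CORE_PROCESSES = {"svchost.exe", "services.exe", "lsass.exe",
                  "csrss.exe", "winlogon.exe", "smss.exe"}

# "<rule>" -> <path> [<firewall rule>] -> [<date> | <size> | <attrs> | M] (<company>)
FW_LINE = re.compile(
    r'^"(?P<rule>[^"]+)" -> (?P<path>.+?) \[[^\]]*\] -> '
    r'\[(?P<date>[^|]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [A-Z]\] \((?P<company>[^)]*)\)$'
)
# @Alternate Data Stream - <n> bytes -> <host file>:<stream name>
ADS_LINE = re.compile(
    r'^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<host>.+?):(?P<stream>[^:]+)$'
)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    path: str
    reason: str


def _check_authorized_app(m) -> List[Finding]:
    path = m["path"].strip()
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    out = []
    if name in CORE_PROCESSES and not lower.startswith(SYSTEM32):
        out.append(Finding("high", path,
                           f"{name} running from outside System32 (core-process name used as camouflage)"))
    if "H" in m["attrs"]:
        out.append(Finding("medium", path, "hidden attribute on a firewall-authorized executable"))
    if not m["company"].strip():
        out.append(Finding("low", path, "no company name in the version resource"))
    return out


def _check_ads(m) -> List[Finding]:
    stream = m["stream"].strip()
    if stream.lower().endswith((".exe", ".dll", ".sys")):
        return [Finding("high", f"{m['host']}:{stream}",
                        "executable stored in an NTFS alternate data stream")]
    return []


def triage_log(text: str) -> List[Finding]:
    """Walk an OTS-style log and return findings in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FW_LINE.match(line)
        if m:
            findings.extend(_check_authorized_app(m))
            continue
        m = ADS_LINE.match(line)
        if m:
            findings.extend(_check_ads(m))
    return findings


# Constructed sample modelled on the log above; the System32 line is a benign control.
SAMPLE_LOG = r'''
"C:\WINDOWS\System32\svchost.exe" -> C:\WINDOWS\System32\svchost.exe [C:\WINDOWS\System32\svchost.exe:*:Enabled:Generic Host] -> [2008/04/14 02:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation)
"C:\WINDOWS\update.2\svchost.exe" -> C:\WINDOWS\update.2\svchost.exe [C:\WINDOWS\update.2\svchost.exe:*:Enabled:C:\WINDOWS\update.2\svchost.exe] -> [2011/11/01 14:51:27 | 001,945,088 | ---- | M] ()
"C:\WINDOWS\update.tray-7-0\svchost.exe" -> C:\WINDOWS\update.tray-7-0\svchost.exe [C:\WINDOWS\update.tray-7-0\svchost.exe:*:Enabled:C:\WINDOWS\update.tray-7-0\svchost.exe] -> [2011/07/20 21:05:05 | 001,147,392 | -H-- | M] ()
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3944082703:4027771412.exe
'''

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.path}\n         {f.reason}")
```

Run on the sample it reports six findings, three of them high: the two impostor svchost.exe copies and the .exe in the alternate data stream. The path check is deliberately a prefix match on System32, so a file named svchost.exe anywhere else on the disk is flagged regardless of how the folder is named.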

#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
This looks like ZeroAccess and a lot more. Your best bet is to get Combofix, and since you can't get online you will also need the XP SP2 files so Combofix can create the recovery console.

Download and Save Combofix to a good PC
from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe



Download Windows XP Service Pack 2 (SP2) (Professional) and Save to a Good PC from:

http://www.microsoft...&displaylang=en

Also get TDSSKiller:
http://support.kaspe.../tdsskiller.exe

OTL:
http://www.geekstogo...timers-list-it/

aswMBR:
http://public.avast....erek/aswMBR.exe

Malwarebytes' Anti-Malware:
http://www.malwarebytes.org/mbam.php

Copy all of these to a CD or USB drive.

Reboot the sick PC into Safe Mode.

(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode. Login with your usual login.)

If possible pause or disable the anti-virus on the sick PC.

Copy all of the files from the CD or USB to the desktop of the sick PC.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Follow the procedure for a manual install of the recovery console:

http://www.bleepingc...manual_recovery

After the console is installed Combofix will run. It may complain because it can't check for an update but should still run.




* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Double click on TDSSKiller.exe (Vista or Win 7 must right click and Run As Admin)
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Double click the aswMBR.exe to run it
uncheck trace disk IO calls
Click the "Scan" button to start scan
On completion of the scan (note whether the Fix button is enabled (not the FixMBR button) and tell me), click Save log, save it to your desktop and post it in your next reply.

Double click on Malwarebytes' Anti-Malware and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Run OTL (Vista or Win 7 => right click and Run As Administrator)

select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

If you still can't get on line then copy the logs to a USB drive and just attach them to your next reply.

Ron
  • 0

#3
ahboy123

ahboy123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Sorry for my tardy reply. I was out of town for a while.

I downloaded the 6 files you instructed. And here goes booting the sick pc.

Oh no, the sick computer won't boot into Safe Mode. After tapping F8, there is an option to boot into Safe Mode and then an option for Windows XP after that. A lot of lines of ".sys" files appear for a while, and then the computer freezes and reboots itself. It just won't boot. What can we do now?
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
If none of the safe mode options will work then you will need to boot from a CD or USB drive (if your PC is new enough that that is an option). I would try Hiren's boot CD.

http://www.hirensboo...BootCD.15.1.zip

Download, save and then right click on it and Extract All. Click on BurnToCD.cmd and follow the instructions to burn the CD. Then move the CD to the sick PC and boot off the CD. (You may need to change the boot order so the CD drive comes before the hard drive. See: http://www.hirensboo...-order-in-bios/ )
Select the miniXP option. See if you can run combofix from it. There are also several antivirus scans you can run from miniXP.
  • 0

#5
ahboy123

ahboy123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Booted Mini Windows XP using HBCD. The desktop has a blue and green wallpaper.

3. Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go. This is shown in the following image.


Dragged and dropped the Windows XP ".exe" file you gave me onto ComboFix. However, there was no prompt saying "Windows Recovery Console is installed". Neither is there any Disclaimers. Did it work?
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Doesn't sound like it did. Can you run Combofix by itself? See if you can run some of the other programs like TDSSKiller, MBAM, aswMBR or some of the anti-virus scans that come with Hiren's.
  • 0

#7
ahboy123

ahboy123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
I re-installed Hiren's, and it seems that the antivirus on the good computer identified some files as Trojans and prevented the installation from completing.

Downloaded all 6 programs on Mini Windows XP Desktop.

- Manually install recovery console:
Dragged and dropped the Windows XP ".exe" file onto ComboFix, and this time ComboFix ran successfully. However, it stops at the blue command prompt window at the line "Attempting to create a new System Restore point" and two pop-ups appear saying "Error! No registry files found to save for the selected options" and "Error! Boot Partition cannot be enumerated correctly". I clicked "OK" for both pop-ups.

A third pop-up appeared to request a scan. I clicked "OK". Soon after that, there were two loud beeps. ComboFix detected a rootkit and requires a reboot. I rebooted the computer and repeated the process from the start. Apparently, the rootkit never goes away. As a result, ComboFix could not be completed.

- TDSS Killer
No threats detected. Log file is as follows:
15:57:46.0421 1832	TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
15:57:46.0437 1832	============================================================
15:57:46.0437 1832	Current date / time: 2011/12/21 15:57:46.0437
15:57:46.0437 1832	SystemInfo:
15:57:46.0437 1832	
15:57:46.0437 1832	OS Version: 5.1.2600 ServicePack: 0.0
15:57:46.0437 1832	Product type: Workstation
15:57:46.0437 1832	ComputerName: MiniXP
15:57:46.0437 1832	UserName: SYSTEM
15:57:46.0437 1832	Windows directory: X:\i386
15:57:46.0437 1832	System windows directory: X:\i386
15:57:46.0437 1832	Processor architecture: Intel x86
15:57:46.0437 1832	Number of processors: 1
15:57:46.0437 1832	Page size: 0x1000
15:57:46.0437 1832	Boot type: Normal boot
15:57:46.0437 1832	============================================================
15:57:46.0812 1832	Initialize success
15:57:49.0781 1852	============================================================
15:57:49.0781 1852	Scan started
15:57:49.0781 1852	Mode: Manual; 
15:57:49.0781 1852	============================================================
15:57:50.0328 1852	MBR (0x1B8)     (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
15:57:50.0609 1852	\Device\Harddisk0\DR0 - ok
15:57:50.0625 1852	MBR (0x1B8)     (08b26729634452d0c2889c002b1bb97c) \Device\Harddisk1\DR1
15:57:51.0375 1852	\Device\Harddisk1\DR1 - ok
15:57:51.0390 1852	MBR (0x1B8)     (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk2\DR7
15:57:51.0578 1852	\Device\Harddisk2\DR7 - ok
15:57:51.0593 1852	Boot (0x1200)   (8f2393ccdd3701f45a56344d576c4bad) \Device\Harddisk0\DR0\Partition0
15:57:51.0593 1852	\Device\Harddisk0\DR0\Partition0 - ok
15:57:51.0593 1852	Boot (0x1200)   (240b87f0acbd4bcf9c3ec5733c871e59) \Device\Harddisk1\DR1\Partition0
15:57:51.0593 1852	\Device\Harddisk1\DR1\Partition0 - ok
15:57:51.0609 1852	Boot (0x1200)   (41823d285d00c45bae9a1818fe55d961) \Device\Harddisk2\DR7\Partition0
15:57:51.0609 1852	\Device\Harddisk2\DR7\Partition0 - ok
15:57:51.0609 1852	============================================================
15:57:51.0609 1852	Scan finished
15:57:51.0609 1852	============================================================
15:57:51.0625 1844	Detected object count: 0
15:57:51.0625 1844	Actual detected object count: 0
15:58:44.0875 1912	============================================================
15:58:44.0875 1912	Scan started
15:58:44.0875 1912	Mode: Manual; 
15:58:44.0875 1912	============================================================
15:58:45.0546 1912	MBR (0x1B8)     (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
15:58:45.0781 1912	\Device\Harddisk0\DR0 - ok
15:58:45.0796 1912	MBR (0x1B8)     (08b26729634452d0c2889c002b1bb97c) \Device\Harddisk1\DR1
15:58:46.0593 1912	\Device\Harddisk1\DR1 - ok
15:58:46.0609 1912	MBR (0x1B8)     (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk2\DR7
15:58:46.0796 1912	\Device\Harddisk2\DR7 - ok
15:58:46.0796 1912	Boot (0x1200)   (8f2393ccdd3701f45a56344d576c4bad) \Device\Harddisk0\DR0\Partition0
15:58:46.0796 1912	\Device\Harddisk0\DR0\Partition0 - ok
15:58:46.0812 1912	Boot (0x1200)   (240b87f0acbd4bcf9c3ec5733c871e59) \Device\Harddisk1\DR1\Partition0
15:58:46.0812 1912	\Device\Harddisk1\DR1\Partition0 - ok
15:58:46.0812 1912	Boot (0x1200)   (41823d285d00c45bae9a1818fe55d961) \Device\Harddisk2\DR7\Partition0
15:58:46.0812 1912	\Device\Harddisk2\DR7\Partition0 - ok
15:58:46.0812 1912	============================================================
15:58:46.0812 1912	Scan finished
15:58:46.0812 1912	============================================================
15:58:46.0828 1904	Detected object count: 0
15:58:46.0828 1904	Actual detected object count: 0

- aswMBR.exe
The "Fix" button remains disabled. Log file is as follows:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-21 16:00:04
-----------------------------
16:00:04.156    OS Version: Windows 5.1.2600 
16:00:04.156    Number of processors: 1 586 0xF02
16:00:04.156    ComputerName: MiniXP  UserName: SYSTEM
16:00:04.156    Initialze error 1 Incorrect function.
16:00:39.390    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:00:39.390    Disk 0 Vendor: ST9120822AS 3.CDD Size: 114473MB BusType: 3
16:00:39.593    Disk 0 MBR read successfully
16:00:39.593    Disk 0 MBR scan
16:00:39.593    Disk 0 Windows XP default MBR code
16:00:39.609    Disk 0 scanning sectors +234436545
16:00:39.671    Disk 0 scanning X:\i386\system32\drivers
16:00:39.671    Service scanning
16:00:40.171    Modules scanning
16:00:40.406    Scan finished successfully
16:01:21.125    Disk 0 MBR has been saved successfully to "F:\MBR.dat"
16:01:22.734    The log file has been saved successfully to "F:\aswMBR log.txt"

- Malwarebytes' Anti-Malware
Installed the program in the sick computer, but it does not open as I double clicked it.

- OTL
Similar to Malwarebytes', it does not open as I double clicked it.
  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Some anti-viruses (most often it's McAfee) will attack our tools so I'm not surprised that you are getting hits when you download and burn it. Probably best to turn off the anti-virus while you download and burn Hiren's.

I expect Combofix is getting a bit confused because of Hiren's.
Look and see if combofix has created a log c:\combofix.txt or C:\combofix\combofix.txt



Run TDSSKiller again but this time:
before you hit Scan, hit Change Parameters and check the two items under Additional Options. OK, then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.



Delete the following files and folders:

C:\WINDOWS\3944082703
C:\WINDOWS\update.5.0
C:\WINDOWS\sysdriver32.exe
C:\WINDOWS\update.2
C:\WINDOWS\update.7.1
C:\WINDOWS\update.3
C:\WINDOWS\l1rezerv.exe
C:\WINDOWS\update.1
C:\WINDOWS\update.tray-7-0
C:\WINDOWS\TEMP\2968649.exe
C:\WINDOWS\TEMP\354484.exe
C:\Documents and Settings\User\Local Settings\Temp\45127786-loader2.exe
C:\Documents and Settings\User\Local Settings\Temp\68260023-loader2.exe
C:\Documents and Settings\User\Local Settings\Temp\7295887.exe
C:\WINDOWS\TEMP\8862149.exe
(And any other .exe files you see in C:\Windows\temp)

See if you can get into the Services window:

Start, Run, services.msc, OK

Find each of these:

(srvbtcclient)
(srvsysdriver32)
(srviecheck)
(ddservice)
(wxpdrivers)
(ScanQuery Service)

For each of the above: Right click and select Properties then change the Startup type to Disabled. Apply.

If that doesn't work you can try from a command prompt:

Start, Run, cmd, OK

sc config srvbtcclient start= disabled

sc config srvsysdriver32 start= disabled

sc config srviecheck start= disabled

sc config ddservice start= disabled

sc config wxpdrivers start= disabled

sc config "ScanQuery Service" start= disabled

Hiren's has several anti-virus scans. It wouldn't hurt to run some of them.
  • 0

#9
ahboy123

ahboy123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Firstly, Merry Christmas Ron! I hope you had fun and may your wishes come true!

I ran Hiren's on the sick computer again.

- ComboFix

I dropped the Windows XP file onto ComboFix and ran the program. ComboFix asks me about update and I said run without update as the computer has no internet connection. ComboFix continued running and a blue blank pop-up appeared only briefly and the program seemed to end abruptly. I waited for more than half an hour but there was no sign. So I continued treating the computer with TDSS Killer.

- TDSS Killer

Added the extra parameters. The log file follows:

23:32:50.0562 0308	TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
23:32:50.0578 0308	============================================================
23:32:50.0578 0308	Current date / time: 2011/12/26 23:32:50.0578
23:32:50.0578 0308	SystemInfo:
23:32:50.0578 0308	
23:32:50.0578 0308	OS Version: 5.1.2600 ServicePack: 0.0
23:32:50.0578 0308	Product type: Workstation
23:32:50.0578 0308	ComputerName: MiniXP
23:32:50.0578 0308	UserName: SYSTEM
23:32:50.0578 0308	Windows directory: X:\i386
23:32:50.0578 0308	System windows directory: X:\i386
23:32:50.0578 0308	Processor architecture: Intel x86
23:32:50.0578 0308	Number of processors: 1
23:32:50.0578 0308	Page size: 0x1000
23:32:50.0578 0308	Boot type: Normal boot
23:32:50.0578 0308	============================================================
23:32:50.0906 0308	Initialize success
23:32:58.0859 0256	============================================================
23:32:58.0859 0256	Scan started
23:32:58.0859 0256	Mode: Manual; SigCheck; TDLFS; 
23:32:58.0859 0256	============================================================
23:32:59.0531 0256	MBR (0x1B8)     (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
23:33:00.0015 0256	\Device\Harddisk0\DR0 - ok
23:33:00.0031 0256	MBR (0x1B8)     (08b26729634452d0c2889c002b1bb97c) \Device\Harddisk1\DR1
23:33:01.0484 0256	\Device\Harddisk1\DR1 - ok
23:33:01.0500 0256	MBR (0x1B8)     (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk2\DR7
23:33:04.0781 0256	\Device\Harddisk2\DR7 - ok
23:33:04.0796 0256	Boot (0x1200)   (8f2393ccdd3701f45a56344d576c4bad) \Device\Harddisk0\DR0\Partition0
23:33:04.0796 0256	\Device\Harddisk0\DR0\Partition0 - ok
23:33:04.0796 0256	Boot (0x1200)   (240b87f0acbd4bcf9c3ec5733c871e59) \Device\Harddisk1\DR1\Partition0
23:33:04.0796 0256	\Device\Harddisk1\DR1\Partition0 - ok
23:33:04.0812 0256	Boot (0x1200)   (3e103fa48eb8bb8d64347f569c22c66b) \Device\Harddisk2\DR7\Partition0
23:33:04.0812 0256	\Device\Harddisk2\DR7\Partition0 - ok
23:33:04.0812 0256	============================================================
23:33:04.0812 0256	Scan finished
23:33:04.0812 0256	============================================================
23:33:04.0828 0472	Detected object count: 0
23:33:04.0828 0472	Actual detected object count: 0

- Delete files and folders in C:\WINDOWS

I tried searching for the files and folders under the Start button but there is no result. I also tried opening C Drive under "My Computer" but a pop-up says "C:\ is not accessible. The file or directory is corrupted and unreadable."

- Services Window

Pop-up said "Windows cannot find 'services.msc'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

I opened Command Prompt and typed out the lines you instructed. Each time I pressed "Enter" for the next line, Command Prompt says "Modifies a service entry in the registry and Service Database. SYNTAX: sc <server> config [service name] <option 1> <option 2>... CONFIG OPTIONS: NOTE: The option name includes the equal sign." There are more lines about "type=" and "password=" but they are too long to be typed here.

- AntiVirus in Hiren's

I would love to run them but please tell which files are the antivirus. The names are not very obvious to me.
  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Anti-virus programs on Hiren's are:

Avira AntiVir Personal (07-12-2011) Free anti-virus and anti-spyware on-demand scanner, detects and removes more than 50000 viruses and trojans.
ClamWin Free Antivirus 0.97.3 (07-12-2011) A free antivirus, GNU GPL Open Source Virus Scanner.
Dr.Web CureIt! Antivirus

but in light of:

C:\ is not accessible. The file or directory is corrupted and unreadable.


They probably won't be able to do anything.

This is bad. We are going to have to address this before anything else is going to work. Hopefully the drive has not failed.

Hiren's has several programs for checking hard drives. Supposedly the easiest is HD Tune. Once you run it you can click on the Error Scan tab and tell it to check the disk.

It is possible that the MBR is infected and that is causing part of the problem.

There are several tools for working with the MBR on Hiren's but they are all command line programs. I think you can access them from the miniXP All Programs menu. Try MBRWizard.

MBRWiz  /List

Will show you which partitions are on the drive. I think it should say which partition is active and bootable. This should be the largest one which is about 105 GB. If the drive is defective you may not even see it. In that case your best chance is to run the drive maker's test program. (Don't bother with the Western Digital program. It doesn't work. The idiots have put a license program on it and it is not set up right even if you download it from their website.)
  • 0

#11
ahboy123

ahboy123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
- Antivirus Programs in Hiren's

I tried running all 3 antivirus you suggested, but all results are the same. C:\ drive can't be accessed.

Here's a snapshot of me running Avira Antivirus: Avir.jpg

- HD Tune

It seems that C:\ drive is detectable and it's still working. Thank goodness.

HD Tune.jpg

- MBR Wizard

I ran the program and here's a snapshot of the result: MBR Wiz.jpg

Hopefully there is still hope for this computer.
  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
The MBRWiz output looks like it should, so I would guess it's the MBR that is sick. Unfortunately the MBR is Dell proprietary, so unless you have another Dell lying around we can't really replace it. I found a neat little tool for looking at Dells called dsrfix. http://www.goodells....ore/fixes.shtml
Of course it needs to boot from DOS - don't know if it will run from Hiren's but it might. Otherwise you will have to find a bootable DOS disk or usb.

You can use MBRWizard to back up the MBR before you do anything else:

MBRWiz /Save=d:\MyMBR.dat

(Change the d:\ to be the same as the letter used by the Kingston USB drive.)

Once it does that you can try using MBRWizard to restore it to a standard mbr and see if you get lucky.

MBRWiz /Repair=1 /Disk=0

Then try and boot normally.

To put back the old MBR if it still won't boot you do:

MBRWiz /Restore=d:\MyMbr.dat

(Change the d:\ to be the same as the letter used by the Kingston USB drive.)
  • 0
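Posts #10 and #12 turn on whether the MBR is intact, what MBRWiz /List reports, and backing the sector up before touching it. As an added example (not MBRWizard's, TDSSKiller's or aswMBR's code, and not from the thread), here is a Python checker that reads a 512-byte MBR the way those tools present it: the four partition-table entries at 0x1BE with active flag, type, start LBA and size, sanity checks a defender wants before trusting or rewriting the sector (exactly one active partition, valid status bytes, no overlaps, 0x55AA signature), and an MD5 of the boot-code bytes before the 4-byte disk signature at 0x1B8 so a copy saved with MBRWiz /Save can be compared against the live sector later. Whether that region is exactly what TDSSKiller's "MBR (0x1B8)" line hashes is an assumption. The sample layout is constructed to resemble a Dell disk (utility partition, a roughly 105 GB NTFS system partition, recovery partition); it is not read from the poster's drive.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
PART_TABLE = 0x1BE   # four 16-byte partition entries start here
DISK_SIG = 0x1B8     # 4-byte disk signature; boot code is everything before it (assumed hash region)
ACTIVE = 0x80


@dataclass
class Partition:
    index: int
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == ACTIVE

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)


def parse_mbr(sector: bytes) -> List[Partition]:
    """Return the non-empty partition-table entries of a 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        status, type_id = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if type_id == 0 and sectors == 0:
            continue                      # unused slot
        parts.append(Partition(i, status, type_id, lba_start, sectors))
    return parts


def boot_code_hash(sector: bytes) -> str:
    """MD5 of bytes 0x000-0x1B7; compare a saved copy against the live sector to spot tampering."""
    return hashlib.md5(sector[:DISK_SIG]).hexdigest()


def check_mbr(sector: bytes) -> List[str]:
    """Sanity checks to run before trusting, repairing or restoring an MBR."""
    problems = []
    parts = parse_mbr(sector)
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        problems.append(f"expected exactly one active partition, found {len(active)}")
    for p in parts:
        if p.status not in (0x00, ACTIVE):
            problems.append(f"partition {p.index}: invalid status byte 0x{p.status:02X}")
        if p.lba_start == 0:
            problems.append(f"partition {p.index}: starts at LBA 0 (inside the MBR itself)")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_start + a.sectors:
            problems.append(f"partition {b.index} overlaps partition {a.index}")
    return problems


def build_mbr(entries: List[Tuple[int, int, int, int]], boot_code: bytes) -> bytes:
    """Construct a test MBR from (status, type, lba_start, sectors) tuples; only used to make sample input."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (status, type_id, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE + 16 * i
        sector[off] = status
        sector[off + 4] = type_id
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed sample: Dell-style layout (utility partition, ~105 GB NTFS system partition, recovery partition).
BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 64
GOOD_MBR = build_mbr([(0x00, 0xDE, 63, 160650),
                      (ACTIVE, 0x07, 160713, 215000000),
                      (0x00, 0xDB, 215160713, 10000000)], BOOT_CODE)
# Same boot code, but the active flag is cleared and the third slot now overlaps the system partition.
BAD_MBR = build_mbr([(0x00, 0xDE, 63, 160650),
                     (0x00, 0x07, 160713, 215000000),
                     (0x00, 0xDB, 100000000, 10000000)], BOOT_CODE)


def describe(sector: bytes) -> List[str]:
    """One line per partition, in the spirit of MBRWiz /List ('*' marks the active one)."""
    return [f"{p.index}: {'*' if p.bootable else ' '} type=0x{p.type_id:02X} "
            f"start={p.lba_start} sectors={p.sectors} size={p.size_mb} MB"
            for p in parse_mbr(sector)]


if __name__ == "__main__":
    for name, mbr in (("GOOD", GOOD_MBR), ("BAD", BAD_MBR)):
        print(name, "boot code md5:", boot_code_hash(mbr))
        print("\n".join(describe(mbr)))
        print("problems:", check_mbr(mbr) or "none")
```

To use it on a real backup, replace GOOD_MBR with the 512 bytes of the file MBRWiz /Save wrote (or the MBR.dat that aswMBR saved) and compare boot_code_hash of that copy with a fresh read of sector 0; the two BAD_MBR edits show that the hash only covers the boot code, so a changed partition table is caught by check_mbr rather than by the hash.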

#13
ahboy123

ahboy123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
I downloaded DSRFix from the link you gave, and pasted the file DSRFix.com into the Kingston USB drive. I used USBFormat and Grub4DOS from Hiren's Boot USB method to set up a bootable USB drive. And it works for Hiren's. But the computer doesn't boot with it. After I pressed F12 at the Dell Start-up Page and selected USB Drive as boot option, there are messages as follows
DSRFix Boot Fail.jpg

I tried to open DSRFix.com in Hiren's, but there is a very quick pop-up saying some sort of Fatal Error. The message disappeared too quickly for me to take a snapshot.

I ran MBRWizard from Hiren's and tried backing up the MBR as you instructed. d: is the Kingston pen drive Hiren's is booting from. But it didn't work and showed a message:
MBRWiz Save Fail.jpg
  • 0

#14
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Can you get
MBRWiz  /List

to work?
  • 0

#15
ahboy123

ahboy123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Yes. MBRWiz /List works. Here is the result:

MBR Wiz.jpg

Edited by ahboy123, 08 January 2012 - 04:56 AM.

  • 0
