computer will not run correctly after removing malware



#16
amayzzing

    Member

  • Topic Starter
  • Member
  • 39 posts
I should clarify that it did not crash when the ASUS application was enabled; it simply ran an error message.
  • 0



#17
RKinner

    Malware Expert

  • Expert
  • 20,656 posts
  • MVP
The idea was also to do 1/2 of the services, then reboot and see if it was in that half. There are several ways to access msconfig without the command prompt. Right-click on the Start button and select Open Windows Explorer, then navigate to C:\Windows\System32\, find msconfig.exe, right-click on it and Run As Admin.

Speaking of services, I tried to replace the services.exe file, which appeared infected, but I don't see the log, so I can't tell if it worked. Let's verify:

Copy the text in the code box:

/md5start
services.exe
/md5stop
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Copy and paste the log into a reply.

When you boot into Safe Mode are you using the same login as you usually do or are you logging in as Administrator?
  • 0
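The services.exe check above asks OTL for an MD5 so the file can be compared against a known-good copy. The OTL log itself also carries two signals that are worth pulling out automatically rather than by eye: executables in the system directories with no company name, and files whose creation time is later than their last-modified time, which is what a copied-in replacement looks like (a copy keeps the source's modification time). The Python script below is an added example written for this thread, not OTL's or RKinner's code; it parses OTL's service and file lines in the layout OTL uses in the logs posted here, and the sample log embedded in it is constructed, not taken from a real machine.

```python
"""Triage helper for OTL log lines (added example; not OTL's own code).

Parses the two line shapes OTL emits (service/driver entries and
file-created/file-modified entries) and flags what a malware helper
would otherwise check by hand.
"""
import re
from datetime import datetime

# Directories where a company-less binary deserves a hash/signature check.
SYSTEM_DIRS = ("c:\\windows\\sysnative\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\system32\\")
EXEC_EXT = (".exe", ".dll", ".sys")

# [2012/07/10 20:58:37 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\...\services.exe
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| \S{4} \| (?P<kind>[CM])\]"
    r" \((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$")
# SRV - [date | size | ---- | M] (Company) [Auto | Running] -- C:\...\x.exe -- (ServiceName)
SVC_RE = re.compile(
    r"^(?:SRV|DRV)(?::64bit:)? - \[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| \S{4} \| M\]"
    r" \((?P<company>[^)]*)\) \[(?P<state>[^\]]*)\] -- (?P<path>.+?) -- \((?P<name>[^)]*)\).*$")

# Constructed sample in OTL's layout (modelled on this thread's logs, not a real machine).
SAMPLE_LOG = r"""
========== Win32 Services (SafeList) ==========

SRV - [2009/09/17 18:56:58 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2012/07/09 03:12:44 | 000,045,056 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\examplesvc.exe -- (ExampleSvc)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/10 20:58:37 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe
[2012/07/10 17:45:40 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/09 03:12:44 | 000,045,056 | ---- | C] () -- C:\Windows\SysWOW64\examplesvc.exe

========== Files - Modified Within 30 Days ==========

[2012/07/11 10:54:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/10 18:15:01 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe
"""


def _ts(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")


def parse_log(text):
    """Return ({lowercased path: file record}, [service records])."""
    files, services = {}, []
    for line in text.splitlines():
        m = SVC_RE.match(line)
        if m:
            services.append({"name": m["name"], "path": m["path"],
                             "company": m["company"].strip(), "state": m["state"]})
            continue
        m = FILE_RE.match(line)
        if m:
            rec = files.setdefault(m["path"].lower(), {
                "path": m["path"], "company": m["company"].strip(),
                "size": int(m["size"].replace(",", ""))})
            # The same file shows up once in the Created and once in the Modified section.
            rec["created" if m["kind"] == "C" else "modified"] = _ts(m["ts"])
    return files, services


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def triage(text):
    """Return (reason, path-or-service-name) findings that merit a hash/signature check."""
    files, services = parse_log(text)
    findings = []
    for f in files.values():
        if not f["company"] and in_system_dir(f["path"]) and f["path"].lower().endswith(EXEC_EXT):
            findings.append(("no-company-in-system-dir", f["path"]))
        created, modified = f.get("created"), f.get("modified")
        # Creation later than last modification: the file was copied into place,
        # i.e. replaced, whether by a helper's fix or by something else.
        if created and modified and created > modified:
            findings.append(("created-after-modified", f["path"]))
    for s in services:
        if not s["company"] and in_system_dir(s["path"]):
            findings.append(("no-company-service", s["name"]))
    return findings


if __name__ == "__main__":
    for reason, what in triage(SAMPLE_LOG):
        print(f"{reason:26} {what}")
```

Run it as-is to triage the embedded sample, or pass the contents of a real OTL.txt to `triage()`. A hit is a reason to verify the file's hash or Authenticode signature, not a verdict on its own: a freshly replaced services.exe is flagged by the created-after-modified rule whether the replacement was a clean copy or not, which is exactly why the MD5 comparison in the post above is the deciding step.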

#18
amayzzing

    Member

  • Topic Starter
  • Member
  • 39 posts
When I'm booting in Safe Mode, I am using the usual login.

Here is the OTL log:

OTL logfile created on: 7/11/2012 4:50:26 PM - Run 4
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Lawrence & Lindsay S\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.75 Gb Total Physical Memory | 3.17 Gb Available Physical Memory | 84.65% Memory free
7.50 Gb Paging File | 6.95 Gb Available in Paging File | 92.69% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 921.72 Gb Total Space | 873.42 Gb Free Space | 94.76% Space Free | Partition Type: NTFS

Computer Name: ASUS | User Name: Lawrence & Lindsay S | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/10 16:57:25 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Lawrence & Lindsay S\Desktop\OTL.exe
PRC - [2009/09/17 18:56:58 | 002,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/04/20 02:04:20 | 000,203,776 | ---- | M] (AMD) [Auto | Stopped] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2010/09/22 22:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/06/23 11:16:55 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/01/03 05:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/11/12 12:21:58 | 006,141,792 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto | Stopped] -- C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2011/03/02 01:23:36 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 14:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/12/23 17:59:22 | 000,203,392 | ---- | M] (ASUSTeK Computer Inc.) [Auto | Stopped] -- C:\Windows\SysWOW64\AsHookDevice.exe -- (Device Handle Service)
SRV - [2009/09/17 18:56:58 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/09/17 18:37:56 | 003,197,256 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/09/17 17:22:16 | 000,411,976 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE -- (SNAC)
SRV - [2009/07/13 12:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/11/12 12:18:12 | 000,040,320 | ---- | M] (Belcarra Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btblan.sys -- (Leapfrog-USBLAN)
DRV:64bit: - [2011/10/24 23:04:36 | 000,172,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2011/06/10 06:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/04/20 02:44:50 | 009,319,936 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2011/04/20 02:44:50 | 009,319,936 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/04/20 01:22:34 | 000,306,176 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/10/01 15:41:12 | 001,349,232 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV:64bit: - [2010/09/29 06:01:46 | 000,695,400 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RTL8192su.sys -- (RTL8192su)
DRV:64bit: - [2010/09/23 04:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2010/01/27 21:33:38 | 000,116,736 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2009/12/22 06:26:36 | 000,038,456 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
DRV:64bit: - [2009/11/10 12:11:32 | 000,234,040 | ---- | M] (Advanced Micro Devices, Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ahcix64s.sys -- (ahcix64s)
DRV:64bit: - [2009/10/07 11:13:34 | 000,070,200 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/10/07 11:13:34 | 000,028,728 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/08/25 20:05:48 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2009/08/25 20:05:46 | 000,481,840 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\srtspl64.sys -- (SRTSPL)
DRV:64bit: - [2009/08/25 20:05:44 | 000,443,952 | ---- | M] (Symantec Corporation) [File_System | System | Stopped] -- C:\Windows\SysNative\drivers\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2009/07/16 07:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 20:09:50 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usb8023x.sys -- (usb_rndisx)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/20 01:48:42 | 000,702,976 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netr28x.sys -- (netr28x)
DRV:64bit: - [2009/05/18 04:47:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/04 21:00:28 | 000,016,440 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)
DRV - [2012/05/31 04:00:00 | 000,484,512 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2012/05/31 04:00:00 | 000,138,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/05/15 04:00:00 | 002,068,600 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120702.002\ex64.sys -- (NAVEX15)
DRV - [2012/05/15 04:00:00 | 000,120,440 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120702.002\eng64.sys -- (NAVENG)
DRV - [2009/08/25 20:05:48 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\SysWOW64\drivers\srtspx64.sys -- (SRTSPX)
DRV - [2009/08/25 20:05:46 | 000,481,840 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\srtspl64.sys -- (SRTSPL)
DRV - [2009/08/25 20:05:44 | 000,443,952 | ---- | M] (Symantec Corporation) [File_System | System | Stopped] -- C:\Windows\SysWOW64\drivers\srtsp64.sys -- (SRTSP)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2008/01/04 17:34:48 | 000,011,832 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysWOW64\drivers\AsInsHelp64.sys -- (ASInsHelp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@unity3d.com/UnityPlayer: C:\Program Files (x86)\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Lawrence & Lindsay S\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\Lawrence & Lindsay S\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Lawrence & Lindsay S\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Lawrence & Lindsay S\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)



O1 HOSTS File: ([2012/06/17 18:33:28 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16:64bit: - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.appl...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.5.1)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.5.1)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C0BBF70D-E2BB-4874-A628-204BBFB34A15}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

CREATERESTOREPOINT
Unable to start System Restore Service. Error code 1084

========== Files/Folders - Created Within 30 Days ==========

[2012/07/10 20:58:37 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe
[2012/07/10 20:58:29 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012/07/10 19:42:46 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Lawrence & Lindsay S\Desktop\dds.com
[2012/07/10 17:45:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/10 17:45:40 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/10 17:45:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/07/10 17:45:08 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Lawrence & Lindsay S\Desktop\mbam-setup-1.61.0.1400.exe
[2012/07/10 17:39:07 | 002,135,640 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Lawrence & Lindsay S\Desktop\tdsskiller.exe
[2012/07/10 17:32:29 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/07/10 17:32:27 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012/07/10 17:31:37 | 004,575,265 | R--- | C] (Swearware) -- C:\Users\Lawrence & Lindsay S\Desktop\ComboFix.exe
[2012/07/10 17:21:00 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Lawrence & Lindsay S\Desktop\aswMBR.exe
[2012/07/10 16:58:37 | 000,000,000 | ---D | C] -- C:\Windows\SysNative
[2012/07/10 16:58:35 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/07/10 16:57:19 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Lawrence & Lindsay S\Desktop\OTL.exe
[2012/07/10 12:00:54 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2012/07/10 12:00:54 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2012/07/10 10:43:37 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012/07/10 10:10:59 | 000,000,000 | ---D | C] -- C:\Users\Lawrence & Lindsay S\AppData\Local\CrashDumps
[2012/07/02 18:49:36 | 000,000,000 | ---D | C] -- C:\Users\Lawrence & Lindsay S\AppData\Local\TomTom
[2012/07/02 18:49:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TomTom International B.V
[2012/07/02 11:29:55 | 000,000,000 | ---D | C] -- C:\Users\Lawrence & Lindsay S\AppData\Roaming\Mozilla
[2012/06/23 11:18:51 | 002,622,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wucltux.dll
[2012/06/23 11:18:51 | 000,057,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuauclt.exe
[2012/06/23 11:18:51 | 000,044,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups2.dll
[2012/06/23 11:18:42 | 000,701,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapi.dll
[2012/06/23 11:18:42 | 000,099,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wudriver.dll
[2012/06/23 11:18:42 | 000,038,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups.dll
[2012/06/23 11:18:21 | 000,186,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuwebv.dll
[2012/06/23 11:18:21 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapp.exe
[2012/06/22 17:54:52 | 000,000,000 | ---D | C] -- C:\Users\Lawrence & Lindsay S\Documents\My Kindle Content
[2012/06/22 17:54:37 | 000,000,000 | ---D | C] -- C:\Users\Lawrence & Lindsay S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon
[2012/06/22 17:54:29 | 000,000,000 | ---D | C] -- C:\Users\Lawrence & Lindsay S\AppData\Local\Amazon
[2012/06/17 19:11:54 | 000,514,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\qdvd.dll
[2012/06/17 19:11:54 | 000,366,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\qdvd.dll
[2012/06/17 19:04:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/06/17 19:04:12 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/06/17 19:04:11 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/06/17 19:04:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2012/06/17 18:52:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FileHippo.com
[2012/06/17 18:47:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012/06/17 18:46:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Oracle
[2012/06/17 18:46:12 | 000,772,504 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\npDeployJava1.dll
[2012/06/17 18:46:12 | 000,227,720 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2012/06/17 18:45:56 | 000,174,064 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2012/06/17 18:45:56 | 000,174,064 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2012/06/17 09:02:21 | 000,000,000 | ---D | C] -- C:\Users\Lawrence & Lindsay S\AppData\Roaming\Malwarebytes
[2012/06/17 09:02:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/06/16 12:57:47 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/06/16 11:05:45 | 000,034,152 | ---- | C] (GEAR Software Inc.) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys
[2012/06/16 11:03:15 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2012/06/16 10:52:59 | 000,027,256 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\FixZeroAccess.sys
[2012/06/16 10:49:10 | 000,000,000 | ---D | C] -- C:\Users\Lawrence & Lindsay S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
[2012/06/16 10:03:10 | 000,000,000 | ---D | C] -- C:\Users\Lawrence & Lindsay S\AppData\Local\NPE
[2012/06/16 10:03:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2012/06/13 03:01:14 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012/06/13 03:01:14 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012/06/13 03:01:14 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012/06/13 03:01:14 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012/06/13 03:01:12 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012/06/13 03:01:12 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012/06/13 03:01:12 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012/06/13 03:01:12 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012/06/13 03:01:06 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012/06/13 03:01:06 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012/06/13 03:01:03 | 002,311,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012/06/13 03:01:03 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012/06/13 03:01:02 | 000,818,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012/06/12 16:11:46 | 000,149,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpcorekmts.dll
[2012/06/12 16:11:46 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpwsx.dll
[2012/06/12 16:11:46 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdrmemptylst.exe
[2012/06/12 16:11:37 | 005,559,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2012/06/12 16:11:36 | 003,968,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2012/06/12 16:11:36 | 003,913,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2012/06/12 16:11:35 | 003,216,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msi.dll
[2012/06/12 16:11:22 | 001,462,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll
[2012/06/12 16:11:21 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll

========== Files - Modified Within 30 Days ==========

[2012/07/11 10:54:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/11 10:54:52 | 374,001,525 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/07/11 10:54:51 | 3019,247,616 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/11 09:40:38 | 000,016,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/11 09:40:38 | 000,016,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/11 09:31:03 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\HP Photo Creations Communicator.job
[2012/07/10 19:42:46 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Lawrence & Lindsay S\Desktop\dds.com
[2012/07/10 18:29:43 | 000,061,440 | ---- | M] ( ) -- C:\Users\Lawrence & Lindsay S\Desktop\VEW.exe
[2012/07/10 18:15:01 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe
[2012/07/10 17:45:41 | 000,001,077 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/10 17:45:08 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Lawrence & Lindsay S\Desktop\mbam-setup-1.61.0.1400.exe
[2012/07/10 17:39:16 | 002,135,640 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Lawrence & Lindsay S\Desktop\tdsskiller.exe
[2012/07/10 17:32:25 | 004,575,265 | R--- | M] (Swearware) -- C:\Users\Lawrence & Lindsay S\Desktop\ComboFix.exe
[2012/07/10 17:23:14 | 000,000,512 | ---- | M] () -- C:\Users\Lawrence & Lindsay S\Desktop\MBR.dat
[2012/07/10 17:21:41 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Lawrence & Lindsay S\Desktop\aswMBR.exe
[2012/07/10 16:57:25 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Lawrence & Lindsay S\Desktop\OTL.exe
[2012/07/10 11:04:18 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2877543418-1109118880-3015442541-1000Core.job
[2012/07/09 15:55:32 | 000,000,968 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2877543418-1109118880-3015442541-1000UA.job
[2012/07/09 15:55:32 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/07/02 18:56:19 | 000,741,740 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/07/02 18:56:19 | 000,635,538 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/07/02 18:56:19 | 000,110,254 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/06/23 11:16:55 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/06/23 11:16:55 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/06/22 17:54:38 | 000,002,306 | ---- | M] () -- C:\Users\Lawrence & Lindsay S\Desktop\Kindle.lnk
[2012/06/17 19:04:47 | 000,001,787 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/06/17 18:52:48 | 000,001,977 | ---- | M] () -- C:\Users\Lawrence & Lindsay S\Desktop\Update Checker.lnk
[2012/06/17 18:45:42 | 000,174,064 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2012/06/17 18:45:42 | 000,174,064 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2012/06/17 18:33:28 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
[2012/06/16 12:47:58 | 000,027,256 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\FixZeroAccess.sys
[2012/06/14 21:07:31 | 001,264,101 | ---- | M] () -- C:\Users\Lawrence & Lindsay S\Documents\hxwva1906to1982.pdf
[2012/06/13 03:31:05 | 000,414,656 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2012/07/10 18:29:43 | 000,061,440 | ---- | C] ( ) -- C:\Users\Lawrence & Lindsay S\Desktop\VEW.exe
[2012/07/10 17:45:41 | 000,001,077 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/10 17:23:14 | 000,000,512 | ---- | C] () -- C:\Users\Lawrence & Lindsay S\Desktop\MBR.dat
[2012/07/10 11:05:52 | 374,001,525 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/07/02 11:29:24 | 000,000,968 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2877543418-1109118880-3015442541-1000UA.job
[2012/07/02 11:29:23 | 000,000,916 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2877543418-1109118880-3015442541-1000Core.job
[2012/07/02 11:24:34 | 000,002,178 | ---- | C] () -- C:\Users\Lawrence & Lindsay S\Desktop\Start Caillou Ready to Read - Copy.lnk
[2012/06/22 17:54:38 | 000,002,306 | ---- | C] () -- C:\Users\Lawrence & Lindsay S\Desktop\Kindle.lnk
[2012/06/17 19:04:47 | 000,001,787 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/06/17 18:52:48 | 000,002,007 | ---- | C] () -- C:\Users\Lawrence & Lindsay S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Update Checker.lnk
[2012/06/17 18:52:48 | 000,001,977 | ---- | C] () -- C:\Users\Lawrence & Lindsay S\Desktop\Update Checker.lnk
[2012/06/14 21:07:30 | 001,264,101 | ---- | C] () -- C:\Users\Lawrence & Lindsay S\Documents\hxwva1906to1982.pdf
[2012/04/02 18:52:04 | 000,000,218 | ---- | C] () -- C:\Users\Lawrence & Lindsay S\AppData\Local\recently-used.xbel
[2012/04/02 18:40:13 | 000,003,984 | ---- | C] () -- C:\Users\Lawrence & Lindsay S\HomeCleanhome.gnucash
[2012/02/07 23:23:19 | 000,005,651 | ---- | C] () -- C:\Users\Lawrence & Lindsay S\Accounts info.gnucash.20120207222319.gnucash
[2012/02/07 23:18:46 | 000,006,504 | ---- | C] () -- C:\Users\Lawrence & Lindsay S\Accounts info.gnucash
[2011/12/15 20:01:17 | 000,000,286 | ---- | C] () -- C:\Windows\reimage.ini
[2011/10/30 11:09:45 | 000,000,068 | ---- | C] () -- C:\Windows\ka.ini
[2011/04/21 21:15:03 | 000,013,368 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsUpIO.sys
[2011/04/21 21:14:34 | 000,221,184 | ---- | C] () -- C:\Windows\SysWow64\drivers\ServiceHelp.dll
[2011/04/21 21:11:13 | 000,013,931 | ---- | C] () -- C:\Windows\SysWow64\RaCoInst.dat
[2011/04/21 21:10:57 | 000,013,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsIO.sys
[2011/04/21 21:10:56 | 000,011,832 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp64.sys
[2011/04/21 21:10:56 | 000,010,216 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsInsHelp32.sys
[2011/04/21 21:07:31 | 000,024,078 | ---- | C] () -- C:\Windows\Ascd_log.ini
[2011/04/21 21:07:30 | 000,017,302 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2011/04/21 21:07:30 | 000,010,296 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS
[2011/04/21 21:07:30 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2011/04/21 21:05:58 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/03/17 17:51:46 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

========== Custom Scans ==========

< MD5 for: SERVICES.EXE >
[2012/07/10 18:15:01 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\SysNative\services.exe
[2012/07/10 18:15:01 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\SysNative\services.exe
[2009/07/13 21:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\SysWOW64\services.exe
[2012/07/10 18:15:01 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >

I will continue the trial and error.
  • 0
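The "< MD5 for: SERVICES.EXE >" custom scan above is checking that the replaced services.exe in SysNative is byte-for-byte the same as the copy Windows keeps in the WinSxS component store (all three entries show the same MD5, 24ACB7E5BE595468E3B9AA488B9B4FCB). As an added example, not part of the thread or of OTL, here is a PowerShell script that performs that comparison itself and also reports the file's Authenticode status. It assumes 64-bit Windows 7 and an elevated 64-bit PowerShell (so that System32 is the native directory OTL calls SysNative); the component directory name pattern is taken from the winsxs path in the log.

```powershell
# Added example, not from the thread: compare the live services.exe against the
# copies Windows keeps in the WinSxS component store, and show its signature state.
# Assumptions: 64-bit Windows 7, run from an elevated 64-bit PowerShell so that
# $env:SystemRoot\System32 is the native directory OTL reports as SysNative.

function Get-Md5Hex {
    # Get-FileHash needs PowerShell 4+, so use .NET directly for Windows 7's PS 2.0
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Compare-ServicesExe {
    $live     = Join-Path $env:SystemRoot 'System32\services.exe'
    $liveHash = Get-Md5Hex $live
    $liveItem = Get-Item $live
    "{0}`n  size={1} modified={2:yyyy/MM/dd HH:mm:ss} MD5={3}" -f $live, $liveItem.Length, $liveItem.LastWriteTime, $liveHash

    # Component-store copies of the 64-bit service controller; the directory name
    # pattern is taken from the winsxs path shown in the OTL log above.
    $store = Get-ChildItem (Join-Path $env:SystemRoot 'winsxs') -Recurse -Filter 'services.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.Directory.Name -like 'amd64_microsoft-windows-s..s-servicecontroller_*' }

    if (-not $store) { "  no component-store copy found to compare against"; return }
    foreach ($copy in $store) {
        $h = Get-Md5Hex $copy.FullName
        $verdict = if ($h -eq $liveHash) { 'MATCH' } else { 'DIFFERS <= live file is not this stored version' }
        "  {0}`n    MD5={1}  {2}" -f $copy.FullName, $h, $verdict
    }

    # Many Windows system binaries are catalog-signed rather than carrying an
    # embedded signature, so on Windows 7 this can report NotSigned for a genuine
    # file; treat it as supporting evidence, not as the deciding check.
    $sig = Get-AuthenticodeSignature $live
    "  Authenticode: {0}" -f $sig.Status
}

Compare-ServicesExe
```

A MATCH against the component-store copy means the live file is the binary Windows shipped for that component version; a DIFFERS result on a file whose timestamp is far newer than the store copy is the pattern worth following up.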

#19
amayzzing
    Member
  • Topic Starter
  • Member
  • 39 posts
I think that I got it narrowed down to a program running under the services column named "Symantec Endpoint Protection". Everything in the column is enabled except for this item; when this item is enabled, it crashes.
  • 0

#20
RKinner
    Malware Expert
  • Expert
  • 20,656 posts
  • MVP
"Symantec Endpoint Protection" is your Norton Anti-virus. You can uninstall it. Download and save the Norton Removal Tool
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
and run the Norton Removal Tool. (Save the license key in case you want to reinstall it. https://www-secure.s...g=english&ct=us)

Then I think I would install the free version of Avast:

http://www.avast.com...ivirus-download

Download, Save, and right click and Run As Administrator.

Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan, then on Settings. Change the Ask at the bottom to Move to Chest. OK, then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load Windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report, then View Results. How many did it find?
  • 0

#21
amayzzing
    Member
  • Topic Starter
  • Member
  • 39 posts
Ok, I loaded Windows normally AND I loaded in safe mode. Both times when I tried to uninstall Symantec, there was an error saying "The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance".

Also, I cannot access the internet to download Avast or use any of the links you provided.
  • 0

#22
RKinner
    Malware Expert
  • Expert
  • 20,656 posts
  • MVP
Method 1: Reregister the Windows Installer
To reregister the Windows Installer, verify the location of the Msiexec.exe file on your hard disk and in the Windows Registry, and then reregister the Windows Installer. To do this, follow these steps.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Determine the location of the Msiexec.exe file on your hard disk. To do this, follow these steps:
   a. Click Start, click Run, type %windir%\system32, and then click OK.

      Note This step will open the folder where the Msiexec.exe file is located.
   b. Make a note of the location of the Msiexec.exe file. The location of the Msiexec.exe file will be a combination of the value in the Address text box and the Msiexec.exe file name itself.

      For example if the Address text box contains a value of C:\Windows\system32, the location of the Msiexec.exe file will be C:\Windows\system32\Msiexec.exe.

2. Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
   322756 How to back up and restore the registry in Windows

   Make sure that the location of the Msiexec.exe file in Registry Editor is correct. To do this, follow these steps:
   a. Click Start, click Run, type regedit in the Open text box, and then click OK.
   b. Expand HKEY_LOCAL_MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, and then click MSIServer.
   c. In the right pane, right-click ImagePath, and then click Modify.
   d. In the Value data text box, type the location of the Msiexec.exe file that you determined in step 1, followed by the value of /V, and then click OK.

      For example, if the location of the Msiexec.exe file is C:\Windows\system32\Msiexec.exe, type the following text in the Value data text box:
      C:\WINDOWS\System32\msiexec.exe /V
   e. Click OK to close the Edit String dialog box.
   f. Click the File menu, and then click Exit to close Registry Editor.

3. Start your computer in safe mode, and then register the Msiexec.exe file. To do this, follow these steps:
   a. Click Start, and then click Turn off computer or Shut Down.
   b. Select the Restart option, and then click OK, or click Restart.
   c. Press F8 before the Windows splash screen appears.
   d. On the Windows Advanced Option menu, use the arrow keys to select the Safe Mode option, and then press ENTER.
   e. If you use a dual-boot or multiple-boot computer, select the appropriate operating system from the list that is displayed, and then press ENTER.
   f. Log on to the computer.
   g. Click Start, click Run, type msiexec /regserver in the Open text box, and then click OK.

      Note For 64-bit operating systems, you also have to reregister the 64-bit MSI installer. To do this, click Start, click Run, type %windir%\Syswow64\Msiexec /regserver in the Open text box, and then click OK.

      On 64-bit editions of the Windows operating system, 32-bit binaries are located in %systemroot%\SysWow64 folder. The 64-bit binaries are located in the %systemroot%\System32 folder.
   h. Click Start, and then click Turn off computer or Shut Down.
   i. Select the Restart option, and then click OK, or click Restart.

If the issue persists, and you still receive the error message that is mentioned in the "Symptoms" section, follow the steps in Method 2.

Boot back into regular mode and try to uninstall Norton.
Above from: http://support.microsoft.com/kb/315346

You can manually turn off all Symantec Servers and Drivers and see if that helps with the Internet Access:

Copy the following:

sc config "Symantec AntiVirus" start= disabled
sc config SmcService start= disabled
sc config SNAC start= disabled
sc config LiveUpdate start= disabled
sc config ccSetMgr start= disabled
sc config ccEvtMgr start= disabled
sc config SymEvent start= disabled
sc config SRTSPX start= disabled
sc config SRTSPL start= disabled
sc config SRTSP start= disabled
sc config eeCtrl start= disabled
sc config EraserUtilRebootDrv start= disabled
sc config NAVEX15 start= disabled
sc config NAVENG start= disabled
sc config SRTSPX start= disabled
sc config SRTSPL start= disabled
sc config SRTSP start= disabled

Start, Run, cmd, OK then right click and Paste or Edit then Paste and the copied lines should appear. Hit Enter. (You can retype them if you can't copy and paste)
  • 0
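As an added example, not from the thread and not from Microsoft's KB article, here is a PowerShell script covering both halves of the post above: it checks the MSIServer ImagePath against the real msiexec.exe location (the check the KB steps have you do by eye in Registry Editor), and it disables the same Symantec services and drivers as the sc config list, recording each one's current start mode first so the change can be reversed. It assumes 64-bit Windows 7 and an elevated PowerShell; the CSV file location is made up.

```powershell
# Added example, not from the thread or from KB 315346. Run from an elevated
# PowerShell. Part 1 performs the MSIServer ImagePath check that the KB steps
# above do by hand in Registry Editor; Part 2 disables the Symantec services and
# drivers from the sc config list above, saving their current start modes first
# so the change can be undone. Assumed: 64-bit Windows 7; the CSV path is made up.

function Test-MsiServerImagePath {
    $key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSIServer'
    $imagePath = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath   # REG_EXPAND_SZ, already expanded
    $onDisk    = Join-Path $env:SystemRoot 'System32\msiexec.exe'

    # drop the trailing /V switch and any quotes to get the bare executable path
    $registered = ($imagePath -replace '\s*/V\s*$', '').Trim('"')

    "Registry ImagePath : $imagePath"
    "Expected value     : $onDisk /V"
    if (-not (Test-Path $onDisk)) {
        "msiexec.exe is missing from System32; restore the file before reregistering."
    } elseif ($registered -ieq $onDisk) {
        "ImagePath points at the real msiexec.exe."
    } else {
        "ImagePath does NOT match; KB 315346 says to set it to: $onDisk /V"
    }
}

function Disable-SymantecServices {
    param([string]$RollbackCsv = (Join-Path $env:USERPROFILE 'Desktop\symantec-startmodes.csv'))

    # same names as the sc config list in the post above
    $names = @('Symantec AntiVirus','SmcService','SNAC','LiveUpdate','ccSetMgr','ccEvtMgr',
               'SymEvent','SRTSPX','SRTSPL','SRTSP','eeCtrl','EraserUtilRebootDrv',
               'NAVEX15','NAVENG')
    $records = @()
    foreach ($name in $names) {
        # Win32_BaseService covers both user-mode services (SmcService) and
        # kernel drivers (SRTSP*, SymEvent, NAVEX15 ...), just as sc config does.
        $svc = Get-WmiObject Win32_BaseService -Filter "Name='$name'"
        if ($null -eq $svc) { Write-Host ("  {0,-22} not present" -f $name); continue }
        $before = $svc.StartMode
        $rc = $svc.ChangeStartMode('Disabled').ReturnValue     # 0 = success
        Write-Host ("  {0,-22} {1,-9} -> Disabled (rc={2})" -f $name, $before, $rc)
        $records += New-Object PSObject -Property @{ Name = $name; PreviousStartMode = $before }
    }
    $records | Export-Csv -Path $RollbackCsv -NoTypeInformation
    Write-Host "Previous start modes saved to $RollbackCsv (restore each with ChangeStartMode)"
}

Test-MsiServerImagePath
Disable-SymantecServices
```

Saving the previous start modes matters because the list mixes services and kernel drivers with different defaults (Auto, Manual, System); without the record, putting Symantec back into a working state later means guessing each one.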

#23
amayzzing
    Member
  • Topic Starter
  • Member
  • 39 posts
I have no idea what I'm doing and I'm totally frustrated with this computer.

I did method 1 and it did not work. I went on to method 2. At step 3, "attrib -r -s -h dllcache", I get a message saying "file not found - dllcache".

At step 4, "ren msi.dll msi.old", I get a message saying 'access denied'.

I get the same access denied message for all the rest of the steps.

I followed the steps to manually turn off Symantec.
  • 0

#24
RKinner
    Malware Expert
  • Expert
  • 20,656 posts
  • MVP
Wasn't aware you didn't have internet. I assume you have tried Safe mode with Networking?

Start, (All) Programs, Accessories then right click on Command Prompt and select Run As Admin.

Type with an Enter after each line:

net  start  bfe

net start dhcp

net start tcpip

net start netbt

net start mpssvc

(We want each to say
"The requested service has already been started

More help is available by typing NET HELPMSG 2182" Report any that don't.)
  • 0

#25
amayzzing
    Member
  • Topic Starter
  • Member
  • 39 posts
I had a hard time with the first one, "net start dhcp". It said "System error 1058 has occurred. The service cannot be started, either because it is disabled or because it has no enabled devices associated with it."

The rest were fine except for the last one, "net start mpssvc". The message read "The service name is invalid. More help is available by typing NET HELPMSG 2185."
  • 0

#26
RKinner
    Malware Expert
  • Expert
  • 20,656 posts
  • MVP
Try

net  start  afd

net  start  nsi

Do both say they have already started?

then

sc  qc  dhcp

Following is from my Win7 PC. Check where the arrows ( <= ) are.

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START   <= Should be 2.  Is it?
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : DHCP Client
        DEPENDENCIES       : NSI  <= Do you have these three dependencies?
                           : Tdx
                           : Afd
        SERVICE_START_NAME : NT Authority\LocalService

  • 0

#27
amayzzing
    Member
  • Topic Starter
  • Member
  • 39 posts
Ok, first one was already started.
Second one said "System error 1058 has occurred. The service cannot be started, either because it is disabled or because it has no enabled devices associated with it."

For the second step, mine reads "START_TYPE : 4 DISABLED".

The dependencies list has 3 like you said, NSI, Tdx and Afd.
  • 0

#28
RKinner
    Malware Expert
  • Expert
  • 20,656 posts
  • MVP
Right click on Computer and select Manage. Continue. Services and Application then Services. Find DHCP Client and right click on it and select Properties then change the Startup Type from Disabled to Automatic. Apply. Now see if

net start dhcp

will start it.
  • 0

#29
amayzzing
    Member
  • Topic Starter
  • Member
  • 39 posts
It says "System error 1068 has occurred. The dependency service or group failed to start."
  • 0

#30
RKinner
    Malware Expert
  • Expert
  • 20,656 posts
  • MVP
It's probably tdx which we haven't checked yet but do all three just to be sure:

net  start  nsi

net  start  tdx

net  start  afd
  • 0
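The last several posts (#24 through #30) are walking the DHCP Client service's dependency chain by hand: sc qc dhcp to list what it depends on, then net start on each of nsi, tdx and afd, with error 1058 meaning a service is Disabled and error 1068 meaning something it depends on failed. As an added example, not part of the thread, here is a PowerShell script that does that walk automatically for any service, reporting each dependency's start mode and state and flagging the ones that would produce those errors. It assumes an elevated PowerShell on Windows 7 or later.

```powershell
# Added example, not from the thread: walk a service's dependency chain the way
# "sc qc dhcp" plus "net start nsi / tdx / afd" does by hand, reporting each
# dependency's start mode and state. Error 1058 means the service itself is
# Disabled; error 1068 means something below it in this tree is Disabled or
# not running. Assumed: elevated PowerShell on Windows 7 or later.

# Win32_DependentService lists every (Antecedent, Dependent) pair once;
# fetch it a single time rather than per service.
$script:DependencyPairs = Get-WmiObject Win32_DependentService

function Get-Antecedents {
    # names of the services/drivers that $Name must have running before it can start
    param([string]$Name)
    $script:DependencyPairs |
        Where-Object { $_.Dependent -match ('\.Name="' + [regex]::Escape($Name) + '"$') } |
        ForEach-Object { ([wmi]$_.Antecedent).Name }
}

function Show-ServiceDependencyTree {
    param([string]$Name, [int]$Depth = 0, [hashtable]$Seen = @{})
    $key = $Name.ToLower()
    if ($Seen.ContainsKey($key)) { return }      # guards against dependency cycles
    $Seen[$key] = $true

    $indent = '  ' * $Depth
    # Win32_BaseService returns both user-mode services (dhcp, nsi) and kernel
    # drivers (afd, tdx); Get-Service alone does not see the drivers.
    $svc = Get-WmiObject Win32_BaseService -Filter "Name='$Name'"
    if ($null -eq $svc) {
        "{0}{1,-12} NOT FOUND  <= missing; nothing above it can start" -f $indent, $Name
        return
    }
    $flag = ''
    if ($svc.StartMode -eq 'Disabled')  { $flag = '<= Disabled: set to Automatic/Manual in Services.msc' }
    elseif ($svc.State -ne 'Running')   { $flag = '<= not running' }
    "{0}{1,-12} StartMode={2,-9} State={3,-8} {4}" -f $indent, $svc.Name, $svc.StartMode, $svc.State, $flag

    foreach ($dep in (Get-Antecedents $svc.Name)) {
        Show-ServiceDependencyTree -Name $dep -Depth ($Depth + 1) -Seen $Seen
    }
}

Show-ServiceDependencyTree -Name 'dhcp'
```

Read the output bottom-up: the deepest flagged entry is the one to fix first, since net start on anything above it will keep returning 1068 until that one is running. The same call with -Name 'bfe' or -Name 'mpssvc' covers the other services checked earlier in the thread.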





