
FBI Green Dot Moneypak Virus has locked my computer [Closed]


  • This topic is locked

#1
Aluckett

    Member

  • Member
  • 14 posts
I have an E-Machines T5048 running Windows XP SP3. Last evening, I acquired the Green Dot Moneypak Virus from a web site. The "FBI" screen took over and I wasn't able to do anything. I've turned the computer on and off several times since then, so the "last known" configuration is no good anymore.

When the computer first starts, a brief (20 seconds?) time is available when the "Start" button functionality is available before the virus is called in (from the registry?). During one of these early efforts, I was able to call in Malwarebytes, scan, and attempt to fix. Several items were removed, and I thought I had sufficiently cured the problem. However, when I restarted the virus was still aboard and seized the computer. I cannot access the file quickly enough now when I restart, or call in the restore function to get to an earlier state. Attempting to start in safe mode doesn't work; the computer loops back and starts over instead of loading up safe mode functionality. When I shut down (using the power button), I can see the task manager screen briefly but all too briefly to do anything before the computer turns off. If I could somehow stop the startup process before the virus loads I feel I could do something, but I'm at a loss what. I don't know how I could run otl.exe under the current operation of the system. I can call in some Windows utilities (c:\ prompt) from the safe mode functionality but I don't really know what to do. I have run chkdsk but do not seem to have significant problems with the drive per se. The computer has PC Angel, but I'm hesitant to use it as I had significant problems with it in an earlier effort (though the underlying problem in that instance may have been a hard drive failure mixing up file indexes).

I hope you can help. Thanks, Al

This topic was addressed a few months ago in Geekstogo, but the person posting has a Sony computer and the helper cautioned that the solution would be unique to the machine. I was confused about the first step suggested, which involved loading a routine on a thumb drive and getting it to run on the infected computer.
  • 0



#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, this is a set of instructions for a CD; if you wish to use a USB drive instead then let me know

Please print these instructions out so that you know what you are doing

  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Insert the flash drive with FRST on it
  • Locate the flash drive and run FRST
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

  • 0

#3
Aluckett

    Member

  • Topic Starter
  • Member
  • 14 posts
I had to pack the computer up and put it in the car for a road trip yesterday, right after I posted, so thanks for getting back so fast. I'm now set up again; I have a flash drive but no blank CDs. Going to run out for blank CDs and will get right on this (unless you're right there and can instantly reply on how to get this going from a flash drive).

Here is the output from the scan. As a result of a hard drive failure a year ago, extra partitions and some duplicated directories were set up as part of the (reasonably successful) recovery effort. However, I haven't made much progress cleaning them up. The C:\ drive is the one in use. I believe late Wednesday night the (11/21 11:35 p.m.) entries are the time the virus took over.

Can the system possibly just be restored to a state before that time? Thanks, Al

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-11-2012
Ran by SYSTEM at 23-11-2012 20:38:12
Running from J:\
Microsoft Windows XP (X86) OS Language: English(US)
The current controlset is ControlSet004

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Task Scheduler] "C:\Documents and Settings\AL\Application Data\Task Scheduler\Task Scheduler.exe" [119184 2012-11-21] ()
HKU\AL\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
HKU\AL\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-01-13] (Google Inc.)
HKU\AL\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [1695232 2008-04-14] (Microsoft Corporation)
HKU\AL\...\Run: [Task Scheduler] "C:\Documents and Settings\AL\Application Data\Task Scheduler\Task Scheduler.exe" [119184 2012-11-21] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 71.252.0.12
Startup: C:\Documents and Settings\AL\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Documents and Settings\Default User\Application Data\Dropbox\bin\Dropbox.exe (No File)
Startup: C:\Documents and Settings\AL\Start Menu\Programs\Startup\Task Scheduler.lnk
ShortcutTarget: Task Scheduler.lnk -> C:\Documents and Settings\Default User\Application Data\Task Scheduler\Task Scheduler.exe (No File)

==================== Services (Whitelisted) ===================

2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
2 IHA_MessageCenter; "C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe" [352248 2012-08-03] (Verizon)
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [115168 2012-10-24] (Mozilla Foundation)
2 Web Assistant Updater; C:\Program Files\Web Assistant\ExtensionUpdaterService.exe [188760 2012-08-20] ()
2 WebOptimizer; C:\Windows\System32\dmwu.exe [1006448 2012-09-13] ()
4 HidServ; C:\Windows\System32\hidserv.dll [x]
2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)
3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DPV.sys [1035008 2005-07-22] (Conexant Systems, Inc.)
3 rtl8139; C:\Windows\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
4 Abiosdsk; [x]
4 abp480n5; [x]
4 adpu160m; [x]
4 Aha154x; [x]
4 aic78u2; [x]
4 aic78xx; [x]
4 AliIde; [x]
4 amsint; [x]
4 asc; [x]
4 asc3350p; [x]
4 asc3550; [x]
4 Atdisk; [x]
3 catchme; \??\C:\DOCUME~1\ADMINI~1.AL-\LOCALS~1\Temp\catchme.sys [x]
4 cd20xrnt; [x]
1 Changer; [x]
4 CmdIde; [x]
4 Cpqarray; [x]
4 dac2w2k; [x]
4 dac960nt; [x]
4 dpti2o; [x]
4 hpn; [x]
1 i2omgmt; [x]
4 i2omp; [x]
4 ini910u; [x]
4 IntelIde; [x]
1 lbrtfdc; [x]
4 mraid35x; [x]
1 PCIDump; [x]
3 PDCOMP; [x]
3 PDFRAME; [x]
3 PDRELI; [x]
3 PDRFRAME; [x]
4 perc2; [x]
4 perc2hib; [x]
4 ql1080; [x]
4 Ql10wnt; [x]
4 ql12160; [x]
4 ql1240; [x]
4 ql1280; [x]
4 Simbad; [x]
4 Sparrow; [x]
4 symc810; [x]
4 symc8xx; [x]
4 sym_hi; [x]
4 sym_u3; [x]
4 TosIde; [x]
4 ultra; [x]
4 ViaIde; [x]
3 WDICA; [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-11-23 20:38 - 2012-11-23 20:38 - 00000000 ____D C:\FRST
2012-11-21 23:35 - 2012-11-21 23:35 - 00000000 ____D C:\Documents and Settings\AL\Application Data\Task Scheduler
2012-11-16 07:35 - 2012-11-16 07:35 - 00000000 __HDC C:\Windows\$NtUninstallKB2761226$
2012-11-16 07:35 - 2012-11-16 07:35 - 00000000 __HDC C:\Windows\$NtUninstallKB2727528$
2012-11-16 05:49 - 2012-11-16 07:35 - 00012486 ____A C:\Windows\KB2761226.log
2012-11-16 05:49 - 2012-11-16 07:35 - 00011238 ____A C:\Windows\KB2727528.log
2012-11-15 05:36 - 2012-11-15 05:34 - 00144817 ____A C:\Documents and Settings\AL\My Documents\Robo Jacob's friend Ray photo
2012-11-12 10:55 - 2012-11-12 10:56 - 00000000 ____D C:\Documents and Settings\AL\Application Data\Mozilla
2012-11-12 10:55 - 2012-11-12 10:55 - 00000724 ____A C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2012-11-12 10:55 - 2012-11-12 10:55 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-11-12 10:55 - 2012-11-12 10:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Mozilla
2012-11-12 10:55 - 2012-11-12 10:55 - 00000000 ____D C:\Documents and Settings\AL\Local Settings\Application Data\Mozilla

==================== One Month Modified Files and Folders ========

2012-11-23 20:24 - 2011-11-15 13:13 - 01975810 ____A C:\Windows\WindowsUpdate.log
2012-11-23 20:24 - 2011-11-15 11:07 - 00000178 __ASH C:\Documents and Settings\AL\ntuser.ini
2012-11-23 20:24 - 2011-11-15 11:02 - 00032628 ____A C:\Windows\SchedLgU.Txt
2012-11-23 20:24 - 2011-11-15 10:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-23 20:21 - 2012-01-13 23:51 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-23 18:14 - 2011-11-27 18:41 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2012-11-23 17:21 - 2012-01-13 23:51 - 00000874 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-23 17:18 - 2012-07-02 21:47 - 00000000 ____D C:\Documents and Settings\AL\Application Data\Dropbox
2012-11-23 17:18 - 2011-11-15 14:42 - 00000000 ____D C:\Windows\System32\Lang
2012-11-23 17:18 - 2011-11-15 11:07 - 00000062 __ASH C:\Documents and Settings\AL\Local Settings\desktop.ini
2012-11-23 17:18 - 2011-11-15 11:02 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2012-11-23 17:18 - 2011-11-15 11:02 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2012-11-23 17:10 - 2003-03-31 07:00 - 00013646 ____A C:\Windows\System32\wpa.dbl
2012-11-22 02:06 - 2012-07-02 21:51 - 00000000 ___RD C:\Documents and Settings\AL\My Documents\Dropbox
2012-11-22 00:45 - 2011-11-15 14:33 - 00000000 ___DC C:\Windows\$NtUninstallKB982132$
2012-11-21 23:35 - 2012-11-21 23:35 - 00000000 ____D C:\Documents and Settings\AL\Application Data\Task Scheduler
2012-11-20 23:13 - 2011-12-06 16:05 - 00000284 ____A C:\Windows\Tasks\AppleSoftwareUpdate.job
2012-11-16 08:04 - 2011-11-15 04:45 - 00192184 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-16 07:39 - 2011-11-15 16:35 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2012-11-16 07:37 - 2011-11-15 14:27 - 64010424 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-11-16 07:35 - 2012-11-16 07:35 - 00000000 __HDC C:\Windows\$NtUninstallKB2761226$
2012-11-16 07:35 - 2012-11-16 07:35 - 00000000 __HDC C:\Windows\$NtUninstallKB2727528$
2012-11-16 07:35 - 2012-11-16 05:49 - 00012486 ____A C:\Windows\KB2761226.log
2012-11-16 07:35 - 2012-11-16 05:49 - 00011238 ____A C:\Windows\KB2727528.log
2012-11-16 07:35 - 2011-11-15 04:46 - 01229249 ____A C:\Windows\iis6.log
2012-11-16 07:35 - 2011-11-15 04:46 - 01073658 ____A C:\Windows\FaxSetup.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00532485 ____A C:\Windows\ocgen.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00497050 ____A C:\Windows\tsoc.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00368609 ____A C:\Windows\comsetup.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00344278 ____A C:\Windows\msmqinst.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00222452 ____A C:\Windows\ntdtcsetup.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00188735 ____A C:\Windows\netfxocm.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00075506 ____A C:\Windows\MedCtrOC.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00059779 ____A C:\Windows\ocmsn.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00054694 ____A C:\Windows\tabletoc.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00054222 ____A C:\Windows\msgsocm.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00001393 ____A C:\Windows\imsins.log
2012-11-16 07:35 - 2011-11-15 04:46 - 00001393 ____A C:\Windows\imsins.BAK
2012-11-16 07:34 - 2003-03-31 07:00 - 00000562 ____A C:\Windows\win.ini
2012-11-16 05:49 - 2011-11-15 13:34 - 00000000 ____D C:\Windows\$hf_mig$
2012-11-15 13:21 - 2011-12-11 22:20 - 00000000 ____D C:\Documents and Settings\AL\My Documents\Clara's Work
2012-11-15 12:17 - 2012-01-20 21:12 - 00000000 ____D C:\Documents and Settings\AL\My Documents\Christina's Work
2012-11-15 05:34 - 2012-11-15 05:36 - 00144817 ____A C:\Documents and Settings\AL\My Documents\Robo Jacob's friend Ray photo
2012-11-14 17:23 - 2012-07-07 10:09 - 00000000 ____D C:\Windows\Microsoft.NET
2012-11-14 09:29 - 2011-11-15 04:46 - 00521470 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-14 09:26 - 2011-12-11 22:12 - 00000000 ____D C:\Documents and Settings\AL\My Documents\Personal Business
2012-11-12 10:56 - 2012-11-12 10:55 - 00000000 ____D C:\Documents and Settings\AL\Application Data\Mozilla
2012-11-12 10:55 - 2012-11-12 10:55 - 00000724 ____A C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2012-11-12 10:55 - 2012-11-12 10:55 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-11-12 10:55 - 2012-11-12 10:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Mozilla
2012-11-12 10:55 - 2012-11-12 10:55 - 00000000 ____D C:\Documents and Settings\AL\Local Settings\Application Data\Mozilla
2012-11-12 10:55 - 2012-06-15 03:48 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-11-11 22:09 - 2011-11-15 04:49 - 00000216 ____A C:\Windows\wiadebug.log
2012-11-11 16:36 - 2011-11-15 04:45 - 00248439 ____A C:\Windows\setupapi.log
2012-11-11 09:05 - 2011-11-15 04:49 - 00000050 ____A C:\Windows\wiaservc.log
2012-11-11 09:00 - 2012-04-15 21:32 - 00000000 ____D C:\Documents and Settings\AL\My Documents\Aly's Work
2012-11-07 21:28 - 2012-02-06 17:18 - 00001813 ____A C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2012-11-07 06:52 - 2011-11-27 05:42 - 00015872 ____A C:\Documents and Settings\AL\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-10-29 16:48 - 2012-04-07 07:40 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-10-29 16:48 - 2011-11-29 00:19 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2012-11-23 17:36 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP343

RP: -> 2012-11-21 08:38 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP342

RP: -> 2012-11-20 06:57 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP341

RP: -> 2012-11-19 06:31 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP340

RP: -> 2012-11-17 16:30 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP339

RP: -> 2012-11-16 07:34 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP338

RP: -> 2012-11-15 09:53 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP337

RP: -> 2012-11-14 09:26 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP336

RP: -> 2012-11-13 21:37 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP335

RP: -> 2012-11-12 19:14 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP334

RP: -> 2012-11-11 19:09 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP333

RP: -> 2012-11-10 19:06 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP332

RP: -> 2012-11-09 19:04 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP331

RP: -> 2012-11-08 14:08 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP330

RP: -> 2012-11-07 13:18 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP329

RP: -> 2012-11-06 11:12 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP328

RP: -> 2012-11-05 09:44 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP327

RP: -> 2012-11-04 08:53 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP326

RP: -> 2012-11-03 08:02 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP325

RP: -> 2012-11-02 06:04 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP324

RP: -> 2012-11-01 05:53 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP323

RP: -> 2012-10-30 19:15 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP322

RP: -> 2012-10-29 18:49 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP321

RP: -> 2012-10-28 18:11 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP320

RP: -> 2012-10-27 17:28 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP319

RP: -> 2012-10-26 17:16 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP318

RP: -> 2012-10-25 16:52 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP317

RP: -> 2012-10-24 16:41 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP316

RP: -> 2012-10-23 16:26 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP315

RP: -> 2012-10-22 09:15 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP314

RP: -> 2012-10-21 08:58 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP313

RP: -> 2012-10-20 18:25 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP312

RP: -> 2012-10-19 18:18 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP311

RP: -> 2012-10-18 17:23 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP310

RP: -> 2012-10-17 17:09 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP309

RP: -> 2012-10-16 16:29 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP308

RP: -> 2012-10-15 12:11 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP307

RP: -> 2012-10-14 08:02 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP306

RP: -> 2012-10-12 18:16 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP305

RP: -> 2012-10-11 15:37 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP304

RP: -> 2012-10-10 10:04 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP303

RP: -> 2012-10-09 18:46 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP302

RP: -> 2012-10-08 17:58 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP301

RP: -> 2012-10-07 17:41 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP300

RP: -> 2012-10-06 17:15 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP299

RP: -> 2012-10-05 16:36 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP298

RP: -> 2012-10-04 16:34 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP297

RP: -> 2012-10-03 16:08 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP296

RP: -> 2012-10-02 15:08 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP295

RP: -> 2012-10-01 09:26 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP294

RP: -> 2012-09-30 09:09 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP293

RP: -> 2012-09-29 06:32 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP292

RP: -> 2012-09-27 21:17 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP291

RP: -> 2012-09-26 20:59 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP290

RP: -> 2012-09-25 16:18 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP289

RP: -> 2012-09-24 06:31 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP288

RP: -> 2012-09-22 20:59 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP287

RP: -> 2012-09-21 20:51 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP286

RP: -> 2012-09-20 20:43 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP285

RP: -> 2012-09-19 19:50 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP284

RP: -> 2012-09-18 16:08 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP283

RP: -> 2012-09-17 15:26 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP282

RP: -> 2012-09-16 15:09 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP281

RP: -> 2012-09-14 16:20 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP280

RP: -> 2012-09-13 09:50 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP279

RP: -> 2012-09-12 09:38 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP278

RP: -> 2012-09-12 05:57 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP277

RP: -> 2012-09-10 17:15 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP276

RP: -> 2012-09-09 08:25 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP275

RP: -> 2012-09-07 22:05 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP274

RP: -> 2012-09-06 17:23 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP273

RP: -> 2012-09-05 16:43 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP272

RP: -> 2012-09-04 15:38 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP271

RP: -> 2012-09-03 09:16 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP270

RP: -> 2012-09-02 07:35 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP269

RP: -> 2012-08-31 20:42 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP268

RP: -> 2012-08-30 20:13 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP267

RP: -> 2012-08-29 12:31 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP266

RP: -> 2012-08-28 12:25 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP265

RP: -> 2012-08-27 10:54 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP264

RP: -> 2012-08-26 09:57 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP263


==================== Memory info ===========================

Percentage of memory in use: 23%
Total physical RAM: 893.59 MB
Available physical RAM: 683.86 MB
Total Pagefile: 805.18 MB
Available Pagefile: 704.08 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.54 MB

==================== Partitions =============================

1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
2 Drive c: () (Fixed) (Total:74.52 GB) (Free:49.61 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive d: () (Fixed) (Total:143.75 GB) (Free:98.62 GB) NTFS ==>[Drive with boot components (Windows XP)]
8 Drive i: (RECOVERY) (Fixed) (Total:5.28 GB) (Free:2.24 GB) FAT32
9 Drive j: (CRM_O365) (Removable) (Total:0.97 GB) (Free:0.64 GB) FAT32
10 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 0 B
Disk 1 Online 149 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 75 GB 32 KB
=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 75 GB Healthy
=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 5420 MB 32 KB
Partition 2 Primary 144 GB 5420 MB
=========================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 I RECOVERY FAT32 Partition 5420 MB Healthy
=========================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D NTFS Partition 144 GB Healthy
=========================================================
==================== End Of Log ============================

Edited by Aluckett, 23 November 2012 - 08:06 PM.

  • 0
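A small triage script for a log like the one above, added here as an example; it is not code from the thread, from Farbar or from Geeks to Go. It parses three parts of an FRST log in the form posted here: the Run entries under "Registry (Whitelisted)", the Startup/ShortcutTarget pairs, and the "Restore Points (XP)" list. It flags autoruns showing the pattern visible in this log (a binary with an empty publisher field, living under a user profile, created within days of the scan), reports Run values whose file FRST marks `[x]` (not found), lists Startup shortcuts whose target is "(No File)", and lists the restore points older than the time the poster identifies as the takeover (21 Nov 23:35), newest first. The sample log is a constructed excerpt of the log above; the thresholds (two or more indicators, seven days) are assumptions of this example, not FRST rules. The helper's reply below picks a point from the 19th rather than the newest candidate, which leaves a wider margin before the compromise.

```python
"""Triage an FRST log excerpt: suspicious Run entries, dangling Startup shortcuts,
and restore points that predate the compromise.  Added example; not FRST code."""
import re
from datetime import datetime, timedelta

# Constructed excerpt modelled on the FRST log posted in the thread (not the full log).
SAMPLE_LOG = r"""
Ran by SYSTEM at 23-11-2012 20:38:12
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [Task Scheduler] "C:\Documents and Settings\AL\Application Data\Task Scheduler\Task Scheduler.exe" [119184 2012-11-21] ()
HKU\AL\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
HKU\AL\...\Run: [Task Scheduler] "C:\Documents and Settings\AL\Application Data\Task Scheduler\Task Scheduler.exe" [119184 2012-11-21] ()
Startup: C:\Documents and Settings\AL\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Documents and Settings\Default User\Application Data\Dropbox\bin\Dropbox.exe (No File)
Startup: C:\Documents and Settings\AL\Start Menu\Programs\Startup\Task Scheduler.lnk
ShortcutTarget: Task Scheduler.lnk -> C:\Documents and Settings\Default User\Application Data\Task Scheduler\Task Scheduler.exe (No File)
==================== Restore Points (XP) =====================
RP: -> 2012-11-23 17:36 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP343
RP: -> 2012-11-21 08:38 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP342
RP: -> 2012-11-20 06:57 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP341
RP: -> 2012-11-19 06:31 - 024576 _restore{224FF002-5670-48D9-B229-D1A2CF90B909}\RP340
"""

RAN_RE = re.compile(r'^Ran by .* at (?P<date>\d{2}-\d{2}-\d{4}) ')
RUN_RE = re.compile(r'^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$')
DETAIL_RE = re.compile(r'^(?P<cmd>.*) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\)$')
TARGET_RE = re.compile(r'^ShortcutTarget: (?P<lnk>.+?) -> (?P<target>.+?)(?P<missing> \(No File\))?$')
RP_RE = re.compile(r'^RP: -> (?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \d+ (?P<name>\S+)$')


def image_path(cmd):
    """Return the executable from a Run value: the quoted part, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(' ')[0]


def in_user_profile(path):
    """True for binaries living in a user profile's data folders (XP layout)."""
    p = path.lower()
    return '\\documents and settings\\' in p and (
        '\\application data\\' in p or '\\local settings\\' in p)


def triage_autoruns(log, recent_days=7, min_indicators=2):
    """Return {'suspicious': [...], 'missing': [...]} for the Run entries in an FRST log.

    An entry is suspicious when it shows at least `min_indicators` of: no publisher,
    image under a user profile, image created within `recent_days` of the scan.
    Entries FRST marks [x] (image file not found) are reported separately.
    The thresholds are this example's assumptions, not FRST's rules.
    """
    scan_date = None
    suspicious, missing = [], []
    for line in log.splitlines():
        m = RAN_RE.match(line)
        if m:
            scan_date = datetime.strptime(m.group('date'), '%d-%m-%Y')
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, name, rest = m.group('hive'), m.group('name'), m.group('rest')
        if rest.endswith(' [x]'):
            missing.append({'hive': hive, 'name': name, 'path': image_path(rest[:-4])})
            continue
        d = DETAIL_RE.match(rest)
        if not d:
            continue
        path = image_path(d.group('cmd'))
        reasons = []
        if not d.group('pub').strip():
            reasons.append('no publisher')
        if in_user_profile(path):
            reasons.append('runs from user profile')
        created = datetime.strptime(d.group('date'), '%Y-%m-%d')
        if scan_date and scan_date - created <= timedelta(days=recent_days):
            reasons.append('created within %d days of scan' % recent_days)
        if len(reasons) >= min_indicators:
            suspicious.append({'hive': hive, 'name': name, 'path': path, 'reasons': reasons})
    return {'suspicious': suspicious, 'missing': missing}


def dangling_startup_shortcuts(log):
    """Startup-folder .lnk files whose target FRST reports as (No File)."""
    return [(m.group('lnk'), m.group('target'))
            for m in map(TARGET_RE.match, log.splitlines()) if m and m.group('missing')]


def restore_points_before(log, cutoff):
    """Restore points older than `cutoff` ('YYYY-MM-DD HH:MM'), newest first, as (time, name)."""
    limit = datetime.strptime(cutoff, '%Y-%m-%d %H:%M')
    points = []
    for m in map(RP_RE.match, log.splitlines()):
        if m:
            when = datetime.strptime(m.group('when'), '%Y-%m-%d %H:%M')
            if when < limit:
                points.append((when, m.group('name').rsplit('\\', 1)[-1]))
    return sorted(points, reverse=True)


if __name__ == '__main__':
    result = triage_autoruns(SAMPLE_LOG)
    for f in result['suspicious']:
        print('SUSPICIOUS %s [%s] %s: %s' % (f['hive'], f['name'], f['path'], ', '.join(f['reasons'])))
    for f in result['missing']:
        print('MISSING    %s [%s] %s' % (f['hive'], f['name'], f['path']))
    for lnk, target in dangling_startup_shortcuts(SAMPLE_LOG):
        print('DANGLING   %s -> %s' % (lnk, target))
    for when, name in restore_points_before(SAMPLE_LOG, '2012-11-21 23:35'):
        print('RESTORE    %s %s' % (when, name))
```

On the excerpt, both the HKLM and the HKU\AL "Task Scheduler" values are flagged with all three indicators, the RTHDCPL value is reported as a missing image rather than as malicious, both Startup shortcuts are listed as dangling, and RP342, RP341 and RP340 are the candidates before the takeover time. A real log would be read from a file instead of `SAMPLE_LOG`; the parsing functions take the log text as a string so nothing else changes.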

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's try a restore point from the 19th

Restart the Reatogo desktop
Download fixlist.txt to the same location as FRST

Start FRST and press Fix
Once the fix has completed reboot to normal windows and run OTL


Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    winsock.*
    /md5stop
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

  • 0
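The OTL custom scan above wraps the core system binaries in `/md5start` ... `/md5stop`, and the FRST log earlier reports "MD5 is legit" for the same files: both compare the hash of the file on disk with a known-good value, because a boot-time hijack commonly replaces or patches one of these. The following is an added example of that check, written for this page; it is not OTL or FRST code and not the helper's. It builds a manifest of hashes from a trusted reference copy and verifies another tree against it, reporting each file as legit, modified or missing. The demo constructs both trees in temporary directories with placeholder contents (not real Windows binaries), so it runs anywhere; the file names are taken from the scan list. MD5 is the default to mirror the tools, but the algorithm is a parameter, and SHA-256 is the better choice for a baseline you create today.

```python
"""Verify core files against a known-good hash manifest.  Added example; not OTL/FRST code."""
import hashlib
import os
import tempfile

# Names taken from the /md5start ... /md5stop list in the OTL custom scan above.
CORE_FILES = ['services.exe', 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe']


def file_hash(path, algo='md5', chunk=65536):
    """Hash a file in chunks so large binaries do not need to be read into memory."""
    h = hashlib.new(algo)
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, names, algo='md5'):
    """Hash each named file under a trusted reference root; this is the baseline."""
    return {name: file_hash(os.path.join(root, name), algo) for name in names}


def verify_against_manifest(root, manifest, algo='md5'):
    """Compare the same names under another root with the baseline.

    Returns {name: 'legit' | 'modified' | 'missing'}, mirroring the
    'MD5 is legit' wording of the FRST check.
    """
    verdicts = {}
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            verdicts[name] = 'missing'
        elif file_hash(path, algo) == expected:
            verdicts[name] = 'legit'
        else:
            verdicts[name] = 'modified'
    return verdicts


def _write(root, name, data):
    with open(os.path.join(root, name), 'wb') as f:
        f.write(data)


def demo(algo='md5'):
    """Constructed scenario: a clean reference tree and a target tree in which
    userinit.exe has been altered and services.exe is gone.  Placeholder bytes
    stand in for the real binaries."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as target:
        for name in CORE_FILES:
            data = ('placeholder contents of %s' % name).encode()
            _write(clean, name, data)
            _write(target, name, data)
        # Simulated tampering: a few bytes appended to one file (constructed).
        _write(target, 'userinit.exe', b'placeholder contents of userinit.exe' + b'\x00patched')
        os.remove(os.path.join(target, 'services.exe'))
        manifest = build_manifest(clean, CORE_FILES, algo)
        return verify_against_manifest(target, manifest, algo)


if __name__ == '__main__':
    for name, verdict in sorted(demo().items()):
        print('%-14s %s' % (name, verdict))
```

In practice the manifest comes from a trusted source (a clean install of the same service pack, or a vendor-published hash list) and the tree being checked is the suspect drive mounted read-only from a boot CD such as the one used in this thread, so the hashes are computed without running anything from the infected system.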

#5
Aluckett

    Member

  • Topic Starter
  • Member
  • 14 posts
I've rerun the OTL scan after rebooting with the c:\ drive. I didn't see an "extras" file. I have attached the OTL.txt file.

However, I'm quite concerned about other observations I'm having. To boot Windows XP, I had to access the boot menu on startup. I don't recall this feature being prominent before, but there seem to be too many potential boot sources. The top choice is marked "WDC WD800JB-00JJA0" so that is the default from which the system will boot if no action is taken. The second is ST3160212A, which I thought was my hard drive when I selected the boot media. It booted successfully, with no indication of the process being diverted, but the desktop looks different from what I had before FBI Greendot, and many program choices are different from what I had before (even the prior choices were still screwed up from the aborted session we had in the summer). So, I went back in and booted from "WDC WD800JB-00JJA0". Currently the computer isn't connected to the internet. This boot process hangs up with a message that the system cannot access the internet. I believe the boot process off of "WDC WD800JB-00JJA0" is the one that is hijacked. What can I do so you can get a better look at what is going on there? I don't think our current OTL scan would have noted this (at least not much detail), as we concentrated on the drive from which we had loaded, yes? Recall I had mentioned before that due to prior disk failure and other tussles with viruses, I had a recovery disk and I believe another partition on the hard drive, and, unfortunately, a lot of garbage that hasn't been cleaned up. The OTL.txt indicates hard drives C:\, D:\ (recovery), and F:\. I can't see better identification of these drives in my efforts to explore, but I'm pretty sure that C:\ is ST3160212A and F:\ is "WDC WD800JB-00JJA0". The F:\ drive, unfortunately, does have many valuable data files, so I'll need to proceed very "surgically" with its contents when we try to clean it up.

I hope you can bear with me on this circus. Thanks, Al

Edited by Aluckett, 24 November 2012 - 08:22 PM.

  • 0

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
There is a way around this. Boot to the Reatogo desktop from the CD

  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Drag and drop this attached scan.txt into the Custom scans and fixes box
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

  • 0

#7
Aluckett

    Member

  • Topic Starter
  • Member
  • 14 posts
OK, I've tried to progress through the latest instructions.

Under Reatogo, the drive options displayed were C:\ and D:\. D:\ appears to be the one where I fear much virus still resides.

I did not get the "Do you wish to load the remote registry?" prompt. The queries went straight to remote user, where about 5 profiles were presented. I selected all.

This time around, I did get an "Extras" file. Both the OTL and the Extras are attached, file names appended with today's date.

Your last note, you're suggesting I should back up as much of D:\ as I think I need to keep? I hope we can get most program functionality back. I'm leery of having to re-install programs. If I have two Microsoft Offices but don't know which one loaded on which computer, can you help me retrieve product key or do other magic to be able to re-install?

Thanks much, and please advise next steps. Al

  • 0

#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
You can use this small programme to recover your MS license keys http://www.nirsoft.n...key_viewer.html

Could you load windows on the boot that works then go to Start > Run
Type in the following command :
diskmgmt.msc

Then extend the window so all drives are present and then determine which drive is the one with all data on.
The Reatogo desktop opened the C drive as the main windows drive
  • 0

#9
Aluckett

    Member

  • Topic Starter
  • Member
  • 14 posts
The diskmgmt.msc utility shows a C:\ drive, capacity 143.75 GB, 97.94 GB free space. Status says "Healthy (system)". A D:\ (recovery) drive has 5.28 GB with 2.24 GB free (Healthy). A drive marked F:\ has 74.52 GB with 49.63 GB free, and is described as "Healthy (active)". The Reatogo desktop seems to indicate different letters.

The F:\ drive had a lot of the applications and files that I was most recently using. In trying to help me recover from the earlier problems, I think the IT guy at my work loaded the company version of Microsoft Office there and made it a bootable partition, and I have many data files in this drive that still appear to be intact, and I don't want to lose. If I try to go into the program files and run programs from there, they will not run. Excel brings up an error dialog that says "The operating system is not configured to run this application". Malwarebytes brings up a "data type mismatch" error (maybe this happens because the programs are in F:\ and I am running an operating system from C:\?). I hope it's that "simple".

In the current C:\, which loads properly, the only items in the desktop are Mozilla Firefox (it works, as I am on that computer accessing Geekstogo to send this to you), Windows Media Player, and OTL and some of the data files we have worked with. When I try to access the Microsoft Office (2003) applications, it wants me to go through an initial install. These may be the trial versions bundled with the computer.

I went into the BIOS of this computer and changed the boot order of the hard drives so that ST3160212A is the first drive in the boot sequence and WDC WD800JB-00JJA0 is second. At least now if I'm not thinking about it I'll boot to something slightly usable.

Sorry, man, I feel like I'm spinning wheels here. How can I get you into this F:\ drive so we can get on with it? Thanks, Al

P.S. A couple of new notes from several hours later. I somehow have apparently managed to get into Safe Mode, from the infected drive. That routine I mentioned above to access Excel now does pull up the program. However, I can't really figure out what else to do. I'm trying to poke around the registry a little bit and look for files that another post is suggesting might be associated with FBI virus, but not getting anything. Also, I'm not sure that my changing the boot order of the two systems on the hard disk in the BIOS worked. It seems the bad drive is on top of the list again.

Edited by Aluckett, 26 November 2012 - 04:51 AM.

#10 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK from safe mode on the infected partition do the following
Once all infections are cleared, would you like assistance to organise the drives?

  • Download RogueKiller and save it on your desktop.

    NOTE: If using IE8 or better Smartscreen Filter will need to be disabled
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    winsock.*
    /md5stop
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

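The scan requested above writes its findings in OTL's fixed line format (SRV/DRV service lines, O20 Winlogon lines). The following triage helper is an added example for this thread, not OTL's own code and not something a participant posted: it parses those lines and flags the three things a helper reads first. Its sample lines are copied from the OTL log posted later in this thread plus one constructed Winlogon line (the PLACEHOLDER path), and the Windows XP defaults assume %SystemRoot% = C:\WINDOWS as the posted log reports.

```python
"""Triage helper for OTL (OldTimer's List-It) log lines.

Added example for this thread; not OTL's code and not posted by a participant.
Flags: service entries whose file no longer exists, auto-start services with
no company name, and Winlogon Shell/UserInit values beyond the XP defaults.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "SRV - [stamp] (Company) [Start | State] -- path -- (Name)"  or
# "SRV - File not found [Start | State] -- path -- (Name)"; DRV lines carry an
# extra leading "Kernel" flag and may have an empty path ("-- -- (Name)").
SERVICE_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:\[(?P<stamp>[^\]]*)\] \((?P<company>[^)]*)\)|(?P<missing>File not found)) "
    r"\[(?P<flags>[^\]]*)\] --(?: (?P<path>.*?))? -- \((?P<name>[^)]*)\)$"
)
# "O20 - HKLM Winlogon: Shell - (registry value) - resolved file (Company)"
WINLOGON_RE = re.compile(
    r"^O20 - HKLM Winlogon: (?P<value>Shell|UserInit) - \((?P<data>[^)]*)\) - (?P<rest>.*)$"
)
# Windows XP defaults, assuming %SystemRoot% = C:\WINDOWS as the posted log reports.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}
# Sample input: lines copied from the OTL log posted in this thread, plus one
# CONSTRUCTED Winlogon line (the PLACEHOLDER path) showing an added Shell entry.
SAMPLE_LOG = r"""
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/09/13 08:26:52 | 001,006,448 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\dmwu.exe -- (WebOptimizer)
SRV - [2008/04/14 05:41:52 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe,C:\Documents and Settings\AL\Application Data\PLACEHOLDER.exe) - File not found
"""


@dataclass
class Finding:
    severity: str  # "suspect" (look at it now) or "review" (orphaned entry, clean up)
    item: str      # service name or Winlogon value name
    reason: str


def parse_service(line: str) -> Optional[dict]:
    """Return the fields of one SRV/DRV line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    flags = [f.strip() for f in m.group("flags").split("|")]
    return {
        "kind": m.group("kind"),
        "name": m.group("name"),
        "path": m.group("path") or "",
        "company": (m.group("company") or "").strip(),
        "missing": m.group("missing") is not None,
        "start": flags[-2] if len(flags) >= 2 else "",  # start mode precedes the state
    }


def check_service(svc: dict) -> Optional[Finding]:
    """Orphaned entries go on the clean-up list; nameless auto-start binaries get a hard look."""
    if svc["missing"]:
        return Finding("review", svc["name"],
                       f"{svc['kind']} entry points at a file that no longer exists")
    if svc["start"] == "Auto" and not svc["company"]:
        return Finding("suspect", svc["name"],
                       f"auto-start {svc['kind']} with no company name: {svc['path']}")
    return None


def check_winlogon(line: str) -> Optional[Finding]:
    """Flag any Shell/UserInit entry that is not part of the XP default value."""
    m = WINLOGON_RE.match(line.strip())
    if not m:
        return None
    value = m.group("value")
    entries = {e.strip().lower() for e in m.group("data").split(",") if e.strip()}
    extra = entries - WINLOGON_DEFAULTS[value.lower()]
    if extra:
        return Finding("suspect", value,
                       "Winlogon value carries non-default entries: " + ", ".join(sorted(extra)))
    return None


def triage(log_text: str) -> List[Finding]:
    """Run both checks over every line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_service(line)
        finding = check_service(svc) if svc else check_winlogon(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.item}: {f.reason}")
```

Run against the sample, it lists HidServ and WDICA for clean-up, WebOptimizer (dmwu.exe, no company name, auto-start) as suspect, and the constructed extra Shell entry as suspect, while the default Shell and UserInit lines pass.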

#11 Aluckett (Member, Topic Starter, 14 posts)
OK, here is hoping I did everything all right. I don't know well enough what I'm looking at but some of the entries in the OTL text look ominous. I hope I'm wrong.... I have attached three RK files (though only two items showing, all in the Registry tab) and the OTL log.

It seems a bit much to ask, but, yes, I think some help on cleanup, eventually, would be a good idea. Thanks for your patience. Al

OTL logfile created on: 11/27/2012 12:51:13 AM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator.AL-PC\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

893.59 Mb Total Physical Memory | 695.91 Mb Available Physical Memory | 77.88% Memory free
2.12 Gb Paging File | 1.99 Gb Available in Paging File | 93.82% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 49.36 Gb Free Space | 66.24% Space Free | Partition Type: NTFS
Drive E: | 143.75 Gb Total Space | 99.22 Gb Free Space | 69.02% Space Free | Partition Type: NTFS
Drive F: | 5.28 Gb Total Space | 2.24 Gb Free Space | 42.44% Space Free | Partition Type: FAT32
Drive K: | 998.00 Mb Total Space | 652.25 Mb Free Space | 65.36% Space Free | Partition Type: FAT32

Computer Name: AL-PC | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/27 00:48:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.AL-PC\Desktop\OTL.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/10/24 12:50:38 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/09/13 08:26:52 | 001,006,448 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\dmwu.exe -- (WebOptimizer)
SRV - [2012/08/20 10:09:06 | 000,188,760 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
SRV - [2012/08/03 15:22:18 | 000,352,248 | ---- | M] (Verizon) [Auto | Stopped] -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe -- (IHA_MessageCenter)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1.AL-\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2008/04/13 22:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139)
DRV - [2005/09/23 18:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2005/07/22 11:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 11:01:10 | 000,231,168 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/07/22 11:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {35CE37D6-BD17-4CD9-8B38-10991C734297}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{35CE37D6-BD17-4CD9-8B38-10991C734297}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-299502267-1482476501-839522115-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-299502267-1482476501-839522115-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-299502267-1482476501-839522115-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 68 EA 5F 80 CB CD 01 [binary data]
IE - HKU\S-1-5-21-299502267-1482476501-839522115-500\..\SearchScopes,DefaultScope = {35CE37D6-BD17-4CD9-8B38-10991C734297}
IE - HKU\S-1-5-21-299502267-1482476501-839522115-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKU\S-1-5-21-299502267-1482476501-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox [2012/08/22 12:45:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/11/12 10:55:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/11/25 21:32:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.AL-PC\Application Data\Mozilla\Extensions
[2012/11/12 10:55:31 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/10/24 12:50:58 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/10/24 12:50:17 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/24 12:50:17 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://www.google.com
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.64\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.64\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.64\pdf.dll
CHR - plugin: Injovo Extension Plugin (Enabled) = C:\Documents and Settings\Administrator.AL-PC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd\2.0.0.478_0\npbrowserext.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: Google Drive = C:\Documents and Settings\Administrator.AL-PC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\
CHR - Extension: Google Drive = C:\Documents and Settings\Administrator.AL-PC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Documents and Settings\Administrator.AL-PC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\Administrator.AL-PC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Web Assistant = C:\Documents and Settings\Administrator.AL-PC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd\2.0.0.478_0\
CHR - Extension: Gmail = C:\Documents and Settings\Administrator.AL-PC\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/07/11 23:55:30 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll (Google Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - Startup: C:\Documents and Settings\AL\Start Menu\Programs\Startup\Dropbox.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-1482476501-839522115-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-299502267-1482476501-839522115-500\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-299502267-1482476501-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-299502267-1482476501-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-299502267-1482476501-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.252.0.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5BBE297A-591D-4E6C-8592-DC87B2EEA02F}: DhcpNameServer = 192.168.1.1 71.252.0.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop BackupWallPaper:
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/11/15 10:58:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/06/17 04:41:16 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Unable to start System Restore Service. Error code 10

========== Files/Folders - Created Within 30 Days ==========

[2012/11/27 00:35:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.AL-PC\Desktop\RK_Quarantine
[2012/11/27 00:11:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.AL-PC\My Documents\Downloads
[2012/11/26 13:16:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.AL-PC\Local Settings\Application Data\Google
[2012/11/26 07:43:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.AL-PC\Local Settings\Application Data\Temp
[2012/11/25 21:32:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.AL-PC\Local Settings\Application Data\Mozilla
[2012/11/25 21:32:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.AL-PC\Application Data\Mozilla
[2012/11/25 20:45:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.AL-PC\Application Data\Windows Search
[2012/11/23 20:38:03 | 000,000,000 | ---D | C] -- C:\FRST
[2012/11/12 10:55:32 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/11/12 10:55:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla

========== Files - Modified Within 30 Days ==========

[2012/11/27 00:48:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.AL-PC\Desktop\OTL.exe
[2012/11/27 00:26:41 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/11/27 00:11:34 | 000,752,128 | ---- | M] () -- C:\Documents and Settings\Administrator.AL-PC\Desktop\RogueKiller.exe
[2012/11/26 13:16:09 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/11/26 09:01:45 | 000,000,746 | ---- | M] () -- C:\Documents and Settings\Administrator.AL-PC\Desktop\Shortcut to WINWORD.lnk
[2012/11/25 20:43:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/11/25 19:17:24 | 000,000,874 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/11/23 20:21:10 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/11/20 23:13:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/11/16 08:04:45 | 000,192,184 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/11/16 07:35:19 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/11/14 09:29:22 | 000,456,342 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/11/14 09:29:22 | 000,075,248 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/11/12 10:55:34 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/11/07 21:28:29 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2012/10/29 16:48:04 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/10/29 16:48:04 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2012/11/27 00:11:33 | 000,752,128 | ---- | C] () -- C:\Documents and Settings\Administrator.AL-PC\Desktop\RogueKiller.exe
[2012/11/26 09:01:45 | 000,000,746 | ---- | C] () -- C:\Documents and Settings\Administrator.AL-PC\Desktop\Shortcut to WINWORD.lnk
[2012/11/12 10:55:34 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/11/12 10:55:34 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/08/22 12:45:28 | 001,006,448 | ---- | C] () -- C:\WINDOWS\System32\dmwu.exe
[2012/08/22 12:45:28 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\ImHttpComm.dll
[2012/06/16 19:16:58 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/06/16 19:16:58 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/06/16 19:16:58 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/06/16 19:16:58 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/06/16 19:16:58 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/06/15 04:02:49 | 000,767,928 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll0616.old
[2012/03/31 11:30:10 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
[2012/02/15 08:11:58 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/14 03:05:32 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/12/08 21:08:32 | 000,032,768 | ---- | C] () -- C:\WINDOWS\unvise32.dll
[2011/11/27 18:41:39 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/15 11:01:11 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/11/15 10:55:54 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/11/15 04:46:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/11/15 04:45:20 | 000,192,184 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== ZeroAccess Check ==========

[2012/07/07 10:10:45 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2011/09/05 08:56:22 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\System32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 05:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

========== Base Services ==========
SRV - [2008/04/14 05:42:14 | 000,044,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\alg.exe -- (ALG)
SRV - [2008/04/14 05:42:12 | 000,006,656 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/14 05:42:04 | 000,409,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2012/07/06 08:58:51 | 000,078,336 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/14 05:41:52 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/14 05:41:52 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2009/04/20 12:17:26 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2008/04/14 05:41:54 | 000,033,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)
SRV - [2009/07/27 18:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/14 05:42:10 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2008/04/14 05:42:24 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/14 05:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/14 05:41:54 | 000,023,552 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/14 05:42:18 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/14 05:42:18 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/14 05:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/14 05:42:02 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\mswsock.dll -- (Nla)
SRV - [2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2010/08/17 08:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/14 05:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/14 05:42:04 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/14 05:42:04 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2009/02/09 07:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs)
SRV - [2008/04/14 05:42:04 | 000,435,200 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/14 05:42:06 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/14 05:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
SRV - [2008/04/14 05:42:12 | 000,080,896 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc)
SRV - [2010/08/27 00:57:43 | 000,099,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)
SRV - [2009/07/27 18:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/14 05:42:08 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/14 05:42:06 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/14 05:41:58 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/14 05:42:08 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/14 05:42:08 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2009/07/27 18:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/14 05:42:40 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/14 05:41:52 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
SRV - [2008/04/14 05:41:56 | 000,331,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess)
SRV - [2008/04/14 05:42:10 | 000,333,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc)
SRV - [2008/04/14 05:42:30 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/14 05:42:10 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2009/02/09 07:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi)
SRV - [2008/04/14 05:41:54 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)
SRV - [2008/04/14 05:42:12 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2009/06/10 01:14:49 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)

< %SYSTEMDRIVE%\*.exe >
[2012/06/15 04:58:06 | 002,127,448 | ---- | M] (Kaspersky Lab ZAO) -- C:\TDSSKiller.exe

< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\erdnt\cache\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2003/03/31 07:00:00 | 001,004,032 | ---- | M] (Microsoft Corporation) MD5=A82B28BFC2E4455FE43022A498C0EF0A -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: SERVICES >
[2003/03/31 07:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services

< MD5 for: SERVICES.CFG >
[2012/07/27 15:51:34 | 000,586,083 | ---- | M] () MD5=6DE4EA437EC1FE6DB27CADB0A7EA8DC2 -- C:\Program Files\Adobe\Reader 10.0\Reader\Services\Services.cfg
[2011/06/06 11:55:30 | 000,584,045 | R--- | M] () MD5=B82DD53FA8C260DDD7FDC42182DB816E -- C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\services.cfg

< MD5 for: SERVICES.EXE >
[2009/02/06 06:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/14 05:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe
[2008/04/14 05:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\erdnt\cache\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
[2003/03/31 07:00:00 | 000,101,376 | ---- | M] (Microsoft Corporation) MD5=E3DF4A0252D287C44606EE55355E1623 -- C:\WINDOWS\$NtServicePackUninstall$\services.exe

< MD5 for: SERVICES.MSC >
[2003/03/31 07:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc

< MD5 for: SVCHOST.EXE >
[2003/03/31 07:00:00 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=0F7D9C87B0CE1FA520473119752C6F79 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\erdnt\cache\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2012/09/29 18:54:26 | 000,218,184 | ---- | M] () MD5=8846E87210AD131CF71E3E2E49F647B0 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\erdnt\cache\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
[2003/03/31 07:00:00 | 000,022,016 | ---- | M] (Microsoft Corporation) MD5=E931E0A2B8BF0019DB902E98D03662CB -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe

< MD5 for: WINLOGON.EXE >
[2003/03/31 07:00:00 | 000,516,608 | ---- | M] (Microsoft Corporation) MD5=2246D8D8F4714A2CEDB21AB9B1849ABB -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/09/29 18:54:26 | 000,218,184 | ---- | M] () MD5=8846E87210AD131CF71E3E2E49F647B0 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\erdnt\cache\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WINSOCK.DLL >
[2003/03/31 07:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) MD5=68485C5EF0E2EFCEBF21BBB1042B823B -- C:\WINDOWS\system32\dllcache\winsock.dll
[2003/03/31 07:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) MD5=68485C5EF0E2EFCEBF21BBB1042B823B -- C:\WINDOWS\system32\winsock.dll

< End of report >

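The "< MD5 for: ... >" sections in the report above are there so the helper can compare the live copy of each core Windows binary against the pristine copies Windows keeps in dllcache and ServicePackFiles, and spot copies with no publisher sitting outside the Windows directory (here the Malwarebytes Chameleon renamed executables). The script below is an added example of that check, not part of this thread or of OTL; its SVCHOST.EXE block is copied from the report, while the USERINIT.EXE block is constructed with a placeholder hash to simulate a replaced system file.

```python
import re
from collections import defaultdict

# Constructed sample in OTL's "< MD5 for: NAME >" format. The SVCHOST.EXE
# block is taken from the thread's report; the USERINIT.EXE block is made up
# (placeholder hash, no publisher) to simulate a replaced live copy.
SAMPLE = """\
< MD5 for: SVCHOST.EXE >
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\\WINDOWS\\ServicePackFiles\\i386\\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\\WINDOWS\\system32\\svchost.exe
[2012/09/29 18:54:26 | 000,218,184 | ---- | M] () MD5=8846E87210AD131CF71E3E2E49F647B0 -- C:\\Program Files\\Malwarebytes' Anti-Malware\\Chameleon\\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\\WINDOWS\\system32\\dllcache\\userinit.exe
[2012/10/01 09:00:00 | 000,031,744 | ---- | M] () MD5=00000000000000000000000000000000 -- C:\\WINDOWS\\system32\\userinit.exe
"""

HEADER = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
ENTRY = re.compile(r"^\[.*?\]\s*\((?P<vendor>[^)]*)\)\s*MD5=(?P<md5>[0-9A-F]{32})\s*--\s*(?P<path>.+)$")
# Locations where Windows keeps pristine copies of its own binaries.
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")

def parse_md5_sections(text):
    """Return {FILENAME: [(vendor, md5, path), ...]} from an OTL report."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        if m := HEADER.match(line.strip()):
            current = m["name"].upper()
        elif current and (m := ENTRY.match(line.strip())):
            sections[current].append((m["vendor"], m["md5"], m["path"]))
    return sections

def check_system_copies(sections):
    """Flag live system32 copies whose hash matches no cached reference copy,
    and copies with no publisher that live outside the Windows directory."""
    findings = []
    for name, entries in sections.items():
        reference = {md5 for _, md5, p in entries
                     if any(d in p.lower() for d in REFERENCE_DIRS)}
        for vendor, md5, path in entries:
            lp = path.lower()
            if lp.endswith("\\windows\\system32\\" + name.lower()) and md5 not in reference:
                findings.append(f"{name}: live copy {path} (publisher '{vendor}') "
                                f"MD5 {md5} matches no cached reference copy")
            elif not vendor and "\\windows\\" not in lp:
                findings.append(f"{name}: copy with no publisher outside Windows at "
                                f"{path}; confirm it belongs to an installed product")
    return findings

if __name__ == "__main__":
    for finding in check_system_copies(parse_md5_sections(SAMPLE)):
        print(finding)
```

Run against a full OTL log, the first kind of finding is the one that matters for a lock-screen infection; the second is usually a security product's own renamed copies, as with Chameleon here.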

#12 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
After this has run, could you try to go to normal Windows on the affected drive and let me know the result? If a blue screen appears, could you make a quick note of the driver referenced?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
SRV - [2012/09/13 08:26:52 | 001,006,448 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\dmwu.exe -- (WebOptimizer)
SRV - [2012/08/20 10:09:06 | 000,188,760 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

:Files
C:\Program Files\Web Assistant

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


#13 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#14 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
User returned

#15 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.