
Your pc is locked! [Solved]


#1 DrkMachine (Member, 126 posts)

When I boot the computer I have a full-screen ad with all this legal-looking info, citing that I am in violation of laws, etc., etc., and it will not allow me to do anything without paying 300.00 (*cough* not happening *cough*). And moments later it shuts my system down. Anyhow, here is the OTL.

OTL:

OTL logfile created on: 11/17/2014 6:31:59 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
958.48 Mb Total Physical Memory | 233.11 Mb Available Physical Memory | 24.32% Memory free
2.26 Gb Paging File | 1.60 Gb Available in Paging File | 71.02% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 224.68 Gb Total Space | 161.12 Gb Free Space | 71.71% Space Free | Partition Type: NTFS
Drive D: | 8.18 Gb Total Space | 0.53 Gb Free Space | 6.47% Space Free | Partition Type: FAT32
 
Computer Name: PIGOTT1 | User Name: Compaq_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014/11/17 18:31:34 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\OTL(1).exe
PRC - [2014/10/11 18:28:05 | 000,275,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2014/07/11 15:14:20 | 000,118,272 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
PRC - [2014/07/11 14:58:08 | 007,241,728 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
PRC - [2013/12/03 10:53:04 | 000,771,344 | ---- | M] (iolo technologies, LLC) -- C:\Program Files\iolo\System Mechanic Professional\ioloGovernor.exe
PRC - [2013/12/03 09:59:32 | 001,168,960 | ---- | M] (iolo technologies, LLC) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
PRC - [2013/04/26 16:32:00 | 001,815,248 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
PRC - [2013/04/25 00:30:16 | 004,443,912 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2013/04/25 00:29:50 | 009,478,352 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cis.exe
PRC - [2013/04/15 17:38:18 | 003,012,816 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
PRC - [2012/01/18 05:44:52 | 000,450,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
PRC - [2010/05/18 14:13:58 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2010/05/07 17:35:22 | 000,165,208 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
PRC - [2010/04/02 09:18:54 | 001,185,112 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
PRC - [2010/03/24 20:50:00 | 002,516,296 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009/10/28 16:11:32 | 000,117,288 | R--- | M] (Authentium, Inc) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/09 01:27:52 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2005/08/02 17:19:16 | 000,077,312 | ---- | M] (Microsoft) -- C:\WINDOWS\arpwrmsg.exe
PRC - [2005/08/02 17:19:16 | 000,058,880 | ---- | M] (Microsoft) -- C:\WINDOWS\arservice.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/10/11 18:27:35 | 003,715,184 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2014/02/01 12:30:46 | 000,861,184 | ---- | M] () -- C:\Program Files\LeapFrog\LeapFrog Connect\platforms\qwindows.dll
MOD - [2010/05/07 17:37:40 | 000,126,808 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QJpeg4.dll
MOD - [2010/05/07 17:37:40 | 000,027,480 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QGif4.dll
MOD - [2010/05/07 17:36:54 | 000,340,824 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTXml4.dll
MOD - [2010/05/07 17:36:20 | 000,921,944 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QtNetwork4.dll
MOD - [2010/05/07 17:35:56 | 007,954,776 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTGui4.dll
MOD - [2010/05/07 17:35:44 | 002,143,576 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTCore4.dll
MOD - [2010/03/19 09:45:36 | 007,745,536 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtGui4.dll
MOD - [2010/03/19 09:45:36 | 002,121,728 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtCore4.dll
MOD - [2010/03/19 09:45:36 | 000,135,168 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll
MOD - [2010/02/09 16:05:50 | 000,034,816 | ---- | M] () -- C:\Program Files\iolo\Common\Lib\Aquarius.dll
MOD - [2005/08/02 17:19:16 | 000,050,176 | ---- | M] () -- C:\WINDOWS\armcex.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2014/10/11 18:27:37 | 000,114,288 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2014/07/11 14:58:08 | 007,241,728 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto | Running] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2013/12/14 09:34:35 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/12/03 09:59:32 | 001,168,960 | ---- | M] (iolo technologies, LLC) [Auto | Stopped] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
SRV - [2013/12/03 09:59:32 | 001,168,960 | ---- | M] (iolo technologies, LLC) [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloFileInfoList)
SRV - [2013/10/08 07:48:23 | 000,182,696 | ---- | M] (Oracle Corporation) [Disabled | Stopped] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2013/04/25 00:30:16 | 004,443,912 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2013/04/15 17:38:20 | 000,127,184 | ---- | M] (COMODO) [On_Demand | Stopped] -- C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe -- (cmdvirth)
SRV - [2012/01/18 05:44:52 | 000,450,848 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2010/05/18 14:13:58 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2010/05/07 17:47:32 | 000,162,648 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2009/10/28 16:11:34 | 000,113,192 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe -- (vseqrts)
SRV - [2009/10/28 16:11:32 | 000,117,288 | R--- | M] (Authentium, Inc) [Auto | Running] -- C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe -- (vsedsps)
SRV - [2009/10/28 16:11:26 | 000,092,712 | R--- | M] (Authentium, Inc) [Auto | Stopped] -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe -- (vseamps)
SRV - [2009/03/27 21:10:56 | 000,014,336 | ---- | M] (LSI Corporation) [Disabled | Stopped] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2007/08/09 01:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/08/02 17:19:16 | 000,058,880 | ---- | M] (Microsoft) [Auto | Running] -- C:\WINDOWS\arservice.exe -- (ARSVC)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | Boot | Stopped] -- system32\DRIVERS\ftsata2.sys -- (ftsata2)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2013/04/25 10:05:22 | 000,099,392 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\inspect.sys -- (Inspect)
DRV - [2013/04/15 17:39:00 | 000,592,384 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdGuard.sys -- (cmdGuard)
DRV - [2013/04/15 17:39:00 | 000,032,816 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2013/04/15 17:39:00 | 000,018,528 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmderd.sys -- (cmderd)
DRV - [2012/07/26 09:01:28 | 000,068,464 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\PDFsFilter.sys -- (PDFsFilter)
DRV - [2012/01/18 05:44:52 | 004,332,960 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC)
DRV - [2012/01/18 05:44:28 | 000,312,096 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2010/07/27 02:15:20 | 000,023,904 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2010/05/07 17:43:30 | 000,025,824 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2009/10/28 16:25:42 | 000,122,408 | R--- | M] (Authentium, Inc) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\amp.sys -- (AMP)
DRV - [2009/10/28 16:25:40 | 001,117,224 | R--- | M] (Authentium, Inc) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ampse.sys -- (AMPSE)
DRV - [2009/09/23 09:41:58 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/08/13 14:07:12 | 001,163,328 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/02/11 11:40:40 | 005,028,352 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2008/04/17 10:45:38 | 000,009,341 | ---- | M] (iolo technologies, LLC (based on original work by Bo Brantén)) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\filedisk.sys -- (FileDisk)
DRV - [2008/04/17 10:36:02 | 000,039,424 | ---- | M] (iolo technologies, LLC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\xpacket.sys -- (XPacket)
DRV - [2006/03/03 08:31:04 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/03 08:31:02 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/12/12 16:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/03/09 08:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/08/03 08:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139)
DRV - [2004/06/26 13:22:00 | 000,006,016 | ---- | M] (RDV Soft) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vnccom.SYS -- (vnccom)
DRV - [2004/06/26 13:22:00 | 000,004,736 | ---- | M] (RDV Soft) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vncdrv.sys -- (vncdrv)
DRV - [2004/04/01 16:30:46 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ARIO&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ARIO&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKCU\..\SearchScopes,DefaultScope = {F0DD6273-8CF6-461A-B104-A9E954EDB7D4}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{F0DD6273-8CF6-461A-B104-A9E954EDB7D4}: "URL" = http://www.google.co...1I7HPIC_enUS316
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:32.0.3
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2321: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2379: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1483: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 32.0.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 32.0.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2014/10/11 18:26:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Components: C:\Program Files\Netscape\Netscape Browser\Components [2007/08/02 14:50:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Plugins: C:\Program Files\Netscape\Netscape Browser\Plugins [2008/09/14 17:19:38 | 000,000,000 | ---D | M]
 
[2008/11/21 21:02:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Extensions
[2014/07/29 18:27:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\tiys9hen.default\extensions
[2013/12/31 21:44:52 | 000,020,591 | ---- | M] () (No name found) -- C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\tiys9hen.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2014/10/11 18:25:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014/10/11 18:28:13 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
========== Chrome  ==========
 
CHR - homepage: http://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.95\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.95\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.95\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: CANON iMAGE GATEWAY Album Plugin Utility (Enabled) = C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
CHR - plugin: DivX Player Netscape Plugin (Enabled) = C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Web Player\npdivx32.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 7 U25 (Enabled) = C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.250.17 (Enabled) = C:\WINDOWS\system32\npDeployJava1.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit)  (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
CHR - Extension: YouTube = C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2010/03/24 15:23:52 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlwaysReady Power Message APP] C:\WINDOWS\arpwrmsg.exe (Microsoft)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe (COMODO)
O4 - HKLM..\Run: [DISCover] C:\Program Files\DISC\discover.exe ()
O4 - HKLM..\Run: [ioloGovernor] C:\Program Files\iolo\System Mechanic Professional\ioloGovernor.exe (iolo technologies, LLC)
O4 - HKLM..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\nerocheck.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKCU..\Run: [ChromeUpdate] C:\Documents and Settings\Compaq_Administrator\Application Data\ChromeUpdate.exe (NirSoft)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: DisableCAD = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\iolo\Common\Firewall\iFW_Xfilter.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\iolo\Common\Firewall\iFW_Xfilter.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\System32\iavlsp.dll (iolo technologies, LLC)
O15 - HKLM\..Trusted Domains: trymedia.com ([]https in Trusted sites)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by139fd.bay13...es/MsnPUpld.cab (Reg Error: Key error.)
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} https://www.kidsvisi...s/KiddieCam.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Reg Error: Key error.)
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} http://zone.msn.com/...he.cab79352.cab (MSN Games – Texas Holdem Poker)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...k.cab102118.cab (MSN Games - Installer)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220 208.67.222.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{29A24016-B1E5-4806-BF69-2EE4B39B86CD}: DhcpNameServer = 208.67.222.222 208.67.220.220 208.67.222.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\All Users\Application Data\3V6agga3\3V6agga3.exe -sm) -  File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/30 15:02:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 15:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{56937a7b-35ad-11e2-8e58-001731e00ade}\Shell - "" = AutoRun
O33 - MountPoints2\{56937a7b-35ad-11e2-8e58-001731e00ade}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{56937a7b-35ad-11e2-8e58-001731e00ade}\Shell\AutoRun\command - "" = J:\setup.exe -a
O34 - HKLM BootExecute: (ጳ렘չ)
O34 - HKLM BootExecute: (䚰ć)
O34 - HKLM BootExecute: ()
O34 - HKLM BootExecute: (穌љ䚰ć)
O34 - HKLM BootExecute: ()
O34 - HKLM BootExecute: (篌љ䚰ć)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/10/21 05:04:33 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Report
[2014/08/30 06:30:41 | 000,600,576 | ---- | C] (NirSoft) -- C:\Documents and Settings\Compaq_Administrator\Application Data\ChromeUpdate.exe
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014/11/17 18:39:00 | 000,000,452 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{349D8EE6-C55F-4E3C-8111-E70966654159}.job
[2014/11/17 18:29:36 | 000,000,440 | ---- | M] () -- C:\WINDOWS\tasks\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85}.job
[2014/11/17 18:29:02 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2014/11/17 18:25:53 | 000,043,531 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2014/11/17 18:25:19 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1ce42fd1f257752.job
[2014/11/17 18:25:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2014/11/17 18:24:59 | 1005,113,344 | -HS- | M] () -- C:\hiberfil.sys
[2014/11/17 15:13:53 | 000,000,018 | -H-- | M] () -- C:\SYSREST
[2014/10/22 05:24:40 | 000,000,448 | ---- | M] () -- C:\WINDOWS\System32\iolo.ini
[2014/10/22 05:22:02 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2014/10/21 06:13:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2014/10/21 06:04:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014/11/17 15:13:53 | 000,000,018 | -H-- | C] () -- C:\SYSREST
[2014/07/25 08:55:35 | 000,000,448 | ---- | C] () -- C:\WINDOWS\System32\iolo.ini
[2013/11/04 22:04:48 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Application Data\default.rss
[2013/07/13 09:10:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\4jebdje.dat
[2013/06/18 21:38:24 | 000,003,048 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\lbrt.js
[2013/06/18 21:38:22 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\lbrt.pad
[2013/04/29 15:09:40 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Application Data\skype.ini
[2011/06/23 19:14:46 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/23 19:07:09 | 000,000,143 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\fusioncache.dat
[2008/12/12 17:48:42 | 000,000,172 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
[2008/01/27 05:44:02 | 000,000,167 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\default.pls
[2007/03/28 19:40:31 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Compaq_Administrator\Application Data\$_hpcst$.hpc
 
========== ZeroAccess Check ==========
 
[2005/08/30 14:58:26 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 18:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 06:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 18:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2013/12/30 21:38:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\3V6agga3
[2008/01/19 18:14:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Audible
[2011/08/10 19:33:56 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2011/08/10 20:15:06 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonEPP
[2013/01/06 18:57:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJ
[2013/12/08 16:27:13 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEPPEX
[2011/08/10 20:15:06 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEPPEX2
[2011/08/10 19:55:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMSetup
[2011/08/10 20:15:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
[2014/11/17 13:18:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
[2011/10/16 08:19:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2011/08/10 20:15:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJSolutionMenuEX
[2011/08/10 19:49:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJWSpt
[2006/05/04 21:07:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Digital Interactive Systems Corporation
[2007/02/26 16:30:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Global Software Publishing
[2013/05/07 21:09:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2013/12/30 22:05:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2013/12/30 21:51:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ioloGovernor
[2012/12/25 12:54:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog
[2008/08/03 16:20:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2007/01/01 21:31:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2013/05/08 18:40:00 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Shared Space
[2013/12/08 16:32:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Canon
[2012/12/14 17:05:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Canon Easy-WebPrint EX
[2006/08/28 22:48:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\funkitron
[2013/12/08 16:21:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Image Zone Express
[2008/11/15 18:21:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\iolo
[2013/12/30 21:50:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\ioloGovernor
[2007/09/23 17:05:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Leadertech
[2006/08/30 16:50:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\MSNInstaller
[2007/08/02 14:50:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Netscape
[2008/12/12 17:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Template
[2007/01/27 19:44:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Trevoli
[2008/05/17 12:42:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\WinBatch
[2013/12/31 18:37:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Administrator\Application Data\Windows Desktop Search
 
========== Purity Check ==========
 
 

< End of report >
 


#2 Teima (Member, 833 posts)
Hello DrkMachine, 
 
My name is Teima and I'll be happy to assist you with this issue. Before we commence, I'd like to ask that you give careful thought to the points I've listed below, as they will be beneficial to the guidance I'll present to you here on Geekstogo. :)
 
Notes before we commence:
  • It's important that you reply within four days. If you haven't replied within that time, the thread will be closed.
  • As the process of malware removal is often challenging, please bear in mind that it may take multiple replies to resolve the issue or issues present.
  • If you are uncertain about any of the steps I present to you, please feel free to ask me for further clarification.
  • It's important that you don't use tools which have been recommended for other users of the forum; failure to follow these guidelines will most likely result in an unbootable machine.
  • These steps only apply to the user "DrkMachine". If you're reading this thread and require assistance, then read this thread and follow the listed steps carefully.
  • The absence of symptoms does not necessarily mean that your system is clean. Please stick with me until I state that your system is clean.
  • If it's been a total of three days and you've yet to receive a response from me, please send me a reminder by clicking here and attaching the appropriate thread link so I can respond.
Extra
 
Please be patient with me as I am currently in training, and all of my responses to you have to be reviewed by my instructor before I post them. Just keep in mind that you get the advantage as you have two people examining your issue. Thanks for your consideration. :thumbsup:

#3 Teima (Member, 833 posts)
Hello DrkMachine. Thanks for your patience. Your machine appears to have a variant of a piece of malware called ransomware! Not to worry, I'll do my best to assist here. :) Also, top work for noting that this is indeed not legitimate and for not following through with their instructions.
  • Step One
    • Re-run OTL by right clicking and choosing Run as administrator;
    • Under the Custom Scans/Fixes Box copy and paste the following contents inside the quote box. (Do not include the word 'quote').

      :Commands
      [createrestorepoint]

      :OTL
      O4 - HKCU..\Run: [ChromeUpdate] C:\Documents and Settings\Compaq_Administrator\Application Data\ChromeUpdate.exe (NirSoft)
      O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\All Users\Application Data\3V6agga3\3V6agga3.exe -sm) - File not found
      O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No CLSID value found.
      O33 - MountPoints2\{56937a7b-35ad-11e2-8e58-001731e00ade}\Shell - "" = AutoRun
      O33 - MountPoints2\{56937a7b-35ad-11e2-8e58-001731e00ade}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{56937a7b-35ad-11e2-8e58-001731e00ade}\Shell\AutoRun\command - "" = J:\setup.exe -a
      O34 - HKLM BootExecute: (ጳ렘չ)
      O34 - HKLM BootExecute: (䚰ć)
      O34 - HKLM BootExecute: ()
      O34 - HKLM BootExecute: (穌љ䚰ć)
      O34 - HKLM BootExecute: ()
      O34 - HKLM BootExecute: (篌љ䚰ć)
      [2013/12/30 21:38:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\3V6agga3

      :Commands
      [EMPTYTEMP]

    • Click on "Run Fix" and let the program run unhindered;
    • Your PC will reboot automatically and a log will be opened;
    • Please post it in your next reply.
  • Step Two
    • Please download Farbar Recovery Scan Tool by Farbar to your Desktop from the link below.
      Download link for 32 bit system
      Download link for 64 bit system
    • Right-click on the program and choose Run as administrator;
    • Put tick-mark on all boxes under Whitelist and Optional Scan;
    • Click on Scan;
    • After the scan two notepad files will be opened --
      • FRST.txt;
      • Addition.txt
    • Copy and Paste the contents of the logs in your next reply.
  • Step Three
    Scan with IDTool

    Please download IDTool by Nathan and save the file to the desktop.
    It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.
    • Enter the IDTool directory, right-click on the IDTool icon and select Run as Administrator to start the tool.
    • IDTool needs Microsoft .NET Framework environment to work properly, so if prompted to download & install it please agree
    • Wait patiently until the tool will collect necessary data.
    • Once the main console is loaded, please press Rescan Computer and Generate a New Report
    • When prompted at the main bar that Rescan is completed, press Generate Text Friendly Report for Forums.
    • Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience
    Please include that contents in your next reply.


#4 Teima (Member, 833 posts)
Hello. Just checking to see if you require any assistance with the instructions as to which I have listed? :)

#5 DrkMachine (Topic Starter, 126 posts)

Sorry for the delay in my response. I was waiting for OTL to finish running but it seems to have hung up at

034 - HKLM BootExecute: ()

should I reboot and try again?



#6 Teima (Member, 833 posts)
Hi mate. Thanks for the response. Would you be able to attempt to run the fix a second time round? I would recommend waiting 30 minutes. If that doesn't fix it please let me know. :)

#7 DrkMachine (Topic Starter, 126 posts)

Well, it didn't work the second time either, and now it will not let me boot into safe mode. When I try, it just reboots the system around the point that the loading Windows screen should come up.



#8 Teima (Member, 833 posts)
> Well, it didn't work the second time either, and now it will not let me boot into safe mode. When I try, it just reboots the system around the point that the loading Windows screen should come up.

Hello DrkMachine. Not to worry. I have another alternative as to which we can attempt here. It appears as though the ransomware is wanting to put forward a fight. :)

Step One

  • Scan with Farbar Recovery Scan Tool

    Prerequisites:
    • A clean PC or an accessible user account; and
    • A flash-drive with at least 1GB storage.
    First Part:
    Second Part:
    • Connect the flash-drive to the infected PC;
    • Restart your PC;
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears;
    • Use the arrow keys to select Repair your computer;
    • From the language setting choose US and click Next;
    • Select the operating system you want repair and click Next;
    • Select your user-account and click Next;
    • You will enter into the System Recovery and will be presented the following options --
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    Third Part:
    • In the Command Prompt window type notepad and press Enter;
    • When the Notepad opens, go to File>Open>My Computer and take a mental note of the flash-drive letter;
    • In the Command Prompt window type e:\frst.exe(for 64-bit system type e:\frst64.exe)
      • Note: Replace e with the drive letter of your flash-drive
    • When the program starts, click on Scan;
    • A log named frst.txt will be created after the scan and will be saved in your flash-drive;
    • Copy and Paste the contents of the log in your next reply


#9 DrkMachine (Topic Starter, 126 posts)

Unfortunately this is Windows XP Media Center Edition, so there is no Repair your computer option in the advanced options menu. I can, however, select Return to OS Choices Menu and select Microsoft Windows Recovery Console, which gives me a command prompt. But when I run E:\frst.exe it tells me that it is not a recognized command. I did, however, get it to boot into a live CD with a MiniXP installed on it and got FRST to run from there. Here are the contents of the file.

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-11-2014
Ran by SYSTEM on MiniXP on 25-11-2014 23:33:06
Running from D:\
Platform: Microsoft Windows XP (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\Windows\RTHDCPL.EXE [18085888 2009-02-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] ()
HKLM\...\Run: [Monitor] => C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe [118272 2014-07-11] (LeapFrog Enterprises, Inc.)
HKLM\...\Run: [LWS] => C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe [165208 2010-05-07] (Logitech Inc.)
HKLM\...\Run: [ehTray] => C:\WINDOWS\ehome\ehtray.exe [64512 2005-08-05] (Microsoft Corporation)
HKLM\...\Run: [DISCover] => C:\Program Files\DISC\DISCover.exe [1077248 2006-03-16] ()
HKLM\...\Run: [CanonSolutionMenuEx] => C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2516296 2010-03-25] (CANON INC.)
HKLM\...\Run: [AlwaysReady Power Message APP] => C:\Windows\ARPWRMSG.EXE [77312 2005-08-02] (Microsoft)
HKLM\...\Run: [Alcmtr] => C:\Windows\ALCMTR.EXE [57344 2008-06-19] (Realtek Semiconductor Corp.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [3012816 2013-04-15] (COMODO)
HKLM\...\Run: [ioloGovernor] => C:\Program Files\iolo\System Mechanic Professional\ioloGovernor.exe [771344 2013-12-03] (iolo technologies, LLC)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\Administrator\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
HKU\Compaq_Administrator\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2010-03-19] (Hewlett-Packard Company)
HKU\Compaq_Administrator\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
HKU\Default User\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk
ShortcutTarget: Pin.lnk -> C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
BootExecute: 䚰ć##穌љ䚰ć##篌љ䚰ć#

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-28] (LSI Corporation)
S2 ARSVC; C:\WINDOWS\arservice.exe [58880 2005-08-02] (Microsoft)
S2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [4443912 2013-04-25] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [127184 2013-04-15] (COMODO)
S2 HidServ; C:\Windows\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
S2 ioloFileInfoList; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [1168960 2013-12-03] (iolo technologies, LLC)
S2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [1168960 2013-12-03] (iolo technologies, LLC)
S4 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2013-10-08] (Oracle Corporation)
S2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
S2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)
S2 vseamps; C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe [92712 2009-10-28] (Authentium, Inc)
S2 vsedsps; C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe [117288 2009-10-28] (Authentium, Inc)
S3 vseqrts; C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe [113192 2009-10-28] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [36352 2005-03-09] (Advanced Micro Devices)
S2 AMP; C:\Windows\System32\DRIVERS\amp.sys [122408 2009-10-28] (Authentium, Inc)
S2 AMPSE; C:\Windows\System32\DRIVERS\ampse.sys [1117224 2009-10-28] (Authentium, Inc)
S3 aracpi; C:\Windows\System32\DRIVERS\aracpi.sys [22784 2005-08-02] (Microsoft Corporation)
S3 arhidfltr; C:\Windows\System32\DRIVERS\arhidfltr.sys [19200 2005-08-02] (Microsoft Corporation)
S3 arkbcfltr; C:\Windows\System32\DRIVERS\arkbcfltr.sys [5376 2005-08-02] (Microsoft Corporation)
S3 armoucfltr; C:\Windows\System32\DRIVERS\armoucfltr.sys [4992 2005-08-02] (Microsoft Corporation)
S3 ARPolicy; C:\Windows\System32\DRIVERS\arpolicy.sys [10112 2005-08-02] (Microsoft Corporation)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [18528 2013-04-15] (COMODO)
S1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [592384 2013-04-15] (COMODO)
S1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [32816 2013-04-15] (COMODO)
S1 FileDisk; C:\Windows\System32\Drivers\FileDisk.sys [9341 2008-04-17] (iolo technologies, LLC (based on original work by Bo Brantén))
S3 FilterService; C:\Windows\System32\DRIVERS\lvuvcflt.sys [23904 2010-07-27] (Logitech Inc.)
S3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-09-23] (LogMeIn, Inc.)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [51120 2005-03-08] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2005-03-08] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21744 2005-03-08] (HP)
S0 Inspect; C:\Windows\System32\DRIVERS\inspect.sys [99392 2013-04-25] (COMODO)
S3 LVPr2Mon; C:\Windows\System32\Drivers\LVPr2Mon.sys [25824 2010-05-07] ()
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 NVENETFD; C:\Windows\System32\DRIVERS\NVENETFD.sys [34176 2006-03-03] (NVIDIA Corporation)
S3 nvnetbus; C:\Windows\System32\DRIVERS\nvnetbus.sys [13056 2006-03-03] (NVIDIA Corporation)
S2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2012-07-26] (Raxco Software, Inc.)
S3 pfc; C:\Windows\System32\drivers\pfc.sys [10368 2004-04-01] (Padus, Inc.)
S3 rtl8139; C:\Windows\System32\DRIVERS\RTL8139.SYS [20992 2004-08-03] (Realtek Semiconductor Corporation)
S2 vnccom; C:\Windows\System32\Drivers\vnccom.SYS [6016 2004-06-26] (RDV Soft)
S3 vncdrv; C:\Windows\System32\DRIVERS\vncdrv.sys [4736 2004-06-26] (RDV Soft)
S3 wceusbsh; C:\Windows\System32\DRIVERS\wceusbsh.sys [28672 2006-11-06] (Microsoft Corporation)
S0 XPacket; C:\Windows\System32\xpacket.sys [39424 2008-04-17] (iolo technologies, LLC)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S0 ftsata2; system32\DRIVERS\ftsata2.sys [X]
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-25 23:32 - 2014-11-25 23:32 - 00000000 ____D () C:\FRST
2014-11-19 23:12 - 2014-11-19 23:12 - 00000000 ____D () C:\_OTL
2014-11-18 00:31 - 2014-11-18 00:31 - 00602112 _____ (OldTimer Tools) C:\Documents and Settings\Compaq_Administrator\Desktop\OTL(1).exe
2014-11-18 00:18 - 2014-11-18 00:18 - 00000075 _____ () C:\Windows\setupact.log
2014-11-18 00:18 - 2014-11-18 00:18 - 00000000 _____ () C:\Windows\setuperr.log
2014-11-17 21:13 - 2014-11-17 21:13 - 00000018 ____H () C:\SYSREST
2014-11-17 19:19 - 2014-11-18 00:18 - 00006837 _____ () C:\Windows\setupapi.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-24 00:34 - 2011-05-08 00:40 - 01048576 _____ () C:\Windows\System32\config\iolo App.evt
2014-11-24 00:34 - 2010-03-24 21:22 - 00000000 ____D () C:\Documents and Settings\Compaq_Administrator\Local Settings\temp
2014-11-24 00:34 - 2010-03-22 23:43 - 00000216 _____ () C:\Windows\wiadebug.log
2014-11-24 00:34 - 2010-03-22 23:43 - 00000050 _____ () C:\Windows\wiaservc.log
2014-11-24 00:34 - 2010-03-22 23:42 - 00032306 _____ () C:\Windows\SchedLgU.Txt
2014-11-24 00:34 - 2010-03-22 22:27 - 01954157 _____ () C:\Windows\WindowsUpdate.log
2014-11-24 00:34 - 2006-08-29 03:04 - 00000178 ___SH () C:\Documents and Settings\Compaq_Administrator\ntuser.ini
2014-11-24 00:33 - 2010-03-25 03:44 - 00000429 _____ () C:\Windows\System32\iolo.ini.txt
2014-11-24 00:33 - 2005-08-30 21:06 - 00001158 _____ () C:\Windows\System32\wpa.dbl
2014-11-24 00:31 - 2006-05-05 02:59 - 00043531 _____ () C:\Windows\System32\nvapps.xml
2014-11-22 20:27 - 2005-11-14 18:58 - 00000000 ____D () C:\Windows\Registration
2014-11-22 09:07 - 2006-08-30 06:43 - 100445232 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-11-18 00:28 - 2014-01-01 03:44 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-18 00:26 - 2014-10-22 11:22 - 00087200 _____ () C:\Documents and Settings\All Users\Application Data\wrnhoah.tmp
2014-11-18 00:17 - 2005-11-14 19:17 - 00000000 ____D () C:\Windows\System32\Restore
2014-11-17 19:18 - 2011-08-11 02:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\CanonIJPLM

Files to move or delete:
====================
C:\Documents and Settings\Compaq_Administrator\Application Data\skype.ini


Some content of TEMP:
====================
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2004-08-09 21:00] - [2014-03-12 10:48] - 0613376 ____A (Microsoft Corporation) e29264387e7387b977b9af9171b12df9 # ##

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points (XP) =====================

RP: -> 2014-11-22 09:04 - 028672 _restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP4 

RP: -> 2014-11-20 01:25 - 028672 _restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3 

RP: -> 2014-11-19 00:43 - 028672 _restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2 

RP: -> 2014-11-18 00:18 - 028672 _restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1 


==================== Memory info =========================== 

Percentage of memory in use: 28%
Total physical RAM: 958.49 MB
Available physical RAM: 680.97 MB
Total Pagefile: 799.28 MB
Available Pagefile: 473.38 MB
Total Virtual: 2047.88 MB
Available Virtual: 2007.44 MB

==================== Drives ================================

Drive b: (RamDrive) (Fixed) (Total:0.24 GB) (Free:0.23 GB) NTFS
Drive c: (PRESARIO) (Fixed) (Total:224.68 GB) (Free:162.24 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: () (Removable) (Total:0.06 GB) (Free:0.05 GB) FAT
Drive i: (PRESARIO_RP) (Fixed) (Total:8.18 GB) (Free:0.53 GB) FAT32 ==>[Drive with boot components (Windows XP)]
Drive j: (HBCD 15.2) (CDROM) (Total:0.58 GB) (Free:0 GB) CDFS
Drive x: (Mini Xp) (Fixed) (Total:0.23 GB) (Free:0.23 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 232.9 GB) (Disk ID: CAB10BEE)
Partition 1: (Active) - (Size=224.7 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=8.2 GB) - (Type=0C)

========================================================
Disk: 5 (Size: 62.8 MB) (Disk ID: EA6168C2)
Partition 1: (Active) - (Size=63 MB) - (Type=06)

==================== End Of Log ============================

I know, not quite the instructions you gave. I hope this helps tho.



#10 Teima (Member, 833 posts)

Hello. Apologies about the delay! I'm preparing a fix as we speak. :)


#11 Teima (Member, 833 posts)
Step One
 
Fix with FRST
 
This section of the fix has two parts. For the first part please peruse the following --
 
Make sure that you have access to a clean PC or a functioning user account and still have FRST.exe in your flash drive. If you do not have it, download the suitable version from here to your flash-drive.
  • Open Notepad.exe. Do not use any other text editor software;
  • Copy and Paste the contents inside the code-box to your Notepad --
Start
BootExecute: 䚰ć##穌љ䚰ć##篌љ䚰ć#
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
File: C:\Windows\System32\User32.dll
End
  • Click on File > Save as...
  • Inside the File Name box type fixlist.txt
  • From the Save as type drop down list, choose All Files
  • Copy and Paste fixlist.txt to your flash drive.
You are ready to move on to the second part. Please peruse --
  • Connect your flash drive to the infected PC;
  • Please run FRST.exe a second time via minixp like before. Should you have issues with this please let me know;
  • Click on Fix;
  • After the fix a log will be created in the flash drive named FixLog.txt;
  • Copy and Paste the contents of the log in your next reply;
  • Try to boot into Normal Mode.

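The two fixes above (the OTL script in post #3 and the FRST fixlist in post #11) both come down to the same triage: spot a BootExecute value that is not the stock one, a Winlogon UserInit that points somewhere other than System32, and Run entries that launch from a user-writable profile folder or point at a file that no longer exists, then paste those log lines into a fix. The Python below is an added example that does that triage over OTL and FRST style log lines; it is not code from OTL, FRST, the helper or this thread. The sample lines are copied from the logs posted above (plus two clean control lines); the line-format regexes, the stock BootExecute value `autocheck autochk *` and the profile-directory markers are this example's own assumptions.

```python
"""Triage persistence indicators in OTL / FRST style log lines.

Added example for this thread; it is not code from OTL, FRST or the
helper. The line formats, the stock BootExecute value and the
profile-directory markers are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Assumption: a stock XP BootExecute holds exactly this single entry.
DEFAULT_BOOTEXECUTE = "autocheck autochk *"
# Assumption: autostart targets under these markers live in user-writable
# locations (the thread's ChromeUpdate.exe and 3V6agga3.exe both do).
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\appdata\\")

PATH_RX = re.compile(r"[A-Za-z]:\\[^\[\]()]+?\.(?:exe|dll|com|scr|bat|cmd)\b", re.I)
RX = {
    "otl_run": re.compile(r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$"),
    "otl_userinit": re.compile(r"^O20 - HKLM Winlogon: UserInit - \((?P<value>.*?)\)(?P<suffix>.*)$"),
    "otl_boot": re.compile(r"^O34 - HKLM BootExecute: \((?P<value>.*?)\)(?P<suffix>.*)$"),
    "frst_run": re.compile(r"^(?P<hive>HK\S+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<rest>.+)$"),
    "frst_boot": re.compile(r"^BootExecute: (?P<value>.*)$"),
}

# Constructed sample: lines copied from the OTL and FRST logs in this thread,
# plus one stock O34 entry and one benign HKLM Run entry as clean controls.
SAMPLE_LOG = """\
O4 - HKCU..\\Run: [ChromeUpdate] C:\\Documents and Settings\\Compaq_Administrator\\Application Data\\ChromeUpdate.exe (NirSoft)
O20 - HKLM Winlogon: UserInit - (C:\\Documents and Settings\\All Users\\Application Data\\3V6agga3\\3V6agga3.exe -sm) - File not found
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (ጳ렘չ)
O34 - HKLM BootExecute: ()
HKLM\\...\\Run: [ehTray] => C:\\WINDOWS\\ehome\\ehtray.exe [64512 2005-08-05] (Microsoft Corporation)
BootExecute: 䚰ć##穌љ䚰ć##篌љ䚰ć#
"""


@dataclass
class Finding:
    tool: str    # "otl" or "frst": decides which fix format the line belongs in
    line: str    # the log line exactly as seen, reusable as a fix line
    reason: str


def _first_path(text):
    m = PATH_RX.search(text)
    return m.group(0) if m else None


def _is_garbled(value):
    # Empty entries and anything outside printable ASCII are not what autochk looks like.
    return value == "" or any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in value)


def triage_line(line):
    """Return a Finding for a suspicious log line, or None if it looks clean."""
    line = line.rstrip("\r\n")
    m = RX["otl_boot"].match(line)
    if m:
        value = m.group("value")
        if value != DEFAULT_BOOTEXECUTE:
            why = "garbled or empty entry" if _is_garbled(value) else "non-default entry"
            return Finding("otl", line, f"BootExecute {why}: {value!r}")
        return None
    m = RX["frst_boot"].match(line)
    if m:
        value = m.group("value")
        if value != DEFAULT_BOOTEXECUTE:
            return Finding("frst", line, f"BootExecute value is not the stock one: {value!r}")
        return None
    m = RX["otl_userinit"].match(line)
    if m:
        path = _first_path(m.group("value"))
        if path is None or not path.lower().endswith("\\system32\\userinit.exe"):
            return Finding("otl", line, f"Winlogon UserInit points at {path or m.group('value')!r}")
        return None
    m = RX["otl_run"].match(line) or RX["frst_run"].match(line)
    if m:
        tool = "otl" if line.startswith("O4") else "frst"
        rest = m.group("rest")
        if "file not found" in rest.lower():
            return Finding(tool, line, f"Run entry {m.group('name')!r} targets a missing file")
        path = _first_path(rest)
        if path and any(marker in path.lower() for marker in PROFILE_DIRS):
            return Finding(tool, line, f"Run entry {m.group('name')!r} executes from a user-writable profile path")
    return None


def triage(log_text):
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def otl_fix(findings):
    """OTL custom fix in the layout used in post #3: restore point, flagged O-lines, temp cleanup."""
    lines = [f.line for f in findings if f.tool == "otl"]
    return "\n".join([":Commands", "[createrestorepoint]", "", ":OTL", *lines, "", ":Commands", "[EMPTYTEMP]"])


def frst_fixlist(findings):
    """FRST fixlist in the layout used in post #11: flagged lines between Start and End."""
    lines = [f.line for f in findings if f.tool == "frst"]
    return "\n".join(["Start", *lines, "End"])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.tool}] {f.reason}")
    print(otl_fix(found))
    print(frst_fixlist(found))
```

Run against the sample, it flags the ChromeUpdate Run entry, the UserInit hijack, the two bad O34 entries and the FRST BootExecute line, and leaves the stock `autocheck autochk *` entry and the ehTray Run entry alone. The emitted fix text is only a starting point: a helper still checks each flagged line by hand, as the thread does, before pasting it into a fix.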

#12 DrkMachine (Topic Starter, 126 posts)

Here is the requested log

FRSTfix:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-11-2014
Ran by SYSTEM at 2014-11-28 20:54:16 Run:1
Running from D:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
Start
BootExecute: ?c##???c##???c#
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
File: C:\Windows\System32\User32.dll
End
*****************

HKLM\System\ControlSet001\Control\Session Manager\\BootExecute => Value was restored successfully.
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe => Moved successfully.

========================= File: C:\Windows\System32\User32.dll ========================

MD5: e29264387e7387b977b9af9171b12df9     
Creation and modification date: 2004-08-09 21:00 - 2014-03-12 10:48
Size: 0613376
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: user32
Original Name: user32
Product Name: Microsoft® Windows® Operating System
Description: Windows XP USER API Client DLL
File Version: 5.1.2600.5512 (xpsp.080413-2105)
Product Version: 5.1.2600.5512
Copyright: © Microsoft Corporation. All rights reserved.

====== End Of File: ======


==== End of Fixlog ====

 

 

I did get it to boot into normal mode but a window pops up right away:

svchost.exe - Application Error
The exception Privileged instruction.
(0x0000096) occurred in the application at location 0x7ffa160f.
ok to terminate
cancel to debug

I have left it open



#13 Teima (Member, 833 posts)
Thanks for your patience. I'm glad we can now boot within normal mode! :) We'll do some further checks now on a file to ensure it's not patched by the ransomware within this instance. Thanks for sticking with me.  :thumbsup:
 
I'll fix the issue with svchost afterwards. :)

Step One
  • Fix with OTL
    • Re-run OTL by right clicking and choosing Run as administrator;
    • Under the Custom Scans/Fixes Box copy and paste the following contents inside the quote box. (Do not include the word 'quote').

      /md5start
      User32.*
      /md5stop

    • Click on "Run Fix" and let the program run unhindered;
    • Your PC will reboot automatically and a log will be opened;
    • Please post it in your next reply.
Step Two

Scan with IDTool

Please download IDTool by Nathan and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.
  • Enter the IDTool directory, right-click on IDToolbyNathan.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • IDTool needs Microsoft .NET Framework environment to work properly, so if prompted to download & install it please agree
  • Wait patiently until the tool will collect necessary data.
  • Once the main console is loaded, please press Rescan Computer and Generate a New Report
  • When prompted at the main bar that Rescan is completed, press Generate Text Friendly Report for Forums.
  • Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience
Please include that contents in your next response.
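The point of the `/md5start User32.* /md5stop` directive above is a baseline comparison: hash every copy of User32.* that OTL can find and compare the result with the hash of a known-good copy of that exact build. As an added example, not part of this thread and not OTL's or FRST's own code, the Python script below does the same check over a directory tree. The baseline entry uses the values from the Fixlog posted earlier (Windows XP SP3 User32.dll 5.1.2600.5512, size 613376, MD5 e29264387e7387b977b9af9171b12df9); that hash is only valid for that exact build. The directory tree, file contents and the second baseline used inside `demo()` are constructed so the script runs offline.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Known-good entry taken from the FRST Fixlog posted earlier in this thread
# (Windows XP SP3, User32.dll 5.1.2600.5512). It is only valid for that exact
# build; a different service pack or hotfix level has a different hash.
BASELINE = {
    "user32.dll": {
        "version": "5.1.2600.5512",
        "size": 613376,
        "md5": "e29264387e7387b977b9af9171b12df9",
    },
}


def hash_file(path, chunk=1 << 16):
    """Return size, MD5 and SHA-256 of a file, read in chunks so large
    binaries do not have to fit in memory. MD5 is what OTL reports; SHA-256 is
    recorded alongside it because MD5 collisions are practical to construct."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            md5.update(block)
            sha256.update(block)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def find_copies(root, pattern="user32.*"):
    """Walk root for files matching an OTL-style wildcard such as 'User32.*',
    case-insensitively, so cached copies (e.g. dllcache) are checked too."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch(name.lower(), pattern.lower()):
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def verify(path, baseline=BASELINE):
    """Classify path as 'ok', 'modified' or 'unknown' against baseline.
    Size is compared as well as the hash: an in-place patch usually keeps the
    size, so a size match alone proves nothing, but a mismatch is conclusive."""
    entry = baseline.get(Path(path).name.lower())
    if entry is None:
        return "unknown"
    actual = hash_file(path)
    if actual["size"] != entry["size"] or actual["md5"] != entry["md5"]:
        return "modified"
    return "ok"


def demo():
    """Constructed tree: a clean copy, a same-size copy with one byte patched,
    and a file with no baseline entry. Returns {relative path: verdict}."""
    clean = bytes(range(256)) * 4            # constructed stand-in for a DLL image
    patched = bytearray(clean)
    patched[100] ^= 0xFF                     # one-byte patch, size unchanged
    baseline = {"user32.dll": {"size": len(clean),
                               "md5": hashlib.md5(clean).hexdigest()}}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "System32" / "dllcache").mkdir(parents=True)
        (root / "System32" / "user32.dll").write_bytes(clean)
        (root / "System32" / "dllcache" / "USER32.DLL").write_bytes(bytes(patched))
        (root / "System32" / "other.dll").write_bytes(b"constructed")
        targets = find_copies(root) + [root / "System32" / "other.dll"]
        return {p.relative_to(root).as_posix(): verify(p, baseline)
                for p in targets}


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:9} {rel}")
```

On a real machine you would point `find_copies` at the Windows directory and keep `BASELINE` filled with hashes for the exact build installed; a "modified" verdict on System32\User32.dll while the dllcache copy is "ok" is the pattern the check above is looking for, and a verdict of "unknown" only means the baseline has no entry for that build, not that the file is clean.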

#14 DrkMachine (Topic Starter, Member, 126 posts)

Here are the requested logs.

OTL:

Error: Unable to interpret </md5start> in the current context!
Error: Unable to interpret <User32.*> in the current context!
Error: Unable to interpret </md5stop> in the current context!
 
OTL by OldTimer - Version 3.2.69.0 log created on 12022014_134604

IDTool:

Infection Detection Tool v1.6 - Nathan Scott
--------------------------------------------
Date/Time: 12/2/2014 2:31:46 PM
Operating System: Windows XP
Service Pack: Service Pack 3
Version Number: 5.1
Product Type: Workstation
--------------------------------------------
[Detected Flags]
#15 Teima (Member, 833 posts)

Oops. My mistake. There was a typo within my instructions. This will fix it. :)

Step One

  • Fix with OTL
    • Re-run OTL by right-clicking and choosing Run as administrator;
    • Under the Custom Scans/Fixes Box copy and paste the following contents inside the quote box. (Do not include the word 'quote').

      /md5start
      User32.*
      /md5stop

    • Click on the button called "None" and then click "Run Scan" and let the program run unhindered;
    • Your PC will reboot automatically and a log will be opened;
    • Please post it in your next reply.
