laptop wont boot - POST then blinking cursor


This topic is locked

#1 Emby (New Member, 5 posts)

Happy T-Day to all. I'm a new member - this place looks great! Thanks to all for your service.

My daughter's laptop - a Dell Inspiron 8400 running WinXP-SP2, suddenly won't boot. It gets through the POST and then just shows a blinking cursor in upper-left corner ... and that's it. So I can't even get to the safe boot options - I never see the Windows logo.

I first suspected a hardware problem. This machine is pretty old, perhaps 7 years. I've replaced the hard drive twice and the video card twice over the years - it used to be *my* machine, now my daughter uses it at college.

I ran the complete Dell disk diagnostics (and a few others) - no problems detected.

I booted the recovery console (many times!) from the XP setup disk and ran CHKDSK /R on all drives (it has D and E logical drives). "problems" were detected on C. It said it was "trying to recover readable data" or some such. Took a LONG time, but after it finished tried rebooting (without CD) - no help, same problem.

Next I tried an "in-place update", that is, I tried to Recover XP from the setup disk menu. I know, I'll have to get all the Windows updates again ... probably 100 or so ... It did its thing - no help, same problem.

Went back to the recovery console, tried FIXBOOT C: ... no help, same problem ... sounding kind-of monotonous, eh? :-)

So, after spending several hours trying to diagnose/fix what I thought was a hardware problem, my daughter says "oh yeah, the last time I shut down, it said something about a trojan horse being detected or something ..."

Thanks for that bit of belated information!!

So now I'm thinking it may be a virus or malware or something ?? She has an up-to-date version of McAfee (mandated by college) and MalwareBytes running (purchased after previous malware experiences).

I've looked through the forums here and elsewhere, and the closest thing I've found that seems to be the same problem I'm having is here:
similar post, but that topic never seems to have been resolved.

I would certainly appreciate some help - Thanks!

Emby

#2 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)

Hi Emby,

Welcome to Geekstogo. My name is Salagubang and I'll be helping you with this problem.

I am still a trainee so all my posts will be checked by an Expert. It's your advantage that there are two people looking at your log but responses may be a little delayed so please be patient.

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • English is not my first language, so please do not use slang or idioms, as this makes it difficult to understand for me.

OK, let's try this.

On a clean XP machine

  • Please do the following:
  • Go to Tools (drop-down menu at the top of the window)
  • Go down and click Folder Options
  • Click on the View tab
  • Find the Hidden Files and Folders, find "Hide extension for known file types" and uncheck it (if it's already checked)
  • Click Apply, and then Ok at the bottom.
  • Close the window

Next

  • Insert your USB Flash Drive (UFD).
  • Download hpusbfw.exe to your Desktop.
  • Double click "hpusbfw.exe" to run HP USB Disk Storage Format Tool 2.0.6.0.

    • Choose your USB under "Device"
    • For "File system", choose "FAT"
    • Under "Volume label", type in the name "Bootloader"
    • Leave un-checked "Quick Format" and "Create a DOS startup disk"
    • Click "Start"
  • Copy these two files, from the root of the Windows drive (C:\) to the UFD:

    NTLDR
    Ntdetect.com

Next

  • Open Notepad (go to Start>All Programs>Accessories and click Notepad)
  • Copy the contents of the codebox below using CTRL+C (or selecting all the text in the box, and right clicking on it and selecting Copy)
    [boot loader]
    timeout=-1
    default=multi(0)disk(0)rdisk(1)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Emergency Boot Loader" /fastdetect /NoExecute=OptOut
    multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Safe Mode" /safeboot:minimal /sos
  • Now return to Notepad and use CTRL + V (or right-click on the whitespace and Paste) to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to the UFD as "boot.ini" using Save as Type: All files

Your Emergency Bootloader is now ready.

Booting using the Emergency Bootloader.
  • Insert the USB (UFD) to the ailing computer.
  • Reboot the system using the UFD Bootloader you just created.

Note: If you do not know how to set your computer to boot from USB, follow the steps here.


NEXT

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    netsvcs
    drivers32
    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    /md5stop
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

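The boot.ini in the post above is the part of this recipe that is easiest to get wrong. NTLDR reads the file from the stick verbatim, and as posted its default= line names partition(2) while both [operating systems] entries name partition(1); NTLDR adds its own "Windows (default)" item for the unmatched path, which is the third menu entry Emby reports later in the thread. What makes the stick useful as a diagnostic is that NTLDR and ntdetect.com come from a known-clean machine and the internal disk's MBR and boot sector are not executed at all, so whatever is (or was) in them is bypassed; whether Windows then actually starts depends on boot.ini being right. The script below is an added example (mine, not the forum helper's); it parses a boot.ini, validates each ARC path and confirms that default= is one of the listed entries. POSTED is the boot.ini from the post above, copied verbatim; FIXED is an assumed corrected copy whose default= names the same partition(1) path as the entries.

```python
"""Sanity-check a boot.ini before it goes on an emergency boot stick (added example, not from the thread)."""
import re

# NTLDR ARC path: multi(adapter)disk(0)rdisk(BIOS disk)partition(1-based)\SystemRoot.
# With the USB stick as the BIOS boot device the stick is rdisk(0) and the internal
# disk shifts to rdisk(1), which is what the posted boot.ini relies on.
ARC_RE = re.compile(
    r"^(?P<kind>multi|scsi)\((?P<adapter>\d+)\)disk\((?P<disk>\d+)\)"
    r"rdisk\((?P<rdisk>\d+)\)partition\((?P<part>\d+)\)\\(?P<dir>[^\s=]+)$",
    re.IGNORECASE,
)
LABEL_RE = re.compile(r'^"(?P<label>[^"]*)"\s*(?P<opts>.*)$')


def parse_boot_ini(text):
    """Return (settings, entries): [boot loader] keys, and (arc_path, label, [switches]) per OS entry."""
    section, settings, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")  # first '=' only; switches like /NoExecute=OptOut stay in value
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            settings[key.lower()] = value
        elif section == "operating systems":
            m = LABEL_RE.match(value)
            label, opts = (m.group("label"), m.group("opts").split()) if m else (value, [])
            entries.append((key, label, opts))
        else:
            raise ValueError(f"line outside a known section: {raw!r}")
    return settings, entries


def check_boot_ini(text):
    """Return a list of problems; an empty list means NTLDR will show exactly the entries written."""
    settings, entries = parse_boot_ini(text)
    problems = []
    timeout = settings.get("timeout")
    if timeout is None or not re.fullmatch(r"-1|\d+", timeout):
        problems.append(f"timeout must be -1 (wait for a choice) or seconds, got {timeout!r}")
    if not entries:
        problems.append("[operating systems] has no entries")
    for path, label, _ in entries:
        if not ARC_RE.match(path):
            problems.append(f"entry {label!r}: malformed ARC path {path!r}")
    default = settings.get("default")
    if default is None:
        problems.append("[boot loader] has no default= line")
    elif not ARC_RE.match(default):
        problems.append(f"default= is not an ARC path: {default!r}")
    elif default.lower() not in {p.lower() for p, _, _ in entries}:
        problems.append(
            f"default= {default} matches no [operating systems] entry; "
            "NTLDR will add its own 'Windows (default)' item for that path"
        )
    return problems


# Constructed inputs: POSTED is the boot.ini from the post above, verbatim; FIXED is an assumed
# corrected copy whose default= names the partition(1) path both entries already use.
POSTED = r"""
[boot loader]
timeout=-1
default=multi(0)disk(0)rdisk(1)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Emergency Boot Loader" /fastdetect /NoExecute=OptOut
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Safe Mode" /safeboot:minimal /sos
""".strip()
FIXED = POSTED.replace("partition(2)\\WINDOWS", "partition(1)\\WINDOWS", 1)

if __name__ == "__main__":
    for name, ini in (("posted", POSTED), ("fixed", FIXED)):
        print(name, check_boot_ini(ini) or "OK")
```

Run it against POSTED and the only finding is the default= mismatch; against FIXED it is clean. The check is deliberately strict about default= because a stick that silently falls back to a synthetic entry boots whatever NTLDR finds at that path, which defeats the point of writing the entries by hand.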

#3 Emby (Topic Starter, 5 posts)

Hi Salagubang,

Thanks for responding ...

We're actually celebrating Thanksgiving with family today, so I'll take these steps as soon as I can and get back to you.

Cheers!

#4 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)

Happy Thanksgiving :D

#5 Emby (Topic Starter, 5 posts)

Salagubang,

Thank you for your help.

Your instruction says: Reboot the system using the UFD Bootloader you just created.

When I boot from the USB drive, I have 3 options:

1) Emergency Boot Loader
2) Windows Safe Mode
3) Windows (default)

You don't say which option to select, so I tried them all.

<edit>
Oh, I forgot to mention that there is also an option to press F8 to get to the Advanced Options menu - I've not tried anything on this menu
</edit>

When I use option 1, Emergency Boot Loader, Windows starts to boot, but then it shows a screen that looks like it is performing the original Windows setup, and it asks for the Windows setup disk to be inserted. This may be happening because before I posted to geekstogo, when I thought it might be a hardware issue and that maybe a Windows OS file became corrupt or unreadable, I tried the "restore windows" option from the Windows setup disk (also known as an "in-place upgrade"), as described in my first post. So I canceled this option.


When I try option 2, Safe Mode, the laptop starts to boot into safe mode, but then displays this message:
Windows XP Setup cannot continue under Safemode. Setup will now restart

And the machine reboots when I press any key.


When I try option 3, Windows (default), I get this message:
Windows could not start because the following file is missing
or corrupt:
<Windows root>\system32\hal.dll
Please re-install a copy of the above file

And the machine reboots when I press any key.


So, I'm not sure what I should do now. My guess is that it may be best to go back to option 1 (Emergency Boot Loader), insert the Windows CD and allow Windows Setup to complete.

What do you think?

Thanks,

Emby

Edited by Emby, 26 November 2010 - 09:30 AM.


#6 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)


Emby wrote:
    So, I'm not sure what I should do now. My guess is that it may be best to go back to option 1 (Emergency Boot Loader), insert the Windows CD and allow Windows Setup to complete.


As there is no other recourse, yes. :D

#7 Emby (Topic Starter, 5 posts)

OK, thanks, I'll try that - I just thought you might direct me to one of the many options on the Advanced Options menu - sometimes it's better to ask first :D

#8 Emby (Topic Starter, 5 posts)

OK, I am finally getting back to this. I think I've managed to remove the viruses, but the machine still won't boot on its own. It has the same symptom - POST then blinking cursor. It can boot, normally or safe mode, if the thumb drive is present. So my daughter has taken it - and the thumb drive - back to school.

The first time I ran OTL it took forever (perhaps an hour), because the "virus" or whatever was stealing about 98% of CPU time. Anything else only got a few seconds out of each minute.

So, using OTL output and some other tools, I think I got rid of all the problem files. The first OTL run produced 2 files as you mentioned. The other 3 times I ran it, no Extras file was produced. I've attached the 5 OTL output files: OTL-1.txt and Extras.txt are from the first run; OTL-2.txt from the second run, etc.

I know the machine still has a few odd looking items in the RUN registry keys, but these are of my doing and are not the problem. Specifically, these are:

O4 - HKLM..\Run: [SystemLch] File not found
O4 - HKLM..\Run: [WinSys] R:\Utils\SysMon\WinBssSessionMgrX.exe File not found

The things I got rid of are:
MOD - [2010/11/24 13:04:45 | 000,049,664 | -H-- | M] () -- C:\WINDOWS\system32\autofunc.dll
MOD - [2004/08/04 07:00:00 | 000,373,248 | ---- | M] () -- C:\WINDOWS\enufaner.dll
O4 - HKCU..\Run: [Bqiwubizebufisaw] C:\WINDOWS\MVBC4325.DLL File not found
O4 - HKLM..\Run: [Ofekoretubedid] C:\WINDOWS\enufaner.DLL ()
[2010/11/27 02:01:28 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\mguxkyue.job

So things are working - thank you for your help ... except I still have this boot issue.

What can I do to have the machine boot properly?

Thanks.

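Emby's list of what he removed, together with the OTL log Salagubang reposts in the next message, shows the pattern a log reviewer looks for: Run values that load a DLL with no company name, a hidden DLL under system32, a scheduled task with no publisher, and AppCertDlls, SSODL and Winlogon values still pointing at files that are gone. The script below is an added example (my own parser, not part of OTL or of this thread); it scores OTL lines by autostart location and by whether the target is missing, hidden or carries no version-info company, and returns a review list with the highest-risk entries first. SAMPLE_LOG is constructed from lines quoted in this thread plus one clean ATI Run entry as a control; the severity labels and reasons are mine.

```python
"""Flag persistence entries worth a second look in an OTL log (added example; the parser is mine, not OTL's)."""
import re

# Autostart locations XP-era malware favoured, keyed by OTL's O-number for each.
RISKY_TAGS = {
    "O20": "Winlogon Shell/Notify hook (loaded by winlogon.exe before the desktop appears)",
    "O21": "ShellServiceObjectDelayLoad (loaded by explorer.exe at logon)",
    "O36": "AppCertDlls (mapped into every process started through CreateProcess)",
}
TAG_RE = re.compile(r"^(?P<tag>O\d+|MOD|PRC|SRV|DRV)\s+-\s+(?P<body>.*)$")
# OTL file stamp: [date time | size | attributes | M] (company) [state] -- path -- (service name)
META_RE = re.compile(
    r"\[[\d/]+ [\d:]+ \| [\d,]+ \| (?P<attr>[-A-Z]{4}) \| [A-Z]\] \((?P<company>[^)]*)\)"
    r"(?: \[[^\]]*\])? -- (?P<path>.+?)(?: -- \([^)]*\))?$"
)
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<rest>.*)$")


def classify(line):
    """Return (severity, reason) for one OTL line, or None when nothing stands out."""
    line = line.strip()
    m = TAG_RE.match(line)
    if not m:
        # Bare stamp lines come from the files-created/modified sections.
        fm = META_RE.search(line)
        if fm and fm.group("path").lower().endswith(".job") and not fm.group("company").strip():
            return ("medium", "scheduled task whose file carries no publisher")
        return None
    tag, body = m.group("tag"), m.group("body").rstrip()
    orphan = body.endswith("File not found")
    no_company = body.endswith("()")
    if tag in RISKY_TAGS:
        if orphan:
            return ("high", RISKY_TAGS[tag] + "; value still set but the file is gone, delete the value")
        if no_company:
            return ("medium", RISKY_TAGS[tag] + "; file has no company in its version info")
        return None
    if tag == "O4":
        rm = RUN_RE.search(body)
        rest = re.sub(r"\s*File not found$", "", rm.group("rest") if rm else body)
        target = rest.split(" (")[0].strip()
        if target.lower().endswith(".dll"):
            # A Run value normally names an .exe; each DLL Run value in this thread was malware.
            return ("high", "Run entry loads a DLL instead of an executable")
        if orphan:
            return ("low", "Run entry for a file that no longer exists (cleanup leftover or broken uninstall)")
        return None
    if tag in ("SRV", "DRV") and body.startswith("File not found") and "[Auto" in body:
        return ("low", "auto-start service registered for a missing binary")
    fm = META_RE.search(body)
    if fm and fm.group("path").lower().startswith("c:\\windows\\") and not fm.group("company").strip():
        hidden = "H" in fm.group("attr")
        return ("high" if hidden else "medium",
                "file under the Windows directory with no company in its version info"
                + (", hidden attribute set" if hidden else ""))
    return None


def triage(log_lines):
    """Run classify() over every line; return [(severity, line, reason)] with high first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = []
    for ln in log_lines:
        verdict = classify(ln)
        if verdict:
            hits.append((verdict[0], ln.strip(), verdict[1]))
    return sorted(hits, key=lambda h: order[h[0]])


# Constructed sample: lines quoted in Emby's post and in the OTL log that follows, plus one clean control line.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [SystemLch] File not found
O4 - HKLM..\Run: [WinSys] R:\Utils\SysMon\WinBssSessionMgrX.exe File not found
O4 - HKCU..\Run: [Bqiwubizebufisaw] C:\WINDOWS\MVBC4325.DLL File not found
O4 - HKLM..\Run: [Ofekoretubedid] C:\WINDOWS\enufaner.DLL ()
MOD - [2010/11/24 13:04:45 | 000,049,664 | -H-- | M] () -- C:\WINDOWS\system32\autofunc.dll
MOD - [2004/08/04 07:00:00 | 000,373,248 | ---- | M] () -- C:\WINDOWS\enufaner.dll
MOD - [2010/11/26 09:35:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
[2010/11/27 02:01:28 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\mguxkyue.job
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O21 - SSODL: SysNet - {2AB95A35-65F5-4A5B-AD67-43FEF5782BC7} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll File not found
O36 - AppCertDlls: compkrnl - (C:\WINDOWS\system32\autofunc.dll) - C:\WINDOWS\System32\autofunc.dll File not found
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\NWDLS.exe -- (NWDLS)
""".strip()

if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"[{severity:6}] {reason}\n         {line}")
```

The two orphaned AppCertDlls and SSODL values deserve the high rating even though their DLLs are gone: both keys are read again at every process start or logon, so anything that later drops a file at the old path inherits the persistence without touching the registry. Treat the output as a shortlist to hash-check, not a verdict; legitimate drivers and OEM utilities also ship without company names, which is why a file under the Windows directory with no version info is only medium unless it is hidden as well.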

#9 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)

Hi Emby,

Good. I am currently reviewing your logs, please be patient. Also, I am posting the OTL log in the topic - this way it'll be much easier for me to read. :D

OTL logfile created on: 11/27/2010 5:51:57 PM - Run 4
OTL by OldTimer - Version 3.2.17.3 Folder = F:\
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): c:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 2.37 Gb Free Space | 12.11% Space Free | Partition Type: NTFS
Drive D: | 14.65 Gb Total Space | 10.42 Gb Free Space | 71.13% Space Free | Partition Type: NTFS
Drive E: | 14.65 Gb Total Space | 11.04 Gb Free Space | 75.35% Space Free | Partition Type: NTFS
Drive F: | 31.21 Mb Total Space | 30.25 Mb Free Space | 96.92% Space Free | Partition Type: FAT
Drive R: | 25.70 Gb Total Space | 17.76 Gb Free Space | 69.09% Space Free | Partition Type: NTFS

Computer Name: OLIVAW | User Name: Michelle | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/26 09:35:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2010/05/10 11:34:22 | 004,456,448 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
PRC - [2010/05/10 11:33:42 | 000,110,592 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
PRC - [2010/05/10 11:32:36 | 001,858,048 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
PRC - [2010/05/10 11:32:06 | 000,482,304 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
PRC - [2010/04/29 14:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- D:\Utils\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/04/29 14:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- D:\Utils\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/04/09 15:32:40 | 001,459,568 | ---- | M] (RealVNC Ltd.) -- R:\Programs\VNC\winvnc4.exe
PRC - [2009/09/25 03:50:00 | 000,185,664 | ---- | M] (McAfee, Inc.) -- R:\Programs\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/09/25 03:50:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- R:\Programs\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/09/25 03:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) -- R:\Programs\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/09/25 03:50:00 | 000,075,072 | ---- | M] (McAfee, Inc.) -- R:\Programs\McAfee\Common Framework\McTray.exe
PRC - [2009/04/29 19:07:00 | 000,144,888 | ---- | M] (McAfee, Inc.) -- R:\Programs\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2009/04/29 19:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- R:\Programs\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2009/04/29 19:07:00 | 000,070,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2009/04/29 19:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) -- R:\Programs\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2009/04/29 19:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- R:\Programs\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2009/04/29 19:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- R:\Programs\McAfee\VirusScan Enterprise\EngineServer.exe
PRC - [2007/09/27 13:04:26 | 001,318,912 | ---- | M] ( ) -- R:\Utils\Netgear\WG511T\Utility\Gear511.exe
PRC - [2007/04/11 22:56:13 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2006/10/04 11:49:02 | 000,892,928 | ---- | M] (Diskeeper Corporation) -- R:\Programs\Diskeeper\DkService.exe
PRC - [2005/10/21 15:13:40 | 000,163,840 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
PRC - [2005/10/21 15:08:34 | 000,864,256 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
PRC - [2005/10/21 15:05:42 | 000,155,648 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
PRC - [2005/10/21 14:54:54 | 000,010,240 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
PRC - [2005/10/21 12:57:20 | 000,405,504 | ---- | M] (Sonic Solutions) -- R:\Programs\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
PRC - [2005/02/16 16:15:20 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2004/08/04 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/10/07 00:25:36 | 000,320,472 | ---- | M] (VERITAS Software Corporation) -- C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
PRC - [2003/02/24 14:35:12 | 000,163,840 | ---- | M] () -- C:\WINDOWS\system32\pctspk.exe
PRC - [2002/04/11 13:47:52 | 000,176,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Hardware\Mouse\point32.exe


========== Modules (SafeList) ==========

MOD - [2010/11/26 09:35:56 | 000,575,488 | ---- | M] (OldTimer Tools) -- F:\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- D:\SEP\SmcLU\Setup\smcinst.exe -- (Smcinst)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\NWDLS.exe -- (NWDLS)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/05/10 11:33:42 | 000,110,592 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
SRV - [2010/05/10 11:32:36 | 001,858,048 | ---- | M] () [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe -- (WDFME)
SRV - [2010/05/10 11:32:06 | 000,482,304 | ---- | M] () [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe -- (WDSC)
SRV - [2010/04/29 14:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- D:\Utils\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/04/09 15:32:40 | 001,459,568 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- R:\Programs\VNC\WinVNC4.exe -- (WinVNC4)
SRV - [2009/09/25 03:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- R:\Programs\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2009/04/29 19:07:00 | 000,144,888 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- R:\Programs\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2009/04/29 19:07:00 | 000,070,216 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/04/29 19:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- R:\Programs\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2009/04/29 19:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- R:\Programs\McAfee\VirusScan Enterprise\EngineServer.exe -- (McAfeeEngineService)
SRV - [2009/03/20 18:10:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2006/10/04 11:49:02 | 000,892,928 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- R:\Programs\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2005/10/21 15:09:44 | 000,229,376 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe -- (RoxLiveShare)
SRV - [2005/10/21 15:08:34 | 000,864,256 | ---- | M] (Sonic Solutions) [On_Demand | Running] -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe -- (RoxMediaDB)
SRV - [2005/10/21 15:05:42 | 000,155,648 | ---- | M] (Sonic Solutions) [On_Demand | Running] -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe -- (RoxWatch)
SRV - [2005/10/21 12:58:02 | 000,045,056 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe -- (RoxUPnPRenderer)
SRV - [2005/10/21 12:57:20 | 000,405,504 | ---- | M] (Sonic Solutions) [Auto | Running] -- R:\Programs\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe -- (RoxUpnpServer)
SRV - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/10/07 00:25:36 | 000,320,472 | ---- | M] (VERITAS Software Corporation) [Auto | Running] -- C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe -- (BackupExecAgentAccelerator)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\FILEM.SYS -- (FILEMON)
DRV - [2010/08/03 09:32:20 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/04/29 14:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/04/09 15:21:28 | 000,004,608 | ---- | M] (RealVNC Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vncmirror.sys -- (vncmirror)
DRV - [2009/04/29 19:07:00 | 000,342,128 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/04/29 19:07:00 | 000,091,640 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/04/29 19:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/04/29 19:07:00 | 000,065,224 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/04/29 19:07:00 | 000,063,696 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/04/29 19:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/02/13 12:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2006/12/18 17:00:20 | 000,424,448 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/03/23 00:27:10 | 000,488,992 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wg511nd5.sys -- (NETGEAR_WG511_SERVICE)
DRV - [2006/02/25 15:01:12 | 000,016,194 | ---- | M] (AMBIT Microsystems Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\AWINDIS5.SYS -- (AWINDIS5)
DRV - [2005/10/21 13:34:30 | 000,050,176 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\RxFilter.sys -- (RxFilter)
DRV - [2005/10/20 07:05:00 | 000,311,680 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2005/10/20 07:05:00 | 000,119,168 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\Pwd_2k.sys -- (pwd_2k)
DRV - [2005/10/20 07:05:00 | 000,027,264 | ---- | M] (Sonic Solutions) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\dvd_2k.sys -- (dvd_2K)
DRV - [2005/10/20 07:05:00 | 000,027,136 | ---- | M] (Sonic Solutions) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\mmc_2k.sys -- (mmc_2K)
DRV - [2005/01/27 02:22:00 | 000,088,016 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/15 14:37:52 | 000,264,440 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2003/07/29 13:13:00 | 000,587,264 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2003/05/30 17:45:16 | 000,477,403 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vpctcom.sys -- (Vpctcom)
DRV - [2003/05/30 16:50:46 | 000,690,973 | ---- | M] (PCTEL, INC.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vmodem.sys -- (Vmodem)
DRV - [2003/05/28 11:08:12 | 000,066,111 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vvoice.sys -- (Vvoice)
DRV - [2003/05/15 17:09:32 | 000,043,136 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/02/24 14:30:02 | 000,135,292 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptserial.sys -- (Ptserial)
DRV - [2002/04/11 13:47:52 | 000,011,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter)
DRV - [2000/11/20 17:55:18 | 000,035,204 | ---- | M] (Systems Internals) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\REGSYS.SYS -- (REGMON)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{E180C273-010D-404F-92D3-2156BFABB60A}: C:\Documents and Settings\michelle\Local Settings\Application Data\{E180C273-010D-404F-92D3-2156BFABB60A} [2010/11/27 01:21:41 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/10/18 19:42:34 | 000,000,021 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Utils\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - R:\Programs\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [AS00_Gear511] R:\Utils\Netgear\WG511T\Utility.\Gear511.exe ( )
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [DiskeeperSystray] R:\Programs\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [DNS7reminder] D:\Utils\NaturallySpeaking10\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] D:\Utils\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [McAfeeUpdaterUI] R:\Programs\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PCTVOICE] C:\WINDOWS\System32\pctspk.exe ()
O4 - HKLM..\Run: [POINTER] File not found
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe ()
O4 - HKLM..\Run: [ShStatEXE] R:\Programs\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [SystemLch] File not found
O4 - HKLM..\Run: [WinSys] R:\Utils\SysMon\WinBssSessionMgrX.exe File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = R:\Utils\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O8 - Extra context menu item: E&xport to Microsoft Excel - R:\Programs\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - R:\Programs\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1257539323346 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1257554810762 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.92.226.12 24.92.226.173
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bss.com
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll ()
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O21 - SSODL: SysNet - {2AB95A35-65F5-4A5B-AD67-43FEF5782BC7} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/11 15:09:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: compkrnl - (C:\WINDOWS\system32\autofunc.dll) - C:\WINDOWS\System32\autofunc.dll File not found
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivXNetworks)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - C:\WINDOWS\System32\LCodcCMP.dll (LEAD Technologies, Inc.)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivXNetworks)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (54619756233228288)

========== Files/Folders - Created Within 30 Days ==========

[2010/11/27 17:50:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Local Settings\Application Data\PCHealth
[2010/11/27 16:30:16 | 000,035,204 | ---- | C] (Systems Internals) -- C:\WINDOWS\System32\drivers\REGSYS.SYS
[2010/11/27 01:21:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Local Settings\Application Data\{E180C273-010D-404F-92D3-2156BFABB60A}
[2010/11/27 01:11:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/11/27 01:04:23 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2010/11/27 01:04:22 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2010/11/27 01:04:22 | 000,026,624 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rw330ext.dll
[2010/11/27 01:02:36 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2010/11/14 20:54:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/11/11 01:37:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Local Settings\Application Data\WDC
[2010/11/11 00:57:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Western Digital
[2010/11/11 00:57:26 | 000,011,520 | ---- | C] (Western Digital Technologies) -- C:\WINDOWS\System32\drivers\wdcsam.sys
[2010/11/11 00:55:58 | 000,000,000 | ---D | C] -- C:\Program Files\Western Digital
[2010/11/11 00:55:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michelle\Local Settings\Application Data\Western Digital
[13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/27 18:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\mguxkyue.job
[2010/11/27 17:57:02 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/27 17:45:44 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/27 17:45:41 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/27 17:43:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/27 17:43:21 | 1341,435,904 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/27 16:34:32 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/11/27 16:27:27 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ogeyakevad.dat
[2010/11/27 06:05:31 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Itetahefoz.bin
[2010/11/27 01:26:54 | 000,436,526 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/27 01:26:54 | 000,069,256 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/27 01:10:38 | 000,311,584 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/11/27 01:06:41 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2010/11/27 01:01:14 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/11/27 01:01:13 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/11/27 01:01:13 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/11/27 01:00:53 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2010/11/27 00:57:18 | 000,022,764 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/11/27 00:46:50 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/11/24 12:56:48 | 000,572,590 | ---- | M] () -- C:\WINDOWS\setupapi.old
[2010/11/22 07:50:31 | 000,000,846 | ---- | M] () -- C:\Documents and Settings\michelle\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/11/21 23:10:53 | 000,001,981 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/11/18 20:09:10 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/16 20:32:17 | 000,000,490 | ---- | M] () -- C:\WINDOWS\tasks\NatSpeak Periodic Language Model Optimization.job
[2010/11/16 20:01:40 | 000,000,466 | ---- | M] () -- C:\WINDOWS\tasks\NatSpeak Periodic Acoustic Optimization.job
[2010/11/11 00:57:52 | 000,000,145 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2010/11/11 00:57:35 | 000,001,099 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
[2010/11/05 22:46:51 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\michelle\Desktop\http.doc
[2010/11/01 22:11:30 | 000,066,048 | ---- | M] () -- C:\Documents and Settings\michelle\Desktop\Sample Position Paper.doc
[2010/10/29 22:12:26 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\michelle\Desktop\essay 1 hist.doc
[13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/27 06:05:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Itetahefoz.bin
[2010/11/27 06:05:29 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ogeyakevad.dat
[2010/11/27 06:03:36 | 1341,435,904 | -HS- | C] () -- C:\hiberfil.sys
[2010/11/27 01:04:12 | 000,175,104 | ---- | C] () -- C:\WINDOWS\System32\dllcache\pintlcsa.dll
[2010/11/27 01:03:38 | 001,158,818 | ---- | C] () -- C:\WINDOWS\System32\dllcache\korwbrkr.lex
[2010/11/27 01:03:26 | 000,059,392 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imscinst.exe
[2010/11/27 01:03:25 | 000,196,665 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imjpinst.exe
[2010/11/27 01:03:23 | 000,134,339 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imekr.lex
[2010/11/27 01:03:13 | 013,463,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hwxjpn.dll
[2010/11/27 01:03:04 | 000,108,827 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hanja.lex
[2010/11/27 01:02:57 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\dllcache\fpencode.dll
[2010/11/27 01:02:39 | 000,173,568 | ---- | C] () -- C:\WINDOWS\System32\dllcache\chtskf.dll
[2010/11/27 00:37:12 | 000,141,702 | ---- | C] () -- C:\WINDOWS\System32\dllcache\netfx.cat
[2010/11/27 00:37:11 | 000,797,189 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2010/11/27 00:37:11 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2010/11/27 00:37:11 | 000,110,116 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tabletpc.cat
[2010/11/27 00:37:11 | 000,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2010/11/27 00:37:11 | 000,031,965 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mediactr.cat
[2010/11/27 00:37:11 | 000,031,281 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FP4.CAT
[2010/11/27 00:37:11 | 000,024,209 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn7.cat
[2010/11/27 00:37:11 | 000,013,753 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IMS.CAT
[2010/11/27 00:37:11 | 000,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2010/11/27 00:37:11 | 000,011,651 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn9.cat
[2010/11/27 00:37:11 | 000,009,581 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSMSGS.CAT
[2010/11/27 00:37:11 | 000,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2010/11/27 00:37:11 | 000,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2010/11/27 00:37:11 | 000,007,245 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSTSWEB.CAT
[2010/11/27 00:37:10 | 002,012,670 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5.CAT
[2010/11/27 00:37:10 | 001,042,903 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SP2.CAT
[2010/11/27 00:37:10 | 000,502,724 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5INF.CAT
[2010/11/11 01:51:58 | 000,353,392 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/11/11 00:57:52 | 000,000,145 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2010/11/11 00:57:35 | 000,001,099 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
[2010/11/05 22:46:50 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\michelle\Desktop\http.doc
[2010/11/01 22:11:34 | 000,066,048 | ---- | C] () -- C:\Documents and Settings\michelle\Desktop\Sample Position Paper.doc
[2010/09/04 14:04:41 | 000,002,867 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2010/05/10 07:43:04 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\VNCpm.dll
[2010/04/02 23:07:39 | 000,000,410 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2010/01/14 21:33:13 | 000,000,397 | ---- | C] () -- C:\WINDOWS\SYMGAMES.INI
[2010/01/04 22:17:48 | 000,002,234 | ---- | C] () -- C:\Documents and Settings\Michelle\Application Data\SAS7_000.DAT
[2009/11/06 21:53:17 | 000,000,043 | ---- | C] () -- C:\WINDOWS\INSTALL.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/01/15 21:07:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\rx_image.Cache
[2009/01/15 21:07:05 | 000,002,108 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\rx_audio.Cache
[2008/11/05 18:46:14 | 000,019,813 | ---- | C] () -- C:\WINDOWS\zawakubyle.sys
[2008/11/05 18:46:14 | 000,014,271 | ---- | C] () -- C:\Documents and Settings\Michelle\Application Data\zifepo.dl
[2008/11/05 18:46:14 | 000,012,775 | ---- | C] () -- C:\Documents and Settings\Michelle\Application Data\uxepob.vbs
[2008/11/05 18:46:14 | 000,011,606 | ---- | C] () -- C:\Program Files\Common Files\mafum.lib
[2008/11/05 18:46:14 | 000,011,275 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\usec.dl
[2008/11/05 18:46:14 | 000,010,843 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\qupenexyru.ban
[2008/11/05 18:46:14 | 000,010,342 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mohy.inf
[2008/09/10 20:10:53 | 000,001,743 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/08/19 13:21:51 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\kill.dll
[2008/02/17 20:33:00 | 000,032,397 | ---- | C] () -- C:\WINDOWS\SGTBox.INI
[2008/02/17 20:26:49 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2007/07/15 13:14:52 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/04/13 14:00:59 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2007/04/13 13:53:32 | 000,003,957 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/04/13 12:58:36 | 000,000,075 | ---- | C] () -- C:\WINDOWS\AARCADE.INI
[2007/04/13 12:55:01 | 000,000,413 | ---- | C] () -- C:\WINDOWS\ENTPACK.INI
[2007/04/13 09:11:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/04/13 08:23:30 | 000,000,098 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/04/12 21:33:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/12 17:44:49 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/04/12 17:44:46 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/04/11 22:24:17 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2007/04/11 10:51:04 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/10/24 19:35:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/10/21 13:07:14 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2005/10/19 15:56:36 | 003,596,288 | R--- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/07/15 13:35:56 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/07/15 13:35:56 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2004/11/30 03:10:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2004/08/04 07:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/04 07:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2003/10/02 00:00:00 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 00:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2003/02/13 16:40:08 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\mdmmoh.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/04/11 13:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll
[1997/06/13 19:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== LOP Check ==========

[2007/06/27 21:59:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
[2010/01/04 21:33:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2010/01/04 21:34:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2007/04/12 21:01:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sierra Imaging
[2010/11/16 20:30:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/11/11 00:58:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital
[2009/09/10 19:20:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/07/24 15:06:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/01/04 21:40:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\Nuance
[2010/11/27 18:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\Tasks\mguxkyue.job
[2010/11/16 20:01:40 | 000,000,466 | ---- | M] () -- C:\WINDOWS\Tasks\NatSpeak Periodic Acoustic Optimization.job
[2010/11/16 20:32:17 | 000,000,490 | ---- | M] () -- C:\WINDOWS\Tasks\NatSpeak Periodic Language Model Optimization.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
[2004/08/04 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\explorer.exe
[2004/08/04 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: SVCHOST.EXE >
[2004/08/04 07:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2004/08/04 07:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\dllcache\userinit.exe
[2004/08/04 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2004/08/04 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe

< %SYSTEMDRIVE%\*.* >
[2007/04/11 15:09:26 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/11/27 00:46:50 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2007/04/11 15:09:26 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/11/27 17:43:21 | 1341,435,904 | -HS- | M] () -- C:\hiberfil.sys
[2007/04/11 15:09:26 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/04/11 15:09:26 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/04 07:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/11/27 17:43:20 | 2013,265,920 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2010/11/24 17:32:23 | 000,786,432 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/11/24 13:05:37 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2010/11/24 17:32:23 | 030,932,992 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/11/24 17:32:22 | 008,650,752 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
"RescheduleWaitTime" = 4
"NoAutoRebootWithLoggedOnUsers" = 0
"NoAutoUpdate" = 0
"AUOptions" = 4
"AUState" = 2
"ScheduledInstallDay" = 0
"ScheduledInstallTime" = 3
"UseWUServer" = 0

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-10-04 23:44:04

========== Alternate Data Streams ==========

@Alternate Data Stream - 222 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD

< End of report >

#10
Salagubang
    Trusted Helper
  • Malware Removal
  • 3,891 posts
Hi Emby,

Step One

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    O21 - SSODL: SysNet - {2AB95A35-65F5-4A5B-AD67-43FEF5782BC7} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll File not found
    O36 - AppCertDlls: compkrnl - (C:\WINDOWS\system32\autofunc.dll) - C:\WINDOWS\System32\autofunc.dll File not found
    [2010/11/27 18:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\mguxkyue.job
    [2010/11/27 16:27:27 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ogeyakevad.dat
    [2010/11/27 06:05:31 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Itetahefoz.bin
    [2010/11/27 00:57:18 | 000,022,764 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2008/11/05 18:46:14 | 000,019,813 | ---- | C] () -- C:\WINDOWS\zawakubyle.sys
    [2008/11/05 18:46:14 | 000,014,271 | ---- | C] () -- C:\Documents and Settings\Michelle\Application Data\zifepo.dl
    [2008/11/05 18:46:14 | 000,012,775 | ---- | C] () -- C:\Documents and Settings\Michelle\Application Data\uxepob.vbs
    [2008/11/05 18:46:14 | 000,011,606 | ---- | C] () -- C:\Program Files\Common Files\mafum.lib
    [2008/11/05 18:46:14 | 000,011,275 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\usec.dl
    [2008/11/05 18:46:14 | 000,010,843 | ---- | C] () -- C:\Documents and Settings\Michelle\Local Settings\Application Data\qupenexyru.ban
    [2008/11/05 18:46:14 | 000,010,342 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mohy.inf
    @Alternate Data Stream - 222 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log it produces in your next reply.


Step Two

After booting, unplug the USB device before proceeding with the fix. After the fix, let the notebook boot on its own (without the USB).

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Step Three

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
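The OTL fix above was assembled by reading the report and picking entries by hand. As an added example (not part of this thread, and not code from OTL or its author), the Python script below parses the three line shapes that appear in the log (bracketed file entries, O-numbered hook entries, and alternate-data-stream lines) and flags the same kinds of items the helper selected: hook entries whose target is "File not found", company-less binaries sitting directly in C:\WINDOWS, and alternate data streams. The sample lines are copied from the report above; the flagging rules are this example's own heuristics, will produce false positives, and are a starting point for a reviewer, not a removal list.

```python
"""Triage helper for OTL-style report lines (added example, not OTL code)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied in the shape of the OTL
# report above (a subset of its line formats, not produced by running OTL).
SAMPLE_LOG = r"""
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O21 - SSODL: SysNet - {2AB95A35-65F5-4A5B-AD67-43FEF5782BC7} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll File not found
O36 - AppCertDlls: compkrnl - (C:\WINDOWS\system32\autofunc.dll) - C:\WINDOWS\System32\autofunc.dll File not found
[2010/11/27 16:30:16 | 000,035,204 | ---- | C] (Systems Internals) -- C:\WINDOWS\System32\drivers\REGSYS.SYS
[2010/11/27 16:27:27 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ogeyakevad.dat
[2010/11/27 17:43:21 | 1341,435,904 | -HS- | M] () -- C:\hiberfil.sys
[2008/11/05 18:46:14 | 000,019,813 | ---- | C] () -- C:\WINDOWS\zawakubyle.sys
[2004/08/04 07:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
@Alternate Data Stream - 222 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD
"""

# "[date time | size | attrs | C-or-M] (company) -- path"
FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# "Onn - <description of a registry hook / autostart entry>"
HOOK_RE = re.compile(r"^(?P<section>O\d{2}) - (?P<body>.+)$")
# "@Alternate Data Stream - N bytes -> path:streamname"
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")


@dataclass
class FileEntry:
    stamp: str
    size: int
    attrs: str
    kind: str      # 'C' = created, 'M' = modified (the report's own marker)
    company: str   # empty when OTL found no company in the version info
    path: str


def parse_file_line(line: str) -> Optional[FileEntry]:
    """Parse one bracketed file line; return None for any other line shape."""
    m = FILE_RE.match(line)
    if not m:
        return None
    return FileEntry(
        stamp=m["stamp"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"],
        path=m["path"],
    )


SYSTEM_ROOT = PureWindowsPath(r"C:\WINDOWS")
BINARY_EXT = {".sys", ".dll", ".exe", ".dat", ".bin"}


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, detail) pairs for lines worth a closer look.

    The rules are this example's own heuristics (an assumption, not OTL's
    logic); they are meant to shortlist items for review, not to auto-delete.
    """
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_file_line(line)
        if entry is not None:
            p = PureWindowsPath(entry.path)
            # Rule 1: a binary-like file dropped straight into %SystemRoot%
            # (not a subfolder) with no company in its version info.
            if p.parent == SYSTEM_ROOT and not entry.company and p.suffix.lower() in BINARY_EXT:
                findings.append(("unknown file in system root", entry.path))
            continue
        m = HOOK_RE.match(line)
        if m and m["body"].endswith("File not found"):
            # Rule 2: an autostart/hook entry whose target no longer exists,
            # a dangling registry reference worth clearing.
            findings.append(("dangling %s hook" % m["section"], m["body"]))
            continue
        m = ADS_RE.match(line)
        if m:
            # Rule 3: any alternate data stream reported on the filesystem.
            findings.append(("alternate data stream", m["path"]))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:30s} {detail}")
```

Running the script over the sample prints five shortlisted items: the two "File not found" hooks (O21 and O36), the two company-less files in the Windows root, and the TEMP alternate data stream. Entries such as REGSYS.SYS (company present), hiberfil.sys (not under C:\WINDOWS) and ieencode.dll (in System32, not the root) are deliberately left alone by these rules.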

#11
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.