Unknown Virus/Trojan - No Drag & Drop, Internet Connection, Empty


  • This topic is locked

#1
celsius001
    New Member
  • Member
  • 3 posts
1. It takes a long time to start/boot, usually about 20-30 before even reaching the login screen to sign onto Windows (during this time it is only a black screen with the cursor). Once I sign in, it takes an additional 15 min to boot everything up to the desktop.
2. I cannot get any internet connection, hardwired or wireless.
3. My CD drive no longer opens when the button is pushed; it does make the attempt, however it quickly retracts.
4. When inserting a flash drive or external hard drive, nothing is recognized. Both drives function completely on other machines and have previously worked on this machine before.
5. I cannot drag and drop any files of any type at all, even on the desktop.
6. At certain points when trying to explore the C: drive the computer freezes up.
7. I cannot access msconfig, even as an administrator.
8. The Device Manager window is empty; no devices are listed.
9. Cannot connect to any network, even though it is hardwired in.
10. I tried a crossover cable, but it will not work.

Once the PC is loaded, everything seems to run fine; I can open files and look through my documents, but beyond that there is nothing.

Also, I cannot access the internet (I'm using a separate laptop to write this) and therefore I'm unable to post any logs or download any scans. My main concern is retrieving important files from the machine. Please, any help would be GREATLY APPRECIATED.


#2
mitch8
    Trusted Helper
  • Malware Removal
  • 1,356 posts
Hello celsius001, and welcome to GeeksToGo! My name is Mitch8 and I will be helping you with your problem. Here are a few things I would like to point out:
  • Please post your logs, don't attach them unless stated.
  • Please read my posts carefully and if you have any questions ask.
  • Stay with this topic until I tell you that your system is clean. Malware can still be on your system even if you don't notice it.

Sorry for the delay.

Because your system is so unstable, I think it would be easier to make a bootable CD that you can run malware tools off of. This requires a blank CD, please tell me if you do not have one.

Please print these instructions out so that you know what you are doing.

File details OTLPENet.exe
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A

  • Download OTLPENet.exe to your desktop on your clean computer.
  • Ensure that you have a blank CD in the drive
  • Double-click OTLPENet.exe; this will open ImgBurn to burn the file to CD.
  • Reboot your system using the boot CD you just created on your infected computer.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :D

  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved as C:\OTL.txt.
  • Copy this file to your USB drive if you do not have an internet connection on this system.
  • Right-click the file and select Send to, then select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it.
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

Also to prevent a flash drive infection please use this tool.

On your clean computer download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.


#3
celsius001
    New Member
  • Topic Starter
  • Member
  • 3 posts
Hi Mitch8!

Thank you for responding to me; I truly appreciate your help.

So - I followed all directions and here is the OTL.txt post as follows...

OTL logfile created on: 12/12/2010 1:05:36 PM - Run
OTLPE by OldTimer - Version 3.1.43.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18241)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.00 Mb Total Physical Memory | 561.00 Mb Available Physical Memory | 73.00% Memory free
706.00 Mb Paging File | 591.00 Mb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 33.08 Gb Free Space | 59.24% Space Free | Partition Type: NTFS
Drive X: | 434.99 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- -- (Smcssantcir)
SRV - File not found [Auto] -- C:\WINDOWS\System32\services.exe -- (PlugPlay)
SRV - File not found [On_Demand] -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe -- (MSSQLServerADHelper)
SRV - File not found [Auto] -- C:\WINDOWS\System32\services.exe -- (Eventlog)
SRV - File not found [Auto] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - File not found [Disabled] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - File not found [On_Demand] -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent)
SRV - [2009/03/31 15:06:22 | 000,161,048 | ---- | M] (Avanquest North America, Inc.) [Auto] -- C:\Program Files\Avanquest\Fix-It\mxtask.exe -- (Fix-It Task Manager)
SRV - [2008/10/28 15:28:10 | 000,886,056 | ---- | M] (Sunbelt Software) [Auto] -- C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe -- (SBAMSvc)
SRV - [2008/01/25 00:38:12 | 002,458,128 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/01/09 15:50:22 | 000,767,976 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2007/12/05 09:04:10 | 000,695,624 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2007/11/07 08:35:40 | 000,378,184 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2007/08/15 11:36:04 | 000,359,248 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2007/07/24 11:02:14 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2007/07/18 14:54:42 | 000,856,864 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/10/23 07:50:35 | 000,046,640 | ---- | M] (AOL LLC) [Auto] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2004/10/15 15:54:14 | 000,100,016 | ---- | M] (America Online, Inc) [Auto] -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe -- (AOL TopSpeedMonitor)
SRV - [2002/04/12 00:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) [Auto] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)
SRV - [2001/11/12 14:31:48 | 000,020,480 | ---- | M] (X10) [Auto] -- C:\Program Files\Common Files\X10\Common\X10nets.exe -- (x10nets)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | Auto] -- C:\WINDOWS\System32\PfModNT.sys -- (PfModNT)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\Pcouffin.sys -- (Pcouffin)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2008/04/13 13:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2008/04/13 13:36:41 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2007/12/02 11:51:42 | 000,040,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2007/11/22 05:44:08 | 000,201,320 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2007/11/22 05:44:08 | 000,079,304 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2007/11/22 05:44:08 | 000,035,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2007/11/22 05:44:04 | 000,033,832 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2007/07/13 05:20:24 | 000,113,952 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2007/01/17 14:02:04 | 000,156,928 | ---- | M] (Trident Multimedia Technologies Co.,Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\TridVid.sys -- (TridVid)
DRV - [2006/04/10 15:28:19 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2005/05/19 16:52:58 | 000,017,792 | ---- | M] (X10 Wireless Technology, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\x10ufx2.sys -- (XUIF)
DRV - [2003/01/10 15:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/12/17 13:41:36 | 000,042,368 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/10/09 12:50:52 | 000,170,499 | ---- | M] (Conexant Systems) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2002/10/09 12:50:16 | 001,175,536 | ---- | M] (Conexant Systems) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2002/10/09 12:44:10 | 000,604,240 | ---- | M] (Conexant Systems) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2001/08/22 10:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 14:11:30 | 000,096,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2001/08/17 12:12:22 | 000,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 12:12:20 | 000,060,416 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BrSerWdm.sys -- (BrSerWDM)
DRV - [2001/08/17 12:12:20 | 000,011,008 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2001/08/17 12:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Guest_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Owner_ON_C\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll (AOL LLC)
IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.14\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/30 19:44:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.14\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/08 14:45:45 | 000,000,000 | ---D | M]

[2008/11/06 20:38:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/04/16 21:03:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2008/04/16 21:03:23 | 000,067,696 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2008/04/16 21:03:24 | 000,054,376 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2008/04/16 21:03:24 | 000,034,952 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2008/04/16 21:03:24 | 000,046,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2008/04/16 21:03:24 | 000,172,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2005/04/27 15:10:49 | 000,102,400 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npracplug.dll
[2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2003/07/16 15:29:34 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYB#0Q_\SDHelper.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll (AOL LLC)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll (AOL LLC)
O3 - HKU\Guest_ON_C\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll (AOL LLC)
O3 - HKU\Owner_ON_C\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKU\Owner_ON_C\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKU\Owner_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\Owner_ON_C..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Guest_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYB#0Q_\SDHelper.dll File not found
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} http://i.dell.com/im.../SYSSCANNER.cab (Scanner.SysScanner)
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} http://www.kodakgall..._2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O21 - SSODL: SvcLauncher - {70716E29-321D-F87D-718A-F063987FCA19} - C:\Program Files\WebWatcherV5\Director.dll File not found
O22 - SharedTaskScheduler: {70716E29-321D-F87D-718A-F063987FCA19} - SvcLauncher - C:\Program Files\WebWatcherV5\Director.dll File not found
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/04/10 15:59:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/09 11:26:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142000}
[2010/12/09 11:03:59 | 000,000,000 | ---D | C] -- C:\Program Files\Webroot
[2010/12/08 16:29:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2010/12/08 16:29:27 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/12/08 13:41:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\PackageAware
[2010/12/07 12:23:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPToolsLicenseComponent
[2010/12/07 11:39:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood.Tmp
[2010/12/01 18:38:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Quicken
[2010/12/01 18:38:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Intuit
[2010/11/23 07:08:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Avanquest
[2008/03/16 17:29:18 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/11 23:45:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/11 18:00:56 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/08 14:45:45 | 000,003,975 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/12/08 13:26:12 | 000,187,392 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/08 10:56:30 | 000,000,981 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/12/08 10:56:30 | 000,000,963 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
[2010/12/07 11:39:44 | 000,003,869 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/01 21:36:08 | 000,000,945 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/12/01 18:20:51 | 000,001,716 | -H-- | M] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2010/11/24 13:09:36 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.bak
[2010/11/24 07:40:39 | 000,251,880 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/01 21:36:08 | 000,000,945 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/12/01 18:26:46 | 000,088,039 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\FASTWiz.log
[2010/12/01 18:17:24 | 000,001,716 | -H-- | C] () -- C:\Documents and Settings\Administrator\My Documents\Default.rdp
[2010/11/24 13:32:05 | 000,000,007 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\PathsToScan.txt
[2010/11/22 18:38:39 | 000,087,922 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\FASTWiz.log
[2010/07/23 17:02:30 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\00000000.LOG
[2010/07/21 15:10:31 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\NTUSER.DFG.LOG
[2010/02/09 16:55:51 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\VendorCmdRW.dll
[2010/02/08 21:24:24 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\PrimoApimonnt.dll
[2010/02/08 21:24:20 | 000,000,311 | ---- | C] () -- C:\WINDOWS\primoapi.ini
[2009/07/30 22:24:36 | 000,003,975 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/08/25 14:17:46 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2008/03/28 17:09:00 | 000,009,849 | ---- | C] () -- C:\WINDOWS\System32\mswunootem.dll
[2008/02/04 17:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/10/27 11:54:42 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\mscocuobd.dll
[2007/10/27 08:44:45 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\msmucootdm.dll
[2007/07/27 22:14:24 | 000,002,554 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI
[2006/12/05 14:01:59 | 000,009,847 | ---- | C] () -- C:\WINDOWS\System32\mswonuobe.dll
[2006/06/16 07:29:57 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2006/06/15 20:46:44 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/04/21 17:35:52 | 000,000,379 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2006/04/21 16:56:23 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\dm.ini
[2006/04/11 17:24:29 | 000,000,454 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2006/04/11 17:24:29 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2006/04/11 17:24:29 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2006/04/11 17:23:40 | 000,002,651 | ---- | C] () -- C:\WINDOWS\BRMFBIDI.INI
[2006/04/11 01:22:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/04/10 23:09:21 | 000,187,392 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/04/10 22:43:28 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2006/04/10 16:06:11 | 005,242,880 | -H-- | C] () -- C:\Documents and Settings\Owner\NTUSER.bak
[2006/04/10 15:23:02 | 000,000,030 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/04/07 10:41:51 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1765/05/20 03:49:30 | 000,004,263 | -HS- | C] () -- C:\WINDOWS\windllreg1c.sys

========== LOP Check ==========

[2010/05/20 06:39:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\acccore
[2010/03/29 10:37:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Avanquest
[2010/02/08 21:34:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FEP
[2010/04/16 14:48:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GetRightToGo
[2006/05/09 20:20:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterTrust
[2006/12/02 15:32:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Kontiki
[2006/12/14 14:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PlayFirst
[2010/04/16 12:15:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SmartDraw
[2010/05/18 11:13:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\The Master Genealogist v7
[2010/07/19 13:18:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\UB
[2007/01/22 19:01:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Viewpoint
[2006/10/31 21:11:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Walgreens
[2006/08/27 01:05:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Wildfire
[2010/11/23 07:08:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Avanquest
[2009/03/28 19:01:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\acccore
[2007/09/18 17:23:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\Viewpoint
[2010/02/09 17:03:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\X10 Commander
[2009/11/15 01:50:22 | 000,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/08/01 00:00:15 | 000,000,332 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

========== Purity Check ==========


< End of report >

PS - I was able to get all of my files and documents off the infected machine. Thank you so much.

#4
mitch8
    Trusted Helper
  • Malware Removal
  • 1,356 posts
Hi,

This may be more of an OS issue than malware. Let's find out if it is malware or not.

Copy the following text in the code box to Notepad. Save it as fix.txt to a USB drive.

:OTL
SRV - File not found [Disabled] -- -- (Smcssantcir)

:Commands
[emptytemp]
[EMPTYFLASH]

Download the tools to a flash drive:

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file and save it as it is originally named.

Note: If you have SP3, use the SP2 package.

***************************************************


Start OTLPE as you did previously from the CD.

  • Insert your USB drive with fix.txt on it
  • Start OTLPE
  • Drag and drop fix.txt into the Custom Scans and Fixes box
  • If you cannot drag and drop for some reason, press the Run Fix button; a dialogue box will pop up asking for the location. Select the file on your USB drive.
  • Then click the Run Fix button at the top


Now we will continue to use your computer without the CD. Try to boot into Last Known Good Configuration. To do this, press the "F8" key when the OS starts to boot until the Windows Advanced Options Menu appears. Use your arrow keys to move to "Last Known Good Configuration" and press your Enter key.

---------------------------------------------------------------------

Transfer ComboFix and the Recovery Console to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
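A small triage script for the OTL.txt report in post #3 and the fix.txt in post #4. It is an added example, not code from OTL, OldTimer or the helper: it parses the SRV/DRV lines, separates registry entries that have no image path at all from those whose file is merely gone, and renders a selection back into the :OTL / :Commands format the helper used. The sample lines are copied from the log above; the function and bucket names are assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# OTL writes service (SRV) and driver (DRV) lines in two shapes:
#   SRV - File not found [Auto] -- C:\path\svc.exe -- (Name)
#   SRV - [date time | size | attrs | M] (Company) [Auto] -- C:\path -- (Name)
# DRV lines are the same except the start bracket reads "[Kernel | Auto]".
# A key that records no image path at all appears as "-- --" before the name.
LINE_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)|\[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\))"
    r" \[(?P<start>[^\]]*)\] -- (?P<path>.*?) ?-- \((?P<name>[^)]*)\)(?P<extra>.*)$"
)


@dataclass
class Entry:
    kind: str               # "SRV" (Win32 service) or "DRV" (kernel driver)
    name: str               # registry key name, e.g. "Smcssantcir"
    start: str              # Auto, On_Demand, Disabled, System
    path: str               # image path; "" when the key records none
    company: Optional[str]  # vendor from version info; None when file missing
    file_found: bool
    raw: str                # the log line verbatim (what an :OTL fix quotes)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one SRV/DRV line; lines from other OTL sections return None."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(
        kind=m.group("kind"),
        name=m.group("name"),
        start=m.group("start").split("|")[-1].strip(),  # "Kernel | Auto" -> "Auto"
        path=m.group("path").strip(),
        company=m.group("company"),
        file_found=m.group("missing") is None,
        raw=line,
    )


def triage(report: str) -> Dict[str, List[Entry]]:
    """Bucket entries: 'orphan' = key with no image path at all, 'missing' =
    a path is recorded but the file is gone, 'present' = the file is on disk."""
    buckets: Dict[str, List[Entry]] = defaultdict(list)
    for line in report.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e.file_found:
            buckets["present"].append(e)
        elif e.path == "":
            buckets["orphan"].append(e)
        else:
            buckets["missing"].append(e)
    return buckets


def suspect_services(buckets: Dict[str, List[Entry]]) -> List[Entry]:
    """Win32 service keys with no binary behind them: the kind of entry the
    helper scripted for removal. Orphan DRV keys are only reported; the
    helper's fix above removed none of them, so that call stays with a human."""
    return [e for e in buckets["orphan"] if e.kind == "SRV"]


def otl_fix_block(entries: List[Entry]) -> str:
    """Render chosen entries in OTL's fix format: ':OTL' quotes the log lines
    verbatim, ':Commands' carries the clean-up directives used in post #4."""
    lines = [":OTL"] + [e.raw for e in entries]
    lines += ["", ":Commands", "[emptytemp]", "[EMPTYFLASH]"]
    return "\n".join(lines)


# Constructed sample: a subset of lines copied from the OTL.txt posted above.
SAMPLE = r"""
SRV - File not found [Disabled] -- -- (Smcssantcir)
SRV - File not found [Auto] -- C:\WINDOWS\System32\services.exe -- (PlugPlay)
SRV - [2009/03/31 15:06:22 | 000,161,048 | ---- | M] (Avanquest North America, Inc.) [Auto] -- C:\Program Files\Avanquest\Fix-It\mxtask.exe -- (Fix-It Task Manager)
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - [2007/11/22 05:44:08 | 000,201,320 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2003/01/10 15:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
O1 - Hosts: 127.0.0.1 localhost
"""

if __name__ == "__main__":
    found = triage(SAMPLE)
    for bucket in ("orphan", "missing", "present"):
        print(f"{bucket}: {[e.name for e in found[bucket]]}")
    print(otl_fix_block(suspect_services(found)))
```

Run against the full OTL.txt, the "orphan" bucket is the short list worth reading first; the "missing" bucket mostly reflects uninstalled software and, here, the core Windows services OTLPE could not resolve from the CD.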

#5
mitch8
    Trusted Helper
  • Malware Removal
  • 1,356 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
