-
June 17th, 2013, 04:14 PM
#1
[Inactive] ransomware
Hi, I was infected with what I've read to be ransomware - supposedly the FBI has locked the computer and dead payment. I've read this is nothing more than a virus. I was able to open up my user page, but now it just gives me the choice of starting in safe mode or normally, then a brief flash of a blue screen, then back to startup.
-
June 17th, 2013, 05:19 PM
#2
fat fingers
Sorry - I am typing on my wife's laptop and have trouble typing on it. What I meant to say was the ransomware demands payment to unlock the computer. After more research it appears this is a nasty virus. For clarity's sake: when I start the computer it gives me the screen to start in safe mode, safe mode with command, etc. It doesn't matter what selection I choose, it loops me from this page back to the same page. Thanks.
-
June 17th, 2013, 09:47 PM
#3
Please observe the following rules:
- Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
- If you're stuck, or you're not sure about certain step, always ask before doing anything else.
- Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
- Never run more than one scan at a time.
- Keep updating me regarding your computer behavior, good, or bad.
- The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
- If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
- I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
=================================
What Windows version is it?
-
June 18th, 2013, 09:35 AM
#4
Windows XP. It is a Dell computer, 4300 series. Rather ancient; it still has a place to insert a diskette.
-
June 18th, 2013, 07:57 PM
#5
Let's see if we can look at your computer by booting from an external source.
Please download OTLPE (filesize 120,9 MB)
- When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
- Reboot your system using the boot CD you just created.
- Note : If you do not know how to set your computer to boot from CD follow the steps here
- Your system should now display a REATOGO-X-PE desktop.
- Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
- Double-click on the OTLPE icon.
- When asked Do you wish to load the remote registry, select Yes
- When asked Do you wish to load remote user profile(s) for scanning, select Yes
- Ensure the box "Automatically Load All Remaining Users" is checked and press OK
- OTL should now start.
- Press Run Scan to start the scan.
- When finished, the file will be saved in drive C:\OTL.txt
- Copy this file to your USB drive if you do not have internet connection on this system
- Please post the contents of the OTL.txt file in your reply.
-
June 19th, 2013, 09:06 AM
#6
Excellent instructions.
Thank you, here are the results:
OTL logfile created on: 6/19/2013 6:54:42 AM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
511.00 Mb Total Physical Memory | 322.00 Mb Available Physical Memory | 63.00% Memory free
459.00 Mb Paging File | 339.00 Mb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 26.00 Gb Free Space | 69.78% Space Free | Partition Type: NTFS
Drive D: | 13.99 Gb Total Space | 10.98 Gb Free Space | 78.50% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
========== Win32 Services (SafeList) ==========
SRV - File not found [Disabled] -- -- (HidServ)
SRV - File not found [On_Demand] -- -- (AppMgmt)
SRV - [2013/06/17 13:15:16 | 000,155,136 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Documents and Settings\All Users\Application Data\9l33.dat -- (winmgmt)
SRV - [2012/09/09 10:39:41 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/06/28 09:14:33 | 000,269,480 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/29 16:52:59 | 000,136,360 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2011/08/03 22:11:12 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/08/03 22:11:12 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2011/06/28 09:14:37 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/06/17 18:27:24 | 000,022,360 | ---- | M] (Avira GmbH) [File_System | Boot] -- C:\WINDOWS\system32\drivers\avgntmgr.sys -- (avgntmgr)
DRV - [2010/06/17 18:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/05/23 15:37:57 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/03/21 11:03:27 | 000,055,216 | ---- | M] (Roxio) [Kernel | System] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2010/03/21 11:03:27 | 000,022,713 | ---- | M] (Roxio) [Kernel | System] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2009/02/13 16:17:49 | 000,045,416 | ---- | M] (Avira GmbH) [File_System | System] -- C:\WINDOWS\system32\drivers\avgntdd.sys -- (avgntdd)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2001/09/10 13:43:46 | 000,205,824 | ---- | M] (Roxio) [File_System | System] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2001/09/04 19:37:08 | 000,233,344 | ---- | M] (Roxio) [File_System | System] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2001/09/04 18:39:50 | 000,017,990 | ---- | M] (Roxio) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2001/09/04 18:39:40 | 000,019,702 | ---- | M] (Roxio) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2001/09/04 18:39:28 | 000,078,454 | ---- | M] (Roxio) [Kernel | System] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2K)
DRV - [2001/08/20 14:59:38 | 000,025,472 | ---- | M] (Roxio Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\imapiRox.sys -- (Imapi)
DRV - [2001/08/17 09:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001/08/17 08:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4)
DRV - [2001/08/17 08:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 08:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 08:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 08:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2001/08/17 08:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Kat_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/central/appma...rtal/vzcentral
IE - HKU\Kat_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Kevin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Kevin_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\Kevin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2011/11/29 08:44:11 | 000,000,000 | ---D | M]
O1 HOSTS File: ([2010/05/23 14:14:43 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\Kat_ON_C\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKU\Kat_ON_C..\Run: [ctfmon32.exe] C:\Documents and Settings\All Users\Application Data\9l33.dat (Microsoft Corporation)
O4 - HKU\Kevin_ON_C..\Run: [] File not found
O4 - HKU\Kevin_ON_C..\Run: [ctfmon32.exe] C:\Documents and Settings\All Users\Application Data\9l33.dat (Microsoft Corporation)
O4 - HKU\Kevin_ON_C..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe (TLC Productivity Properties LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Kat\Start Menu\Programs\Startup\regmonstd.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\regmonstd.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Kat_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Kevin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Kevin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Kevin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...4/wmsp9dmo.CAB (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...22/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/...osticsxp2k.cab (DDRevision Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub...sh/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\Hp\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2009/11/01 15:00:37 | 000,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2013/06/17 14:54:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2013/06/17 13:44:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kat\Application Data\SUPERAntiSpyware.com
[2013/06/17 13:15:16 | 000,155,136 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\9l33.dat
[2013/06/17 13:15:16 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\rundll32.exe
[2013/06/17 12:17:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Kevin\Recent
[2013/06/03 12:31:12 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Kevin\IECompatCache
[2013/04/16 13:24:27 | 004,316,280 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup400.exe
[2013/03/25 11:17:30 | 004,190,272 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup328.exe
[2013/01/16 15:56:03 | 004,178,040 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup326.exe
[2012/10/18 14:50:03 | 003,941,312 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup323.exe
[2012/09/17 11:08:48 | 003,927,560 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup322.exe
[2012/07/16 16:24:18 | 038,808,920 | ---- | C] (Microsoft Corporation) -- C:\Program Files\FileFormatConverters.exe
[2012/07/05 17:33:20 | 003,889,704 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup320.exe
[2012/06/15 11:57:37 | 003,862,112 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup319.exe
[2012/05/10 14:20:20 | 003,654,896 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup318.exe
[2012/02/27 13:26:01 | 003,628,016 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup316.exe
[2012/02/16 15:51:24 | 003,587,688 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup315.exe
[2012/01/16 15:18:49 | 003,562,624 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup314.exe
[2011/11/23 11:12:14 | 003,511,776 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup312.exe
[2011/10/08 13:55:51 | 003,496,848 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup311.exe
[2011/08/31 23:28:51 | 003,480,352 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup310.exe
[2011/03/04 12:14:59 | 003,033,192 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup304.exe
[2 C:\Documents and Settings\Kevin\My Documents\*.tmp files -> C:\Documents and Settings\Kevin\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\Kevin\Desktop\*.tmp files -> C:\Documents and Settings\Kevin\Desktop\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2013/06/17 14:55:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/06/17 14:55:42 | 000,000,344 | RHS- | M] () -- C:\boot.ini
[2013/06/17 14:51:20 | 535,904,256 | -HS- | M] () -- C:\hiberfil.sys
[2013/06/17 14:34:44 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Kat\Start Menu\Programs\Startup\regmonstd.lnk
[2013/06/17 14:34:43 | 095,023,320 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\33l9.pad
[2013/06/17 13:16:51 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\regmonstd.lnk
[2013/06/17 13:16:30 | 000,003,046 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\33l9.js
[2013/06/17 13:15:16 | 000,155,136 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\9l33.dat
[2013/06/17 13:15:16 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\rundll32.exe
[2013/06/17 08:25:06 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/06/12 14:54:23 | 000,199,178 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\NAU Albuquerque Wruck.pdf
[2013/06/12 14:49:20 | 000,190,630 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\NAU Lead Tracking Form_distributed.pdf
[2013/06/12 14:48:19 | 000,025,658 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Admissions Advisor Evaluation.pdf
[2013/06/11 14:00:02 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Microsoft Word (2).lnk
[2013/06/10 13:25:03 | 000,234,330 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\NAU Albuquerque West Wruck 20130606.pdf
[2013/05/31 13:19:17 | 001,731,054 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Jemez_map_lg2.bmp
[2013/05/24 14:52:28 | 000,086,016 | ---- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/05/23 13:27:15 | 000,068,846 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2 C:\Documents and Settings\Kevin\My Documents\*.tmp files -> C:\Documents and Settings\Kevin\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\Kevin\Desktop\*.tmp files -> C:\Documents and Settings\Kevin\Desktop\*.tmp -> ]
========== Files Created - No Company Name ==========
[2013/06/17 14:34:43 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Kat\Start Menu\Programs\Startup\regmonstd.lnk
[2013/06/17 13:16:51 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\regmonstd.lnk
[2013/06/17 13:16:30 | 000,003,046 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\33l9.js
[2013/06/17 13:15:29 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\33l9.pad
[2013/06/12 14:54:22 | 000,199,178 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\NAU Albuquerque Wruck.pdf
[2013/06/12 14:49:18 | 000,190,630 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\NAU Lead Tracking Form_distributed.pdf
[2013/06/12 14:48:17 | 000,025,658 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Admissions Advisor Evaluation.pdf
[2013/06/06 09:20:48 | 000,234,330 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\NAU Albuquerque West Wruck 20130606.pdf
[2013/05/31 13:19:17 | 001,731,054 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Jemez_map_lg2.bmp
[2012/11/19 11:21:52 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\netdislw.pad
[2012/01/18 18:51:25 | 001,926,184 | ---- | C] () -- C:\Program Files\OpenPDFFiles.exe
[2011/11/29 08:36:30 | 000,166,436 | ---- | C] () -- C:\WINDOWS\hpoins28.dat
[2011/11/29 08:36:29 | 000,000,796 | ---- | C] () -- C:\WINDOWS\hpomdl28.dat
[2010/03/21 11:03:28 | 000,040,960 | ---- | C] () -- C:\WINDOWS\uneng.exe
[2009/11/13 20:14:55 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/11/12 11:01:03 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Kat\Local Settings\Application Data\fusioncache.dat
[2009/11/04 21:43:53 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\fusioncache.dat
[2009/11/04 21:40:41 | 000,000,453 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/11/04 21:30:41 | 000,104,217 | ---- | C] () -- C:\WINDOWS\hpoins04.dat
[2009/11/04 21:30:41 | 000,017,176 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat
[2009/11/02 19:09:42 | 000,086,016 | ---- | C] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/01 15:40:23 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2009/11/01 15:40:23 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2009/11/01 15:25:21 | 000,068,846 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/11/01 15:03:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/11/01 14:57:39 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/11/01 06:28:22 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/11/01 06:27:26 | 000,233,576 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 08:00:00 | 000,380,350 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 08:00:00 | 000,052,764 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/08/10 16:14:16 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ImapiRoxPS.dll
========== LOP Check ==========
[2010/02/09 20:20:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kat\Application Data\FreeAudioPack
[2010/02/09 20:26:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kat\Application Data\FreeCDRipper
[2010/05/06 19:14:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\Amazon
[2011/08/03 22:11:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\!SASCORE
========== Purity Check ==========
< End of report >
-
June 19th, 2013, 07:37 PM
#7
Do this on the computer you are posting from:
Copy the text in the codebox below:
Code:
:OTL
SRV - File not found [Disabled] -- -- (HidServ)
SRV - File not found [On_Demand] -- -- (AppMgmt)
SRV - [2013/06/17 13:15:16 | 000,155,136 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Documents and Settings\All Users\Application Data\9l33.dat -- (winmgmt)
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O3 - HKU\Kat_ON_C\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKU\Kat_ON_C..\Run: [ctfmon32.exe] C:\Documents and Settings\All Users\Application Data\9l33.dat (Microsoft Corporation)
O4 - HKU\Kevin_ON_C..\Run: [] File not found
O4 - HKU\Kevin_ON_C..\Run: [ctfmon32.exe] C:\Documents and Settings\All Users\Application Data\9l33.dat (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Kat\Start Menu\Programs\Startup\regmonstd.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\regmonstd.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...4/wmsp9dmo.CAB (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...22/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[2013/06/17 13:15:16 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\rundll32.exe
[2013/06/17 14:34:44 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Kat\Start Menu\Programs\Startup\regmonstd.lnk
[2013/06/17 14:34:43 | 095,023,320 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\33l9.pad
[2013/06/17 13:16:51 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\regmonstd.lnk
[2013/06/17 13:16:30 | 000,003,046 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\33l9.js
[2013/06/17 13:15:16 | 000,155,136 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\9l33.dat
[2013/06/17 13:15:16 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\rundll32.exe
:Services
:Reg
:Files
C:\Documents and Settings\All Users\Application Data\9l33.dat
:Commands
[purity]
Open Notepad and paste it.
Save the document as Fix.txt on to a USB flash drive
On the infected computer, do the following...
Run OTLPE
- Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
- (The content of Fix.txt should appear in the box)
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Post the log produced (you'll need to transfer it with a USB stick)
- Remove the CD and shut down computer manually.
- Attempt to reboot normally into Windows.
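The fix above picks three persistence points out of the OTL log: the "winmgmt" service whose image is a .dat file under All Users\Application Data, the per-user Run values named "ctfmon32.exe" that point at the same file, and the regmonstd.lnk startup shortcuts that launch rundll32. The script below is an added example, not part of this thread or of OTL, showing the checks a helper applies by eye when reading such a log: it parses SRV, O4 Run and O4 Startup lines and flags a program that lives in a data directory, that has a non-program extension, whose name mimics a system binary while sitting outside System32, or whose service name normally maps to a known image (here the assumption that winmgmt should resolve to svchost.exe, a short local whitelist). The sample lines are copied from the log posted in this thread; the "X:" path on the shortcut is the OTLPE boot CD resolving rundll32, so the shortcut is flagged for what it runs rather than for where it points.

```python
import re
from pathlib import PureWindowsPath

# Six entries copied from the OTL log posted above (a sample, not the whole log).
SAMPLE_LOG = r"""
SRV - [2013/06/17 13:15:16 | 000,155,136 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Documents and Settings\All Users\Application Data\9l33.dat -- (winmgmt)
SRV - [2011/06/28 09:14:33 | 000,269,480 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKU\Kat_ON_C..\Run: [ctfmon32.exe] C:\Documents and Settings\All Users\Application Data\9l33.dat (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Kat\Start Menu\Programs\Startup\regmonstd.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
"""

# OTL line shapes: service entries, registry Run values, and Startup-folder shortcuts.
SRV_RE = re.compile(
    r"^SRV - \[[^\]]*\] \((?P<company>[^)]*)\) \[(?P<start>[^\]]*)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?)(?: \((?P<company>[^)]*)\))?$"
)
STARTUP_RE = re.compile(
    r"^O4 - Startup: (?P<lnk>.+?\.lnk) = (?P<path>.+?)(?: \((?P<company>[^)]*)\))?$"
)

DATA_DIR_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\programdata\\")
EXEC_EXTS = {".exe", ".dll", ".sys"}
SYSTEM_STEMS = ("rundll32", "ctfmon", "svchost", "explorer")
# Assumed whitelist: on XP the WMI service runs inside svchost.exe, never a standalone file.
EXPECTED_SERVICE_IMAGE = {"winmgmt": "svchost.exe"}


def parse_entry(line):
    """Return (kind, name, path) for SRV / O4 Run / O4 Startup lines, else None."""
    if m := SRV_RE.match(line):
        return "service", m["name"], m["path"]
    if m := RUN_RE.match(line):
        return "run", m["name"], m["path"]
    if m := STARTUP_RE.match(line):
        return "startup", PureWindowsPath(m["lnk"]).name, m["path"]
    return None


def reasons_for(kind, name, path):
    """List the heuristics an entry trips; an empty list means nothing suspicious."""
    low, p = path.lower(), PureWindowsPath(path)
    base, out = p.name.lower(), []
    if kind in ("service", "run"):
        if any(marker in low for marker in DATA_DIR_MARKERS):
            out.append("program lives in a data directory, not Program Files or Windows")
        if p.suffix.lower() not in EXEC_EXTS:
            out.append(f"extension {p.suffix!r} is not a normal program image")
        looks_system = any(base.startswith(s) or name.lower().startswith(s) for s in SYSTEM_STEMS)
        if looks_system and "\\windows\\system32\\" not in low:
            out.append("name mimics a system binary but the path is outside System32")
    if kind == "service":
        expected = EXPECTED_SERVICE_IMAGE.get(name.lower())
        if expected and base != expected:
            out.append(f"service {name} should point at {expected}, not {p.name}")
    if kind == "startup" and base == "rundll32.exe":
        out.append("shortcut runs rundll32.exe; the DLL it loads is in the .lnk arguments, which OTL does not print")
    return out


def triage(log_text):
    """Run every parseable entry through the heuristics and keep the ones that trip at least one."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line.strip())
        if not parsed:
            continue
        kind, name, path = parsed
        if path.lower().startswith("file not found"):
            continue  # orphaned entries are cleanup, not evidence of a running payload
        reasons = reasons_for(kind, name, path)
        if reasons:
            findings.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:8} {f['name']:16} {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the sample, the two Avira entries and the Office shortcut pass clean, while the winmgmt service, the ctfmon32.exe Run value and the regmonstd.lnk shortcut are reported with their reasons; those are exactly the live entries the fix script above removes. The heuristics are deliberately narrow: they do not replace a hash lookup or a scan of the file itself, and a whitelist of expected service images has to be built per Windows version before it is trusted.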
-
June 20th, 2013, 12:09 PM
#8
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HidServ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winmgmt deleted successfully.
C:\Documents and Settings\All Users\Application Data\9l33.dat moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WDICA deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PDRFRAME deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PDRELI deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PDFRAME deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PDCOMP deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCIDump deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lbrtfdc deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i2omgmt deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Changer deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry value HKEY_USERS\Kat_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\Kat_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmon32.exe deleted successfully.
File C:\Documents and Settings\All Users\Application Data\9l33.dat not found.
Registry value HKEY_USERS\Kevin_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_USERS\Kevin_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmon32.exe deleted successfully.
File C:\Documents and Settings\All Users\Application Data\9l33.dat not found.
C:\Documents and Settings\Kat\Start Menu\Programs\Startup\regmonstd.lnk moved successfully.
File move failed. X:\I386\SYSTEM32\RUNDLL32.EXE scheduled to be moved on reboot.
C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\regmonstd.lnk moved successfully.
File move failed. X:\I386\SYSTEM32\RUNDLL32.EXE scheduled to be moved on reboot.
Starting removal of ActiveX control {0000000A-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wmsp9dmo.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0000000A-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\Kat_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\Kevin_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {33564D57-0000-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-0000-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\Kat_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\Kevin_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\Kat_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\Kevin_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\Documents and Settings\All Users\Application Data\rundll32.exe moved successfully.
File C:\Documents and Settings\Kat\Start Menu\Programs\Startup\regmonstd.lnk not found.
C:\Documents and Settings\All Users\Application Data\33l9.pad moved successfully.
File C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\regmonstd.lnk not found.
C:\Documents and Settings\All Users\Application Data\33l9.js moved successfully.
File C:\Documents and Settings\All Users\Application Data\9l33.dat not found.
File C:\Documents and Settings\All Users\Application Data\rundll32.exe not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File\Folder C:\Documents and Settings\All Users\Application Data\9l33.dat not found.
========== COMMANDS ==========
OTLPE by OldTimer - Version 3.1.48.0 log created on 06202013_105204
Files\Folders moved on Reboot...
File move failed. X:\I386\SYSTEM32\RUNDLL32.EXE scheduled to be moved on reboot.
Registry entries deleted on Reboot...
Upon trying to reboot normally I get the screen with the options (normally, safe mode, etc.), then a brief blue screen flash and back to the same screen as before.
-
June 20th, 2013, 08:24 PM
#9
-
June 21st, 2013, 10:34 AM
#10
OTL logfile created on: 6/21/2013 11:25:57 AM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
511.00 Mb Total Physical Memory | 321.00 Mb Available Physical Memory | 63.00% Memory free
459.00 Mb Paging File | 339.00 Mb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 26.00 Gb Free Space | 69.78% Space Free | Partition Type: NTFS
Drive D: | 13.99 Gb Total Space | 10.98 Gb Free Space | 78.50% Space Free | Partition Type: NTFS
Drive E: | 7.45 Gb Total Space | 7.45 Gb Free Space | 100.00% Space Free | Partition Type: FAT32
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
========== Win32 Services (SafeList) ==========
SRV - [2012/09/09 10:39:41 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/06/28 09:14:33 | 000,269,480 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/29 16:52:59 | 000,136,360 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
========== Driver Services (SafeList) ==========
DRV - [2011/08/03 22:11:12 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/08/03 22:11:12 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2011/06/28 09:14:37 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/06/17 18:27:24 | 000,022,360 | ---- | M] (Avira GmbH) [File_System | Boot] -- C:\WINDOWS\system32\drivers\avgntmgr.sys -- (avgntmgr)
DRV - [2010/06/17 18:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/05/23 15:37:57 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/03/21 11:03:27 | 000,055,216 | ---- | M] (Roxio) [Kernel | System] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2010/03/21 11:03:27 | 000,022,713 | ---- | M] (Roxio) [Kernel | System] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2009/02/13 16:17:49 | 000,045,416 | ---- | M] (Avira GmbH) [File_System | System] -- C:\WINDOWS\system32\drivers\avgntdd.sys -- (avgntdd)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2001/09/10 13:43:46 | 000,205,824 | ---- | M] (Roxio) [File_System | System] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2001/09/04 19:37:08 | 000,233,344 | ---- | M] (Roxio) [File_System | System] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2001/09/04 18:39:50 | 000,017,990 | ---- | M] (Roxio) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2001/09/04 18:39:40 | 000,019,702 | ---- | M] (Roxio) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2001/09/04 18:39:28 | 000,078,454 | ---- | M] (Roxio) [Kernel | System] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2K)
DRV - [2001/08/20 14:59:38 | 000,025,472 | ---- | M] (Roxio Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\imapiRox.sys -- (Imapi)
DRV - [2001/08/17 09:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001/08/17 08:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4)
DRV - [2001/08/17 08:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 08:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 08:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 08:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2001/08/17 08:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Kat_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/central/appma...rtal/vzcentral
IE - HKU\Kat_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Kevin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Kevin_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\Kevin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2011/11/29 08:44:11 | 000,000,000 | ---D | M]
O1 HOSTS File: ([2010/05/23 14:14:43 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKU\Kevin_ON_C..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe (TLC Productivity Properties LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Kat_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Kevin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Kevin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Kevin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/...osticsxp2k.cab (DDRevision Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub...sh/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\Hp\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2009/11/01 15:00:37 | 000,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2013/06/20 10:52:12 | 002,237,440 | R--- | C] (OldTimer Tools) -- C:\OTLPE.exe
[2013/06/20 10:52:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/06/17 14:54:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2013/06/17 13:44:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kat\Application Data\SUPERAntiSpyware.com
[2013/06/17 12:17:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Kevin\Recent
[2013/06/03 12:31:12 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Kevin\IECompatCache
[2013/04/16 13:24:27 | 004,316,280 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup400.exe
[2013/03/25 11:17:30 | 004,190,272 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup328.exe
[2013/01/16 15:56:03 | 004,178,040 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup326.exe
[2012/10/18 14:50:03 | 003,941,312 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup323.exe
[2012/09/17 11:08:48 | 003,927,560 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup322.exe
[2012/07/16 16:24:18 | 038,808,920 | ---- | C] (Microsoft Corporation) -- C:\Program Files\FileFormatConverters.exe
[2012/07/05 17:33:20 | 003,889,704 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup320.exe
[2012/06/15 11:57:37 | 003,862,112 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup319.exe
[2012/05/10 14:20:20 | 003,654,896 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup318.exe
[2012/02/27 13:26:01 | 003,628,016 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup316.exe
[2012/02/16 15:51:24 | 003,587,688 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup315.exe
[2012/01/16 15:18:49 | 003,562,624 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup314.exe
[2011/11/23 11:12:14 | 003,511,776 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup312.exe
[2011/10/08 13:55:51 | 003,496,848 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup311.exe
[2011/08/31 23:28:51 | 003,480,352 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup310.exe
[2011/03/04 12:14:59 | 003,033,192 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup304.exe
[2 C:\Documents and Settings\Kevin\My Documents\*.tmp files -> C:\Documents and Settings\Kevin\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\Kevin\Desktop\*.tmp files -> C:\Documents and Settings\Kevin\Desktop\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2013/06/17 14:55:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/06/17 14:55:42 | 000,000,344 | RHS- | M] () -- C:\boot.ini
[2013/06/17 14:51:20 | 535,904,256 | -HS- | M] () -- C:\hiberfil.sys
[2013/06/17 08:25:06 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/06/12 14:54:23 | 000,199,178 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\NAU Albuquerque Wruck.pdf
[2013/06/12 14:49:20 | 000,190,630 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\NAU Lead Tracking Form_distributed.pdf
[2013/06/12 14:48:19 | 000,025,658 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Admissions Advisor Evaluation.pdf
[2013/06/11 14:00:02 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Microsoft Word (2).lnk
[2013/06/10 13:25:03 | 000,234,330 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\NAU Albuquerque West Wruck 20130606.pdf
[2013/05/31 13:19:17 | 001,731,054 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Jemez_map_lg2.bmp
[2013/05/24 14:52:28 | 000,086,016 | ---- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/05/23 13:27:15 | 000,068,846 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2 C:\Documents and Settings\Kevin\My Documents\*.tmp files -> C:\Documents and Settings\Kevin\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\Kevin\Desktop\*.tmp files -> C:\Documents and Settings\Kevin\Desktop\*.tmp -> ]
========== Files Created - No Company Name ==========
[2013/06/12 14:54:22 | 000,199,178 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\NAU Albuquerque Wruck.pdf
[2013/06/12 14:49:18 | 000,190,630 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\NAU Lead Tracking Form_distributed.pdf
[2013/06/12 14:48:17 | 000,025,658 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Admissions Advisor Evaluation.pdf
[2013/06/06 09:20:48 | 000,234,330 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\NAU Albuquerque West Wruck 20130606.pdf
[2013/05/31 13:19:17 | 001,731,054 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Jemez_map_lg2.bmp
[2012/11/19 11:21:52 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\netdislw.pad
[2012/01/18 18:51:25 | 001,926,184 | ---- | C] () -- C:\Program Files\OpenPDFFiles.exe
[2011/11/29 08:36:30 | 000,166,436 | ---- | C] () -- C:\WINDOWS\hpoins28.dat
[2011/11/29 08:36:29 | 000,000,796 | ---- | C] () -- C:\WINDOWS\hpomdl28.dat
[2010/03/21 11:03:28 | 000,040,960 | ---- | C] () -- C:\WINDOWS\uneng.exe
[2009/11/13 20:14:55 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/11/12 11:01:03 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Kat\Local Settings\Application Data\fusioncache.dat
[2009/11/04 21:43:53 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\fusioncache.dat
[2009/11/04 21:40:41 | 000,000,453 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/11/04 21:30:41 | 000,104,217 | ---- | C] () -- C:\WINDOWS\hpoins04.dat
[2009/11/04 21:30:41 | 000,017,176 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat
[2009/11/02 19:09:42 | 000,086,016 | ---- | C] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/01 15:40:23 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2009/11/01 15:40:23 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2009/11/01 15:25:21 | 000,068,846 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/11/01 15:03:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/11/01 14:57:39 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/11/01 06:28:22 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/11/01 06:27:26 | 000,233,576 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 08:00:00 | 000,380,350 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 08:00:00 | 000,052,764 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/08/10 16:14:16 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ImapiRoxPS.dll
========== LOP Check ==========
[2010/02/09 20:20:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kat\Application Data\FreeAudioPack
[2010/02/09 20:26:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kat\Application Data\FreeCDRipper
[2010/05/06 19:14:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kevin\Application Data\Amazon
[2011/08/03 22:11:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\!SASCORE
========== Purity Check ==========
< End of report >
-
June 21st, 2013, 06:00 PM
#11
Nothing malicious there anymore.
Do you remember at what approximate date your computer booted fine for the last time?
===================================
You will need a USB flash drive.
Download GETxPUD.exe to the desktop of your clean computer
- Run GETxPUD.exe
- A new folder will appear on the desktop.
- Open the GETxPUD folder and click on the get&burn.bat
- The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
- Click on Start and follow the prompts to burn the image to a CD.
- Next download rst.sh to your USB flash drive
- Remove the USB & CD and insert them in the sick computer
- Boot the Sick computer with the CD you just burned
- The computer must be set to boot from the CD
- Gently tap F12 and choose to boot from the CD
- Follow the prompts
- A Welcome to xPUD screen will appear
- Press File
- Expand mnt
- sda1,2...usually corresponds to your HDD
- sdb1 is likely your USB
- Click on the folder that represents your USB drive (sdb1 ?)
- Confirm that you see rst.sh that you downloaded there
- Press Tool at the top
- Choose Open Terminal
- Type bash rst.sh
- Press Enter
- After it has finished a report will be located on your USB drive named enum.log
- Remove the USB drive and insert it back in your working computer and navigate to enum.log
Please note - all text entries are case sensitive
Copy and paste the enum.log for my review
-
June 23rd, 2013, 01:40 PM
#12
The last good boot was the morning of the 17th - the day of infection.....log:
20.0M Jun 21 15:35 /mnt/sda1/WINDOWS/system32/config/software
6.3M Jun 20 14:53 /mnt/sda1/WINDOWS/system32/config/system
19.8M Apr 19 17:20 /sda1/~/RP520/~SOFTWARE
19.8M Apr 22 17:32 /sda1/~/RP521/~SOFTWARE
19.8M Apr 24 20:32 /sda1/~/RP522/~SOFTWARE
19.8M Apr 26 22:21 /sda1/~/RP523/~SOFTWARE
19.8M Apr 29 17:26 /sda1/~/RP524/~SOFTWARE
19.8M May 1 16:55 /sda1/~/RP525/~SOFTWARE
19.8M May 2 17:05 /sda1/~/RP526/~SOFTWARE
19.8M May 3 20:24 /sda1/~/RP527/~SOFTWARE
19.8M May 7 15:16 /sda1/~/RP528/~SOFTWARE
19.8M May 9 15:43 /sda1/~/RP529/~SOFTWARE
19.8M May 10 16:39 /sda1/~/RP530/~SOFTWARE
19.8M May 14 16:19 /sda1/~/RP531/~SOFTWARE
19.8M May 15 16:24 /sda1/~/RP532/~SOFTWARE
19.8M May 18 13:28 /sda1/~/RP533/~SOFTWARE
19.8M May 21 15:20 /sda1/~/RP534/~SOFTWARE
19.8M May 22 18:24 /sda1/~/RP535/~SOFTWARE
19.8M May 24 14:55 /sda1/~/RP536/~SOFTWARE
19.8M May 28 16:32 /sda1/~/RP537/~SOFTWARE
19.8M May 31 15:46 /sda1/~/RP538/~SOFTWARE
19.9M Jun 1 15:56 /sda1/~/RP539/~SOFTWARE
19.8M Jun 2 20:42 /sda1/~/RP540/~SOFTWARE
19.8M Jun 3 21:01 /sda1/~/RP541/~SOFTWARE
19.8M Jun 5 21:44 /sda1/~/RP542/~SOFTWARE
19.8M Jun 7 13:12 /sda1/~/RP543/~SOFTWARE
19.8M Jun 9 14:45 /sda1/~/RP544/~SOFTWARE
19.8M Jun 10 16:42 /sda1/~/RP545/~SOFTWARE
19.8M Jun 12 12:25 /sda1/~/RP546/~SOFTWARE
19.8M Jun 13 18:25 /sda1/~/RP547/~SOFTWARE
19.8M Jun 17 18:02 /sda1/~/RP548/~SOFTWARE
19.8M Mar 15 00:37 /sda1/~/RP507/~SOFTWARE
19.8M Mar 19 18:50 /sda1/~/RP508/~SOFTWARE
19.8M Mar 20 22:36 /sda1/~/RP509/~SOFTWARE
19.8M Mar 27 15:49 /sda1/~/RP510/~SOFTWARE
19.8M Mar 28 16:22 /sda1/~/RP511/~SOFTWARE
19.8M Apr 1 14:32 /sda1/~/RP512/~SOFTWARE
19.8M Apr 4 16:52 /sda1/~/RP513/~SOFTWARE
19.8M Apr 9 17:39 /sda1/~/RP514/~SOFTWARE
19.8M Apr 12 14:16 /sda1/~/RP515/~SOFTWARE
19.8M Apr 15 13:32 /sda1/~/RP516/~SOFTWARE
19.8M Apr 16 16:17 /sda1/~/RP517/~SOFTWARE
19.8M Apr 17 17:02 /sda1/~/RP518/~SOFTWARE
19.8M Apr 18 17:06 /sda1/~/RP519/~SOFTWARE
6.1M Apr 19 17:20 /sda1/~/RP520/~SYSTEM
6.1M Apr 22 17:32 /sda1/~/RP521/~SYSTEM
6.1M Apr 24 20:32 /sda1/~/RP522/~SYSTEM
6.1M Apr 26 22:21 /sda1/~/RP523/~SYSTEM
6.1M Apr 29 17:26 /sda1/~/RP524/~SYSTEM
6.1M May 1 16:55 /sda1/~/RP525/~SYSTEM
6.1M May 2 17:05 /sda1/~/RP526/~SYSTEM
6.1M May 3 20:24 /sda1/~/RP527/~SYSTEM
6.1M May 7 15:16 /sda1/~/RP528/~SYSTEM
6.1M May 9 15:43 /sda1/~/RP529/~SYSTEM
6.1M May 10 16:39 /sda1/~/RP530/~SYSTEM
6.1M May 14 16:19 /sda1/~/RP531/~SYSTEM
6.1M May 15 16:24 /sda1/~/RP532/~SYSTEM
6.1M May 18 13:28 /sda1/~/RP533/~SYSTEM
6.1M May 21 15:20 /sda1/~/RP534/~SYSTEM
6.1M May 22 18:24 /sda1/~/RP535/~SYSTEM
6.1M May 24 14:55 /sda1/~/RP536/~SYSTEM
6.1M May 28 16:32 /sda1/~/RP537/~SYSTEM
6.1M May 31 15:46 /sda1/~/RP538/~SYSTEM
6.1M Jun 1 15:56 /sda1/~/RP539/~SYSTEM
6.1M Jun 2 20:42 /sda1/~/RP540/~SYSTEM
6.1M Jun 3 21:01 /sda1/~/RP541/~SYSTEM
6.1M Jun 5 21:44 /sda1/~/RP542/~SYSTEM
6.1M Jun 7 13:12 /sda1/~/RP543/~SYSTEM
6.1M Jun 9 14:45 /sda1/~/RP544/~SYSTEM
6.1M Jun 10 16:42 /sda1/~/RP545/~SYSTEM
6.1M Jun 12 12:25 /sda1/~/RP546/~SYSTEM
6.1M Jun 13 18:25 /sda1/~/RP547/~SYSTEM
6.1M Jun 17 18:02 /sda1/~/RP548/~SYSTEM
6.1M Mar 15 00:37 /sda1/~/RP507/~SYSTEM
6.1M Mar 19 18:50 /sda1/~/RP508/~SYSTEM
6.1M Mar 20 22:36 /sda1/~/RP509/~SYSTEM
6.1M Mar 27 15:49 /sda1/~/RP510/~SYSTEM
6.1M Mar 28 16:22 /sda1/~/RP511/~SYSTEM
6.1M Apr 1 14:32 /sda1/~/RP512/~SYSTEM
6.1M Apr 4 16:52 /sda1/~/RP513/~SYSTEM
6.1M Apr 9 17:39 /sda1/~/RP514/~SYSTEM
6.1M Apr 12 14:16 /sda1/~/RP515/~SYSTEM
6.1M Apr 15 13:32 /sda1/~/RP516/~SYSTEM
6.1M Apr 16 16:17 /sda1/~/RP517/~SYSTEM
6.1M Apr 17 17:02 /sda1/~/RP518/~SYSTEM
6.1M Apr 18 17:07 /sda1/~/RP519/~SYSTEM
-
June 23rd, 2013, 02:44 PM
#13
Please open the terminal again from your USB device and type:
bash rst.sh -r
Press Enter
Type 547 and press Enter.
When done restart your computer normally and see if you can successfully log on now.
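The two steps in the posts above (list the registry hive copies that System Restore kept, then roll the live SOFTWARE and SYSTEM hives back to a restore point from before the infection) are what makes a machine stuck in this reboot loop bootable again without touching the rest of the disk. Broni's rst.sh itself is not shown in this thread; the helper below is an added illustration of the same idea, written for this thread and not part of the original posts. It assumes the XP volume is mounted read-write at a path such as /mnt/sda1 from a Linux live CD, and that restore points live in the standard XP location, System Volume Information\_restore{GUID}\RP<n>\snapshot, with the hive copies named _REGISTRY_MACHINE_SOFTWARE and _REGISTRY_MACHINE_SYSTEM (the enum.log lines in post #12 show these paths abbreviated as /sda1/~/RP520/~SOFTWARE). The function and option names are this example's own.

```shell
#!/bin/sh
# Offline Windows XP registry hive rollback helper (illustration only; not rst.sh).
# Assumes an XP system volume mounted read-write at ROOT (e.g. /mnt/sda1) from a
# Linux live CD. System Restore keeps hive copies under
#   ROOT/System Volume Information/_restore{GUID}/RP<n>/snapshot/_REGISTRY_MACHINE_*
# and the live hives are ROOT/WINDOWS/system32/config/software and .../system.

HIVES="SOFTWARE SYSTEM"

# Print "RP<tab>size<tab>mtime<tab>path" for each SOFTWARE/SYSTEM hive copy,
# ordered by restore point number, so the last point before the infection
# date can be picked (compare sizes with the live hives: a sudden growth or
# shrink is a hint that a point is already tainted).
list_hive_backups() {
    root=$1
    find "$root/System Volume Information" -type f -path '*/snapshot/*' \
        \( -name _REGISTRY_MACHINE_SOFTWARE -o -name _REGISTRY_MACHINE_SYSTEM \) 2>/dev/null \
    | while read -r f; do
        rp=$(echo "$f" | sed -n 's#.*/RP\([0-9]*\)/snapshot/.*#\1#p')
        when=$(date -r "$f" '+%b %e %H:%M' 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\t%s\n' "$rp" "$(wc -c < "$f")" "$when" "$f"
    done | sort -n
}

# Resolve the snapshot directory of restore point number RPNUM; fails if absent.
snapshot_dir() {
    root=$1; rpnum=$2
    d=$(find "$root/System Volume Information" -type d -path "*/RP$rpnum/snapshot" 2>/dev/null | head -n 1)
    [ -n "$d" ] && echo "$d"
}

# Replace the live SOFTWARE and SYSTEM hives with the copies from RPNUM.
# The current hives are kept as <hive>.pre-rollback so the step is reversible.
# Refuses to act if any snapshot hive is missing or empty: copying a truncated
# backup over the live hive would leave the machine just as unbootable.
restore_hives() {
    root=$1; rpnum=$2
    config="$root/WINDOWS/system32/config"
    snap=$(snapshot_dir "$root" "$rpnum") || { echo "restore point RP$rpnum not found" >&2; return 1; }
    for h in $HIVES; do
        src="$snap/_REGISTRY_MACHINE_$h"
        [ -s "$src" ] || { echo "missing or empty $src, refusing to roll back" >&2; return 1; }
    done
    for h in $HIVES; do
        dst="$config/$(echo "$h" | tr 'A-Z' 'a-z')"
        [ -f "$dst" ] && cp -p "$dst" "$dst.pre-rollback"
        cp -p "$snap/_REGISTRY_MACHINE_$h" "$dst" || return 1
    done
    echo "rolled back SOFTWARE and SYSTEM hives to RP$rpnum"
}

main() {
    case $1 in
        list)    list_hive_backups "$2" ;;
        restore) restore_hives "$2" "$3" ;;
        *)       echo "usage: $0 list ROOT | restore ROOT RPNUM" >&2; return 2 ;;
    esac
}

# Dispatch only when run with arguments, e.g.:
#   sh hiverollback.sh list /mnt/sda1
#   sh hiverollback.sh restore /mnt/sda1 547
[ "$#" -gt 0 ] && main "$@"
```

Run `list` first and choose the newest restore point dated before the last good boot (in this thread the last good boot was the morning of the 17th and RP547 is dated Jun 13, which is why 547 is the point asked for). The `.pre-rollback` copies are what let you undo the step if the chosen point turns out to be bad, and the empty-file check matters because a restore point written while the disk was already misbehaving can hold a zero-length hive.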
-
June 24th, 2013, 10:43 AM
#14
 Originally Posted by Broni
Please open the terminal again from your USB device and type:
bash rst.sh -r
Press Enter
Type 547 and press Enter.
When done restart your computer normally and see if you can successfully log on now.
It does not appear that I can open from the USB. When I press F12 my choices are: 1-Normal, 2- Diskette Drive, 3- MBA UNDI (Bus 2 Slot9), 4-Hard Disc Drive C, 5-IDE CD-Rom
When I turn on the terminal I get no screen that allows me to type anything......it continues to loop between choosing the startup, blue screen flash and choosing startup
-
June 24th, 2013, 07:46 PM
#15
You were able to produce GETxPUD log so I'm not sure why you're not able to get back there now.