Help. I am pretty much computer illiterate. Luckily, I was referred to this site from The Gardenweb Computer Site. Hopefully, I can find some guidance here.
Yesterday morning we woke up to a System Check Virus. All Programs and Icons seem to be gone. When rebooting, the screen quickly fills with MANY System Check windows.
When opening in Safe Mode to try a System Restore to an earlier date, the System Restore window opens but the machine doesn't Restore.
We have:
Dell
Windows XP
Home Edition
Version 2002
Service Pack 3
McAfee
Any help would be appreciated. Thank you.
Maddielee
Hi, Maddielee. Welcome to LandzDown Forum.
We will do our best to assist you. However, in order to do so, please follow all instructions provided in the sequence given. With this infection it is extremely important that you do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use. This may cause conflicts with the tools being used in the cleanup process.
(Topic at GW: http://ths.gardenweb.com/forums/load/comphelp/msg0215444018262.html?4)
If you have questions regarding any of the instructions or problems running any tools, please let us know.
1. Please restart the computer in Safe Mode with Networking. (To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. Windows will now boot into safe mode with networking and prompt you to login as a user.)
2. Please download rkill from one of the following links and save to your Desktop:
One (http://download.bleepingcomputer.com/grinler/rkill.exe), Two (http://download.bleepingcomputer.com/grinler/rkill.com), Three (http://download.bleepingcomputer.com/grinler/rkill.scr) or Four (http://download.bleepingcomputer.com/grinler/rkill.pif)
- Double-click rkill to run.
- A command window will open then disappear upon completion, this is normal.
- Please leave rkill on the Desktop until otherwise advised.
- Do NOT restart your computer after running rkill as the malware program(s) will start again.
Note: If you receive security warnings about rkill, please ignore and allow the download to continue.
3. Please download TDSSKiller.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) by Kaspersky... save it to your Desktop.
Important!!! Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista - W7 users: Right-click and select "Run As Administrator".
If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
If you don't see file extensions, please see: How to change the file extension (http://www.mediacollege.com/microsoft/windows/extension-change.html).
- Click the Start Scan button. Do not use the computer during the scan!
- If the scan completes with nothing found, click Close to exit.
- If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
- Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
- A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
- Copy and paste the contents of that file in your next reply.
4. Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware - Click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, be sure Quick scan is selected, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FMBAM_SR.png&hash=38adbab18bc0003ecf543fafb564e34dadece253) - Click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Please post contents of that file in your next reply.
** Note ** If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
5. There are infections that will hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop: Unhide.exe (http://download.bleepingcomputer.com/grinler/unhide.exe)
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run.
This program will remove the +H, or hidden, attribute from all the files on your hard drives. It is important to note that if there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
6. Download DDS.scr by sUBs from one of the following links and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)
- Double-click dds.scr and a command window will appear. This is normal.
- Shortly after, two logs will appear: DDS.txt & Attach.txt
- A window will open instructing you to save & post the logs
- Save the logs to a convenient place such as your desktop
- Copy the contents of both logs & post in your next reply
7. Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Requested logs:
TDSSKiller
Malwarebytes
Both DDS.txt and Attach.txt
checkup.txt
Note: Due to the number of logs requested, it will be necessary to post your logs in more than one reply. Check after posting to see that the log(s) were not cut off by the forum software.
Thanks, I got as far as clicking on the CURE in TDSSKiller. I get a Windows - No Disk message:
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c
with options to Cancel, Try Again or Continue.
I did Try Again and got the same Windows box.
For some reason, the Try Again finally worked???
log:
10:57:18.0593 3960 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
10:57:19.0796 3960 ============================================================
10:57:19.0796 3960 Current date / time: 2012/02/23 10:57:19.0796
10:57:19.0796 3960 SystemInfo:
10:57:19.0796 3960
10:57:19.0796 3960 OS Version: 5.1.2600 ServicePack: 3.0
10:57:19.0796 3960 Product type: Workstation
10:57:19.0796 3960 ComputerName: CATHY
10:57:19.0796 3960 UserName: Administrator
10:57:19.0796 3960 Windows directory: C:\WINDOWS
10:57:19.0796 3960 System windows directory: C:\WINDOWS
10:57:19.0796 3960 Processor architecture: Intel x86
10:57:19.0796 3960 Number of processors: 2
10:57:19.0796 3960 Page size: 0x1000
10:57:19.0796 3960 Boot type: Safe boot with network
10:57:19.0796 3960 ============================================================
10:57:21.0671 3960 Drive \Device\Harddisk0\DR0 - Size: 0x9502F9000 (37.25 Gb), SectorSize: 0x200, Cylinders: 0x12FF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:57:21.0671 3960 \Device\Harddisk0\DR0:
10:57:21.0671 3960 MBR used
10:57:21.0671 3960 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x17886, BlocksNum 0x4406358
10:57:22.0046 3960 Initialize success
10:57:22.0046 3960 ============================================================
10:57:27.0703 4092 ============================================================
10:57:27.0703 4092 Scan started
10:57:27.0703 4092 Mode: Manual;
10:57:27.0703 4092 ============================================================
10:57:52.0234 4092 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
10:57:52.0234 4092 ViaIde - ok
10:57:52.0328 4092 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:57:52.0328 4092 VolSnap - ok
10:57:52.0468 4092 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:57:52.0468 4092 Wanarp - ok
10:57:52.0546 4092 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
10:57:52.0546 4092 wanatw - ok
10:57:52.0640 4092 WDICA - ok
10:57:52.0734 4092 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:57:52.0734 4092 wdmaud - ok
10:57:53.0046 4092 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:57:53.0046 4092 WudfPf - ok
10:57:53.0125 4092 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:57:53.0125 4092 WudfRd - ok
10:57:53.0203 4092 MBR (0x1B8) (b16a2359f4962b0c622d81a1c1f4b703) \Device\Harddisk0\DR0
10:57:53.0234 4092 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
10:57:53.0234 4092 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
10:57:53.0265 4092 Boot (0x1200) (9d71c6d16701d347ef680ac0761ab9cf) \Device\Harddisk0\DR0\Partition0
10:57:53.0265 4092 \Device\Harddisk0\DR0\Partition0 - ok
10:57:53.0265 4092 ============================================================
10:57:53.0265 4092 Scan finished
10:57:53.0265 4092 ============================================================
10:57:53.0328 4084 Detected object count: 1
10:57:53.0328 4084 Actual detected object count: 1
10:58:23.0734 4084 \Device\Harddisk0\DR0\# - copied to quarantine
10:58:23.0734 4084 \Device\Harddisk0\DR0 - copied to quarantine
10:58:23.0765 4084 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
10:58:23.0796 4084 \Device\Harddisk0\DR0\TDLFS\rsrc.dat - copied to quarantine
10:58:23.0796 4084 \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
10:58:23.0796 4084 \Device\Harddisk0\DR0\TDLFS\tdlcmd.dll - copied to quarantine
10:58:23.0812 4084 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
10:58:23.0812 4084 \Device\Harddisk0\DR0 - ok
11:27:19.0062 4084 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
11:28:24.0703 3956 Deinitialize success
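The TDSSKiller output above is the decisive finding in this thread: every driver file enumerates with its MD5 and comes back "ok", but the MBR of \Device\Harddisk0\DR0 is reported as Rootkit.Boot.SST.b, the tool copies the hidden TDLFS files to quarantine, and the cure is only scheduled for the next reboot. Note that a later "\Device\Harddisk0\DR0 - ok" line does not cancel that verdict. As an added example (my code, not part of the original thread and not TDSSKiller's own tooling), the following Python script parses this log format offline and separates clean objects from infected and quarantined ones. The embedded sample log is a constructed cut-down copy of the lines posted above; the record layout and function names are my own.

```python
"""Offline triage of a TDSSKiller log (added example, not TDSSKiller code).

Pairs each enumerated object with the MD5 the tool read for it and keeps the
verdict and every action applied to that object, so that a later "- ok" line
cannot hide an earlier infection verdict."""
import re

# Constructed sample: a cut-down copy of the log posted in the thread.
SAMPLE_LOG = r"""
10:57:53.0125 4092 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:57:53.0125 4092 WudfRd - ok
10:57:53.0203 4092 MBR (0x1B8) (b16a2359f4962b0c622d81a1c1f4b703) \Device\Harddisk0\DR0
10:57:53.0234 4092 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
10:57:53.0234 4092 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
10:57:53.0265 4092 Boot (0x1200) (9d71c6d16701d347ef680ac0761ab9cf) \Device\Harddisk0\DR0\Partition0
10:57:53.0265 4092 \Device\Harddisk0\DR0\Partition0 - ok
10:57:53.0265 4092 ============================================================
10:57:53.0265 4092 Scan finished
10:57:53.0328 4084 Detected object count: 1
10:58:23.0734 4084 \Device\Harddisk0\DR0\# - copied to quarantine
10:58:23.0734 4084 \Device\Harddisk0\DR0 - copied to quarantine
10:58:23.0765 4084 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
10:58:23.0796 4084 \Device\Harddisk0\DR0\TDLFS\tdlcmd.dll - copied to quarantine
10:58:23.0812 4084 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
10:58:23.0812 4084 \Device\Harddisk0\DR0 - ok
11:27:19.0062 4084 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
11:28:24.0703 3956 Deinitialize success
"""

# Every log line: "<time> <thread id> <body>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
# Enumeration body: "<name> [(0xNNN)] (<md5>) <file or \Device path>".
HASH_RE = re.compile(
    r"^(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Verdict/action body: "<object> [( <verdict> )] - <action>".
VERDICT_RE = re.compile(r"^(?P<obj>.+?)(?: \( (?P<verdict>[^)]+) \))? - (?P<action>.+)$")


def parse_tdsskiller(text):
    """Return {object key: {md5, backing, verdict, actions[(time, action)]}}."""
    objects = {}

    def record(key):
        return objects.setdefault(
            key, {"md5": None, "backing": None, "verdict": None, "actions": []})

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank lines and banners
        ts, _tid, body = m.groups()
        h = HASH_RE.match(body)
        if h:
            # Drivers are keyed by service name; raw disk objects (MBR, boot
            # sector) by their \Device path, which is how the verdict line
            # refers back to them.
            key = h["path"] if h["path"].startswith("\\Device") else h["name"]
            r = record(key)
            r["md5"], r["backing"] = h["md5"], h["path"]
            continue
        v = VERDICT_RE.match(body)
        if not v:
            continue                      # "Scan finished", counters, separators
        r = record(v["obj"])
        verdict, action = v["verdict"], v["action"]
        if action.startswith("detected "):
            verdict = action.split()[1]   # "detected Rootkit.Boot.SST.b (0)"
        if verdict:
            r["verdict"] = verdict
        r["actions"].append((ts, action))
    return objects


def triage(text):
    """Split parsed objects into infected, quarantined and clean."""
    infected, quarantined, clean = {}, [], 0
    for key, r in parse_tdsskiller(text).items():
        acts = [a for _, a in r["actions"]]
        if "copied to quarantine" in acts:
            quarantined.append(key)
        if r["verdict"]:
            infected[key] = {
                "verdict": r["verdict"],
                "md5": r["md5"],
                "backing": r["backing"],
                "last_action": acts[-1],
                # A later "- ok" does not undo the verdict; the cure is only
                # written on the next reboot.
                "pending_reboot": "will be cured on reboot" in acts,
            }
        elif acts and all(a == "ok" for a in acts):
            clean += 1
    return {"infected": infected, "quarantined": quarantined, "clean_objects": clean}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for obj, info in result["infected"].items():
        print(f"{obj}: {info['verdict']} md5={info['md5']} "
              f"last={info['last_action']!r} reboot_pending={info['pending_reboot']}")
    print("quarantined:", *result["quarantined"], sep="\n  ")
    print("clean objects:", result["clean_objects"])
```

Run against a full log the script reports one infected object here (the MBR, with the MD5 TDSSKiller read from sector 0), four quarantined items (the MBR copy plus the TDLFS files) and a count of objects that were only ever reported "ok". The pending_reboot flag is the detail a helper checks before asking whether the machine was restarted, as happens a few posts later in this thread.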
I tried to download Malwarebytes' Anti-Malware and was taken to the 'Bleeping Computer' site. Do I pay them the $25.00 for the download?
No, that fee is for the Pro version. Click on the green Download Now button, not the Buy Now one.
Sorry for being so stupid, but I click on the Free Download and am taken to Bleeping Computer....where the only option I see is to buy it???
I don't mind paying for something that will work, but I don't know if Bleeping Computer is a scam or not?
Maddielee
Try this link
http://fileforum.betanews.com/detail/Malwarebytes-AntiMalware/1186760019/1
Thanks.
But during the install, a pop-up came up saying "Access Denied". When I clicked on "OK", it told me to correct the problem (or something like that).
Hmmmm, that link doesn't take me to Bleeping Computer ...
Please try this link then ... http://www.malwarebytes.org/products/malwarebytes_free
Did your computer reboot after you ran TDSSKiller?
http://www.malwarebytes.org/products/malwarebytes_free
also took me to Bleeping Computer.
And the one (http://fileforum.betanews.com/detail/Malwarebytes-AntiMalware/1186760019/1) MikeW posted took me to "Registry Booster". But I think I downloaded the correct program.
And yes, I rebooted after running TDSSKiller.
What I meant to write was that those links take me to what looks like the Malwarebytes site, but when I clicked on the Download Now button, I was redirected to the Bleeping Computer and Registry Booster sites.
Hi, Maddielee.
What you are seeing are advertisements, not downloads for Registry Booster. The free version of MBAM is redirected to several random download sites. (By hosting the download at those sites, vendors receive a small fee per download from those sites, which helps support providing the free version of their software.)
This direct link from FileForum should work: http://fileforum.betanews.com/download/Malwarebytes-AntiMalware/1186760019/1
I get an Access Denied box (Setup) during the Malwarebytes install.
Double-click RKill on your desktop and try again.
rkill log (don't know if you need this)
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 02/23/2012 at 15:40:44.
Operating System: Microsoft Windows XP
Processes terminated by Rkill or while it was running:
Rkill completed on 02/23/2012 at 15:40:49.
Now see if you can install MBAM.
Access Denied during Setup after running rkill again.
Hi, Maddielee.
Based on the findings of TDSSKiller, I don't have a lot of hope for your computer. However, let's give this a try.
Please follow these instructions carefully.
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
!!! IMPORTANT !!! Save ComboFix.exe to your Desktop.
Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html).
Now, please run ComboFix:
- Note: If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
- Double-click ComboFix.exe on your desktop and follow the prompts.
- As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
- When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC1.png&hash=29e6fe1eb864e58b4b66611caa7d7b6be84a47f8)
- After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC2.png&hash=e111f6aa2d657579d44cabc5fb4258fd1dce26eb)
- Click "Yes" to continue scanning for malware.
- When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.
ComboFix log:
ComboFix 12-02-23.01 - Administrator 02/23/2012 16:36:25.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.699 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~2t8ZlHyKXRG0EX
c:\documents and settings\All Users\Application Data\~2t8ZlHyKXRG0EXr
c:\documents and settings\All Users\Application Data\2t8ZlHyKXRG0EX
c:\documents and settings\All Users\Application Data\2t8ZlHyKXRG0EX.exe
c:\documents and settings\All Users\Application Data\DvhhCCFbLujqW.exe
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd
c:\documents and settings\Catherine\GoToAssistDownloadHelper.exe
c:\documents and settings\Catherine\WINDOWS
c:\windows\system32\setb7.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-01-23 to 2012-02-23 )))))))))))))))))))))))))))))))
.
.
2012-02-23 15:58 . 2012-02-23 15:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-22 20:48 . 2012-02-23 15:50 -------- d-----w- c:\documents and settings\Administrator
2012-02-15 10:41 . 2012-01-11 19:06 3072 ---h--w- c:\windows\system32\iacenc.dll
2012-02-15 10:41 . 2012-01-11 19:06 3072 ---h--w- c:\windows\system32\dllcache\iacenc.dll
2012-01-31 16:59 . 2012-01-31 16:59 -------- d--h--w- c:\program files\iPod
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2004-08-04 10:00 1859968 ---ha-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2004-08-04 10:00 916992 ---ha-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-04 10:00 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-04 10:00 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 10:00 385024 ---ha-w- c:\windows\system32\html.iec
2011-12-14 20:23 . 2011-07-20 13:42 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2009-01-19 13:31 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-04 10:00 293376 ---ha-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 17:51 3911776 ---ha-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b80f591e-fe9a-46cf-a13e-180377240586}]
2010-12-09 17:51 3911776 ---ha-w- c:\program files\Elf_1.13\tbElf_.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b80f591e-fe9a-46cf-a13e-180377240586}"= "c:\program files\Elf_1.13\tbElf_.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{b80f591e-fe9a-46cf-a13e-180377240586}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 11776]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2004-08-31 294912]
"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
"HostManager"="c:\program files\Common Files\AOL\1129765693\ee\AOLSoftware.exe" [2010-03-08 41800]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2010-07-13 70720]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-12 110592]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-07-01 1193848]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 8\PostUpdate.exe" [2010-09-11 53248]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ---ha-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-04-05 01:21 26112 -c-ha-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48 479232 -c-ha-w- c:\program files\Google\Gmail Notifier\gnotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1129765693\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1129765693\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [9/14/2010 7:42 AM 82952]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 7:42 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [9/14/2010 7:42 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [9/14/2010 7:42 AM 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [9/14/2010 7:42 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [9/14/2010 7:42 AM 88480]
R3 ndisrd;WinpkFilter Service;c:\windows\SYSTEM32\DRIVERS\ndisrd.sys [8/8/2010 3:50 PM 20480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 4:24 PM 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 7:42 AM 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 7:42 AM 271480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [9/14/2010 7:42 AM 55456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 4:24 PM 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [9/14/2010 7:42 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [9/14/2010 7:42 AM 83496]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\CA\PCPitstopScheduleService.exe [4/3/2010 7:44 AM 90296]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-13 12:15]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 21:23]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-DvhhCCFbLujqW.exe - c:\documents and settings\All Users\Application Data\DvhhCCFbLujqW.exe
SafeBoot-klmdb.sys
SafeBoot-ykciilw32
MSConfigStartUp-PicasaNet - c:\program files\Hello\Hello.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-23 16:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3309822840-836792384-1404327448-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,77,6c,b0,89,d9,9f,7c,4d,95,fc,47,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,77,6c,b0,89,d9,9f,7c,4d,95,fc,47,\
.
Completion time: 2012-02-23 16:51:01
ComboFix-quarantined-files.txt 2012-02-23 21:50
.
Pre-Run: 5,195,309,056 bytes free
Post-Run: 5,760,417,792 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D748431D7C6F62ABF2863CEF06AD1551
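In the ComboFix log above, the fake-AV payload shows up as two executables dropped straight into c:\documents and settings\All Users\Application Data with random-looking names (2t8ZlHyKXRG0EX.exe and DvhhCCFbLujqW.exe), one of them also wired into an HKLM Run value, while legitimate entries such as DSAgnt.exe and mcagent.exe sit under vendor folders in Program Files. As an added example (my code, not part of the thread and not part of ComboFix or DDS), this Python script turns that pattern into a scoring heuristic over the path-bearing lines of ComboFix and DDS logs. The sample lines are a constructed excerpt of the logs on this page, and the thresholds (name length, vowel ratio, case-flip count, score cutoff) are my assumptions tuned to these samples, not published rules.

```python
"""Flag autorun/service entries that look like dropped fake-AV executables.

Added example, not ComboFix or DDS code. Two independent signals are scored:
a random-looking file name and an executable living in a data directory
instead of a vendor folder. Either alone is weak (legitimate McAfee
binaries have odd names; installers drop helpers in profiles), so an entry is
flagged only when the combined score crosses a cutoff. Thresholds are
assumptions tuned to the sample below."""
import ntpath
import re

# Constructed sample: lines copied from the ComboFix and DDS logs in the thread.
SAMPLE_LOG = r"""
c:\documents and settings\All Users\Application Data\2t8ZlHyKXRG0EX.exe
c:\documents and settings\All Users\Application Data\DvhhCCFbLujqW.exe
c:\documents and settings\Catherine\GoToAssistDownloadHelper.exe
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-07-01 1193848]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 7:42 AM 271480]
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-DvhhCCFbLujqW.exe - c:\documents and settings\All Users\Application Data\DvhhCCFbLujqW.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
"""

# A drive-letter path ending in an executable extension, terminated by a quote,
# whitespace, ']' or end of line (so "McAfee.com\Agent" is not cut at ".com").
EXE_RE = re.compile(
    r'[a-zA-Z]:\\[^"\[\]\r\n]+?\.(?:exe|dll|scr|pif|bat|cmd)(?=["\s\]]|$)', re.IGNORECASE)
DATA_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\appdata\\",
             "\\programdata\\", "\\windows\\temp\\")
DATA_DIR_ROOTS = {"application data", "temp", "local", "locallow", "roaming", "programdata"}
PROFILE_ROOT_RE = re.compile(r"\\documents and settings\\[^\\]+\\[^\\]+$")
FLAG_AT = 3   # assumed cutoff: random name + data dir, or data dir + its root


def looks_random(stem):
    """Heuristic: few vowels plus many case flips or digits mixed into letters."""
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 8 or not letters:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    case_flips = sum(1 for a, b in zip(stem, stem[1:])
                     if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    digit_mix = len(re.findall(r"[A-Za-z]\d|\d[A-Za-z]", stem))
    return vowel_ratio < 0.25 and (case_flips >= 3 or digit_mix >= 2)


def score_path(path):
    """Return (score, reasons) for one executable path."""
    p = path.lower()
    stem = ntpath.splitext(ntpath.basename(path))[0]   # keep case for looks_random
    parent = ntpath.basename(ntpath.dirname(p))
    score, reasons = 0, []
    if looks_random(stem):
        score += 2; reasons.append("random-looking file name")
    if any(d in p for d in DATA_DIRS):
        score += 2; reasons.append("executable under a shared/user data directory")
    if parent in DATA_DIR_ROOTS:
        score += 1; reasons.append("directly in the data directory root, no vendor subfolder")
    if PROFILE_ROOT_RE.search(p):
        score += 1; reasons.append("directly in a user profile root")
    return score, reasons


def scan_log(text):
    """Score every executable path found on any line of a ComboFix/DDS log."""
    findings = []
    for line in text.splitlines():
        for m in EXE_RE.finditer(line):
            score, reasons = score_path(m.group(0))
            findings.append({"line": line.strip(), "path": m.group(0),
                             "score": score, "reasons": reasons, "flag": score >= FLAG_AT})
    return findings


def flagged(text):
    """Unique flagged paths, case-insensitively sorted."""
    return sorted({f["path"] for f in scan_log(text) if f["flag"]}, key=str.lower)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        mark = "FLAG" if f["flag"] else "    "
        print(f"{mark} {f['score']}  {f['path']}  {'; '.join(f['reasons'])}")
```

On the sample, only the two Application Data droppers cross the cutoff. McSvHost.exe scores 2 for its name alone, which is exactly why the location signal is required before anything is flagged, and GoToAssistDownloadHelper.exe in the profile root scores 1, enough to show up in the listing for a human to glance at but not to flag. Lines that carry a directory without an extension (the 2t8ZlHyKXRG0EX folder ComboFix also removed) are not matched by the path regex and need a separate check.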
See if MBAM will install now ...
Yeah! MBAM installed...here's the log:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.23.03
Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: CATHY [administrator]
2/23/2012 5:25:51 PM
mbam-log-2012-02-23 (17-25-51).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199773
Time elapsed: 3 minute(s), 21 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Great! Next, please follow the instructions in Log Posting Instructions (http://www.landzdown.com/analysis-and-malware-removal/log-posting-instructions/) so we can see what else is on the computer and let us know how your computer is now.
DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 18:08:22 on 2012-02-23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.728 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files\aol toolbar\aoltb.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100914084238.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Elf 1.13 Toolbar: {b80f591e-fe9a-46cf-a13e-180377240586} - c:\program files\elf_1.13\tbElf_.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Elf 1.13 Toolbar: {b80f591e-fe9a-46cf-a13e-180377240586} - c:\program files\elf_1.13\tbElf_.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [Dell Photo AIO Printer 942] "c:\program files\dell photo aio printer 942\dlbubmgr.exe"
mRun: [DellMCM] "c:\program files\dell photo aio printer 942\memcard.exe"
mRun: [HostManager] c:\program files\common files\aol\1129765693\ee\AOLSoftware.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [SWHelper] "c:\windows\system32\macromed\shockwave 8\PostUpdate.exe" 1014021
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{34F54E58-544B-4B14-81A9-61E53117F259} : DhcpNameServer = 192.168.0.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-9-14 82952]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-14 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-9-14 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-9-14 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-9-14 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-9-14 88480]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2010-8-8 20480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-14 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-14 271480]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-14 271480]
S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-9-14 170144]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-9-14 55456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-22 152320]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-22 51688]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-9-14 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-9-14 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-8-11 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-8-11 40552]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\ca\PCPitstopScheduleService.exe [2010-4-3 90296]
.
=============== Created Last 30 ================
.
2012-02-23 22:23:15 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-02-23 21:31:27 -------- d-sha-r- C:\cmdcons
2012-02-23 21:29:08 98816 ----a-w- c:\windows\sed.exe
2012-02-23 21:29:08 518144 ----a-w- c:\windows\SWREG.exe
2012-02-23 21:29:08 256000 ----a-w- c:\windows\PEV.exe
2012-02-23 21:29:08 208896 ----a-w- c:\windows\MBR.exe
2012-02-23 15:58:23 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-23 15:50:36 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
2012-02-23 15:49:40 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2012-02-22 20:49:38 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2012-02-15 10:41:02 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-15 10:41:02 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-01-31 16:59:49 -------- d-----w- c:\program files\iPod
.
==================== Find3M ====================
.
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
2011-12-14 20:23:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 18:09:43.57 ===============
attach log:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/11/2005 10:17:13 AM
System Uptime: 2/23/2012 6:05:01 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0M3918
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 34 GiB total, 5.394 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP490: 1/12/2012 3:00:21 AM - Software Distribution Service 3.0
RP491: 1/13/2012 3:20:39 AM - System Checkpoint
RP492: 1/14/2012 3:56:39 AM - System Checkpoint
RP493: 1/15/2012 5:32:57 AM - System Checkpoint
RP494: 1/16/2012 6:31:56 AM - System Checkpoint
RP495: 1/17/2012 3:00:20 AM - Software Distribution Service 3.0
RP496: 1/17/2012 10:40:07 AM - Removed iTunes
RP497: 1/17/2012 10:52:02 AM - Installed iTunes
RP498: 1/18/2012 11:22:55 AM - System Checkpoint
RP499: 1/19/2012 1:07:05 PM - System Checkpoint
RP500: 1/20/2012 1:08:10 PM - System Checkpoint
RP501: 1/21/2012 4:42:35 PM - System Checkpoint
RP502: 1/22/2012 5:41:21 PM - System Checkpoint
RP503: 1/23/2012 6:19:30 PM - System Checkpoint
RP504: 1/24/2012 9:38:39 PM - System Checkpoint
RP505: 1/25/2012 10:29:14 PM - System Checkpoint
RP506: 1/26/2012 11:02:00 PM - System Checkpoint
RP507: 1/27/2012 11:40:39 PM - System Checkpoint
RP508: 1/29/2012 12:00:44 AM - System Checkpoint
RP509: 1/30/2012 12:35:39 AM - System Checkpoint
RP510: 1/31/2012 9:25:18 AM - System Checkpoint
RP511: 2/1/2012 10:40:52 AM - System Checkpoint
RP512: 2/2/2012 11:20:43 AM - System Checkpoint
RP513: 2/3/2012 11:37:46 AM - System Checkpoint
RP514: 2/4/2012 11:47:03 AM - System Checkpoint
RP515: 2/5/2012 12:10:22 PM - System Checkpoint
RP516: 2/6/2012 1:01:41 PM - System Checkpoint
RP517: 2/7/2012 1:12:19 PM - System Checkpoint
RP518: 2/8/2012 3:58:10 PM - System Checkpoint
RP519: 2/9/2012 6:07:35 PM - System Checkpoint
RP520: 2/10/2012 8:05:04 PM - System Checkpoint
RP521: 2/11/2012 9:29:05 PM - System Checkpoint
RP522: 2/13/2012 3:05:36 PM - System Checkpoint
RP523: 2/14/2012 4:17:29 PM - System Checkpoint
RP524: 2/15/2012 5:52:54 PM - System Checkpoint
RP525: 2/16/2012 3:00:17 AM - Software Distribution Service 3.0
RP526: 2/17/2012 5:22:53 AM - System Checkpoint
RP527: 2/18/2012 6:24:25 AM - System Checkpoint
RP528: 2/19/2012 8:42:50 AM - System Checkpoint
RP529: 2/20/2012 9:03:43 AM - System Checkpoint
RP530: 2/21/2012 9:37:36 AM - System Checkpoint
RP531: 2/22/2012 12:14:11 PM - Restore Operation
RP532: 2/22/2012 12:47:06 PM - Restore Operation
RP533: 2/22/2012 1:17:46 PM - Restore Operation
RP534: 2/22/2012 2:26:05 PM - Restore Operation
RP535: 2/22/2012 2:57:58 PM - Restore Operation
RP536: 2/22/2012 3:23:11 PM - Restore Operation
RP537: 2/23/2012 2:23:30 PM - Restore Operation
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Reader 7.0.9
AnswerWorks 4.0 Runtime - English
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
CA PC Tune-Up 2.0.0.8
Conduit Engine
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Photo AIO Printer 942
Dell Photo Printer 720
Dell Photo Printer 720 Logger
Dell Picture Studio v3.0
Dell System Restore
DellSupport
Download Updater (AOL LLC)
Elf 1.13 Toolbar
Family Tree Maker
Google Gmail Notifier
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
InterActual Player
Internet Explorer Default Page
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LabelCreator Pro
Logitech MouseWare 9.79.1
Macromedia Flash Player
Malwarebytes Anti-Malware version 1.60.1.1000
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft VC9 runtime libraries
Microsoft Web Publishing Wizard 1.52
MobileMe Control Panel
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch® Jukebox
My Way Search Assistant
Photobucket Uploader
Picasa 3
PowerDVD 5.3
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
The Print Shop
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB955759)
Update for Windows XP (KB971029)
Verizon FiOS Activation
Verizon Online DSL
Viewpoint Media Player
WebFldrs XP
WexTech AnswerWorks
Windows Driver Package - Intel Corporation (ialm) Display (03/23/2006 6.14.10.4543)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 12
.
==== Event Viewer Messages From Past Week ========
.
2/23/2012 11:41:00 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2/23/2012 10:53:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2/22/2012 8:23:48 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
2/22/2012 8:23:33 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The McAfee Anti-Spam Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/22/2012 8:23:33 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/22/2012 8:22:48 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/22/2012 3:49:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/22/2012 1:09:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
.
==== End Of File ===========================
Hi, Maddielee.
I expect I can explain how you got infected in the first place -- from the old and vulnerable versions of Adobe Reader and even older and more highly vulnerable versions of Java on your computer.
1. Please go to Add/Remove programs and uninstall the following. Follow the uninstall with a shutdown/restart.
Adobe Reader 7.0.9
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Macromedia Flash Player
2. I also suggest you consider uninstalling the Conduit and the Elf Toolbar; they are reputed to have a certain trackware functionality. The My Way Search Assistant is reputed to anonymously report your surfing activity when on a myway or myway affiliated site.
Conduit Engine
Elf 1.13 Toolbar
My Way Search Assistant
3. Next, either download the current version of Adobe Reader or switch to an alternate PDF reader. I don't need to access PDF files all that frequently and have found Sumatra PDF (http://blog.kowalczyk.info/software/sumatrapdf/free-pdf-reader.html) to be a nice alternative. Another alternate is Nitro Reader (http://www.nitropdf.com/free/index.htm).
To continue using Adobe Reader, the direct download link: ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe
4. Go to http://www.oracle.com/technetwork/java/javase/downloads/jre-7u3-download-1501631.html to download the latest version of Java. Tick the box to Accept License Agreement and select the following:
Windows x86 Offline 19.38 MB jre-7u3-windows-i586.exe
Note: Pay attention when installing Adobe and Java. If offered any toolbars or other add-ons by either, be sure to uncheck any offers as they are not necessary to install the update.
5. Personally, I would not allow any programs in the Trusted Zone. After all, even well known sites can be the victim of an SQL injection, hidden scripts, and more. If you elect to remove the entry from the Trusted Zone, please do the following:
- Launch Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
- Click Trusted Sites, and then click Sites.
- Click musicmatch.com\online, and then click Remove.
6. After you have completed all of the above (whew!) please do the following:
Custom CFScript
Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK). Copy/Paste all of the text present inside the code box below:
RegLock::
[HKEY_USERS\S-1-5-21-3309822840-836792384-1404327448-500\Software\Microsoft\Internet Explorer\User Preferences]
- Save this as CFScript.txt and place it on your desktop.
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_CFScript.gif&hash=19cdd291c9ded999b7ed69b7a82ebed7c9d0ab01)
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Please advise how your computer is now.
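The reasoning in the post above, that a stack of stale Java runtimes and an old Adobe Reader is the likely way in, can be applied to a DDS attach log mechanically. The script below is an added example for this thread, not part of DDS and not code from the original post: it pulls the "Installed Programs" section out of the log, maps the Sun/Oracle naming schemes to a comparable version tuple, lists every Java runtime older than the newest one installed, reports whether even that newest one is behind the current release, and flags an Adobe Reader below the release the post links to. The sample log is a constructed excerpt of entries copied from the log posted above, and the 7u3 and 10.1.2 baselines are taken from the download links in the post; those constants are this example's assumptions, not anything DDS reports.

```python
"""Triage the 'Installed Programs' section of a DDS attach.txt log for the
stale client software the post above points at: side-by-side Java runtimes
and an old Adobe Reader. Added example; not DDS code and not from the post."""
import re

# Constructed excerpt: a handful of entries copied from the attach log
# posted above, with the section markers DDS uses around them.
SAMPLE_ATTACH_LOG = """\
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Reader 7.0.9
Conduit Engine
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 7
Malwarebytes Anti-Malware version 1.60.1.1000
McAfee SecurityCenter
.
==== Event Viewer Messages From Past Week ========
"""

# Baselines (assumed): the downloads the post links to, Java 7 Update 3 and
# Adobe Reader 10.1.2, expressed as comparable tuples.
CURRENT_JAVA = (1, 7, 0, 3)
CURRENT_READER = (10, 1, 2)


def parse_installed_programs(log):
    """Return the entries listed under '==== Installed Programs'. DDS prints a
    lone '.' as a spacer line, which is dropped."""
    programs, inside = [], False
    for line in log.splitlines():
        if line.startswith("===="):
            inside = line.startswith("==== Installed Programs")
            continue
        if inside and line.strip() not in ("", "."):
            programs.append(line.strip())
    return programs


# Sun/Oracle naming schemes seen in Add/Remove Programs, oldest first, each
# mapped to a comparable (1, major, minor, update) tuple:
#   "Java 2 Runtime Environment, SE v1.4.2_03" -> (1, 4, 2, 3)
#   "J2SE Runtime Environment 5.0 Update 6"    -> (1, 5, 0, 6)
#   "Java(TM) 6 Update 15" / "Java 7 Update 3" -> (1, 6, 0, 15) / (1, 7, 0, 3)
_JAVA_PATTERNS = (
    (re.compile(r"Java 2 Runtime Environment, SE v(\d+)\.(\d+)\.(\d+)_(\d+)"),
     lambda m: tuple(int(g) for g in m.groups())),
    (re.compile(r"J2SE Runtime Environment (\d+)\.(\d+) Update (\d+)"),
     lambda m: (1, int(m.group(1)), int(m.group(2)), int(m.group(3)))),
    (re.compile(r"Java(?:\(TM\))? (\d+) Update (\d+)"),
     lambda m: (1, int(m.group(1)), 0, int(m.group(2)))),
)

# "Adobe Reader 7.0.9", "Adobe Reader X (10.1.2)", "Adobe Reader XI (11.0.01)"
_ADOBE_READER = re.compile(r"^Adobe Reader (?:[XVI]+ )?\(?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def java_version(name):
    """Comparable version tuple for a Java runtime entry, else None."""
    for pattern, to_tuple in _JAVA_PATTERNS:
        m = pattern.search(name)
        if m:
            return to_tuple(m)
    return None


def adobe_reader_version(name):
    """Comparable (major, minor, patch) for an Adobe Reader entry, else None."""
    m = _ADOBE_READER.match(name)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(programs, current_java=CURRENT_JAVA, current_reader=CURRENT_READER):
    """Report every Java runtime older than the newest one installed (each is
    still a complete, separately installed runtime with its own known bugs,
    which is why the post removes all of them), whether even the newest is
    behind the current release, and any Adobe Reader below the current one."""
    javas = sorted((java_version(p), p) for p in programs if java_version(p))
    report = {"newest_java": None, "stale_java": [],
              "java_behind_current": False, "old_adobe_reader": None}
    if javas:
        newest_ver, newest_name = javas[-1]
        report["newest_java"] = newest_name
        report["stale_java"] = [name for ver, name in javas if ver < newest_ver]
        report["java_behind_current"] = newest_ver < current_java
    for p in programs:
        ver = adobe_reader_version(p)
        if ver is not None and ver < current_reader:
            report["old_adobe_reader"] = p
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ATTACH_LOG
    for key, value in triage(parse_installed_programs(text)).items():
        print(f"{key}: {value}")
```

Run it with the path to attach.txt as the only argument, or with no argument to triage the embedded excerpt. On the excerpt, stale_java lists the six runtimes behind Java(TM) 6 Update 15, and java_behind_current is set because even that one is older than 7u3, which is the cue to remove it as well, as step 1 above does.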
Thank you, Corrine. While in Safe Mode I can access the Control Panel, but receive the following pop-up when I try to Remove the programs you listed.
"The Windows Installer could not be accessed. This can occur if you are running Windows in safe mode, or the Windows Installer is not correctly installed. Contact your support personnel for assistance."
When I opened Windows (NOT IN safe mode) there is nothing in the box that I usually see the Control Panel in. NOTHING. Only 'programs' seem to be there????
Hi, Maddielee.
Sorry, I forgot to include the instructions to run Unhide.exe. This was the type of infection that will hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:
Unhide.exe (http://download.bleepingcomputer.com/grinler/unhide.exe)
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run.
This program will remove the +H, or hidden, attribute from all the files on your hard drives. It is important to note that if there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
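Unhide.exe's job, as described above, can be stated as a small policy: clear +H on everything the infection hid, but not on entries Windows hides on purpose, which carry +S as well (the desktop.ini in the SystemLook output later in this thread shows --ahs--, archive, hidden and system). The script below is an added example for this thread, not Unhide.exe's own code: the skip rule for +S entries, the refusal to descend into junctions and symlinks, and the dry-run default are this example's choices, and the attribute bits are the Windows values Python's stat module exposes. SAMPLE_ENTRIES is a constructed list of (path, attribute bits) pairs used to exercise the policy without touching a disk.

```python
"""Clear the Hidden attribute from user files the way the Unhide step above
does, but leave alone entries that also carry the System attribute, which
Windows hides by design. Added example; not Unhide.exe's code."""
import os
import stat
import sys

HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN          # +H: what the infection set on user files
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM          # +S: OS-owned entries, hidden on purpose
ARCHIVE = stat.FILE_ATTRIBUTE_ARCHIVE
DIRECTORY = stat.FILE_ATTRIBUTE_DIRECTORY
REPARSE = stat.FILE_ATTRIBUTE_REPARSE_POINT  # junctions and symlinks: never descended

# Constructed sample (path, attribute bits) pairs; not taken from any log.
SAMPLE_ENTRIES = [
    (r"C:\Documents and Settings\Administrator\My Documents\letter.doc", HIDDEN | ARCHIVE),
    (r"C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories", HIDDEN | DIRECTORY),
    (r"C:\Documents and Settings\All Users\Start Menu\Programs\desktop.ini", HIDDEN | SYSTEM | ARCHIVE),
    (r"C:\pagefile.sys", HIDDEN | SYSTEM | ARCHIVE),
    (r"C:\Documents and Settings\Administrator\My Documents\photo.jpg", ARCHIVE),
]


def should_unhide(attributes):
    """True for an entry that is hidden (+H) but not a System (+S) entry.
    +H alone is what the infection sets on user files and folders; +H with
    +S is how Windows itself hides desktop.ini, pagefile.sys and boot files."""
    return bool(attributes & HIDDEN) and not bool(attributes & SYSTEM)


def plan_unhide(entries):
    """Pure policy step over (path, attributes) pairs: the paths whose +H bit
    should be cleared. Kept free of I/O so it can be checked anywhere."""
    return [path for path, attrs in entries if should_unhide(attrs)]


def _attributes(path):
    """Windows attribute bits for path without following links, or None when
    the entry cannot be read or the platform has no such bits (non-Windows)."""
    try:
        return os.stat(path, follow_symlinks=False).st_file_attributes
    except (OSError, AttributeError):
        return None


def unhide_tree(root, dry_run=True):
    """Walk root, select entries with should_unhide, and on Windows clear +H
    on them unless dry_run. Returns the selected paths; off Windows there are
    no attribute bits to read, so the result is empty."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into junctions/symlinks: they can loop and can point
        # outside the tree being repaired.
        dirnames[:] = [d for d in dirnames
                       if not ((_attributes(os.path.join(dirpath, d)) or 0) & REPARSE)]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            attrs = _attributes(path)
            if attrs is not None:
                entries.append((path, attrs))
    targets = plan_unhide(entries)
    if not dry_run and sys.platform == "win32":
        import ctypes  # only reachable on Windows
        by_path = dict(entries)
        for path in targets:
            # Clear only the H bit; A, D, R and friends are preserved.
            ctypes.windll.kernel32.SetFileAttributesW(path, by_path[path] & ~HIDDEN)
    return targets


if __name__ == "__main__":
    root = next((a for a in sys.argv[1:] if a != "--apply"), os.path.expanduser("~"))
    for path in unhide_tree(root, dry_run="--apply" not in sys.argv):
        print(path)
```

Without --apply it only lists what it would change, which is the run to do first; the dry run over C:\ is also where purposely hidden user files show up, so they can be re-hidden afterwards as the post notes.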
Good morning. I have run the 'unhide' a couple times (with McAfee disarmed, I think) and I still don't seem to have any Files???
Hi, Maddielee.
Please run Microsoft Fix it 50542. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard: http://go.microsoft.com/?linkid=9750246 (If you save the file to your computer, double-click the downloaded file to run.)
Window Installer box pop-up:
"The system administrator has set policies to prevent this installation"
Hi, Maddielee.
Are you logged on to the Administrator account or as a "Limited User"?
Try running the Microsoft Fix it solution in Safe Mode.
Thank you for your patience. Even in Safe Mode (as Administrator or limited user) I receive the same message about 'admin has set policies to prevent installation' when trying to install the Fix it 50542.
There is nothing on my screen in regular windows. The Start menu only shows MacAfee. NO documents, pictures, My computer links...etc. When I go to Programs, and click on one, they are Empty. When in Safe Mode the Program folders also show 'empty'.
For kicks I opened, in Safe Mode, Control Panel and tried to open Administrator Tools. Nothing.
Hi, Maddielee.
Let's try the following:
A. Restore Default Start Menu:
1) Download the following to restore the default Start Menu: http://download.bleepingcomputer.com/grinler/fakehdd/winxp-pro-32bit-sm-reset.exe
2) If any menu items are still missing, right-click on the Start menu, select properties, click on the Start Menu tab, click customize, and then the advanced tab. You should be able to enable all the missing start menu items on that page.
B. Reset Permissions:
1) Download and install Subinacl.exe (http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en) from Microsoft.
2) Copy the text in bold below to Notepad and save to your desktop as fix_permissions.bat:
rem Stop here if SubInACL is not where its installer puts it; otherwise every
rem line below fails with "'subinacl' is not recognized as an internal or external command".
cd /d "%programfiles%\Windows Resource Kits\Tools" || (echo SubInACL was not found in "%programfiles%\Windows Resource Kits\Tools" - install it first. & pause & exit /b 1)
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
3) Go to Start > Run > and type in "cmd" (without the quotes) and press Enter. In the black window that opens, type in the complete path to the fix_permissions.bat file (including the filename) and press Enter to repair the registry permissions.
The normal path to the desktop is c:\documents and settings\(username)\desktop. Thus, use c:\documents and settings\Administrator\Desktop\fix_permissions.bat
In the \Windows\system32\cmd.exe box, I got:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>c:\documents and settings\Administrator\Desktop\fix_permissions.bat
'c:\documents' is not recognized as an internal or external command,
operable program or batch file.
C:\Documents and Settings\Administrator>\Desktop\fix_permissions.bat
The system cannot find the path specified.
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>\desktop\fix_permissions.bat
The system cannot find the path specified.
C:\Documents and Settings\Administrator>desktop\fix_permissions.bat
C:\Documents and Settings\Administrator>cd /d "C:\Program Files\Windows Resource Kits\Tools"
The system cannot find the path specified.
C:\Documents and Settings\Administrator>subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
'subinacl' is not recognized as an internal or external command,
operable program or batch file.
C:\Documents and Settings\Administrator>subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
'subinacl' is not recognized as an internal or external command,
operable program or batch file.
C:\Documents and Settings\Administrator>subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
'subinacl' is not recognized as an internal or external command,
operable program or batch file.
C:\Documents and Settings\Administrator>subinacl /subdirectories C: /grant=administrators=f /grant=system=f
'subinacl' is not recognized as an internal or external command,
operable program or batch file.
C:\Documents and Settings\Administrator>subinacl /subdirectories C:\WINDOWS\*.* /grant=administrators=f /grant=system=f
'subinacl' is not recognized as an internal or external command,
operable program or batch file.
C:\Documents and Settings\Administrator>
This has one less permission included but may work for you. Download reset.zip (http://www.winhelponline.com/blog/wp-content/uploads/reset.zip) unzip and run the reset.cmd file.
Did the "Restore Default Start Menu" make a difference?
""This has one less permission included but may work for you. Download reset.zip unzip and run the reset.cmd file.
Did the "Restore Default Start Menu" make a difference?""
I'm sorry, you lost me. I 'think' I unzipped and ran the rezip program; nothing happened. What is the reset.cmd file? Should it have come up?
Yes, the Restore Default Menu did add some things to the Start Menu.
The reset.cmd file is what you will find in the reset zipped file you downloaded. The object is to restore the messed up permissions.
brain dead here. I'll try in the morning.
Thanks for hanging in with me.
It's been a hectic evening and my brain isn't doing all that great either, so no worries!
another day, good morning.
I think I unzipped and ran the reset program. Although nothing seemed to have happened. I honestly don't know if it ran or not, should something have happened?
By the way, I found our Dell Reinstallation CD for Windows XP. I don't know if it could be helpful??
Hi, Maddielee.
Sorry for the delay in getting back to you today. A repair install of Windows XP may be the route to go. Since that isn't something I've ever had to do (knock on wood/laminate...), I have been looking for a good tutorial for you in case we find that it is necessary. There is something else we can try first though.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:dir
%Temp%\smtmp /s
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
When I clicked 'Look' in System Look I got a pop-up: "Script Required"
You need to copy the information from the Code box in the instructions into the main text field.
the systemlook box is empty.
Is SystemLook.txt on your desktop? If so, please post a copy. Also re-run SystemLook, pasting the following code in the box when you launch SystemLook:
:dir
C:\Documents and Settings\All Users\Start Menu\Programs
SystemLook log (1st code)
SystemLook 30.07.11 by jpshortstuff
Log created at 13:39 on 26/02/2012 by Administrator
Administrator - Elevation successful
========== dir ==========
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\smtmp - Unable to find folder.
-= EOF =-
SystemLook log (2nd code)
SystemLook 30.07.11 by jpshortstuff
Log created at 13:41 on 26/02/2012 by Administrator
Administrator - Elevation successful
========== dir ==========
C:\Documents and Settings\All Users\Start Menu\Programs - Parameters: "(none)"
---Files---
desktop.ini --ahs-- 150 bytes [20:34 24/02/2012] [14:54 22/05/2009]
MSN.lnk --a---- 1986 bytes [20:34 24/02/2012] [14:54 22/05/2009]
Windows Messenger.lnk --a---- 609 bytes [20:34 24/02/2012] [14:54 22/05/2009]
Windows Movie Maker.lnk --a---- 786 bytes [20:34 24/02/2012] [14:54 22/05/2009]
---Folders---
Accessories d-a---- [00:47 05/04/2005]
Administrative Tools d-a---- [00:47 05/04/2005]
Adobe d------ [20:54 28/12/2007]
America Online d------ [01:20 05/04/2005]
AOL d------ [18:14 18/01/2009]
Better Homes and Gardens d------ [20:16 08/03/2008]
CA d------ [12:44 03/04/2010]
Dell Accessories d------ [01:13 05/04/2005]
Dell Picture Studio 3 d------ [01:17 05/04/2005]
Dell Printers d------ [15:07 13/04/2005]
Family Tree Maker d------ [21:51 11/04/2005]
Games d-a---- [00:47 05/04/2005]
Google Updater d------ [16:31 12/04/2008]
Intel Network Adapters d------ [01:13 05/04/2005]
InterActual d------ [00:22 06/01/2008]
iPod d------ [18:49 25/12/2005]
iTunes d------ [17:01 31/01/2012]
LabelCreator Pro d------ [18:33 10/09/2011]
Logitech d------ [15:14 11/04/2005]
McAfee d------ [14:29 25/02/2012]
Musicmatch d------ [21:01 21/06/2005]
Photobucket d------ [17:05 26/06/2006]
Picasa 3 d------ [15:03 01/12/2008]
QuickBooks d------ [01:24 05/04/2005]
QuickTime d------ [17:30 26/12/2011]
QuickTime for Windows d------ [17:53 08/03/2008]
Real d------ [01:21 05/04/2005]
Sierra d------ [17:52 08/03/2008]
Sonic d------ [01:16 05/04/2005]
Startup d-a---- [00:47 05/04/2005]
The Print Shop d------ [20:46 11/04/2005]
WordPerfect Office 12 d------ [01:14 05/04/2005]
-= EOF =-
See if you can run Fix #154, right pane (Remove "All Programs" from Start Menu - Undo) at http://www.kellys-korner-xp.com/xp_tweaks.htm (Direct link: http://www.kellys-korner-xp.com/regs_edits/allprogramsdisable.reg)
Save the REG File to your hard disk. Double-click it and answer yes to the import prompt.
I think I have the allprogramsdisable saved on my hard drive. When I double click it, I get RUN, and then a box asking if I'm sure I want to add it to the Registry. When I click YES I get a box saying it's been added successfully.
Good. What do you get now when you click Start? Can you access your programs, Control Panel, etc. now?
I AM able to send this post using Windows, not in Safe Mode.
Some programs still read 'empty'.
I cannot find the Control Panel.
My START menu lists: Internet, E-mail____mcAfee, Internet Explorer -----My Documents, My Pictures, My Computer
(I am getting excited)
Since the last fix from Kelly's Korner was successful, let's see what this one does. As before, save the REG File and double-click it to run. When asked if you want to add to your registry, answer yes to the import prompt.
Show Control Panel on the Start Menu (http://www.kellys-korner-xp.com/regs_edits/showcontrolpanel.reg)
Let me know the results.
Yes! Control Panel is back!
Now what?
Can you get to Add/Remove programs to follow the instructions here (http://www.landzdown.com/analysis-and-malware-removal/system-check-virus-can%27t-system-restore-even-in-safe-mode/msg151122/#msg151122)?
At this point, I think you'll need to manually restore programs to the Programs button but will research further.
OK. I was able to uninstall the list of programs.
BUT, when I tried to uninstall My Way Search Assistant I get a RUNDLL box....Error loading c;\PROGRA~1\MYWAY (etc)
The Specified module could not be found.
AND I couldn't find ELF 1.13 Toolbar or Conduit Engine on the list.
We've made a lot of progress! I really was thinking I'd have to send you to a tutorial to do a repair install and hope you had success.
It could be MBAM took care of the My Way Search Assistant. Let's take care of ELF and Conduit with ComboFix and then see what else needs to be done. It has been a few days since you last used ComboFix so you will probably be prompted to update it. Please allow any offered update to ComboFix.
Custom CFScript
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b80f591e-fe9a-46cf-a13e-180377240586}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
[-HKEY_CLASSES_ROOT\clsid\{b80f591e-fe9a-46cf-a13e-180377240586}]
[-HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
Folder::
c:\program files\elf_1.13
c:\program files\conduitengine
RegLock::
[HKEY_USERS\S-1-5-21-3309822840-836792384-1404327448-500\Software\Microsoft\Internet Explorer\User Preferences]
- Save this as CFScript.txt and place it on your desktop.
- Close any open browsers
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_CFScript.gif&hash=19cdd291c9ded999b7ed69b7a82ebed7c9d0ab01)
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Good day! The ComboFix has been running for about 75 minutes.
(the screen says that it usually takes 10, however scan times for badly infected machines may easily double)
Completed Stage_1
Completed Stage_2
Then a blinking cursor
????
ComboFix log:
ComboFix 12-02-23.01 - Administrator 02/28/2012 10:43:56.3.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.718 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-28 )))))))))))))))))))))))))))))))
.
.
2012-02-26 21:46 . 2012-02-26 21:46 163 ----a-w- C:\allprogramsdisable.reg
2012-02-23 15:58 . 2012-02-23 15:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-22 20:48 . 2012-02-23 15:50 -------- d-----w- c:\documents and settings\Administrator
2012-02-15 10:41 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-15 10:41 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-01-31 16:59 . 2012-01-31 16:59 -------- d-----w- c:\program files\iPod
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2004-08-04 10:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2004-08-04 10:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-04 10:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-12-14 20:23 . 2011-07-20 13:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-23_21.43.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-04-11 14:10 . 2012-02-28 11:28 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-11 14:10 . 2012-02-22 08:12 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-02-27 15:34 . 2012-02-28 11:28 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-12 68856]
"AOL Fast Start"="c:\program files\AOL Desktop 9.6\AOL.EXE" [2011-04-25 42320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2004-08-31 294912]
"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
"HostManager"="c:\program files\Common Files\AOL\1129765693\ee\AOLSoftware.exe" [2010-03-08 41800]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2010-07-13 70720]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-07-01 1193848]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 8\PostUpdate.exe" [2010-09-11 53248]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-04-05 01:21 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48 479232 -c--a-w- c:\program files\Google\Gmail Notifier\gnotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1129765693\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1129765693\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [9/14/2010 7:42 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 7:42 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 7:42 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 7:42 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [9/14/2010 7:42 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [9/14/2010 7:42 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [9/14/2010 7:42 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [9/14/2010 7:42 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [9/14/2010 7:42 AM 88480]
R3 ndisrd;WinpkFilter Service;c:\windows\SYSTEM32\DRIVERS\ndisrd.sys [8/8/2010 3:50 PM 20480]
S2 0014401330386081mcinstcleanup;McAfee Application Installer Cleanup (0014401330386081);c:\windows\TEMP\001440~1.EXE -cleanup -nolog --> c:\windows\TEMP\001440~1.EXE -cleanup -nolog [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 4:24 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 4:24 PM 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [9/14/2010 7:42 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [9/14/2010 7:42 AM 83496]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\CA\PCPitstopScheduleService.exe [4/3/2010 7:44 AM 90296]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-02-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-13 12:15]
.
2012-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 21:23]
.
2012-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{b80f591e-fe9a-46cf-a13e-180377240586} - (no file)
WebBrowser-{B80F591E-FE9A-46CF-A13E-180377240586} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKCU-Run-SFP - c:\program files\Common Files\Verizon Online\SFP\vzSFPWin.EXE
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-28 12:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3309822840-836792384-1404327448-1006\ *]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3309822840-836792384-1404327448-1006\ *\Preferences]
"Use Hardware Scroll"=dword:00000001
"UITransitions"=dword:00000001
"Debug Blt"=dword:00000000
"ShowHidden"=dword:00000000
"Show only big images"=dword:00000001
"BigPictureThreshold"=dword:0000ea60
"ResampleFilter2"=dword:00000006
"SizeDots"=dword:00000000
"Hide filtered albums"=dword:00000001
"ShowAlbumThumbnails"=dword:00000001
"Thumbscale"=dword:00000200
"CaptionState"=dword:00000001
"ytHLocal::lang"=dword:00000000
"EnablePrefetch"=dword:00000001
"ShowTooltips"=dword:00000001
"mainwinismax"=dword:00000001
"mainwinpos"="rect(0 0 1024 742)"
"Do unreasonably slow consistency checks"=dword:00000000
"WriteDirscannerCSV"=dword:00000000
.
[HKEY_USERS\S-1-5-21-3309822840-836792384-1404327448-1006\ *\Runtime\LoadImageCheck]
"468"=""
"19c"=""
"7c0"=""
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3672)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\wanmpsvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Dell Photo AIO Printer 942\dlbubmon.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\AOL Desktop 9.6\waol.exe
c:\program files\common files\aol\1129765693\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AOL Desktop 9.6\shellmon.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
.
**************************************************************************
.
Completion time: 2012-02-28 12:16:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-28 17:16
ComboFix2.txt 2012-02-23 21:51
.
Pre-Run: 6,258,491,392 bytes free
Post-Run: 5,160,374,272 bytes free
.
- - End Of File - - 319D5311267DD6CB58A5B517797A2B75
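Reading a log like the one above means picking the autostart entries, the security settings that were switched off, and the removed orphans out of a lot of routine noise. As an added example (my own script, not ComboFix's own output or anything from this thread), the Python below does that triage over a constructed sample that copies the layout of a few sections from the log: it collects the Run/RunOnce entries, notes the Security Center "DisableMonitoring" and firewall-policy "EnableFirewall" values worth a second look (a third-party suite such as McAfee sets these itself, so they are review items, not verdicts), lists the "ORPHANS REMOVED" lines, and flags autorun paths that cannot be verified from the log alone, such as a bare file name that Windows resolves through the PATH search at logon. The section markers, key lines and value layout are the ones visible in the log; the sample text itself is constructed.

```python
"""Triage helper for ComboFix-style log text (added example, not a ComboFix tool)."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the sections of the log above
# (real entries trimmed to a handful of lines).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-12 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{b80f591e-fe9a-46cf-a13e-180377240586} - (no file)
HKCU-Run-SFP - c:\program files\Common Files\Verizon Online\SFP\vzSFPWin.EXE
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                   # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')  # "name"=data
PATH_RE = re.compile(r'^"(?P<path>[^"]+)"\s*\[')            # "path" [date size]
ORPHAN_RE = re.compile(r"^(?P<entry>\S+) - (?P<target>.*)$")


@dataclass
class Triage:
    autoruns: list = field(default_factory=list)  # (key, value name, path)
    review: list = field(default_factory=list)    # settings worth a second look
    orphans: list = field(default_factory=list)   # (entry, target)


def parse_combofix(text):
    """Walk the log line by line, tracking which registry key we are under."""
    result = Triage()
    current_key = None
    in_orphans = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with "."
            continue
        if line.startswith("*"):             # "****" rule ends the orphan section
            in_orphans = False
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            in_orphans, current_key = True, None
            continue
        key = KEY_RE.match(line)
        if key:
            current_key, in_orphans = key.group("key"), False
            continue
        if in_orphans:
            orphan = ORPHAN_RE.match(line)
            if orphan:
                result.orphans.append((orphan.group("entry"), orphan.group("target")))
            continue
        value = VALUE_RE.match(line)
        if not (value and current_key):
            continue
        name, data = value.group("name"), value.group("data").strip()
        key_l = current_key.lower()
        if key_l.endswith("\\run") or key_l.endswith("\\runonce"):
            path = PATH_RE.match(data)
            result.autoruns.append((current_key, name, path.group("path") if path else data))
        elif name == "DisableMonitoring" and data.lower() == "dword:00000001":
            result.review.append(f"Security Center monitoring off: {current_key}")
        elif name == "EnableFirewall" and data.startswith("0"):
            result.review.append(f"Windows Firewall policy off: {current_key}")
    return result


def unverifiable_autoruns(triage):
    """Autorun paths that cannot be checked from the log alone: a bare file
    name (resolved through the PATH search at logon) or anything under Temp."""
    flagged = []
    for _key, name, path in triage.autoruns:
        low = path.lower()
        if "\\" not in low or "\\temp\\" in low:
            flagged.append((name, path))
    return flagged


if __name__ == "__main__":
    t = parse_combofix(SAMPLE_LOG)
    for _key, name, path in t.autoruns:
        print(f"autorun  {name:20} {path}")
    for item in t.review:
        print("review  ", item)
    for entry, target in t.orphans:
        print("orphan  ", entry, "->", target)
    print("unverifiable:", unverifiable_autoruns(t))
```

On the constructed sample the script lists three autoruns, two review items and two orphans, and flags "Logitech Utility" because its path is just "Logi_MwX.Exe"; run it against a saved ComboFix.txt by passing the file's contents to parse_combofix.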
Hi, Maddielee.
ComboFix likely took extra long due to removing the folders, although over an hour is excessive and not normal. However, looking at the before and after "bytes free", there was a lot removed.
How is your computer now?
Some of my programs (like Family Tree Maker) still read 'empty'...but, I have most important data on back-up discs.
I am missing some Icons on the desktop, but I don't think that is too awful.
Everything else seems to be ok, if I can remember how it was before correctly.
Is it safe to use?
How can I thank you for all your help? Because you have been wonderful and patient.
Hi, Maddielee.
I'll address the missing shortcuts and desktop items in a separate reply.
Please do the following to implement cleanup procedures and also to reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal (https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=combofix%40live%2ecom&item_name=ComboFix&no_shipping=0&no_note=1&tax=0&currency_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8).
You can also delete RKill and the registry fixes I had you download.
Is your McAfee antivirus software updating?
To check if your system is missing security updates or has insecure applications, install Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) or, alternatively, visit http://secunia.com/software_inspector/ . The Secunia Software Inspector runs through your browser with no installation or download required and does the following:
- Detects insecure versions of applications installed
- Verifies that all Microsoft patches are applied
- Assists you in updating your system and applications
Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html
My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html. If you have questions about WinPatrol, we have a forum here at LzD: WinPatrol Help & Information (http://www.landzdown.com/winpatrol-help-information/).
Now on to optional steps to restore any missing menu items or shortcuts.
For missing desktop shortcuts, this tutorial illustrates how to do it much easier than I can explain it! See Computer Tutorials - Create desktop shortcuts in Windows XP (http://www.qwertytutorials.com/software_tutorials/windows_xp/create_shortcuts_xp.php).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You have the Program Files menu back but I don't know if you have Accessories and Administrative Tools. If not, you can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows.
Note: This information and the illustrated example below were created by Broni from Bleeping Computer and his website, Smartest Computing (http://www.smartestcomputing.us.com/index.php?app=uportal). For ease of readability, I've reproduced his example for Avast without the "quote" tag, but all credit goes to Broni, who has helped many people:
- Restore Accessories Program Files Menu with accrestore.zip for XP (http://www.winxptutor.com/download/accrestore.zip)
- Extract (unzip) the tool, double-click on it to run and ensure that the following check boxes are checked (as shown below):
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fi844.photobucket.com%2Falbums%2Fab4%2FSweetSweetTech%2Frestore-start-menu-accessories-folder.png&hash=f606a74ce1ce3ce455f61d9a9c454e6da5ec0a35)
- Then click on the Restore button.
It gets more complicated for the missing program shortcuts.
- Download App Paths (http://sourceforge.net/projects/apppaths/files/AppPaths.exe/download)
- Double click on AppPaths.exe to run the program.
- Keep the program open.
- Go Start>All Programs.
- Right click on Avast entry, click "Properties".
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2F209.85.48.8%2F228%2F109%2Fupload%2Fp4481214.gif&hash=8c4bf1f0f27886e405810846e449c858afe28db7)
NOTE: Make sure you right-click on the Avast program, NOT on the Avast folder.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2F209.85.48.8%2F228%2F109%2Fupload%2Fp4481211.gif&hash=66a23c04c984314c3b672e55636401b2e9c0fb5f)
Due to the damage caused by the infection, you'll find "Target" box empty.
- Go back to AppPaths window and find Avast entry.
- Right click on Avast line, click "Edit".
- A pop-up window will open:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2F209.85.48.8%2F228%2F109%2Fupload%2Fp4481212.gif&hash=a55affc263368a6c029c20a620735fb6f324b062)
- Highlight everything in "Path" box, right click on it, click "Copy"
- Go back to Avast "Properties" window, right click inside "Target" box, click "Paste".
- IMPORTANT! Add quotation marks at the beginning of the path and at the end
- Click OK and you're done.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2F209.85.48.8%2F228%2F109%2Fupload%2Fp4481213.gif&hash=43e8169a73c48b2a0be6600a95594f4b4ccb27c4)
You would follow that process for missing program entries like Family Tree Maker.
I'm sorry. I am completely lost...I don't have a program listed named - Avast.
Hi, Maddielee.
Using Avast was merely an example of how to add links for missing programs such as Family Tree Maker back to the list using App Paths.
Oh! I get it now! Duh! Thanks, again.
You're welcome. Although a bit overwhelming, the instructions are nicely illustrated.
We are good to go! (I think)....Again, thank you for all your help.
I sent a little something through PayPal....hope the right people receive it. It shows a donation to ComboFix???
That was very nice of you, Maddielee, thank you!
Yes, the donation went to sUBs, the creator of ComboFix. He devotes many hours not only to the development and maintenance of ComboFix, DDS and other tools but also, behind the scenes, sharing his wealth of knowledge with trained analysts. Without his extraordinary efforts, we would have a much, much more difficult time not only knowing what is on the computer but also helping people clean their computers.