Back To Microsoft Windows Forum

XP recovery console hangs. {resolved}

  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post September 28th, 2009, 10:21 am

This is a new one on me. Looking for ideas.

Have a Dell PC that BSOD'd this morning with unmountable_boot_volume
Same error trying to boot to safe mode.

Got into RC once and did a fixmbr which normally works just fine.
This time it didn't, so I'm trying to get back to recovery console to run a chkdsk and perhaps fixmbr again, but now RC hangs at "Examining 252587 MB Disk 0 at Id 0 on bus 0 on iastor..."

Seen many posts from people with the same problem on searches, but haven't found any with a resolution or potential reason.

Any thoughts on resolving this?

(I can get to the repair XP installation option, but I'm saving a repair installation as a last option.)

The drive is SATA if that helps
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • Anonymous
  • Bot
  • No Avatar
  • Joined: 25 Feb 2008
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post September 28th, 2009, 10:21 am

  • Don2007
  • Web Master
  • Web Master
  • No Avatar
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY
  • Status: Offline

Post September 28th, 2009, 10:28 am

Look at the boot CD. It could be damaged or just dirty. Clean it, see what happens.
How do you know when a politician is lying? His mouth is moving.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post September 29th, 2009, 6:28 am

Thanks for the tip Don, but the CD was clean and just fine.

This gets interesting. I've been seeing a lot more of this lately (in fact 6 times in the last two months). I used an old "trick" I remembered and unplugged the machine, pulled out the CMOS battery and let it sit for a half hour to discharge the capacitors. Put it back in and booted to setup to test the hardware. Ran a four hour system diagnostic and all tests passed so I ruled out hardware failure.

Afterward was able to boot to recovery console.
Ran a chkdsk and fixmbr and got it to boot.

Here's the interesting part. Since I've already seen this happen several times in the last month, I immediately ran combofix (it's still running) and it's finding all kinds of nasties. In a nutshell, my best guess is there's at least several viruses / malware out there now that seem to like rewriting the MBR.

And I do know how he got it. He did a google search for a legit Nuclear Regulatory Commission page, and clicked the link that looked exactly like what he was searching for. Unfortunately he didn't look at the hyperlink closely when he clicked it, and BAM! (Even symantec enterprise couldn't stop it). I looked at several of the dll's Combofix has found already and everyone of them are resistant to interrogation by security products.

Guess it's an example of no matter how safely you surf, you can still get nailed.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • Don2007
  • Web Master
  • Web Master
  • No Avatar
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY
  • Status: Offline

Post September 29th, 2009, 6:52 am

How are you so sure that the cause was that link?
How do you know when a politician is lying? His mouth is moving.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post September 29th, 2009, 7:19 am

I had cleaned up his computer a week ago because it had some rogue antivirus.

He showed me the link he clicked. At that point the computer hadn't been rebooted. It was rebooted over the weekend, and that's when everything really became really active I guess (you'll see it in a lot of the startup entries).

In addition one entry in the log shows me that one of the nasties disabled antivirus monitoring on Symantec.

Quote:
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001


The other thing it did was infect ntvdm.exe which is a core system file that allows 16-bit applications to run on 32-bit machines.

Quote:
# Infected copy of c:\windows\system32\ntvdm.exe was found and disinfected
# Restored copy from - c:\windows\system32\dllcache\ntvdm.exe


For those familiar with this kind of stuff, the log is pretty interesting. You'll recognize all kinds of bad stuff on here.

Code: [ Select ]
ComboFix 09-09-28.01 - Administrator 09/29/2009 9:05.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2360 [GMT -4:00]
Running from: i:\userhomes\bowkerm\Utilities\Spyware\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\alot
c:\documents and settings\All Users\Microsoft Private Data
c:\documents and settings\All Users\Microsoft Private Data\Microsoft\t.id
c:\documents and settings\collins\Application Data\alot
c:\documents and settings\faulkp\Application Data\alot
c:\documents and settings\faulkp\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\faulkp\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\faulkp\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\faulkp\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\faulkp\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\faulkp\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\faulkp\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\faulkp\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\faulkp\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\faulkp\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\faulkp\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\faulkp\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\faulkp\Application Data\alot\configurator\configurator.xml
c:\documents and settings\faulkp\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\faulkp\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\faulkp\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\faulkp\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\faulkp\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\faulkp\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\faulkp\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\faulkp\Application Data\alot\products\products.xml
c:\documents and settings\faulkp\Application Data\alot\products\products.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_2\images\default_1002_alot_videos_videosearch.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_2\images\default_1002_alot_videos_videosearch.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_3\images\default_1042_alot_video_vault.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_3\images\default_1042_alot_video_vault.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_4\images\default_1605_ALOT_Email.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_4\images\default_1605_ALOT_Email.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_5\images\default_1667_www.youtube.com_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_5\images\default_1667_www.youtube.com_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\alert-icon.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\mcloud.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_7\images\default_1897_alot_scr_screensavers.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_7\images\default_1897_alot_scr_screensavers.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_8\images\default_1045_alot_rea_laughs.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_8\images\default_1045_alot_rea_laughs.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_9\images\default_1602_alot_mrkt_livinghealthy.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_9\images\default_1602_alot_mrkt_livinghealthy.png
c:\documents and settings\faulkp\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\faulkp\Application Data\alot\SiteMetrics\SiteMetrics.xml
c:\documents and settings\faulkp\Application Data\alot\SiteMetrics\SiteMetrics.xml.backup
c:\documents and settings\faulkp\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\faulkp\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\faulkp\Application Data\alot\toolbar.xml
c:\documents and settings\faulkp\Application Data\alot\toolbar.xml.backup
c:\documents and settings\faulkp\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\faulkp\Application Data\alot\Updater\Updater.xml
c:\documents and settings\faulkp\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\millerm\Application Data\alot
c:\documents and settings\millerm\Local Settings\Temporary Internet Files\hardcopy.log
c:\documents and settings\millerm\Local Settings\Temporary Internet Files\plot.log
c:\documents and settings\millerm\Start Menu\Programs\Total Security
c:\documents and settings\millerm\Start Menu\Programs\Total Security\Total Security 2009.lnk
c:\documents and settings\noravitz\Application Data\alot
c:\windows\Installer\325a8.msi
c:\windows\Installer\472b3a1.msp
c:\windows\Installer\472b3a7.msp
c:\windows\system32\_003209_.tmp.dll
c:\windows\system32\_003210_.tmp.dll
c:\windows\system32\_003211_.tmp.dll
c:\windows\system32\_003212_.tmp.dll
c:\windows\system32\_003219_.tmp.dll
c:\windows\system32\_003220_.tmp.dll
c:\windows\system32\_003221_.tmp.dll
c:\windows\system32\_003223_.tmp.dll
c:\windows\system32\_003224_.tmp.dll
c:\windows\system32\_003227_.tmp.dll
c:\windows\system32\_003228_.tmp.dll
c:\windows\system32\_003231_.tmp.dll
c:\windows\system32\_003232_.tmp.dll
c:\windows\system32\_003234_.tmp.dll
c:\windows\system32\_003237_.tmp.dll
c:\windows\system32\_003238_.tmp.dll
c:\windows\system32\_003243_.tmp.dll
c:\windows\system32\_003245_.tmp.dll
c:\windows\system32\_003248_.tmp.dll
c:\windows\system32\_003250_.tmp.dll
c:\windows\system32\_003251_.tmp.dll
c:\windows\system32\_003252_.tmp.dll
c:\windows\system32\_003253_.tmp.dll
c:\windows\system32\_003256_.tmp.dll
c:\windows\system32\_003257_.tmp.dll
c:\windows\system32\_003258_.tmp.dll
c:\windows\system32\_003259_.tmp.dll
c:\windows\system32\_003260_.tmp.dll
c:\windows\system32\_003265_.tmp.dll
c:\windows\system32\_003267_.tmp.dll
c:\windows\system32\bikuhagu.dll
c:\windows\system32\diwunawo.dll
c:\windows\system32\dumenebi.dll
c:\windows\system32\fugudipi.dll
c:\windows\system32\gurutipa.exe
c:\windows\system32\jaduzumi.dll
c:\windows\system32\jisiponu.dll
c:\windows\system32\jugopive.dll
c:\windows\system32\lahesumo.dll
c:\windows\system32\lozetasa.exe
c:\windows\system32\mipasowu.dll
c:\windows\system32\nigobani.dll
c:\windows\system32\nubayiri.dll
c:\windows\system32\pavebade.exe
c:\windows\system32\sarefojo.exe
c:\windows\system32\sibidapi.dll
c:\windows\system32\tahemehu.dll
c:\windows\system32\tijojepe.exe
c:\windows\system32\tizabedi.dll
c:\windows\system32\visujowo.dll
c:\windows\system32\vizaleso.dll
c:\windows\system32\wazonaya.dll
c:\windows\system32\werohage.dll
c:\windows\system32\yavipomu.dll
c:\windows\system32\zurasujo.dll

Infected copy of c:\windows\system32\ntvdm.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntvdm.exe

.
(((((((((((((((((((((((((  Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-29 12:58 . 2009-09-29 13:00    --------    d-----w-    C:\Combo-Fix
2009-09-29 12:50 . 2009-09-29 12:50    --------    d-----w-    c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\Research In Motion
2009-09-29 12:49 . 2009-09-29 12:49    --------    d-sh--w-    c:\documents and settings\Administrator.ALARON-NUCLEAR\IETldCache
2009-09-21 13:03 . 2009-09-21 13:03    --------    d--h--w-    c:\windows\PIF
2009-09-21 12:34 . 2009-09-21 12:34    --------    d-----w-    c:\documents and settings\millerm\Application Data\Malwarebytes
2009-09-18 14:36 . 2009-09-21 11:49    --------    d-----w-    c:\documents and settings\All Users\Application Data\15920314
2009-09-16 11:53 . 2009-09-16 11:53    --------    d-----w-    c:\documents and settings\millerm\Application Data\Juniper Networks

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 13:28 . 2009-06-24 14:28    256    ----a-w-    c:\windows\system32\pool.bin
2009-09-29 13:14 . 2009-06-08 16:55    --------    d-----w-    c:\program files\Symantec AntiVirus
2009-09-29 12:37 . 2009-06-29 12:37    91136    ----a-w-    c:\windows\system32\pomijowu.dll.vir
2009-09-29 12:36 . 2009-06-29 12:36    87552    ----a-w-    c:\windows\system32\dataheme.dll.vir
2009-09-28 02:22 . 2009-06-28 02:22    87552    ----a-w-    c:\windows\system32\fowibiya.dll.vir
2009-09-27 14:22 . 2009-06-27 14:22    88064    --sha-w-    c:\windows\system32\hifibugo.dll
2009-09-27 02:22 . 2009-06-27 02:22    88064    --sha-w-    c:\windows\system32\fodadowa.dll
2009-09-26 14:22 . 2009-06-26 14:22    87552    --sha-w-    c:\windows\system32\zowiyari.dll
2009-09-26 02:22 . 2009-06-26 02:22    49664    --sha-w-    c:\windows\system32\bojapume.dll
2009-09-23 14:21 . 2009-06-23 14:21    88576    ----a-w-    c:\windows\system32\bunofalo.dll.vir
2009-09-23 02:20 . 2009-06-23 02:20    87552    --sha-w-    c:\windows\system32\reporelo.dll
2009-09-22 14:20 . 2009-06-22 14:20    88064    --sha-w-    c:\windows\system32\niwazuba.dll
2009-09-22 02:22 . 2009-06-22 02:22    88064    --sha-w-    c:\windows\system32\dusuvivu.dll
2009-09-21 14:20 . 2009-06-21 14:20    88576    --sha-w-    c:\windows\system32\sesotoja.dll
2009-09-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\peluloge.dll
2009-09-21 14:13 . 2009-06-21 14:13    88576    --sha-w-    c:\windows\system32\gijiyeli.dll
2009-09-21 13:48 . 2009-08-24 13:05    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2009-08-24 16:49 . 2009-08-24 16:49    --------    d-----w-    c:\program files\CPUID
2009-08-24 16:47 . 2009-08-24 16:47    --------    d-----w-    c:\documents and settings\collins\Application Data\Xerox
2009-08-24 13:22 . 2009-08-24 13:05    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:06 . 2009-08-24 13:06    --------    d-----w-    c:\documents and settings\collins\Application Data\Malwarebytes
2009-08-24 12:57 . 2009-08-24 12:57    --------    d-----w-    c:\documents and settings\collins\Application Data\Research In Motion
2009-08-24 12:57 . 2008-06-12 20:05    115128    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 12:56 . 2008-11-11 18:59    --------    d-----w-    c:\documents and settings\All Users\Application Data\NOS
2009-08-24 12:51 . 2008-06-23 17:07    --------    d-----w-    c:\program files\Microsoft Silverlight
2009-08-24 12:43 . 2008-06-12 19:55    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-12 13:14 . 2008-10-20 17:46    115128    ----a-w-    c:\documents and settings\millerm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 12:58 . 2009-06-24 14:08    --------    d-----w-    c:\program files\Common Files\Roxio Shared
2009-08-12 12:57 . 2009-08-12 12:56    --------    d-----w-    c:\program files\Roxio
2009-08-12 12:56 . 2009-06-24 14:08    --------    d-----w-    c:\documents and settings\All Users\Application Data\Roxio
2009-08-12 12:56 . 2009-08-12 12:56    --------    d-----w-    c:\program files\Common Files\Sonic Shared
2009-08-12 12:51 . 2009-08-12 12:51    --------    d-----w-    c:\documents and settings\All Users\Application Data\Research In Motion
2009-08-12 12:51 . 2009-06-24 14:03    --------    d-----w-    c:\program files\Research In Motion
2009-08-12 12:49 . 2009-06-24 14:03    --------    d-----w-    c:\program files\Common Files\Research In Motion
2009-08-06 05:28 . 2008-06-12 20:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-05 09:01 . 2004-08-11 21:00    204800    ----a-w-    c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-11 21:00    119808    ----a-w-    c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-11 21:00    81920    ----a-w-    c:\windows\system32\fontsub.dll
2009-07-17 19:01 . 2004-08-11 21:00    58880    ----a-w-    c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-11 21:00    286208    ----a-w-    c:\windows\system32\wmpdxm.dll
2009-07-10 13:13 . 2009-07-10 13:13    94208    ----a-w-    c:\windows\system32\msstkprp.dll
2009-07-10 13:13 . 2009-07-10 13:13    43160    ----a-w-    c:\windows\system32\AcSignIcon.dll
2009-07-10 13:13 . 2009-07-10 13:13    429720    ----a-w-    c:\windows\system32\AcSignOpt.exe
2009-07-10 13:13 . 2009-07-10 13:13    29848    ----a-w-    c:\windows\system32\AcSignExt.dll
2009-07-10 13:13 . 2009-07-10 13:13    14488    ----a-w-    c:\windows\system32\AcSignExtRes.dll
2009-07-03 17:09 . 2004-08-11 21:00    915456    ----a-w-    c:\windows\system32\wininet.dll
2009-06-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\kofirawa.dll.tmp
2009-06-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\koyagahu.dll.tmp
2009-06-26 02:23 . 2009-06-26 02:23    49664    --sha-w-    c:\windows\system32\likepuzu.dll.tmp
2009-06-26 14:22 . 2009-06-26 14:22    521216    --sha-w-    c:\windows\system32\lizimobu.exe
2009-06-26 02:23 . 2009-06-26 02:23    49664    --sha-w-    c:\windows\system32\tiyeyoma.dll.tmp
2009-06-26 02:23 . 2009-06-26 02:23    49664    --sha-w-    c:\windows\system32\velajoya.dll.tmp
2009-06-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\wiseyiwi.dll.tmp
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 137752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-26 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-12 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-24 185896]
"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 738968]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]

c:\documents and settings\millerm\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 2:30 PM 79168]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [6/23/2008 12:25 PM 6016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/15/2009 8:10 AM 102448]
S0 tvay;tvay;c:\windows\system32\drivers\hxjrgpgw.sys --> c:\windows\system32\drivers\hxjrgpgw.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ      hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080612
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
TCP: {950A1CFE-8577-4FDF-92C3-7CA4FE2D19B2} = 77.74.48.113
TCP: {DE1DCEA5-F2D3-48E5-AA35-E29468364622} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\Mozilla\Firefox\Profiles\wl6kdhla.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-negunasok - c:\windows\system32\dataheme.dll
SharedTaskScheduler-{3284e2fa-ff22-4498-9fc7-2b6d416b115c} - c:\windows\system32\dataheme.dll
SSODL-lakehiviw-{3284e2fa-ff22-4498-9fc7-2b6d416b115c} - c:\windows\system32\dataheme.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 09:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3548)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Spybot - Search & Destroy\SDHelper.dll
c:\windows\system32\hccutils.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-09-29 9:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-29 13:43

Pre-Run: 130,088,759,296 bytes free
Post-Run: 131,111,776,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

386    --- E O F ---    2009-06-29 15:02
  1. ComboFix 09-09-28.01 - Administrator 09/29/2009 9:05.1.2 - NTFSx86
  2. Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2360 [GMT -4:00]
  3. Running from: i:\userhomes\bowkerm\Utilities\Spyware\Combo-Fix.exe
  4. AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
  5. * Created a new restore point
  6. .
  8. (((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
  9. .
  11. c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\alot
  12. c:\documents and settings\All Users\Microsoft Private Data
  13. c:\documents and settings\All Users\Microsoft Private Data\Microsoft\t.id
  14. c:\documents and settings\collins\Application Data\alot
  15. c:\documents and settings\faulkp\Application Data\alot
  16. c:\documents and settings\faulkp\Application Data\alot\BrowserSearch\BrowserSearch.xml
  17. c:\documents and settings\faulkp\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
  18. c:\documents and settings\faulkp\Application Data\alot\Button_0\Button_0.xml
  19. c:\documents and settings\faulkp\Application Data\alot\Button_0\Button_0.xml.backup
  20. c:\documents and settings\faulkp\Application Data\alot\Button_1\Button_1.xml
  21. c:\documents and settings\faulkp\Application Data\alot\Button_1\Button_1.xml.backup
  22. c:\documents and settings\faulkp\Application Data\alot\Button_2\Button_2.xml
  23. c:\documents and settings\faulkp\Application Data\alot\Button_2\Button_2.xml.backup
  24. c:\documents and settings\faulkp\Application Data\alot\Button_3\Button_3.xml
  25. c:\documents and settings\faulkp\Application Data\alot\Button_3\Button_3.xml.backup
  26. c:\documents and settings\faulkp\Application Data\alot\Button_4\Button_4.xml
  27. c:\documents and settings\faulkp\Application Data\alot\Button_4\Button_4.xml.backup
  28. c:\documents and settings\faulkp\Application Data\alot\Button_5\Button_5.xml
  29. c:\documents and settings\faulkp\Application Data\alot\Button_5\Button_5.xml.backup
  30. c:\documents and settings\faulkp\Application Data\alot\Button_6\Button_6.xml
  31. c:\documents and settings\faulkp\Application Data\alot\Button_6\Button_6.xml.backup
  32. c:\documents and settings\faulkp\Application Data\alot\Button_7\Button_7.xml
  33. c:\documents and settings\faulkp\Application Data\alot\Button_7\Button_7.xml.backup
  34. c:\documents and settings\faulkp\Application Data\alot\Button_8\Button_8.xml
  35. c:\documents and settings\faulkp\Application Data\alot\Button_8\Button_8.xml.backup
  36. c:\documents and settings\faulkp\Application Data\alot\Button_9\Button_9.xml
  37. c:\documents and settings\faulkp\Application Data\alot\Button_9\Button_9.xml.backup
  38. c:\documents and settings\faulkp\Application Data\alot\configurator\configurator.xml
  39. c:\documents and settings\faulkp\Application Data\alot\configurator\configurator.xml.backup
  40. c:\documents and settings\faulkp\Application Data\alot\contextMenu\contextMenu.xml
  41. c:\documents and settings\faulkp\Application Data\alot\contextMenu\contextMenu.xml.backup
  42. c:\documents and settings\faulkp\Application Data\alot\ErrorSearch\ErrorSearch.xml
  43. c:\documents and settings\faulkp\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
  44. c:\documents and settings\faulkp\Application Data\alot\postInstallLayout\postInstallLayout.xml
  45. c:\documents and settings\faulkp\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
  46. c:\documents and settings\faulkp\Application Data\alot\products\products.xml
  47. c:\documents and settings\faulkp\Application Data\alot\products\products.xml.backup
  48. c:\documents and settings\faulkp\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
  49. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
  50. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
  51. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
  52. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_1\images\alot_search_button.png
  53. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_2\images\default_1002_alot_videos_videosearch.bmp
  54. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_2\images\default_1002_alot_videos_videosearch.png
  55. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_3\images\default_1042_alot_video_vault.bmp
  56. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_3\images\default_1042_alot_video_vault.png
  57. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_4\images\default_1605_ALOT_Email.bmp
  58. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_4\images\default_1605_ALOT_Email.png
  59. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_5\images\default_1667_www.youtube.com_button.bmp
  60. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_5\images\default_1667_www.youtube.com_button.png
  61. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\alert-icon.png
  62. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.bmp
  63. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.png
  64. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\mcloud.png
  65. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_7\images\default_1897_alot_scr_screensavers.bmp
  66. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_7\images\default_1897_alot_scr_screensavers.png
  67. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_8\images\default_1045_alot_rea_laughs.bmp
  68. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_8\images\default_1045_alot_rea_laughs.png
  69. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_9\images\default_1602_alot_mrkt_livinghealthy.bmp
  70. c:\documents and settings\faulkp\Application Data\alot\Resources\Button_9\images\default_1602_alot_mrkt_livinghealthy.png
  71. c:\documents and settings\faulkp\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
  72. c:\documents and settings\faulkp\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
  73. c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\domains.dat
  74. c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\alot_brand.png
  75. c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\alot_splitter.png
  76. c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\spinner.bmp
  77. c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
  78. c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
  79. c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
  80. c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_caption.bmp
  81. c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
  82. c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
  83. c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
  84. c:\documents and settings\faulkp\Application Data\alot\SiteMetrics\SiteMetrics.xml
  85. c:\documents and settings\faulkp\Application Data\alot\SiteMetrics\SiteMetrics.xml.backup
  86. c:\documents and settings\faulkp\Application Data\alot\TimerManager\TimerManager.xml
  87. c:\documents and settings\faulkp\Application Data\alot\TimerManager\TimerManager.xml.backup
  88. c:\documents and settings\faulkp\Application Data\alot\toolbar.xml
  89. c:\documents and settings\faulkp\Application Data\alot\toolbar.xml.backup
  90. c:\documents and settings\faulkp\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
  91. c:\documents and settings\faulkp\Application Data\alot\Updater\Updater.xml
  92. c:\documents and settings\faulkp\Application Data\alot\Updater\Updater.xml.backup
  93. c:\documents and settings\millerm\Application Data\alot
  94. c:\documents and settings\millerm\Local Settings\Temporary Internet Files\hardcopy.log
  95. c:\documents and settings\millerm\Local Settings\Temporary Internet Files\plot.log
  96. c:\documents and settings\millerm\Start Menu\Programs\Total Security
  97. c:\documents and settings\millerm\Start Menu\Programs\Total Security\Total Security 2009.lnk
  98. c:\documents and settings\noravitz\Application Data\alot
  99. c:\windows\Installer\325a8.msi
  100. c:\windows\Installer\472b3a1.msp
  101. c:\windows\Installer\472b3a7.msp
  102. c:\windows\system32\_003209_.tmp.dll
  103. c:\windows\system32\_003210_.tmp.dll
  104. c:\windows\system32\_003211_.tmp.dll
  105. c:\windows\system32\_003212_.tmp.dll
  106. c:\windows\system32\_003219_.tmp.dll
  107. c:\windows\system32\_003220_.tmp.dll
  108. c:\windows\system32\_003221_.tmp.dll
  109. c:\windows\system32\_003223_.tmp.dll
  110. c:\windows\system32\_003224_.tmp.dll
  111. c:\windows\system32\_003227_.tmp.dll
  112. c:\windows\system32\_003228_.tmp.dll
  113. c:\windows\system32\_003231_.tmp.dll
  114. c:\windows\system32\_003232_.tmp.dll
  115. c:\windows\system32\_003234_.tmp.dll
  116. c:\windows\system32\_003237_.tmp.dll
  117. c:\windows\system32\_003238_.tmp.dll
  118. c:\windows\system32\_003243_.tmp.dll
  119. c:\windows\system32\_003245_.tmp.dll
  120. c:\windows\system32\_003248_.tmp.dll
  121. c:\windows\system32\_003250_.tmp.dll
  122. c:\windows\system32\_003251_.tmp.dll
  123. c:\windows\system32\_003252_.tmp.dll
  124. c:\windows\system32\_003253_.tmp.dll
  125. c:\windows\system32\_003256_.tmp.dll
  126. c:\windows\system32\_003257_.tmp.dll
  127. c:\windows\system32\_003258_.tmp.dll
  128. c:\windows\system32\_003259_.tmp.dll
  129. c:\windows\system32\_003260_.tmp.dll
  130. c:\windows\system32\_003265_.tmp.dll
  131. c:\windows\system32\_003267_.tmp.dll
  132. c:\windows\system32\bikuhagu.dll
  133. c:\windows\system32\diwunawo.dll
  134. c:\windows\system32\dumenebi.dll
  135. c:\windows\system32\fugudipi.dll
  136. c:\windows\system32\gurutipa.exe
  137. c:\windows\system32\jaduzumi.dll
  138. c:\windows\system32\jisiponu.dll
  139. c:\windows\system32\jugopive.dll
  140. c:\windows\system32\lahesumo.dll
  141. c:\windows\system32\lozetasa.exe
  142. c:\windows\system32\mipasowu.dll
  143. c:\windows\system32\nigobani.dll
  144. c:\windows\system32\nubayiri.dll
  145. c:\windows\system32\pavebade.exe
  146. c:\windows\system32\sarefojo.exe
  147. c:\windows\system32\sibidapi.dll
  148. c:\windows\system32\tahemehu.dll
  149. c:\windows\system32\tijojepe.exe
  150. c:\windows\system32\tizabedi.dll
  151. c:\windows\system32\visujowo.dll
  152. c:\windows\system32\vizaleso.dll
  153. c:\windows\system32\wazonaya.dll
  154. c:\windows\system32\werohage.dll
  155. c:\windows\system32\yavipomu.dll
  156. c:\windows\system32\zurasujo.dll
  158. Infected copy of c:\windows\system32\ntvdm.exe was found and disinfected
  159. Restored copy from - c:\windows\system32\dllcache\ntvdm.exe
  161. .
  162. (((((((((((((((((((((((((  Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
  163. .
  165. 2009-09-29 12:58 . 2009-09-29 13:00    --------    d-----w-    C:\Combo-Fix
  166. 2009-09-29 12:50 . 2009-09-29 12:50    --------    d-----w-    c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\Research In Motion
  167. 2009-09-29 12:49 . 2009-09-29 12:49    --------    d-sh--w-    c:\documents and settings\Administrator.ALARON-NUCLEAR\IETldCache
  168. 2009-09-21 13:03 . 2009-09-21 13:03    --------    d--h--w-    c:\windows\PIF
  169. 2009-09-21 12:34 . 2009-09-21 12:34    --------    d-----w-    c:\documents and settings\millerm\Application Data\Malwarebytes
  170. 2009-09-18 14:36 . 2009-09-21 11:49    --------    d-----w-    c:\documents and settings\All Users\Application Data\15920314
  171. 2009-09-16 11:53 . 2009-09-16 11:53    --------    d-----w-    c:\documents and settings\millerm\Application Data\Juniper Networks
  173. .
  174. ((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
  175. .
  176. 2009-09-29 13:28 . 2009-06-24 14:28    256    ----a-w-    c:\windows\system32\pool.bin
  177. 2009-09-29 13:14 . 2009-06-08 16:55    --------    d-----w-    c:\program files\Symantec AntiVirus
  178. 2009-09-29 12:37 . 2009-06-29 12:37    91136    ----a-w-    c:\windows\system32\pomijowu.dll.vir
  179. 2009-09-29 12:36 . 2009-06-29 12:36    87552    ----a-w-    c:\windows\system32\dataheme.dll.vir
  180. 2009-09-28 02:22 . 2009-06-28 02:22    87552    ----a-w-    c:\windows\system32\fowibiya.dll.vir
  181. 2009-09-27 14:22 . 2009-06-27 14:22    88064    --sha-w-    c:\windows\system32\hifibugo.dll
  182. 2009-09-27 02:22 . 2009-06-27 02:22    88064    --sha-w-    c:\windows\system32\fodadowa.dll
  183. 2009-09-26 14:22 . 2009-06-26 14:22    87552    --sha-w-    c:\windows\system32\zowiyari.dll
  184. 2009-09-26 02:22 . 2009-06-26 02:22    49664    --sha-w-    c:\windows\system32\bojapume.dll
  185. 2009-09-23 14:21 . 2009-06-23 14:21    88576    ----a-w-    c:\windows\system32\bunofalo.dll.vir
  186. 2009-09-23 02:20 . 2009-06-23 02:20    87552    --sha-w-    c:\windows\system32\reporelo.dll
  187. 2009-09-22 14:20 . 2009-06-22 14:20    88064    --sha-w-    c:\windows\system32\niwazuba.dll
  188. 2009-09-22 02:22 . 2009-06-22 02:22    88064    --sha-w-    c:\windows\system32\dusuvivu.dll
  189. 2009-09-21 14:20 . 2009-06-21 14:20    88576    --sha-w-    c:\windows\system32\sesotoja.dll
  190. 2009-09-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\peluloge.dll
  191. 2009-09-21 14:13 . 2009-06-21 14:13    88576    --sha-w-    c:\windows\system32\gijiyeli.dll
  192. 2009-09-21 13:48 . 2009-08-24 13:05    --------    d-----w-    c:\program files\Spybot - Search & Destroy
  193. 2009-08-24 16:49 . 2009-08-24 16:49    --------    d-----w-    c:\program files\CPUID
  194. 2009-08-24 16:47 . 2009-08-24 16:47    --------    d-----w-    c:\documents and settings\collins\Application Data\Xerox
  195. 2009-08-24 13:22 . 2009-08-24 13:05    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
  196. 2009-08-24 13:06 . 2009-08-24 13:06    --------    d-----w-    c:\documents and settings\collins\Application Data\Malwarebytes
  197. 2009-08-24 12:57 . 2009-08-24 12:57    --------    d-----w-    c:\documents and settings\collins\Application Data\Research In Motion
  198. 2009-08-24 12:57 . 2008-06-12 20:05    115128    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
  199. 2009-08-24 12:56 . 2008-11-11 18:59    --------    d-----w-    c:\documents and settings\All Users\Application Data\NOS
  200. 2009-08-24 12:51 . 2008-06-23 17:07    --------    d-----w-    c:\program files\Microsoft Silverlight
  201. 2009-08-24 12:43 . 2008-06-12 19:55    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
  202. 2009-08-12 13:14 . 2008-10-20 17:46    115128    ----a-w-    c:\documents and settings\millerm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
  203. 2009-08-12 12:58 . 2009-06-24 14:08    --------    d-----w-    c:\program files\Common Files\Roxio Shared
  204. 2009-08-12 12:57 . 2009-08-12 12:56    --------    d-----w-    c:\program files\Roxio
  205. 2009-08-12 12:56 . 2009-06-24 14:08    --------    d-----w-    c:\documents and settings\All Users\Application Data\Roxio
  206. 2009-08-12 12:56 . 2009-08-12 12:56    --------    d-----w-    c:\program files\Common Files\Sonic Shared
  207. 2009-08-12 12:51 . 2009-08-12 12:51    --------    d-----w-    c:\documents and settings\All Users\Application Data\Research In Motion
  208. 2009-08-12 12:51 . 2009-06-24 14:03    --------    d-----w-    c:\program files\Research In Motion
  209. 2009-08-12 12:49 . 2009-06-24 14:03    --------    d-----w-    c:\program files\Common Files\Research In Motion
  210. 2009-08-06 05:28 . 2008-06-12 20:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\FLEXnet
  211. 2009-08-05 09:01 . 2004-08-11 21:00    204800    ----a-w-    c:\windows\system32\mswebdvd.dll
  212. 2009-07-29 04:37 . 2004-08-11 21:00    119808    ----a-w-    c:\windows\system32\t2embed.dll
  213. 2009-07-29 04:37 . 2004-08-11 21:00    81920    ----a-w-    c:\windows\system32\fontsub.dll
  214. 2009-07-17 19:01 . 2004-08-11 21:00    58880    ----a-w-    c:\windows\system32\atl.dll
  215. 2009-07-14 03:43 . 2004-08-11 21:00    286208    ----a-w-    c:\windows\system32\wmpdxm.dll
  216. 2009-07-10 13:13 . 2009-07-10 13:13    94208    ----a-w-    c:\windows\system32\msstkprp.dll
  217. 2009-07-10 13:13 . 2009-07-10 13:13    43160    ----a-w-    c:\windows\system32\AcSignIcon.dll
  218. 2009-07-10 13:13 . 2009-07-10 13:13    429720    ----a-w-    c:\windows\system32\AcSignOpt.exe
  219. 2009-07-10 13:13 . 2009-07-10 13:13    29848    ----a-w-    c:\windows\system32\AcSignExt.dll
  220. 2009-07-10 13:13 . 2009-07-10 13:13    14488    ----a-w-    c:\windows\system32\AcSignExtRes.dll
  221. 2009-07-03 17:09 . 2004-08-11 21:00    915456    ----a-w-    c:\windows\system32\wininet.dll
  222. 2009-06-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\kofirawa.dll.tmp
  223. 2009-06-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\koyagahu.dll.tmp
  224. 2009-06-26 02:23 . 2009-06-26 02:23    49664    --sha-w-    c:\windows\system32\likepuzu.dll.tmp
  225. 2009-06-26 14:22 . 2009-06-26 14:22    521216    --sha-w-    c:\windows\system32\lizimobu.exe
  226. 2009-06-26 02:23 . 2009-06-26 02:23    49664    --sha-w-    c:\windows\system32\tiyeyoma.dll.tmp
  227. 2009-06-26 02:23 . 2009-06-26 02:23    49664    --sha-w-    c:\windows\system32\velajoya.dll.tmp
  228. 2009-06-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\wiseyiwi.dll.tmp
  229. .
  231. (((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
  232. .
  233. .
  234. *Note* empty entries & legit default entries are not shown
  235. REGEDIT4
  237. [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  238. "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
  240. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  241. "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 141848]
  242. "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162328]
  243. "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 137752]
  244. "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-26 136600]
  245. "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
  246. "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
  247. "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
  248. "Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
  249. "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-12 29744]
  250. "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
  251. "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
  252. "WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
  253. "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
  254. "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
  255. "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-24 185896]
  256. "Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 738968]
  257. "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
  258. "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
  259. "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
  260. "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
  261. "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
  263. c:\documents and settings\millerm\Start Menu\Programs\Startup\
  264. Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]
  266. c:\documents and settings\All Users\Start Menu\Programs\Startup\
  267. Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]
  269. [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
  270. "disablecad"= 1 (0x1)
  272. [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
  273. "NoWelcomeScreen"= 1 (0x1)
  275. [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
  276. "Bonjour Service"=2 (0x2)
  278. [HKEY_LOCAL_MACHINE\software\microsoft\security center]
  279. "UpdatesDisableNotify"=dword:00000001
  281. [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
  282. "DisableMonitoring"=dword:00000001
  284. [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
  285. "%windir%\\system32\\sessmgr.exe"=
  286. "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
  287. "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
  288. "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
  289. "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
  291. R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 2:30 PM 79168]
  292. R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
  293. R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [6/23/2008 12:25 PM 6016]
  294. R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/15/2009 8:10 AM 102448]
  295. S0 tvay;tvay;c:\windows\system32\drivers\hxjrgpgw.sys --> c:\windows\system32\drivers\hxjrgpgw.sys [?]
  297. [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
  298. HPZ12    REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
  299. hpdevmgmt    REG_MULTI_SZ      hpqcxs08
  301. [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
  302. "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
  303. .
  304. Contents of the 'Scheduled Tasks' folder
  306. 2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
  307. - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
  308. .
  309. .
  310. ------- Supplementary Scan -------
  311. .
  312. uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080612
  313. uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
  314. IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
  315. IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
  316. IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
  317. IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
  318. IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
  319. IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
  320. IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
  321. IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
  322. TCP: {950A1CFE-8577-4FDF-92C3-7CA4FE2D19B2} = 77.74.48.113
  323. TCP: {DE1DCEA5-F2D3-48E5-AA35-E29468364622} = 77.74.48.113
  324. FF - ProfilePath - c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\Mozilla\Firefox\Profiles\wl6kdhla.default\
  325. FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
  326. FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
  327. .
  328. - - - - ORPHANS REMOVED - - - -
  330. HKLM-Run-negunasok - c:\windows\system32\dataheme.dll
  331. SharedTaskScheduler-{3284e2fa-ff22-4498-9fc7-2b6d416b115c} - c:\windows\system32\dataheme.dll
  332. SSODL-lakehiviw-{3284e2fa-ff22-4498-9fc7-2b6d416b115c} - c:\windows\system32\dataheme.dll
  336. **************************************************************************
  338. catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
  339. Rootkit scan 2009-09-29 09:27
  340. Windows 5.1.2600 Service Pack 3 NTFS
  342. scanning hidden processes ... 
  344. scanning hidden autostart entries ...
  346. scanning hidden files ... 
  348. scan completed successfully
  349. hidden files: 0
  351. **************************************************************************
  352. .
  353. --------------------- LOCKED REGISTRY KEYS ---------------------
  355. [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
  356. @Denied: (A 2) (Everyone)
  357. @="FlashBroker"
  358. "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
  360. [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
  361. "Enabled"=dword:00000001
  363. [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
  364. @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
  366. [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
  367. @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
  369. [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
  370. @Denied: (A 2) (Everyone)
  371. @="IFlashBroker3"
  373. [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
  374. @="{00020424-0000-0000-C000-000000000046}"
  376. [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
  377. @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
  378. "Version"="1.0"
  379. .
  380. --------------------- DLLs Loaded Under Running Processes ---------------------
  382. - - - - - - - > 'explorer.exe'(3548)
  383. c:\windows\system32\WININET.dll
  384. c:\windows\system32\ieframe.dll
  385. c:\windows\system32\webcheck.dll
  386. c:\windows\system32\WPDShServiceObj.dll
  387. c:\windows\system32\PortableDeviceTypes.dll
  388. c:\windows\system32\PortableDeviceApi.dll
  389. c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
  390. c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
  391. c:\program files\Spybot - Search & Destroy\SDHelper.dll
  392. c:\windows\system32\hccutils.DLL
  393. c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
  394. .
  395. ------------------------ Other Running Processes ------------------------
  396. .
  397. c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
  398. c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
  399. c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
  400. c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
  401. c:\program files\Symantec AntiVirus\DefWatch.exe
  402. c:\program files\Juniper Networks\Common Files\dsNcService.exe
  403. c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
  404. c:\program files\Java\jre6\bin\jqs.exe
  405. c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
  406. c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
  407. c:\program files\Symantec AntiVirus\Rtvscan.exe
  408. c:\windows\system32\igfxsrvc.exe
  409. c:\program files\iPod\bin\iPodService.exe
  410. c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
  411. c:\program files\Java\jre6\bin\jucheck.exe
  412. .
  413. **************************************************************************
  414. .
  415. Completion time: 2009-09-29 9:52 - machine was rebooted
  416. ComboFix-quarantined-files.txt 2009-09-29 13:43
  418. Pre-Run: 130,088,759,296 bytes free
  419. Post-Run: 131,111,776,256 bytes free
  421. WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
  422. [boot loader]
  423. timeout=2
  424. default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
  425. [operating systems]
  426. c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
  427. multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
  429. 386    --- E O F ---    2009-06-29 15:02
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • Don2007
  • Web Master
  • Web Master
  • No Avatar
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY
  • Status: Offline

Post September 29th, 2009, 1:15 pm

I'll have to try combo fix some time. Thanks for the info.
How do you know when a politician is lying? His mouth is moving.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post September 29th, 2009, 2:01 pm

One key thing I like about it is the added benefit of searching for rootkits. I've found and removed 4 already since discovering Combofix and to date I hadn't found any other software that did except for Microsoft's Malicious Software Removal Tool.

Plus when it runs, it installs recovery console if you don't already have it installed and makes it available at boot. No more need for the OS CD to get to recovery console.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • Don2007
  • Web Master
  • Web Master
  • No Avatar
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY
  • Status: Offline

Post September 29th, 2009, 5:34 pm

Do you have combo fix burned to a CD?
How do you know when a politician is lying? His mouth is moving.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post September 29th, 2009, 6:11 pm

Both that and a network drive. Actually I have a whole set of current malware removal proggies burned to CD and on the mapped drive. I also have FF and Chrome as well in case I need to install an alternative browser.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • Don2007
  • Web Master
  • Web Master
  • No Avatar
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY
  • Status: Offline

Post September 30th, 2009, 6:21 am

Then what do you do for updates when anti malware programs need an update? For example anti malware from malwarebytes needs to be updated before each use. Having it on a CD when you're trying to clean a machine that can't connect to the net, makes it worthless.

Doesn't combo fix need updates?
How do you know when a politician is lying? His mouth is moving.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA
  • Status: Offline

Post September 30th, 2009, 7:33 am

Yes combo fix needs updates. When a new version of the softwares are available I update the version in the network folder then burn a new CD and toss the old.

Most of these programs will install just fine in safe mode. I do a lot of work on problem computers like that in safe mode with networking support. It allows the updates, but in safe mode as you know most of the malware usually isn't active. *note* the word USUALLY.

It's fairly effective. Alternatively you can put them on a flash drive vs a CD if you don't like wasting CD's.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.

Page 1 of 1

Post Information

  • Total Posts in this topic: 11 posts
  • Users browsing this forum: No registered users and 82 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.