XP recovery console hangs. {resolved}

  • ATNO/TW
  • Super Moderator
  • Posts: 23460
  • Loc: Woodbridge VA

Post 3+ Months Ago

This is a new one on me. Looking for ideas.

Have a Dell PC that BSOD'd this morning with unmountable_boot_volume.
Same error trying to boot to safe mode.

Got into RC once and did a fixmbr which normally works just fine.
This time it didn't, so I'm trying to get back to recovery console to run a chkdsk and perhaps fixmbr again, but now RC hangs at "Examining 252587 MB Disk 0 at Id 0 on bus 0 on iastor..."

Seen many posts from people with the same problem on searches, but haven't found any with a resolution or potential reason.

Any thoughts on resolving this?

(I can get to the repair XP installation option, but I'm saving a repair installation as a last option.)

The drive is SATA, if that helps.
  • Don2007
  • Web Master
  • Posts: 4923
  • Loc: NY

Post 3+ Months Ago

Look at the boot CD. It could be damaged or just dirty. Clean it, see what happens.
  • ATNO/TW
  • Super Moderator
  • Posts: 23460
  • Loc: Woodbridge VA

Post 3+ Months Ago

Thanks for the tip Don, but the CD was clean and just fine.

This gets interesting. I've been seeing a lot more of this lately (in fact 6 times in the last two months). I used an old "trick" I remembered and unplugged the machine, pulled out the CMOS battery and let it sit for a half hour to discharge the capacitors. Put it back in and booted to setup to test the hardware. Ran a four hour system diagnostic and all tests passed so I ruled out hardware failure.

Afterward I was able to boot to the recovery console.
Ran a chkdsk and fixmbr and got it to boot.

Here's the interesting part. Since I've already seen this happen several times in the last month, I immediately ran ComboFix (it's still running) and it's finding all kinds of nasties. In a nutshell, my best guess is there are at least several viruses / malware out there now that seem to like rewriting the MBR.

And I do know how he got it. He did a Google search for a legit Nuclear Regulatory Commission page, and clicked the link that looked exactly like what he was searching for. Unfortunately he didn't look at the hyperlink closely when he clicked it, and BAM! (Even Symantec Enterprise couldn't stop it.) I looked at several of the DLLs ComboFix has found already and every one of them is resistant to interrogation by security products.

Guess it's an example of no matter how safely you surf, you can still get nailed.
  • Don2007
  • Web Master
  • Posts: 4923
  • Loc: NY

Post 3+ Months Ago

How are you so sure that the cause was that link?
  • ATNO/TW
  • Super Moderator
  • Posts: 23460
  • Loc: Woodbridge VA

Post 3+ Months Ago

I had cleaned up his computer a week ago because it had some rogue antivirus.

He showed me the link he clicked. At that point the computer hadn't been rebooted. It was rebooted over the weekend, and that's when everything really became active, I guess (you'll see it in a lot of the startup entries).

In addition one entry in the log shows me that one of the nasties disabled antivirus monitoring on Symantec.

Quote:
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001


The other thing it did was infect ntvdm.exe which is a core system file that allows 16-bit applications to run on 32-bit machines.

Quote:
# Infected copy of c:\windows\system32\ntvdm.exe was found and disinfected
# Restored copy from - c:\windows\system32\dllcache\ntvdm.exe


For those familiar with this kind of stuff, the log is pretty interesting. You'll recognize all kinds of bad stuff on here.

Code:
ComboFix 09-09-28.01 - Administrator 09/29/2009 9:05.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2360 [GMT -4:00]
Running from: i:\userhomes\bowkerm\Utilities\Spyware\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\alot
c:\documents and settings\All Users\Microsoft Private Data
c:\documents and settings\All Users\Microsoft Private Data\Microsoft\t.id
c:\documents and settings\collins\Application Data\alot
c:\documents and settings\faulkp\Application Data\alot
c:\documents and settings\faulkp\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\faulkp\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\faulkp\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\faulkp\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\faulkp\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\faulkp\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\faulkp\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\faulkp\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\faulkp\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\faulkp\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\faulkp\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\faulkp\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\faulkp\Application Data\alot\configurator\configurator.xml
c:\documents and settings\faulkp\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\faulkp\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\faulkp\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\faulkp\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\faulkp\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\faulkp\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\faulkp\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\faulkp\Application Data\alot\products\products.xml
c:\documents and settings\faulkp\Application Data\alot\products\products.xml.backup
c:\documents and settings\faulkp\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_2\images\default_1002_alot_videos_videosearch.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_2\images\default_1002_alot_videos_videosearch.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_3\images\default_1042_alot_video_vault.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_3\images\default_1042_alot_video_vault.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_4\images\default_1605_ALOT_Email.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_4\images\default_1605_ALOT_Email.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_5\images\default_1667_www.youtube.com_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_5\images\default_1667_www.youtube.com_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\alert-icon.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_6\images\mcloud.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_7\images\default_1897_alot_scr_screensavers.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_7\images\default_1897_alot_scr_screensavers.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_8\images\default_1045_alot_rea_laughs.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_8\images\default_1045_alot_rea_laughs.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_9\images\default_1602_alot_mrkt_livinghealthy.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Button_9\images\default_1602_alot_mrkt_livinghealthy.png
c:\documents and settings\faulkp\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\faulkp\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\faulkp\Application Data\alot\SiteMetrics\SiteMetrics.xml
c:\documents and settings\faulkp\Application Data\alot\SiteMetrics\SiteMetrics.xml.backup
c:\documents and settings\faulkp\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\faulkp\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\faulkp\Application Data\alot\toolbar.xml
c:\documents and settings\faulkp\Application Data\alot\toolbar.xml.backup
c:\documents and settings\faulkp\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\faulkp\Application Data\alot\Updater\Updater.xml
c:\documents and settings\faulkp\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\millerm\Application Data\alot
c:\documents and settings\millerm\Local Settings\Temporary Internet Files\hardcopy.log
c:\documents and settings\millerm\Local Settings\Temporary Internet Files\plot.log
c:\documents and settings\millerm\Start Menu\Programs\Total Security
c:\documents and settings\millerm\Start Menu\Programs\Total Security\Total Security 2009.lnk
c:\documents and settings\noravitz\Application Data\alot
c:\windows\Installer\325a8.msi
c:\windows\Installer\472b3a1.msp
c:\windows\Installer\472b3a7.msp
c:\windows\system32\_003209_.tmp.dll
c:\windows\system32\_003210_.tmp.dll
c:\windows\system32\_003211_.tmp.dll
c:\windows\system32\_003212_.tmp.dll
c:\windows\system32\_003219_.tmp.dll
c:\windows\system32\_003220_.tmp.dll
c:\windows\system32\_003221_.tmp.dll
c:\windows\system32\_003223_.tmp.dll
c:\windows\system32\_003224_.tmp.dll
c:\windows\system32\_003227_.tmp.dll
c:\windows\system32\_003228_.tmp.dll
c:\windows\system32\_003231_.tmp.dll
c:\windows\system32\_003232_.tmp.dll
c:\windows\system32\_003234_.tmp.dll
c:\windows\system32\_003237_.tmp.dll
c:\windows\system32\_003238_.tmp.dll
c:\windows\system32\_003243_.tmp.dll
c:\windows\system32\_003245_.tmp.dll
c:\windows\system32\_003248_.tmp.dll
c:\windows\system32\_003250_.tmp.dll
c:\windows\system32\_003251_.tmp.dll
c:\windows\system32\_003252_.tmp.dll
c:\windows\system32\_003253_.tmp.dll
c:\windows\system32\_003256_.tmp.dll
c:\windows\system32\_003257_.tmp.dll
c:\windows\system32\_003258_.tmp.dll
c:\windows\system32\_003259_.tmp.dll
c:\windows\system32\_003260_.tmp.dll
c:\windows\system32\_003265_.tmp.dll
c:\windows\system32\_003267_.tmp.dll
c:\windows\system32\bikuhagu.dll
c:\windows\system32\diwunawo.dll
c:\windows\system32\dumenebi.dll
c:\windows\system32\fugudipi.dll
c:\windows\system32\gurutipa.exe
c:\windows\system32\jaduzumi.dll
c:\windows\system32\jisiponu.dll
c:\windows\system32\jugopive.dll
c:\windows\system32\lahesumo.dll
c:\windows\system32\lozetasa.exe
c:\windows\system32\mipasowu.dll
c:\windows\system32\nigobani.dll
c:\windows\system32\nubayiri.dll
c:\windows\system32\pavebade.exe
c:\windows\system32\sarefojo.exe
c:\windows\system32\sibidapi.dll
c:\windows\system32\tahemehu.dll
c:\windows\system32\tijojepe.exe
c:\windows\system32\tizabedi.dll
c:\windows\system32\visujowo.dll
c:\windows\system32\vizaleso.dll
c:\windows\system32\wazonaya.dll
c:\windows\system32\werohage.dll
c:\windows\system32\yavipomu.dll
c:\windows\system32\zurasujo.dll

Infected copy of c:\windows\system32\ntvdm.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntvdm.exe

.
(((((((((((((((((((((((((  Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-29 12:58 . 2009-09-29 13:00    --------    d-----w-    C:\Combo-Fix
2009-09-29 12:50 . 2009-09-29 12:50    --------    d-----w-    c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\Research In Motion
2009-09-29 12:49 . 2009-09-29 12:49    --------    d-sh--w-    c:\documents and settings\Administrator.ALARON-NUCLEAR\IETldCache
2009-09-21 13:03 . 2009-09-21 13:03    --------    d--h--w-    c:\windows\PIF
2009-09-21 12:34 . 2009-09-21 12:34    --------    d-----w-    c:\documents and settings\millerm\Application Data\Malwarebytes
2009-09-18 14:36 . 2009-09-21 11:49    --------    d-----w-    c:\documents and settings\All Users\Application Data\15920314
2009-09-16 11:53 . 2009-09-16 11:53    --------    d-----w-    c:\documents and settings\millerm\Application Data\Juniper Networks

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 13:28 . 2009-06-24 14:28    256    ----a-w-    c:\windows\system32\pool.bin
2009-09-29 13:14 . 2009-06-08 16:55    --------    d-----w-    c:\program files\Symantec AntiVirus
2009-09-29 12:37 . 2009-06-29 12:37    91136    ----a-w-    c:\windows\system32\pomijowu.dll.vir
2009-09-29 12:36 . 2009-06-29 12:36    87552    ----a-w-    c:\windows\system32\dataheme.dll.vir
2009-09-28 02:22 . 2009-06-28 02:22    87552    ----a-w-    c:\windows\system32\fowibiya.dll.vir
2009-09-27 14:22 . 2009-06-27 14:22    88064    --sha-w-    c:\windows\system32\hifibugo.dll
2009-09-27 02:22 . 2009-06-27 02:22    88064    --sha-w-    c:\windows\system32\fodadowa.dll
2009-09-26 14:22 . 2009-06-26 14:22    87552    --sha-w-    c:\windows\system32\zowiyari.dll
2009-09-26 02:22 . 2009-06-26 02:22    49664    --sha-w-    c:\windows\system32\bojapume.dll
2009-09-23 14:21 . 2009-06-23 14:21    88576    ----a-w-    c:\windows\system32\bunofalo.dll.vir
2009-09-23 02:20 . 2009-06-23 02:20    87552    --sha-w-    c:\windows\system32\reporelo.dll
2009-09-22 14:20 . 2009-06-22 14:20    88064    --sha-w-    c:\windows\system32\niwazuba.dll
2009-09-22 02:22 . 2009-06-22 02:22    88064    --sha-w-    c:\windows\system32\dusuvivu.dll
2009-09-21 14:20 . 2009-06-21 14:20    88576    --sha-w-    c:\windows\system32\sesotoja.dll
2009-09-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\peluloge.dll
2009-09-21 14:13 . 2009-06-21 14:13    88576    --sha-w-    c:\windows\system32\gijiyeli.dll
2009-09-21 13:48 . 2009-08-24 13:05    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2009-08-24 16:49 . 2009-08-24 16:49    --------    d-----w-    c:\program files\CPUID
2009-08-24 16:47 . 2009-08-24 16:47    --------    d-----w-    c:\documents and settings\collins\Application Data\Xerox
2009-08-24 13:22 . 2009-08-24 13:05    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:06 . 2009-08-24 13:06    --------    d-----w-    c:\documents and settings\collins\Application Data\Malwarebytes
2009-08-24 12:57 . 2009-08-24 12:57    --------    d-----w-    c:\documents and settings\collins\Application Data\Research In Motion
2009-08-24 12:57 . 2008-06-12 20:05    115128    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 12:56 . 2008-11-11 18:59    --------    d-----w-    c:\documents and settings\All Users\Application Data\NOS
2009-08-24 12:51 . 2008-06-23 17:07    --------    d-----w-    c:\program files\Microsoft Silverlight
2009-08-24 12:43 . 2008-06-12 19:55    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-12 13:14 . 2008-10-20 17:46    115128    ----a-w-    c:\documents and settings\millerm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 12:58 . 2009-06-24 14:08    --------    d-----w-    c:\program files\Common Files\Roxio Shared
2009-08-12 12:57 . 2009-08-12 12:56    --------    d-----w-    c:\program files\Roxio
2009-08-12 12:56 . 2009-06-24 14:08    --------    d-----w-    c:\documents and settings\All Users\Application Data\Roxio
2009-08-12 12:56 . 2009-08-12 12:56    --------    d-----w-    c:\program files\Common Files\Sonic Shared
2009-08-12 12:51 . 2009-08-12 12:51    --------    d-----w-    c:\documents and settings\All Users\Application Data\Research In Motion
2009-08-12 12:51 . 2009-06-24 14:03    --------    d-----w-    c:\program files\Research In Motion
2009-08-12 12:49 . 2009-06-24 14:03    --------    d-----w-    c:\program files\Common Files\Research In Motion
2009-08-06 05:28 . 2008-06-12 20:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-05 09:01 . 2004-08-11 21:00    204800    ----a-w-    c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-11 21:00    119808    ----a-w-    c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-11 21:00    81920    ----a-w-    c:\windows\system32\fontsub.dll
2009-07-17 19:01 . 2004-08-11 21:00    58880    ----a-w-    c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-11 21:00    286208    ----a-w-    c:\windows\system32\wmpdxm.dll
2009-07-10 13:13 . 2009-07-10 13:13    94208    ----a-w-    c:\windows\system32\msstkprp.dll
2009-07-10 13:13 . 2009-07-10 13:13    43160    ----a-w-    c:\windows\system32\AcSignIcon.dll
2009-07-10 13:13 . 2009-07-10 13:13    429720    ----a-w-    c:\windows\system32\AcSignOpt.exe
2009-07-10 13:13 . 2009-07-10 13:13    29848    ----a-w-    c:\windows\system32\AcSignExt.dll
2009-07-10 13:13 . 2009-07-10 13:13    14488    ----a-w-    c:\windows\system32\AcSignExtRes.dll
2009-07-03 17:09 . 2004-08-11 21:00    915456    ----a-w-    c:\windows\system32\wininet.dll
2009-06-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\kofirawa.dll.tmp
2009-06-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\koyagahu.dll.tmp
2009-06-26 02:23 . 2009-06-26 02:23    49664    --sha-w-    c:\windows\system32\likepuzu.dll.tmp
2009-06-26 14:22 . 2009-06-26 14:22    521216    --sha-w-    c:\windows\system32\lizimobu.exe
2009-06-26 02:23 . 2009-06-26 02:23    49664    --sha-w-    c:\windows\system32\tiyeyoma.dll.tmp
2009-06-26 02:23 . 2009-06-26 02:23    49664    --sha-w-    c:\windows\system32\velajoya.dll.tmp
2009-06-21 14:13 . 2009-06-21 14:13    49152    --sha-w-    c:\windows\system32\wiseyiwi.dll.tmp
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 137752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-26 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-12 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-24 185896]
"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 738968]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]

c:\documents and settings\millerm\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-7-1 1717592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 2:30 PM 79168]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [6/23/2008 12:25 PM 6016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/15/2009 8:10 AM 102448]
S0 tvay;tvay;c:\windows\system32\drivers\hxjrgpgw.sys --> c:\windows\system32\drivers\hxjrgpgw.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ      hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080612
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
TCP: {950A1CFE-8577-4FDF-92C3-7CA4FE2D19B2} = 77.74.48.113
TCP: {DE1DCEA5-F2D3-48E5-AA35-E29468364622} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\Administrator.ALARON-NUCLEAR\Application Data\Mozilla\Firefox\Profiles\wl6kdhla.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-negunasok - c:\windows\system32\dataheme.dll
SharedTaskScheduler-{3284e2fa-ff22-4498-9fc7-2b6d416b115c} - c:\windows\system32\dataheme.dll
SSODL-lakehiviw-{3284e2fa-ff22-4498-9fc7-2b6d416b115c} - c:\windows\system32\dataheme.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 09:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3548)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Spybot - Search & Destroy\SDHelper.dll
c:\windows\system32\hccutils.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-09-29 9:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-29 13:43

Pre-Run: 130,088,759,296 bytes free
Post-Run: 131,111,776,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

386    --- E O F ---    2009-06-29 15:02
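A defender-side check for the Security Center tampering the log above records, as an added example (my code, not ComboFix's or the poster's): it parses the REGEDIT4-style "Reg Loading Points" section and flags any DisableMonitoring or *DisableNotify switch set to 1. The sample registry text is constructed from the entries quoted in the post, with one clean entry added to show what is not flagged.

```python
"""Flag Security Center tampering in a ComboFix-style registry section.

Added example for this thread, not ComboFix's or the poster's code. Only the
REGEDIT4 layout that ComboFix prints ([key] lines followed by "name"=data
lines) is assumed; the sample below is constructed from the entries quoted
in the post, plus one clean entry to show what is *not* flagged.
"""
import re

# Constructed sample in the shape of the "Reg Loading Points" section above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ExampleAV]
"DisableMonitoring"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')

# Security Center values that silence a defence when set to 1. The first two
# appear in the post; the other two are the sibling notification switches that
# XP SP2's Security Center keeps under the same key.
WATCHED = {
    "disablemonitoring": "Security Center stops monitoring this product",
    "updatesdisablenotify": "Automatic Updates warnings suppressed",
    "antivirusdisablenotify": "antivirus warnings suppressed",
    "firewalldisablenotify": "firewall warnings suppressed",
}


def parse_reg_dump(text):
    """Parse [key] / "name"=data blocks into {key: {name: raw data string}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            entries.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            entries[current][value_match.group("name")] = value_match.group("data").strip()
    return entries


def reg_int(data):
    """Read 'dword:00000001' or ComboFix's '1 (0x1)' form as an int (None if neither)."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)
    match = re.match(r"^(\d+)", data)
    return int(match.group(1)) if match else None


def find_security_center_tampering(text):
    """Return (key, value name, reason) for every watched switch that is set to 1."""
    findings = []
    for key, values in parse_reg_dump(text).items():
        if "\\security center" not in key.lower():
            continue
        for name, data in values.items():
            reason = WATCHED.get(name.lower())
            if reason and reg_int(data) == 1:
                findings.append((key, name, reason))
    return findings


if __name__ == "__main__":
    for key, name, reason in find_security_center_tampering(SAMPLE_LOG):
        print(f"{key}\n    {name} = 1  -> {reason}")
```

Run against a real ComboFix log the same function reports the two entries shown in the post and nothing for products whose monitoring flag is 0.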
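Reading the log above by eye is what the thread does. As an added example (not part of the thread, of ComboFix, or of any vendor tool), the script below applies a few of the patterns that stand out in that log to a constructed sample made of lines copied from it, plus one private-address DNS line added to show the negative case. The rules, the scoring and the severity labels are this example's own assumptions: a hit is something to verify on the machine (file signature, timestamps, who configured the DNS server), not a verdict.

```python
"""Heuristic triage of ComboFix-style log lines (added example).

Not part of the thread, of ComboFix or of any vendor tool. It scores a few
patterns visible in the log posted above; the patterns, the scoring and the
severity labels are this example's own assumptions, so every hit is a lead
to verify against the machine, never a verdict on its own.
"""
import ipaddress
import re

# Constructed sample: lines copied from the posted log, plus one private-DNS
# line (192.168.1.1) added so the negative case is exercised too.
SAMPLE_LOG = r"""
2009-09-27 14:22 . 2009-06-27 14:22    88064    --sha-w-    c:\windows\system32\hifibugo.dll
2009-08-05 09:01 . 2004-08-11 21:00    204800    ----a-w-    c:\windows\system32\mswebdvd.dll
2009-06-26 14:22 . 2009-06-26 14:22    521216    --sha-w-    c:\windows\system32\lizimobu.exe
2009-09-29 12:37 . 2009-06-29 12:37    91136    ----a-w-    c:\windows\system32\pomijowu.dll.vir
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
S0 tvay;tvay;c:\windows\system32\drivers\hxjrgpgw.sys --> c:\windows\system32\drivers\hxjrgpgw.sys [?]
TCP: {950A1CFE-8577-4FDF-92C3-7CA4FE2D19B2} = 77.74.48.113
TCP: {DE1DCEA5-F2D3-48E5-AA35-E29468364622} = 192.168.1.1
HKLM-Run-negunasok - c:\windows\system32\dataheme.dll
"""

# Find3M / "Files Created" entries: two timestamps, size, eight attribute
# flags (--sha-w- = system + hidden + archive), then the path.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)
# Service/driver entries: start type (S0 = boot start), name;display;path [...]
SERVICE_LINE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);[^;]*;(?P<rest>.+)$")
# Per-interface DNS server entries.
DNS_LINE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (?P<server>\S+)$")
# Autostart entries ComboFix reported as orphans (key present, target gone).
ORPHAN_LINE = re.compile(
    r"^(?P<kind>HKLM-Run|HKCU-Run|SharedTaskScheduler|SSODL)-\S+ - (?P<target>.+)$"
)
# Eight lowercase letters plus dll/exe/sys, optionally renamed .tmp/.vir.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe|sys)(?:\.(?:tmp|vir))?$")


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of findings (dicts) for the lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            path, attrs = m.group("path"), m.group("attrs")
            if "\\windows\\system32\\" not in path.lower():
                continue
            reasons = []
            if RANDOM_NAME.match(basename(path)):
                reasons.append("random-looking eight-letter name")
            if "s" in attrs and "h" in attrs:
                reasons.append("system+hidden attributes")
            if reasons:
                findings.append({"severity": "high" if len(reasons) > 1 else "low",
                                 "rule": "suspicious-system32-file",
                                 "subject": path, "why": "; ".join(reasons)})
            continue
        m = SERVICE_LINE.match(line)
        if m:
            if m.group("rest").endswith("[?]"):   # ComboFix marks a missing binary with [?]
                findings.append({"severity": "high", "rule": "service-binary-missing",
                                 "subject": m.group("name"), "why": m.group("rest")})
            continue
        m = DNS_LINE.match(line)
        if m:
            try:
                addr = ipaddress.ip_address(m.group("server"))
            except ValueError:
                continue
            if not addr.is_private:
                findings.append({"severity": "medium", "rule": "public-dns-server-on-interface",
                                 "subject": str(addr), "why": "not an RFC1918 address"})
            continue
        m = ORPHAN_LINE.match(line)
        if m:
            findings.append({"severity": "medium", "rule": "orphaned-autostart",
                             "subject": m.group("target"), "why": m.group("kind")})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['rule']:32} {f['subject']}  ({f['why']})")
```

On the sample this flags hifibugo.dll and lizimobu.exe as high (eight-letter name and system+hidden attributes together), the tvay boot-start driver whose hxjrgpgw.sys is missing on disk, the 77.74.48.113 DNS entry, and the orphaned Run key pointing at dataheme.dll. mswebdvd.dll scores only low: it also has an eight-letter name, which is why the name rule on its own is never a verdict (the log shows it with the same 2004-08-11 21:00 creation stamp as the other Windows system files around it). The DNS hit likewise just says "not a private address": compare it with what the network's DHCP actually hands out before drawing a conclusion.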
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4923
  • Loc: NY

Post 3+ Months Ago

I'll have to try ComboFix sometime. Thanks for the info.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23460
  • Loc: Woodbridge VA

Post 3+ Months Ago

One key thing I like about it is the added benefit of searching for rootkits. I've found and removed 4 already since discovering ComboFix, and to date I haven't found any other software that does, except for Microsoft's Malicious Software Removal Tool.

Plus when it runs, it installs recovery console if you don't already have it installed and makes it available at boot. No more need for the OS CD to get to recovery console.
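The thread's diagnosis is malware that rewrites the MBR, repaired with fixmbr from the Recovery Console. As an added example that is not from the thread or from any Microsoft tool, the script below shows the check a practitioner would keep on that same toolkit: hash the 440-byte boot code of sector 0, compare it with a baseline recorded while the machine was known good, and parse the partition table so that "boot code changed, table untouched" stands out. The sector, the boot-code bytes and the partition values are constructed for the demo; the sha256 baseline and the function names are this example's own choices.

```python
"""Compare a disk's first sector (the MBR) against a known-good baseline.

Added example, not code from the thread, from ComboFix or from Microsoft.
Layout used is the classic MBR: 440 bytes of boot code, a 4-byte disk
signature, 2 reserved bytes, four 16-byte partition entries at offset 446
and the 0x55AA marker at offset 510. fixmbr rewrites only the boot code and
leaves the partition table alone, so "code hash changed, table unchanged"
is the shape of the damage the thread is about. Sector contents, boot-code
bytes and partition values below are constructed for the demo.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
SIGNATURE_OFF = 510
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sector(boot_code, partitions):
    """Assemble a constructed MBR from boot code and (bootable, type, lba, count) tuples."""
    sec = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sec[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY, sec, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    struct.pack_into("<H", sec, SIGNATURE_OFF, 0xAA55)   # stored as bytes 55 AA
    return bytes(sec)


def read_first_sector(device_path):
    """Read sector 0 from a raw device or image (\\\\.\\PhysicalDrive0, /dev/sda, a .img file)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_partitions(sector):
    """Return the non-empty partition entries as dicts, 1-based like boot.ini's partition(n)."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i + 1, "bootable": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return parts


def check_mbr(sector, baseline_sha256):
    """Report ok flag, list of problems, boot-code hash and parsed partitions."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    problems = []
    if struct.unpack_from("<H", sector, SIGNATURE_OFF)[0] != 0xAA55:
        problems.append("missing 0x55AA signature")
    code_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if code_hash != baseline_sha256:
        problems.append("boot code differs from baseline")
    parts = parse_partitions(sector)
    if sum(1 for p in parts if p["bootable"]) != 1:
        problems.append("expected exactly one active partition")
    return {"ok": not problems, "problems": problems,
            "boot_code_sha256": code_hash, "partitions": parts}


def demo():
    """Known-good sector vs. one whose boot code was patched; the table is identical in both."""
    good_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100   # constructed stand-in, not real boot code
    table = [(False, 0xDE, 63, 80262),          # constructed: small utility partition first...
             (True, 0x07, 80325, 488_000_000)]  # ...then the bootable NTFS partition(2)
    good = build_sector(good_code, table)
    baseline = hashlib.sha256(good[:BOOT_CODE_LEN]).hexdigest()   # record this while the box is clean
    patched = build_sector(b"\xeb\xfe" + good_code[2:], table)    # first two bytes replaced, table untouched
    return check_mbr(good, baseline), check_mbr(patched, baseline)


if __name__ == "__main__":
    for report in demo():
        print("OK" if report["ok"] else "CHANGED", report["problems"],
              [p["index"] for p in report["partitions"]])
```

Take both the baseline and the later comparison from a boot medium other than the installed OS (a WinPE or Linux CD, with read_first_sector pointed at \\.\PhysicalDrive0 or /dev/sda): a kernel-mode rootkit can filter reads of sector 0 and hand back the clean copy, so a check run from inside the infected Windows can pass while the on-disk MBR does not. Re-record the baseline after any legitimate change to the boot code (an OEM restore, a second OS's boot manager, or a fresh fixmbr).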
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4923
  • Loc: NY

Post 3+ Months Ago

Do you have ComboFix burned to a CD?
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23460
  • Loc: Woodbridge VA

Post 3+ Months Ago

Both that and a network drive. Actually, I have a whole set of current malware removal proggies burned to CD and on the mapped drive. I also have FF and Chrome in case I need to install an alternative browser.
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4923
  • Loc: NY

Post 3+ Months Ago

Then what do you do for updates when anti-malware programs need an update? For example, the anti-malware from Malwarebytes needs to be updated before each use. Having it on a CD when you're trying to clean a machine that can't connect to the net makes it worthless.

Doesn't ComboFix need updates?
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23460
  • Loc: Woodbridge VA

Post 3+ Months Ago

Yes, ComboFix needs updates. When a new version of the software is available, I update the version in the network folder, then burn a new CD and toss the old one.

Most of these programs will install just fine in safe mode. I do a lot of work on problem computers like that, in safe mode with networking support. It allows the updates, but in safe mode, as you know, most of the malware usually isn't active. *Note* the word USUALLY.

It's fairly effective. Alternatively you can put them on a flash drive vs a CD if you don't like wasting CD's.

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.