
Thread: Internet Redirect - iexplorer - shutting down select programs - help?

  1. #11
    Member
    Join Date
    Apr 2009
    Posts
    57

    Much better!!

    ComboFix 09-04-23.02 - David Wilson 04/22/2009 18:53.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1107 [GMT -4:00]
    Running from: c:\documents and settings\David Wilson\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\dds.pif
    c:\windows\IE4 Error Log.txt
    c:\windows\jestertb.dll
    c:\windows\system32\bnrfil.dll
    c:\windows\system32\bsnlst.dll
    c:\windows\system32\igefil.dll
    c:\windows\system32\lastupdate.dll
    c:\windows\system32\macfil.dll
    c:\windows\system32\nfil.dll
    c:\windows\system32\picsfil.dll
    c:\windows\system32\snetfil.dll
    c:\windows\system32\srchfrgn.dll
    c:\windows\system32\srchout.dll
    c:\windows\vaseo.lex
    c:\windows\winhelp.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_IPRIP
    -------\Service_Iprip


    ((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
    .

    2009-04-22 01:22 . 2009-04-22 01:22 2709 ----a-w c:\windows\system32\co32andlo.dat
    2009-04-20 23:43 . 2009-04-20 23:43 -------- d-----w C:\rsit
    2009-04-20 22:47 . 2009-04-20 22:47 2709 ----a-w c:\windows\system32\gapiyshe.dat
    2009-04-20 01:14 . 2009-04-20 01:14 2709 ----a-w c:\windows\system32\cocoerrfo.dat
    2009-04-19 22:34 . 2009-04-19 22:29 360021 ----a-w C:\something.scr
    2009-04-19 22:13 . 2009-04-19 22:13 2709 ----a-w c:\windows\system32\orptofo.dat
    2009-04-18 14:09 . 2009-04-18 14:09 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-04-18 04:21 . 2009-04-18 04:21 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-04-18 01:04 . 2009-04-18 01:04 -------- d-----w c:\documents and settings\David Wilson\Application Data\Malwarebytes
    2009-04-18 01:04 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-04-18 01:04 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-18 01:04 . 2009-04-18 01:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-04-17 23:53 . 2009-04-17 23:53 66 ----a-w c:\windows\wininit.ini
    2009-04-17 12:22 . 2009-04-17 12:22 -------- d-----w C:\!KillBox
    2009-04-17 01:53 . 2009-04-17 01:53 184304 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-17 01:42 . 2009-04-17 01:42 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Seven Zip
    2009-04-17 01:28 . 2009-04-17 01:28 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
    2009-04-17 01:28 . 2009-04-17 01:28 -------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
    2009-04-17 01:19 . 2009-04-17 01:19 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\Seven Zip
    2009-04-17 01:18 . 2009-04-17 01:18 -------- d-----w c:\documents and settings\Guest\Application Data\Apple Computer
    2009-04-17 01:18 . 2009-04-17 01:18 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
    2009-04-17 01:00 . 2009-04-17 01:00 -------- d-----w c:\documents and settings\All Users\Application Data\{A21E413E-98CC-4ABB-9843-E6AA4F456F61}
    2009-04-17 00:59 . 2009-04-17 00:59 -------- d-----w c:\documents and settings\David Wilson\Local Settings\Application Data\Seven Zip
    2009-04-14 18:33 . 2009-04-15 01:39 2709 ----a-w c:\windows\system32\dllto32to.dat
    2009-04-14 13:44 . 2009-04-14 13:44 -------- d-----w C:\fixwareout
    2009-04-14 01:57 . 2009-04-14 01:57 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\NovaStor
    2009-04-14 01:09 . 2009-04-14 01:09 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-22 22:58 . 2008-10-11 18:01 1024 ---h--w C:\diskfile1
    2009-04-22 22:58 . 2008-10-11 17:52 16896 ---h--w C:\logicinf.bin
    2009-04-18 21:54 . 2003-10-25 14:41 40654 ----a-w C:\winzip.log
    2009-04-18 18:49 . 2009-04-18 18:49 -------- d-----w c:\program files\ERUNT
    2009-04-18 18:32 . 2009-04-18 18:11 722 ----a-w C:\aaw7boot.log
    2009-04-18 04:21 . 2009-04-18 04:21 -------- d-----w c:\program files\Spybot - Search & Destroy
    2009-04-18 01:04 . 2009-04-18 01:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-04-14 13:40 . 2009-04-14 13:40 -------- d-----w c:\program files\Trend Micro
    2009-04-14 01:09 . 2009-04-14 01:09 -------- d-----w c:\program files\AVG
    2009-03-07 13:20 . 2009-03-07 13:20 -------- d-----w c:\program files\RayDream
    2009-02-09 11:13 . 2008-10-14 21:51 1846784 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
    2009-02-09 11:13 . 2001-08-23 16:00 1846784 ------w c:\windows\SYSTEM32\win32k.sys
    2008-12-16 23:23 . 2008-12-16 23:23 726008 ----a-w c:\documents and settings\David Wilson\gotomypc_438.exe
    2008-11-06 16:33 . 2008-03-15 15:11 726008 ----a-w c:\documents and settings\David Wilson\gotomypc_437.exe
    2008-10-11 15:27 . 2004-10-06 03:17 184304 ----a-w c:\documents and settings\David Wilson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2008-03-11 03:02 . 2008-03-11 03:02 311752 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2005-01-15 03:17 . 2005-01-15 03:17 135 ----a-w c:\documents and settings\David Wilson\Local Settings\Application Data\fusioncache.dat
    2001-11-06 04:23 . 2000-05-13 03:43 266 --sh--w c:\program files\desktop.ini
    2001-11-06 04:23 . 2000-05-13 03:43 11079 ---h--w c:\program files\folder.htt
    2001-01-19 16:04 . 2005-02-06 20:12 21841 ----a-w c:\program files\Common Files\tppupd2k.dll
    2001-01-19 15:04 . 2002-02-24 01:38 21329 ------w c:\program files\Common Files\tppupd98.dll
    2007-10-09 05:2005-04-28 02:53 33:30 . c:\program files\mozilla firefox\components\jar50.dll
    2007-10-09 05:2005-04-28 02:53 33:30 . c:\program files\mozilla firefox\components\jsd3250.dll
    2007-10-09 05:2007-10-20 14:31 33:32 . c:\program files\mozilla firefox\components\myspell.dll
    2007-10-09 05:2007-10-20 14:31 33:32 . c:\program files\mozilla firefox\components\spellchk.dll
    2007-10-09 05:2005-04-28 02:53 33:32 . c:\program files\mozilla firefox\components\xpinstal.dll
    2008-10-04 19:44 . 2008-10-04 19:44 32768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100420081005\index.dat
    2001-11-13 14:18 . 2001-11-13 14:18 8 --sh--w c:\windows\All Users\DRM\pdrm.dat
    2008-05-19 02:07 . 2008-05-19 02:07 0 --sha-w c:\windows\All Users\DRM\Cache\Indiv02.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2004-04-13 290905]
    "C2K"="c:\windows\CYB2K.EXE" [2007-07-24 3163648]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-14 7700480]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-14 86016]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
    "nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2007-02-14 1622016]

    c:\documents and settings\David Wilson\Start Menu\Programs\Startup\
    TrayDay.lnk - c:\program files\TrayDay\TrayDay.exe [2003-12-6 204800]
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk - e:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2002-9-25 156160]
    2Wire Wireless Client.lnk - c:\program files\2Wire 802.11g Wireless\PRISMCFG.exe [2007-8-18 335979]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "e:\program files\EUDORA\EUSHLEXT.DLL" [2005-11-14 86016]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL 10.lnk]
    backup=c:\windows\pss\CorelCENTRAL 10.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FastCheck Monitoring Utility.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\FastCheck Monitoring Utility.lnk
    backup=c:\windows\pss\FastCheck Monitoring Utility.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
    backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^David Wilson^Start Menu^Programs^Startup^Dialog Box Assistant.lnk]
    path=c:\documents and settings\David Wilson\Start Menu\Programs\Startup\Dialog Box Assistant.lnk
    backup=c:\windows\pss\Dialog Box Assistant.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^David Wilson^Start Menu^Programs^Startup^Webshots.lnk]
    backup=c:\windows\pss\Webshots.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "EnsoniqMixer"=starter.exe
    "AtiPTA"=Atiptaxx.exe
    "AtiCwd32"=Aticwd32.exe
    "AtiQiPcl"=AtiQiPcl.exe
    "POINTER"=point32.exe
    "LoadQM"=loadqm.exe
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "QuickTime Task"=e:\program files\QuickTime\qttask.exe
    "MMTray"=d:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\Cyb2k.exe"=
    "e:\\Program Files\\GetRight\\getright.exe"=
    "e:\\Age of Empires II\\Age2_X1\\AGE2_X1.ICD"=
    "e:\\Program Files\\Macromedia\\Dreamweaver 4\\Dreamweaver.exe"=
    "c:\\Program Files\\Common Files\\Doppler 10 Pinpoint Alert\\TrueWeather.exe"=
    "c:\\WINDOWS\\System32\\mmc.exe"=
    "e:\\Program Files\\ICQ\\Icq.exe"=
    "e:\\Program Files\\Sierra\\Empire Earth\\Empire Earth.exe"=
    "c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
    "f:\\Program Files\\Opera\\Opera.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
    "c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRegistrationService.exe"=
    "c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVLibraryService.exe"=
    "c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNetworkService.exe"=
    "c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRecordingEngine.exe"=
    "c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVGuideDataLoader.exe"=
    "c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVSettingsService.exe"=
    "c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVTaskManagerService.exe"=
    "c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVD3DShell.exe"=
    "c:\\Program Files\\SnapStream Media\\Beyond TV\\SetupWizard.exe"=
    "c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVWebServiceProxy.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R1 efbDisk;efbDisk; [x]
    R2 Backup Scheduler;Backup Scheduler;c:\program files\NovaStor\NovaStor NovaBACKUP\DR\CBP\DCSchdlerSRVC.exe [2008-06-17 98304]
    R3 ati2mpaa;ati2mpaa;c:\windows\system32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
    R3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);c:\windows\system32\DRIVERS\atirtcap.sys [2001-08-17 49920]
    R3 DDCCI;DDC/CI monitor;c:\windows\system32\DRIVERS\Moni2c.sys [2003-03-30 6494]
    R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
    R3 zremote;zremote;c:\windows\system32\drivers\zremote.sys [2004-03-01 10368]
    S0 amdagp10;AMD IG AGP Bus Filter;c:\windows\System32\DRIVERS\amdagp10.sys [2000-06-27 22994]
    S0 dcsnap;dcsnap; [x]
    S0 fasttrak;fasttrak;c:\windows\system32\DRIVERS\fasttrak.sys [2002-05-23 70656]
    S1 DCDisk;DCDisk; [x]
    S1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-12-17 5632]
    S2 NsService;NovaStor NovaBACKUP Backup/Copy Engine;c:\program files\NovaStor\NovaStor NovaBACKUP\NsService.exe [2008-06-17 207936]
    S2 Real time Backup Loader;Real time Backup Loader;c:\program files\NovaStor\NovaStor NovaBACKUP\DR\Fsloader.exe [2008-06-17 93248]
    S3 4mmdat;4mmdat;c:\windows\system32\DRIVERS\4mmdat.sys [2008-04-13 12288]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
    \Shell\AutoRun\command - H:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2de2786-6cdd-11db-97eb-00045a68bf2f}]
    \Shell\AutoRun\command - H:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-22 c:\windows\Tasks\Uninstall Expiration Reminder.job
    - c:\windows\System32\OOBE\oobebaln.exe [2003-01-09 00:12]

    2009-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]
    .
    - - - - ORPHANS REMOVED - - - -

    ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)
    HKCU-Run-LDM - \Program\BackWeb-8876480.exe
    HKCU-Run-WPCycle.exe - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com/index.html
    mStart Page = hxxp://my.yahoo.com/index.html
    IE: Download with GetRight - e:\program files\GetRight\GRdownload.htm
    IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
    IE: Open with GetRight Browser - e:\program files\GetRight\GRbrowse.htm
    LSP: c:\windows\system32\lspcs.dll
    Trusted Zone: aol.com\free
    DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
    DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} - hxxp://www.live365.com/players/p365vip.cab
    DPF: {5197842F-0557-48AE-9552-7594F7C98F04} - hxxp://www.cybersitter.com/recovery/ocx/PasswordReset.ocx
    FF - ProfilePath -
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-22 18:59
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\$$$\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E8066BAB-BCF1-46CA-D8AA-605D8DE00F6D}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{210BD7C7-47ED-BBE9-95D0F9FAA3BD0E97}\{C5D4C247-F1D1-D183-A63FC2DFAAC29AA3}\{B55B3474-A2E6-F6F7-4AD088E6434601A2}*]
    "KGHQ1WVPMWYCTK5FHYUB2KQRGA1"=hex:01,00,01,00,00,00,00,00,61,e9,6d,81,db,39,d8,
    7a,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
    "KGHQ1WVPMWYCTK5FHYUB2KQRGA1"=hex:01,00,01,00,00,00,00,00,61,e9,6d,81,db,39,d8,
    7a,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A73A7B6D-D5C7-2D01-6A3ED58A203D5FEA}\{958FE6C0-B367-4AD6-C310294BFC5DB709}\{E2E9EAF6-387C-4947-07B2C800F4ACC9F3}*]
    "KGHQ1WVPMWYCTK5FHYUB2KQRGA1"=hex:01,00,01,00,00,00,00,00,61,e9,6d,81,db,39,d8,
    7a,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BF11F383-757D-CF48-6D213AC2BB6130AD}\{12507465-D6D8-AFB1-97ED5D21195D77D5}\{90E47118-DD98-E716-1AABCD138C042D55}*]
    "KGHQ1WVPMWYCTK5FHYUB2KQRGA1"=hex:01,00,01,00,00,00,00,00,61,e9,6d,81,db,39,d8,
    7a,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F2F43379-985D-E7AE-2F5BD6B18999A07F}\{64C9A7C2-676E-3AEC-13AF6B278F65FD89}\{7B815B3C-162E-096A-EBEBEFD33B1AE416}*]
    "KGHQ1WVPMWYCTK5FHYUB2KQRGA1"=hex:01,00,01,00,00,00,00,00,61,e9,6d,81,db,39,d8,
    7a,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(628)
    c:\windows\system32\lspcs.dll

    - - - - - - - > 'explorer.exe'(1240)
    c:\windows\system32\nview.dll
    c:\windows\system32\nvwddi.dll
    c:\program files\Windows Media Player\wmpband.dll
    c:\windows\system32\lspcs.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\savedump.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\NovaStor\NovaStor NovaBACKUP\DR\CBP\DCSchdler.exe
    c:\program files\Promise\FastTrak\FtrakSvc.exe
    c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
    c:\progra~1\Iomega\System32\AppServices.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\System32\tcpsvcs.exe
    c:\windows\System32\snmp.exe
    c:\program files\Iomega\AutoDisk\ADService.exe
    c:\program files\Internet Explorer\IEXPLORE.EXE
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Internet Explorer\IEXPLORE.EXE
    .
    **************************************************************************
    .
    Completion time: 2009-04-22 19:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-22 23:01

    Pre-Run: 31,939,166,208 bytes free
    Post-Run: 32,058,310,656 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    298 --- E O F --- 2009-03-15 07:03

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:13:06 PM, on 4/22/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\NovaStor\NovaStor NovaBACKUP\DR\CBP\DCSchdler.exe
    C:\Program Files\Promise\FastTrak\FtrakSvc.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\NovaStor\NovaStor NovaBACKUP\NsService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\NovaStor\NovaStor NovaBACKUP\DR\Fsloader.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\cyb2k.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
    C:\Program Files\TrayDay\TrayDay.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [C2K] C:\WINDOWS\cyb2k.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Startup: TrayDay.lnk = C:\Program Files\TrayDay\TrayDay.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
    O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
    O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt0_x.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://gulllake.gospelcom.net/unsecu...iews/ipixx.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.co...veX/winrep.cab
    O16 - DPF: {5197842F-0557-48AE-9552-7594F7C98F04} (PWReset Control) - http://www.cybersitter.com/recovery/...swordReset.ocx
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
    O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} (MsneDiag Class) - http://entimg.msn.com/client/msnediag3518.cab
    O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/Veriz...oadControl.cab
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfvi...iewerSetup.cab
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.co...X/FileXfer.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax3518.cab
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Backup Scheduler - Unknown owner - C:\Program Files\NovaStor\NovaStor NovaBACKUP\DR\CBP\DCSchdlerSRVC.exe
    O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NovaStor NovaBACKUP Backup/Copy Engine (NsService) - NovaStor - C:\Program Files\NovaStor\NovaStor NovaBACKUP\NsService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Real time Backup Loader - Unknown owner - C:\Program Files\NovaStor\NovaStor NovaBACKUP\DR\Fsloader.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

    --
    End of file - 10980 bytes

  2. #12
    Member
    Join Date
    Apr 2009
    Posts
    57

    However...

    ... I'm still getting multiple instances of iExplorer.exe in my task manager.

  3. #13
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,


    Generate an Uninstall List

    * Open HijackThis
    * Click on Open Misc Tools Section
    * Click on Open Uninstall Manager
    * Click on Save list
    * Save it to your Desktop
    * Post it on your next reply.


    Upload following files to

    Start hjt, do a system scan, check (if found):
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Close browsers and fix checked.


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://forums.spybot.info/showthread.php?t=47863&page=2
    
    Collect::
    c:\windows\system32\co32andlo.dat
    c:\windows\system32\gapiyshe.dat
    c:\windows\system32\cocoerrfo.dat
    c:\windows\system32\orptofo.dat
    c:\windows\system32\dllto32to.dat
    
    Driver::
    efbDisk
    dcsnap
    DCDisk
    
    File::
    C:\diskfile1
    C:\logicinf.bin
    
    RegLock::
    [HKEY_USERS\$$$\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E8066BAB-BCF1-46CA-D8AA-605D8DE00F6D}*]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{210BD7C7-47ED-BBE9-95D0F9FAA3BD0E97}\{C5D4C247-F1D1-D183-A63FC2DFAAC29AA3}\{B55B3474-A2E6-F6F7-4AD088E6434601A2}*]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A73A7B6D-D5C7-2D01-6A3ED58A203D5FEA}\{958FE6C0-B367-4AD6-C310294BFC5DB709}\{E2E9EAF6-387C-4947-07B2C800F4ACC9F3}*]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BF11F383-757D-CF48-6D213AC2BB6130AD}\{12507465-D6D8-AFB1-97ED5D21195D77D5}\{90E47118-DD98-E716-1AABCD138C042D55}*]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F2F43379-985D-E7AE-2F5BD6B18999A07F}\{64C9A7C2-676E-3AEC-13AF6B278F65FD89}\{7B815B3C-162E-096A-EBEBEFD33B1AE416}*]

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe. You will be asked to submit some samples. Please follow the given instructions.
    Then post the resultant log.


    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
    • Click the Download button to the right.
    • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.



    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


    Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  4. #14
    Member
    Join Date
    Apr 2009
    Posts
    57

    Default

    Followed instructions as posted. Combo fix ran a scan (including deleting a few files) and rebooted the computer. The result was a STOP error. I tried rebooting three times including turning the machine off and on. I also attempted to boot into safe mode. Each time gave the following:


    A problem has been detected and windows has been shut down to prevent damage to your computer.

    If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

    Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

    Technical information:

    *** STOP: 0x0000007B (0xF789E528,0xc0000034,0x00000000,0x00000000)

  5. #15
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    We need to enter the recovery console. Select the Microsoft Windows Recovery Console option in the boot menu.

    After logging onto the Recovery Console, type each of the lines (press enter after each):

    CD ERDNT
    BATCH CFRECOVERY.BAT
    BATCH CF_UNDO.BAT


    After that type EXIT to exit Recovery Console. See if you can reboot now.

  6. #16
    Member
    Join Date
    Apr 2009
    Posts
    57

    Default ummmm...

    Choosing the recovery console option in the boot menu was not successful. Screen went black, HD ran intensively for a few seconds and returned to the OS selection screen. Attempted repeated times with the same result. Safe mode and full boot continue to give the stop screen.

    Booted from the XP install CD and chose console option. My main drive is built on a RAID driven by the motherboard. A directory listing of the C drive in the recovery console showed no files. Going to have to find the RAID driver disc (or download), reattach my floppy drive (hope it still works) and load that driver with the recovery console from the CD before continuing.

    Nothing is ever easy.

    Any suggestions would be appreciated.

    RAID: Promise Technology MB Fast Trak 133 "lite" BIOS Version - is what I see during the boot process.

  7. #17
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    RAID makes this more complicated. Do you have the driver floppy around? If not, the driver should be found on the motherboard manufacturer's web site.

    When recovery console loads you should immediately press F6 to run that RAID driver from floppy (like when installing Windows).

  8. #18
    Member
    Join Date
    Apr 2009
    Posts
    57

    Default

    Successfully booted into recovery console from XP installation CD loading driver for the RAID from a floppy.

    CD ERDNT worked and the first batch file worked, but the second batch file didn't exist in the directory.

    Booting into windows took longer but ultimately still gave the blue STOP screen error... same as before.

    Does it make any difference that the recovery console mounts my main windows drive as e instead of c because of the RAID?

    Discovered something odd... the CFrecovery.bat file was generated 4/22 6:56pm, but my recovery point was saved 4/23 in the evening. There is a directory called subs which seems to have a series of files which have the right time stamp for my backup.... as do the files in autobackup\4-23-2009. Are the batch files generic files that could be copied from a floppy into the directory and executed (he asked hopefully...).

  9. #19
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    I think the drive appears as drive e: because the recovery console was launched from the CD. That shouldn't matter here.

    After logging onto the Recovery Console, type each of the lines (press enter after each):
    CD ERDNT
    BATCH CFRECOVERY.BAT


    Then go to subs folder by giving command:
    CD SUBS

    In that folder should be ERDNT.CON file. Run following command:
    BATCH ERDNT.CON

    Then type EXIT to restart the machine.

  10. #20
    Member
    Join Date
    Apr 2009
    Posts
    57

    Default

    The ERDNT.CON file had all references to the c drive in it... so I manually executed each command in the batch file substituting the e drive for the c drive and rebooted. Windows still gave me the error.

    I then copied the ERDNT.CON file to another computer, edited the file to change all references to the c drive to the e drive, moved it back to the infected machine... and executed the batch.

    Same result.

    ERDNT seems to have created a daily back-up as there is a series of directories named Autobackup with successive dates. My thought was to try and work backwards through successive dates to see if I can get Windows to come back up. My fear is that ComboFix deleted something Windows wants (I remember seeing the dialog box mention a few files it deleted - 4 I think) and this process will be futile since those important files are gone.

    However, I'm hopeful that we will still find a solution through this mess.

    One other note - when this happened, I dragged the script file you provided over the ComboFix.exe icon to execute it... the first message I received was that ComboFix had a new version available so I updated it. Then it said ComboFix was restarting and went through the scan that has rendered Windows unbootable. Is it possible that when it restarted, it didn't follow your script and just ran a normal diagnostic?

    I don't know if that's helpful but wanted to provide you with as much detail as possible to try and find a solution.
