redirect virus and malware please help me!!!

An error warning comes up stating "Windows explorer has encountered a problem and needs to be closed"

I'm using my phone by the way to respond.
 
Hi mrclark,

Go back into Task Manager. This time type iexplore.

Internet Explorer should open. Access this forum and attach C:\combofix.txt to your next reply.
 
Hi, unfortunately there is no C:\combofix.txt in that folder; actually, I don't think there were any text files there.
 
Hi mrclark,

Sorry, I may have confused you. After you type iexplore, Internet Explorer should open and you should be able to go online. Do you get that far?
 
Hi mrclark,

Let's try this. In Task Manager, check the Processes tab for explorer.exe. If it's there, end the process and try to start it again.

In File > New Task, use the Browse button to locate the Desktop. Click on OTL.exe and click OK. When OTL opens, click the Run Scan button and post the log that is produced.
 
Hi, I couldn't get to Control Panel from Task Manager to turn off AVG and Spybot; the Windows Explorer warning would pop up again and crash.

But I managed to get a log run:

OTL logfile created on: 4/28/2012 2:37:48 PM - Run 2
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Documents and Settings\Administrator\Desktop\New Folder
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.78 Gb Available Physical Memory | 85.48% Memory free
5.09 Gb Paging File | 4.60 Gb Available in Paging File | 90.40% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 341.39 Gb Free Space | 36.65% Space Free | Partition Type: NTFS
Drive D: | 642.92 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: ADMIN-FDC77CCCA | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\HitmanPro\hmpsched.exe (SurfRight B.V.)
PRC - C:\Documents and Settings\Administrator\Desktop\New Folder\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\AVG\AVG2012\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files\AVG\AVG2012\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe (DeviceVM, Inc.)
PRC - C:\Program Files\Gigabyte\EasySaver\essvr.exe ()


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Gigabyte\EasySaver\essvr.exe ()
MOD - C:\Program Files\Gigabyte\EasySaver\ycc.dll ()


========== Win32 Services (SafeList) ==========

SRV - (SDUpdateService) -- C:\Program Files\Spybot File not found
SRV - (SDScannerService) -- C:\Program Files\Spybot File not found
SRV - (HitmanProScheduler) -- C:\Program Files\HitmanPro\hmpsched.exe (SurfRight B.V.)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (AppleChargerSrv) -- C:\WINDOWS\system32\AppleChargerSrv.exe ()
SRV - (BCUService) -- C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe (DeviceVM, Inc.)
SRV - (ES lite Service) -- C:\Program Files\Gigabyte\EasySaver\essvr.exe ()
SRV - (Adobe Version Cue CS3) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe (Adobe Systems Incorporated)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (gdrv) -- C:\WINDOWS\gdrv.sys (Windows (R) 2000 DDK provider)
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (GVTDrv) -- C:\WINDOWS\system32\drivers\GVTDrv.sys ()
DRV - (etdrv) -- C:\WINDOWS\etdrv.sys (Windows (R) 2000 DDK provider)
DRV - (AppleCharger) -- C:\WINDOWS\system32\drivers\AppleCharger.sys ()
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (usbfilter) -- C:\WINDOWS\system32\drivers\usbfilter.sys (Advanced Micro Devices)
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (AmdLLD) -- C:\WINDOWS\system32\drivers\AmdLLD.sys (AMD, Inc.)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (RTCore32) -- C:\Program Files\EVGA Precision\RTCore32.sys ()
DRV - (sfdrv01) StarForce Protection Environment Driver (version 1.x) -- C:\WINDOWS\system32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfsync02) StarForce Protection Synchronization Driver (version 2.x) -- C:\WINDOWS\system32\drivers\sfsync02.sys (Protection Technology)
DRV - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\WINDOWS\system32\drivers\sfhlp02.sys (Protection Technology)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {67B304DA-6278-40b3-B8E8-D46F814D6BFB}
IE - HKCU\..\SearchScopes\{0A4D1FD6-14A6-42b7-B9E4-A9A86BA9C833}: "URL" = http://www.google.com/cse?cx=partner-pub-3794288947762788%3A2938615334&ie=UTF-8&sa=Search&siteurl=www.google.com%2Fcse%2Fhome%3Fcx%3Dpartner-pub-3794288947762788%3A2938615334&q={searchTerms}
IE - HKCU\..\SearchScopes\{0C0AD665-632E-4818-A02A-A810DEFFC693}: "URL" = http://search.avg.com/route/?d=$instd$&v=$ver$&i=$dchid$&tp=chrome&q={searchTerms}&lng={moz:locale}&iy=&ychte=ca
IE - HKCU\..\SearchScopes\{67B304DA-6278-40b3-B8E8-D46F814D6BFB}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBD
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.0: C:\Program Files\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=0.80.0: C:\Program Files\Battlelog Web Plugins\0.80.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@fileplanet.com/fpdlm: C:\Program Files\Download Manager\npfpdlm.dll (IGN Entertainment)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/DownloadManager,version=1.1: C:\WINDOWS\ [2012/04/27 18:43:27 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/01/31 21:04:43 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2012/04/26 21:14:51 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCU] C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe (DeviceVM, Inc.)
O4 - HKLM..\Run: [combofix] C:\ComboFix\CF19386.3XE (Microsoft Corporation)
O4 - HKLM..\Run: [EVGAPrecision] C:\Program Files\EVGA Precision\EVGAPrecision.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [Spybot-S&D Cleaning] C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [CPUThermometer] C:\Documents and Settings\Administrator\Desktop\CPU Thermometer\CPUThermometer.exe ()
O4 - HKCU..\Run: [dabebdbdaafdct] "C:\Documents and Settings\All Users\Application Data\dabebdbdaafdct.exe" File not found
O4 - HKCU..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe (IGN Entertainment)
O4 - HKCU..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent File not found
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKLM..\RunOnce: [combofix] C:\ComboFix\CF19386.3XE (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab (CDownloadCtrl Object)
O16 - DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} http://www.gunbroker.com/WebResourc...ksu6ajL4Qvm6a-2VX8ROm8K0&t=634230999680000000 (Image Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} https://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.66.2.cab (Battlefield Play4Free Updater)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AB79E8E6-3A4E-4955-9F00-0C1D77D8038C}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/09/06 02:55:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/08/04 08:00:00 | 000,000,110 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/26 21:11:44 | 001,058,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2012/04/26 21:11:38 | 000,545,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winlogon.exe
[2012/04/26 21:11:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\dllcache
[2012/04/26 21:10:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/04/26 21:10:38 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/04/22 13:55:55 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/04/22 13:53:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/04/22 13:53:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/04/22 13:53:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/04/22 13:53:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/04/22 13:53:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/04/22 13:52:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/04/22 13:41:12 | 004,470,812 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2012/04/21 18:41:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\New Folder
[2012/04/17 17:54:55 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Download Manager
[2012/04/17 17:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Download Manager
[2012/04/16 19:26:48 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2012/04/16 19:21:34 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/04/16 19:21:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
[2012/04/16 19:20:17 | 000,000,000 | ---D | C] -- C:\Program Files\New Folder
[2012/04/15 21:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/04/15 21:48:21 | 007,245,976 | ---- | C] (SurfRight B.V.) -- C:\Program Files\HitmanPro36.exe
[2012/04/15 21:46:24 | 008,250,768 | ---- | C] (SurfRight B.V.) -- C:\Program Files\HitmanPro36_x64.exe
[2012/04/15 18:36:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2012/04/15 15:19:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/04/15 15:19:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy 2
[2012/04/15 15:19:47 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\WINDOWS\System32\sdnclean.exe
[2012/04/15 15:19:42 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2012/04/15 15:17:03 | 000,325,200 | ---- | C] (OpenInstall ) -- C:\Program Files\spybotsd-2.exe
[2012/04/08 21:27:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/04/08 21:25:52 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/04/07 22:10:02 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/01/19 22:00:20 | 003,147,344 | ---- | C] (Macroplant, LLC ) -- C:\Program Files\iExplorer_Setup.exe
[2011/12/22 18:43:38 | 039,401,336 | ---- | C] (Apple Inc.) -- C:\Program Files\QuickTimeInstaller.exe
[2011/11/01 18:16:13 | 063,084,671 | ---- | C] (NovaLogic ) -- C:\Program Files\c4demo.exe
[2011/09/21 17:23:35 | 047,963,312 | ---- | C] (Electronic Arts, Inc.) -- C:\Program Files\OriginSetup.exe
[2011/03/21 17:36:17 | 038,191,344 | ---- | C] (Online Media Technologies Ltd. ) -- C:\Program Files\AVSAudioEditor.exe
[2011/03/21 17:36:16 | 150,895,952 | ---- | C] (Online Media Technologies Ltd. ) -- C:\Program Files\AVSVideoEditor.exe
[2010/11/06 12:47:43 | 034,226,736 | ---- | C] (Cisco Systems, Inc.) -- C:\Program Files\nmsetup.exe
[2010/10/16 16:10:34 | 002,129,648 | ---- | C] (Beepa Pty Ltd) -- C:\Program Files\fraps.exe
[2010/10/10 22:55:19 | 000,874,272 | ---- | C] (Sun Microsystems, Inc.) -- C:\Program Files\JavaSetup6u21.exe
[2010/10/07 20:09:26 | 000,589,640 | ---- | C] (Google Inc.) -- C:\Program Files\GoogleEarthSetup.exe
[2010/09/13 12:54:17 | 069,316,464 | ---- | C] (Apple Inc.) -- C:\Program Files\iTunesSetup.exe
[2010/09/06 18:52:56 | 002,133,536 | ---- | C] (AVG Technologies) -- C:\Program Files\avg_free_stb_all_9_115_cnet.exe
[2010/09/06 01:30:18 | 016,883,056 | ---- | C] (Microsoft Corporation) -- C:\Program Files\IE8-WindowsXP-x86-ENU.exe
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/28 14:09:17 | 096,476,685 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/04/28 14:03:54 | 000,000,598 | ---- | M] () -- C:\WINDOWS\tasks\Check for updates (Spybot - Search & Destroy).job
[2012/04/28 14:03:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/28 14:03:28 | 000,017,488 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\gdrv.sys
[2012/04/28 14:03:18 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/28 14:03:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/27 22:56:15 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/27 22:56:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/27 21:25:55 | 000,138,520 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2012/04/27 21:24:09 | 000,234,536 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2012/04/27 21:24:09 | 000,234,536 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.ex0
[2012/04/27 21:02:25 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/26 21:14:51 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/04/26 21:04:40 | 000,000,267 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\redirect virus and malware please help me!!! - Safer-Networking Forums.url
[2012/04/26 19:09:15 | 000,063,406 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CMD.JPG
[2012/04/26 19:04:56 | 001,367,030 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\untitled.bmp
[2012/04/26 19:04:45 | 001,367,030 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CMD.bmp
[2012/04/26 18:00:00 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\PC Unleashed Registration3.job
[2012/04/26 17:56:54 | 000,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2012/04/25 21:08:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/04/25 18:02:50 | 000,228,055 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/04/25 07:43:12 | 000,001,048 | -H-- | M] () -- C:\Documents and Settings\Administrator\Desktop\magicJack.lnk
[2012/04/22 13:56:03 | 000,000,367 | RHS- | M] () -- C:\boot.ini
[2012/04/22 13:41:18 | 004,470,812 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2012/04/21 18:43:25 | 000,205,312 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/19 19:29:25 | 000,000,698 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\play in right rear wheel of 08 ren x, is it bearings - can-am ATV Forums - can-amtalk.com.url
[2012/04/18 22:02:24 | 000,000,578 | ---- | M] () -- C:\WINDOWS\M3JPEG.INI
[2012/04/18 18:44:09 | 000,002,353 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Download Manager.lnk
[2012/04/17 17:52:26 | 000,000,172 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2012/04/17 17:41:59 | 000,000,257 | ---- | M] () -- C:\Boot.bak
[2012/04/16 19:26:48 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2012/04/15 21:48:31 | 007,245,976 | ---- | M] (SurfRight B.V.) -- C:\Program Files\HitmanPro36.exe
[2012/04/15 21:46:37 | 008,250,768 | ---- | M] (SurfRight B.V.) -- C:\Program Files\HitmanPro36_x64.exe
[2012/04/15 15:19:59 | 000,000,594 | ---- | M] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2012/04/15 15:19:59 | 000,000,462 | ---- | M] () -- C:\WINDOWS\tasks\Scan the system (Spybot - Search & Destroy).job
[2012/04/15 15:19:52 | 000,001,836 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
[2012/04/15 15:17:08 | 000,325,200 | ---- | M] (OpenInstall ) -- C:\Program Files\spybotsd-2.exe
[2012/04/15 13:15:25 | 000,000,683 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Another Renegade SUBSEA snorkel kit is created! - can-am ATV Forums - can-amtalk.com - Page 2.url
[2012/04/15 13:14:57 | 000,000,318 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\4 x Cases (Military Boxes) for .22.url
[2012/04/15 12:04:44 | 000,000,882 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.hitmanpro
[2012/04/15 12:04:44 | 000,000,882 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120415-183150.backup
[2012/04/13 20:56:05 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/04/13 20:56:04 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/04/11 06:55:30 | 000,573,400 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/11 06:55:30 | 000,108,130 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/04/11 06:45:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/04/08 21:27:47 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/04/04 17:51:43 | 000,000,398 | ---- | M] () -- C:\WINDOWS\tasks\PC Unleashed.job
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/26 19:09:14 | 000,063,406 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CMD.JPG
[2012/04/26 19:04:44 | 001,367,030 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CMD.bmp
[2012/04/26 19:03:20 | 001,367,030 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\untitled.bmp
[2012/04/22 13:56:03 | 000,000,257 | ---- | C] () -- C:\Boot.bak
[2012/04/22 13:55:57 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/04/22 13:53:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/04/22 13:53:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/04/22 13:53:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/04/22 13:53:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/04/22 13:53:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/04/19 21:12:01 | 000,000,267 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\redirect virus and malware please help me!!! - Safer-Networking Forums.url
[2012/04/17 17:54:55 | 000,002,353 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Download Manager.lnk
[2012/04/15 18:26:43 | 000,000,698 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\play in right rear wheel of 08 ren x, is it bearings - can-am ATV Forums - can-amtalk.com.url
[2012/04/15 17:42:23 | 000,000,172 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012/04/15 15:19:58 | 000,000,594 | ---- | C] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2012/04/15 15:19:58 | 000,000,462 | ---- | C] () -- C:\WINDOWS\tasks\Scan the system (Spybot - Search & Destroy).job
[2012/04/15 15:19:57 | 000,000,598 | ---- | C] () -- C:\WINDOWS\tasks\Check for updates (Spybot - Search & Destroy).job
[2012/04/15 15:19:52 | 000,001,842 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2012/04/15 15:19:52 | 000,001,836 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
[2012/04/08 21:27:47 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/04/07 22:10:03 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/04 21:28:35 | 000,409,738 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-682003330-308236825-725345543-500-0.dat
[2012/02/14 18:50:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/30 23:47:35 | 000,345,706 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/10/11 22:05:39 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/09/28 18:44:14 | 000,179,271 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2011/09/28 18:35:17 | 003,815,360 | ---- | C] () -- C:\Program Files\battlelog-web-plugins-0.80.0-retail-ob.exe
[2011/06/13 15:16:33 | 002,130,002 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/06/04 20:48:52 | 000,291,539 | ---- | C] () -- C:\Program Files\cputhermometer_setup.exe
[2011/04/23 13:14:57 | 000,203,792 | ---- | C] () -- C:\Program Files\EVGAPrecision.exe
[2011/04/23 13:14:57 | 000,044,048 | ---- | C] () -- C:\Program Files\EVGAPrecisionWrapper.exe
[2010/12/04 01:27:07 | 000,003,217 | ---- | C] () -- C:\WINDOWS\pi2000.ini
[2010/12/04 01:27:06 | 000,000,021 | ---- | C] () -- C:\WINDOWS\arcsuite.ini
[2010/11/29 02:16:18 | 000,056,844 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/11/28 18:37:42 | 002,250,024 | ---- | C] () -- C:\WINDOWS\System32\pbsvc.exe
[2010/11/06 12:50:38 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2010/10/16 18:18:57 | 000,000,578 | ---- | C] () -- C:\WINDOWS\M3JPEG.INI
[2010/10/12 15:18:39 | 002,601,752 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_moh.exe
[2010/09/13 13:13:32 | 000,000,026 | ---- | C] () -- C:\WINDOWS\GeoLan.ini
[2010/09/13 13:11:28 | 000,229,376 | R--- | C] () -- C:\WINDOWS\System32\GXGM20.dll
[2010/09/13 13:11:19 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\GODDNIF.ini
[2010/09/06 20:32:02 | 000,205,312 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/06 16:53:10 | 000,138,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2010/09/06 16:53:10 | 000,022,328 | -H-- | C] () -- C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
[2010/09/06 16:52:28 | 000,234,536 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2010/09/06 16:52:27 | 002,434,856 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_bc2.exe
[2010/09/06 16:52:27 | 000,075,136 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2010/09/06 16:06:01 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2010/09/06 15:38:34 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/09/06 14:52:38 | 001,364,522 | ---- | C] () -- C:\Program Files\winrar-x64-393.exe
[2010/09/06 03:39:30 | 000,080,416 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2010/09/06 03:33:41 | 000,207,400 | R--- | C] () -- C:\WINDOWS\GSetup.exe
[2010/09/06 03:33:41 | 000,000,010 | ---- | C] () -- C:\WINDOWS\GSetup.ini
[2010/09/06 03:18:17 | 001,588,224 | ---- | C] () -- C:\Program Files\SteamInstall.msi
[2010/09/06 02:56:39 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/09/06 02:52:27 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/09/06 02:42:09 | 000,194,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/09/06 00:55:07 | 000,286,760 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2010/09/06 00:55:06 | 000,286,760 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2010/09/06 00:55:06 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2010/09/06 00:47:59 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/06 00:47:58 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/09/06 00:47:03 | 000,024,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\GVTDrv.sys
[2010/09/06 00:39:52 | 000,031,272 | ---- | C] () -- C:\WINDOWS\System32\AppleChargerSrv.exe
[2010/09/06 00:39:52 | 000,019,496 | ---- | C] () -- C:\WINDOWS\System32\drivers\AppleCharger.sys
[2010/09/05 19:41:11 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/09/05 19:40:07 | 001,563,640 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== Files - Unicode (All) ==========
[2012/02/10 22:23:46 | 000,000,317 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?Cat Massage?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Cat Massage‬‏ - YouTube.url
[2011/11/26 23:16:32 | 000,000,293 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\YouTube - ?Husky Dog Talking - I love you ??.url) -- C:\Documents and Settings\Administrator\My Documents\YouTube - ‪Husky Dog Talking - I love you ‬‏.url
[2011/09/11 11:38:13 | 000,000,293 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?Can-Am Commander Side-By-Side?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Can-Am Commander Side-By-Side‬‏ - YouTube.url
[2011/09/10 11:15:26 | 000,000,836 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?Can-Am Commander Side-By-Side?? - YouTube (2).url) -- C:\Documents and Settings\Administrator\My Documents\‪Can-Am Commander Side-By-Side‬‏ - YouTube (2).url
[2011/09/07 23:07:40 | 000,000,293 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?Commander 1000 XT BRP Can Am?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Commander 1000 XT BRP Can Am‬‏ - YouTube.url
[2011/08/12 00:59:28 | 000,000,293 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?GoRidingTV tests the 2011 CAN-AM Commander?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪GoRidingTV tests the 2011 CAN-AM Commander‬‏ - YouTube.url
[2011/08/06 17:03:37 | 000,000,836 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?Can-Am Commander Side-By-Side?? - YouTube (2).url) -- C:\Documents and Settings\Administrator\My Documents\‪Can-Am Commander Side-By-Side‬‏ - YouTube (2).url
[2011/08/06 17:03:05 | 000,000,293 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?Commander 1000 XT BRP Can Am?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Commander 1000 XT BRP Can Am‬‏ - YouTube.url
[2011/08/06 15:58:47 | 000,000,293 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?Can-Am Commander Side-By-Side?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Can-Am Commander Side-By-Side‬‏ - YouTube.url
[2011/08/06 15:58:23 | 000,000,293 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?GoRidingTV tests the 2011 CAN-AM Commander?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪GoRidingTV tests the 2011 CAN-AM Commander‬‏ - YouTube.url
[2011/07/30 17:25:16 | 000,000,293 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\?Amy winehouse - Teach me tonight?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Amy winehouse - Teach me tonight‬‏ - YouTube.url
[2011/07/23 20:44:10 | 000,000,293 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?Amy winehouse - Teach me tonight?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Amy winehouse - Teach me tonight‬‏ - YouTube.url
[2011/07/22 00:26:55 | 000,000,317 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\?Cat Massage?? - YouTube.url) -- C:\Documents and Settings\Administrator\My Documents\‪Cat Massage‬‏ - YouTube.url
[2011/06/30 13:33:23 | 000,000,267 | ---- | M] ()(C:\Documents and Settings\Administrator\My Documents\YouTube - ?gardea23's Channel??#p-u-2-gRw-lfXy_tQ.url) -- C:\Documents and Settings\Administrator\My Documents\YouTube - ‪gardea23's Channel‬‏#p-u-2-gRw-lfXy_tQ.url
[2011/06/30 13:33:23 | 000,000,267 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\YouTube - ?gardea23's Channel??#p-u-2-gRw-lfXy_tQ.url) -- C:\Documents and Settings\Administrator\My Documents\YouTube - ‪gardea23's Channel‬‏#p-u-2-gRw-lfXy_tQ.url
[2011/06/30 13:30:02 | 000,000,293 | ---- | C] ()(C:\Documents and Settings\Administrator\My Documents\YouTube - ?Husky Dog Talking - I love you ??.url) -- C:\Documents and Settings\Administrator\My Documents\YouTube - ‪Husky Dog Talking - I love you ‬‏.url

< End of report >
 
Hi mrclark,

I see only parts of the last fix we ran in the log. Have a look in C:\Qoobox for a file named ComboFix-quarantined-files.txt

Next, please open OTL.

  • When the window appears, click the None button near the top (it may look greyed out)
  • In the window under Custom Scans/Fixes copy and paste the following



    /md5start
    svchost.*
    explorer.*
    winlogon.*
    dll
    zx.dll
    hlp.dat
    /md5stop


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

Please post back with
  • ComboFix-quarantined-files.txt
  • OTL.txt
 
hi

OTL logfile created on: 4/30/2012 7:42:42 PM - Run 3
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Documents and Settings\Administrator\Desktop\New Folder
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.73 Gb Available Physical Memory | 84.15% Memory free
5.09 Gb Paging File | 4.54 Gb Available in Paging File | 89.26% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 341.27 Gb Free Space | 36.64% Space Free | Partition Type: NTFS

Computer Name: ADMIN-FDC77CCCA | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\dllcache\explorer.exe
[2012/02/07 17:19:30 | 003,149,736 | ---- | M] (Safer-Networking Ltd.) MD5=511D1BEF41D4A018501139F409DE5ED6 -- C:\Program Files\Spybot - Search & Destroy 2\explorer.exe
[2008/04/14 05:42:10 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=6771E48723C7ECFA3395CCBC666CE0E9 -- C:\WINDOWS\explorer.exe

< MD5 for: EXPLORER.EXE.VIR >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\Qoobox\Quarantine\C\explorer.exe.vir
[2008/04/14 05:42:10 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=86B13BD2DAC4D331B0B6406E632AB086 -- C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir

< MD5 for: EXPLORER.EXE-082F38A9.PF >
[2012/04/30 15:45:27 | 000,020,936 | ---- | M] () MD5=33A5DE2DEE0DAD8D005147CF1E438BBE -- C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

< MD5 for: EXPLORER.SCF >
[2004/08/04 08:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: EXPLORER.ZIP >
[2006/03/06 22:48:08 | 000,020,394 | ---- | M] () MD5=B469409C2B2A33C542190B720E11BD79 -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip

< MD5 for: SVCHOST.DAT >
[2000/08/30 20:00:00 | 000,000,555 | ---- | M] () MD5=75FCC9D372E19562BA0F254042739920 -- C:\ComboFix\svchost.dat

< MD5 for: SVCHOST.EXE >
[2012/04/26 21:11:42 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=E5900F36F2BD2335433334B56ECA9FDD -- C:\WINDOWS\system32\svchost.exe

< MD5 for: SVCHOST.EXE.ND_ >
[2012/04/26 21:13:40 | 000,000,014 | ---- | M] () MD5=45FCF799EB0FBE276985D816B9AE8E91 -- C:\ComboFix\svchost.exe.ND_

< MD5 for: SVCHOST.EXE.VIR >
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\Qoobox\Quarantine\C\svchost.exe.vir
[2008/04/14 05:42:10 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=E5900F36F2BD2335433334B56ECA9FDD -- C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir

< MD5 for: SVCHOST.EXE-3530F672.PF >
[2012/04/25 07:42:36 | 000,049,264 | ---- | M] () MD5=D8614F3D9ED6DC6FF778B0A9B45F80E6 -- C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf

< MD5 for: SVCHOST.VISTA.X64.DAT >
[2010/11/27 01:12:00 | 000,000,749 | ---- | M] () MD5=14CAA9E2E82256EC016BE799DE6498DB -- C:\ComboFix\svchost.vista.x64.dat

< MD5 for: WINLOGON.EXE >
[2008/04/14 05:42:10 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=CEB69A8FC53AAF8BCB361A875A44B4CB -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2012/04/26 21:11:42 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=E12A7DF6EFB606316DBC801C473F1FE7 -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WINLOGON.EXE.VIR >
[2008/04/14 05:42:10 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=E12A7DF6EFB606316DBC801C473F1FE7 -- C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\Qoobox\Quarantine\C\winlogon.exe.vir

< >

< End of report >
 
2012-04-25 22:20:18 . 2012-04-25 22:20:18 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2012-04-22 18:49:24 . 2012-04-22 18:49:24 474 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-XWW2_BF2_1.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,918 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{7FD8B0C1-CDDA-4B4D-A577-B2E3570EA3A3}_is1.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 478 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Precision.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,544 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Nations at War6.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,674 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-N.A.W 6..0 MAP Pack 46.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,666 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-N.A.W 6..0 MAP Pack 36.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,674 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-N.A.W 6..0 MAP Pack 26.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 1,666 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-N.A.W 6..0 MAP Pack 16.0.reg.dat
2012-04-22 18:49:24 . 2012-04-22 18:49:24 520 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-BattlEye.reg.dat
2012-04-22 18:49:02 . 2012-04-22 18:49:02 618 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-SDWinLogon.reg.dat
2012-04-22 18:48:58 . 2012-04-22 18:48:58 181 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-dabebdbdaafdct.reg.dat
2012-04-22 18:48:56 . 2012-04-22 18:48:56 179 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-dabebdbdaafdct.reg.dat
2012-04-22 18:48:55 . 2012-04-22 18:48:56 177 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-RGSC.reg.dat
2012-04-22 18:48:55 . 2012-04-25 22:32:38 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2012-04-22 18:48:55 . 2012-04-25 22:32:37 213 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2012-04-22 18:48:55 . 2012-04-25 22:32:37 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2012-04-22 18:41:46 . 2012-04-25 22:27:42 5,845 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-04-22 17:53:02 . 2012-04-25 22:19:18 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-04-21 03:38:11 . 2012-04-21 03:38:11 571 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\iiaraaa.tmp.vir
2012-04-15 17:04:28 . 2012-04-15 18:51:22 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\dabebdbdaafdct.exe.vir
2012-01-20 02:07:59 . 2012-01-20 02:07:59 10,498 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\unins000.msg.vir
2012-01-20 02:07:59 . 2011-11-07 15:16:46 192,512 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\ICSharpCode.SharpZipLib.dll.vir
2012-01-20 02:07:59 . 2011-11-30 21:05:46 27,648 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\MPUpdater.dll.vir
2012-01-20 02:07:59 . 2011-10-20 13:15:46 28,672 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\AxInterop.QTOControlLib.dll.vir
2012-01-20 02:07:59 . 2011-10-20 13:15:42 32,768 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\Interop.QTOControlLib.dll.vir
2012-01-20 02:07:59 . 2011-10-20 13:15:42 94,208 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\Interop.QTOLibrary.dll.vir
2012-01-20 02:07:59 . 2011-12-06 21:35:32 30,720 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\MPCrashReporter.dll.vir
2012-01-20 02:07:59 . 2011-12-06 21:35:32 41,984 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\PodPhone2.dll.vir
2012-01-20 02:07:58 . 2011-12-06 21:35:34 2,689,024 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\iExplorer.exe.vir
2012-01-20 02:07:58 . 2011-10-20 13:15:46 348,160 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\msvcr71.dll.vir
2012-01-20 02:07:58 . 2011-10-20 13:15:46 49,664 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\isxdl.dll.vir
2012-01-20 02:07:58 . 2012-01-20 02:07:59 22,221 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\unins000.dat.vir
2012-01-20 02:07:58 . 2012-01-20 02:00:30 770,624 ----a-w- C:\Qoobox\Quarantine\C\Program Files\iExplorer\unins000.exe.vir
2011-10-25 22:07:45 . 2011-10-25 22:32:25 89,643,496 ----a-w- C:\Qoobox\Quarantine\C\Program Files\285.58-desktop-winxp-32bit-english-whql.exe.vir
2011-07-25 04:31:27 . 2012-04-21 22:44:41 292,864 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Recent\Thumbs.db.vir
2011-04-23 17:22:32 . 2011-04-23 17:22:43 88,715,952 ----a-w- C:\Qoobox\Quarantine\C\Program Files\270.61-desktop-winxp-32bit-english-whql.exe.vir
2010-10-19 15:41:31 . 2010-10-19 15:41:53 4,290,744 ----a-w- C:\Qoobox\Quarantine\C\Program Files\avg_free_stb_all_2011_1136_upgrade.exe.vir
2008-04-14 09:42:10 . 2008-04-14 09:42:10 1,033,728 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\expl.dat.vir
2008-04-14 09:42:10 . 2008-04-14 09:42:10 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dllc.dat.vir
2008-04-14 09:42:10 . 2008-04-14 09:42:10 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\svch.dat.vir
2008-04-14 09:42:10 . 2008-04-14 09:42:10 507,904 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winl.dat.vir
2007-11-07 13:03:18 . 2007-11-07 13:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\C\install.exe.vir
2006-10-19 01:47:20 . 2006-10-19 01:47:20 99,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET5C.tmp.vir
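An added example, not from the thread or from OTL's author: a small Python parser for the "< MD5 for: >" sections of the OTL log above. It applies the same check the helper does by eye, comparing each dllcache copy with the live file one directory up and listing every other place in the log where the live file's hash appears. The sample log is a constructed subset of the Run 3 log posted above.

```python
"""Parse the '< MD5 for: NAME >' sections of an OTL custom scan and compare each
dllcache copy with the live file one directory up (added example, not OTL code)."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
# One OTL entry: [date time | size | attrs | M-or-C] (company) MD5=hash -- path
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+?) \| (?P<flag>[MC])\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

def parse_md5_sections(log_text):
    """Return {SECTION NAME: [entry dict, ...]} for every '< MD5 for: >' block."""
    sections, current = defaultdict(list), None
    for raw in log_text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            current = head.group("name").upper()
            sections[current]  # register the section even if it turns out empty
            continue
        entry = ENTRY_RE.match(line) if current else None
        if entry:
            d = entry.groupdict()
            d["size"] = int(d["size"].replace(",", ""))
            d["md5"] = d["md5"].upper()
            sections[current].append(d)
    return dict(sections)

def dllcache_mismatches(sections):
    """One result per dllcache entry: status 'match', 'mismatch' or 'live-missing'.

    'also_seen' lists every other path in the whole log carrying the live file's
    hash, so a hash otherwise known only from a quarantine folder stands out.
    Copies with no dllcache sibling (e.g. Spybot's own explorer.exe) are not
    compared at all."""
    by_md5 = defaultdict(list)
    for entries in sections.values():
        for e in entries:
            by_md5[e["md5"]].append(e["path"])
    results = []
    for name, entries in sections.items():
        by_path = {e["path"].lower(): e for e in entries}
        for cached in entries:
            low = cached["path"].lower()
            if "\\dllcache\\" not in low:
                continue
            live_path = low.replace("\\dllcache\\", "\\")
            live = by_path.get(live_path)
            if live is None:
                results.append({"name": name, "status": "live-missing",
                                "dllcache": cached["path"]})
                continue
            results.append({
                "name": name,
                "status": "match" if live["md5"] == cached["md5"] else "mismatch",
                "live": live["path"], "live_md5": live["md5"],
                "dllcache_md5": cached["md5"],
                "also_seen": sorted(p for p in by_md5[live["md5"]]
                                    if p.lower() != live_path),
            })
    return results

# Constructed subset of the Run 3 log posted in this thread.
SAMPLE_LOG = r"""
< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\dllcache\explorer.exe
[2012/02/07 17:19:30 | 003,149,736 | ---- | M] (Safer-Networking Ltd.) MD5=511D1BEF41D4A018501139F409DE5ED6 -- C:\Program Files\Spybot - Search & Destroy 2\explorer.exe
[2008/04/14 05:42:10 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=6771E48723C7ECFA3395CCBC666CE0E9 -- C:\WINDOWS\explorer.exe
< MD5 for: SVCHOST.EXE >
[2012/04/26 21:11:42 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=E5900F36F2BD2335433334B56ECA9FDD -- C:\WINDOWS\system32\svchost.exe
< MD5 for: WINLOGON.EXE >
[2008/04/14 05:42:10 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=CEB69A8FC53AAF8BCB361A875A44B4CB -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2012/04/26 21:11:42 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=E12A7DF6EFB606316DBC801C473F1FE7 -- C:\WINDOWS\system32\winlogon.exe
< MD5 for: WINLOGON.EXE.VIR >
[2008/04/14 05:42:10 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=E12A7DF6EFB606316DBC801C473F1FE7 -- C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\Qoobox\Quarantine\C\winlogon.exe.vir
"""

if __name__ == "__main__":
    for r in dllcache_mismatches(parse_md5_sections(SAMPLE_LOG)):
        print(r["name"], r["status"], r.get("live", r.get("dllcache")))
        for p in r.get("also_seen", []):
            print("   live hash also at:", p)
```

On the sample above both explorer.exe and winlogon.exe come out as mismatches, while svchost.exe gets no verdict because the scan contains no dllcache copy to compare against.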
 
Hi mrclark,

We'll do this over 2 posts. In this one we'll move some files around. In the next one we'll put them where they belong.


Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code:
:Services

:Files
ren "C:\WINDOWS\system32\dllcache\winlogon.exe" winlogon.xxe /c
copy "C:\Qoobox\Quarantine\C\winlogon.exe.vir" "C:\WINDOWS\system32\dllcache\winlogon.exe" /c
copy "C:\Qoobox\Quarantine\C\svchost.exe.vir" "C:\WINDOWS\system32\dllcache\svchost.exe" /c

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.
 
The file seems a little short, is this it?

========== SERVICES/DRIVERS ==========
========== FILES ==========
< ren "C:\WINDOWS\system32\dllcache\winlogon.exe" winlogon.xxe /c >
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\winlogon.exe.vir" "C:\WINDOWS\system32\dllcache\winlogon.exe" /c >
1 file(s) copied.
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\svchost.exe.vir" "C:\WINDOWS\system32\dllcache\svchost.exe" /c >
1 file(s) copied.
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\New Folder\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.40.0 log created on 05012012_122058
 
Hi mrclark,

Yes that was all that should have been in the OTL log

Read through these instructions so you are familiar with what you will be doing. You may want to print them out. If you are unsure of anything please ask.

Next, create this batch file.

Open a new Notepad session (type notepad into task manager)
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad.
Do Not copy the word CODE

Code:
ren explorer.exe explorer.xxe
copy C:\WINDOWS\dllcache\explorer.exe
cd system32
ren winlogon.exe winlogon.xxe
ren svchost.exe svchost.xxe
copy C:\WINDOWS\system32\dllcache\winlogon.exe
copy C:\WINDOWS\system32\dllcache\svchost.exe
copy C:\WINDOWS\dllcache\explorer.exe C:\WINDOWS\system32\dllcache\explorer.exe
exit

In the notepad
  • Click File, Save as..., and set the Save in to C:\
  • In the filename box, type (including quotation marks) as the filename: "fix.bat"
  • Click save

Restart your computer. You should be presented with a screen asking you which operating system you wish to start. Use the arrow keys to select Microsoft Windows Recovery Console

1. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
2. You should now see a list of installations and the prompt "Which Windows Installation would you like to log on to?"
3. Select the appropriate number for the Windows installation that you want to repair. If you only have one, press 1.
4. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

You should now have a C:\windows> prompt

type the following line and hit enter

batch C:\fix.bat

Note there is a space after batch. It needs to be there.

When the prompt reappears type exit and hit enter. Your computer should boot to windows.

After the computer has restarted:

Please open OTL.

  • When the window appears, click the None button near the top (it may look greyed out)
  • In the window under Custom Scans/Fixes copy and paste the following



    /md5start
    svchost.exe
    explorer.exe
    winlogon.exe
    /md5stop


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.
 
Hi, unfortunately it gets to the Windows XP screen with the animated progress bar underneath and crashes. It just keeps cycling and restarts, going through the process over and over again.
 
Hi mrclark,

We can undo the changes we made. You will need to do a bit of typing though.

Boot to the recovery console as you did before. From the C:\windows> prompt type the following and hit enter after each line.

ren explorer.exe explorer.old
ren explorer.xxe explorer.exe
cd system32
ren winlogon.exe winlogon.old
ren winlogon.xxe winlogon.exe
ren svchost.exe svchost.old
ren svchost.xxe svchost.exe
exit


Note in the 1st,4th & 6th lines there is a space after ren and .exe

In the 2nd, 5th & 7th line there is a space after ren and .xxe

In the 3rd line there is a space after cd

Let me know if you can boot to windows now. Let me know if you receive any error messages.
 
Hi, no difference, it still will not boot up even when I go to "start at the last known good configuration" or whatever.
 
Hi mrclark,

Ok we'll need to build a disk.


Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a working computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source:(path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
    • Custom: (include files and folders from this directory)
      • No information is necessary, leave blank.
    • Output:
      • Keep the default
  • Media output
    • Choose Create ISO image
    • Do not choose Burn to CD/DVD
      • Download the RunScanner plugin and save it to your desktop
      http://www.paraglidernc.com/Files/RunScanner10025.cab

      Please note: You will be prompted for the folder that it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!
      • Press the Plugin button on the PE Builder interface
      • Press the Add button and navigate to the location of the RunScanner plugin to install
      • Please note: If you are using a Windows XP disc with sp2 then highlight RpcSS needs to launch DComLaunch and then press Enable
    • When you're done press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit
4. Burn your ISO file to CD
==========

Next........

On your working computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility
==========

In A43 File Management you should see your flash drive
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!
  • Copy and Paste the following code from your flash drive into the Custom Scans/Fixes textbox (screenshot: customFix.png). Do not include the word "Code"

    Code:
    /md5start
    winlogon.*
    svchost.*
    explorer.*
    /md5stop
  • Push the Run Scan button (screenshot: runscanbutton.png)
  • A report will open named "OTL.txt". Save it to your flash drive. Copy and Paste it in your next reply.
=========

With your next post please provide:

* OTLPE.txt
 