
no user login screen

Discussion in 'Virus & Other Malware Removal' started by iltos, Oct 18, 2009.

Thread Status:
Not open for further replies.
  1. iltos

    iltos Thread Starter

    Joined:
    Jun 13, 2004
    Messages:
    18,287
    windows vista home premium
    dell inspiron 1525
    avast free version

    i got home from running some errands to a blank screen with a working cursor....it's not a BSOD

    my daughter's boyfriend is really apologetic; said he downloaded a game :mad:....then extracted it onto my desktop....tried the .exe file and nothing happened, so he tried the readme file

    got a "notepad is not working" message and clicked on the "find a solution on the web" link

    got a "firefox is not working" message

    at this point he panicked, i guess, and deleted the game folder and the zipped .rar file and shut down.

    rebooted, entered the computer password (yes, my daughter knows it), and everything seemed fine, 'cept he never got to the windows icon that precedes the user login prompt....it's just sitting on the dark screen with the working cursor....no hard drive activity whatsoever (near as i can tell, anyway)

    so i shut down and booted into safe mode, and i see a lot of error messages in the event log surrounding this game. windows security/firewall is turned off and won't turn on (i don't know if this is normal for safe mode or not.....pretty much a technodope). tried a system restore to a time early this morning when i downloaded some updates, and rebooted....no difference

    i logged in in safe mode again and changed the boot settings to safe mode with diagnostics (thinking that might help....remember, technodope).....booting up that way leaves me at the same screen as a normal boot.

    i'm currently running a scan through avast, and plan on posting a HijackThis log as soon as i can...

    but i wanted to lay this out and see what sort of comments y'all got.
     
  2. DaveBurnett

    DaveBurnett Account Closed

    Joined:
    Nov 11, 2002
    Messages:
    12,970
    Change the password.
    Shoot the boyfriend.
    This sounds like a nasty virus.
    Get hold of Malwarebytes and SuperAntispyware and run them.
     
  3. iltos

    iltos Thread Starter

    Joined:
    Jun 13, 2004
    Messages:
    18,287
    fwiw, here's the HijackThis log from safe mode

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:01:59 PM, on 10/18/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18294)
    Boot mode: Safe mode

    Running processes:
    C:\Windows\Explorer.EXE
    G:\hijackthis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Users\Bob\rpbrowserrecordplugin.dll
    O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O13 - Gopher Prefix:
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

    --
    End of file - 4002 bytes
     
  4. aka Brett

    aka Brett Banned

    Joined:
    Nov 25, 2008
    Messages:
    16,918
    Boot to the F8 menu and select
    Last Known Good Configuration
     
  5. iltos

    iltos Thread Starter

    Joined:
    Jun 13, 2004
    Messages:
    18,287
    it's a good thought, but F8 isn't doing anything at the moment: i've restored back to a point before yesterday's updates with no difference, as well

    other scans, as suggested, found nothing more than the usual adware i always collect

    i think the only thing left to do is make a startup repair disk, and try that :(
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,578
    The safe mode log doesn't tell us anything.

    Are the deleted files still in the recycle bin? I'd like to know the name of that game's executable.

    Can you post those error messages please?

    Can you boot to safe mode with networking and get on-line?
     
  7. aka Brett

    aka Brett Banned

    Joined:
    Nov 25, 2008
    Messages:
    16,918
    The Windows DVD that came with your Dell 1525 already has the files. Boot the DVD and you will see the options.
    To boot that DVD you need to start tapping F12 after powering up, then select booting from the DVD. This is a one-time boot option, thus preventing you from having to change BIOS settings.

    For what it's worth, the memory that came in these units is junk. Mine failed twice, and a friend of mine has one of these units; his also failed. You can have some very strange symptoms with failing RAM. If you can boot to F12 and select Diagnostics, it will check the RAM.
     
  8. iltos

    iltos Thread Starter

    Joined:
    Jun 13, 2004
    Messages:
    18,287
    i thought as much

    nope

    yes....i'm posting that way at the moment

    sure....in the interests of being thorough, here's the whole timeline....there are two about the game (in red)

    1. this is an error that occurred downloading the upgrades yesterday morning around 6:00am (10/18)
    2. this is the error from the game that was downloaded
    3. here is notepad's failure to open
    4. another error message from the game (a few minutes later)
    5. another notepad error
    6. and another one, a few seconds later
    7. then a firefox error
    8. another error, 45 seconds later...i've no idea what this is
    9. there are two of these, back to back, after firefox refused to open
    10. then, about 9 minutes later, there's this...i'm just guessing this is about the time the boyfriend tried to reboot
    then this, seconds later
    11. then this, a few hours later....pretty sure this is from the first time i tried a normal boot.
    12. and for reference, here's the error from a try at a normal boot this morning.
     
  9. iltos

    iltos Thread Starter

    Joined:
    Jun 13, 2004
    Messages:
    18,287
    bingo!!!....right you are (y)

    NOW you tell me :D
    that might explain why CS3 started acting odd last week, tho :(
     
  10. aka Brett

    aka Brett Banned

    Joined:
    Nov 25, 2008
    Messages:
    16,918
    You never asked:p
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,578
    You have a TDSS rootkit infection. :(

    I trust you have backed up any important documents, photos, etc. If not, I suggest you do so now as the machine is unstable.

    Please visit the ComboFix Guide & Instructions for instructions on installing the Recovery Console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  12. iltos

    iltos Thread Starter

    Joined:
    Jun 13, 2004
    Messages:
    18,287
    yuck :mad:....
    ok....security's off, and puppy is on the desktop
    one quick question....should i leave normal boot on (for the puppy.exe reboots), or set it to one of the safe mode options?
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,578
    Leave it on normal boot. After puppy runs, it may be able to boot normally. You should never use the forced safe boot as that can backfire and result in an infinite reboot loop. :)
     
  14. iltos

    iltos Thread Starter

    Joined:
    Jun 13, 2004
    Messages:
    18,287
    got'cha :)
    thanks....
    here's hoping :cool:
     
  15. iltos

    iltos Thread Starter

    Joined:
    Jun 13, 2004
    Messages:
    18,287
    that didn't take very long :confused:
    still in safe mode, tho.....so we're not done yet

    here's the puppy log and a new HJT log
    btw...ComboFix tells me i've got SUPERAntiSpyware running....and it's not on my computer (i ran it remotely yesterday)

    anyway....ComboFix log here....HJT, next post.
    ComboFix 09-10-18.06 - Bob 10/19/2009 12:33.1.2 - NTFSx86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3573.3004 [GMT -7:00]
    Running from: c:\users\Bob\Desktop\puppy.exe
    SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
    c:\$recycle.bin\S-1-5-21-308377154-4036065607-1672078067-1001
    c:\$recycle.bin\S-1-5-21-308377154-4036065607-1672078067-1002
    c:\$recycle.bin\S-1-5-21-308377154-4036065607-1672078067-1003
    c:\$recycle.bin\S-1-5-21-308377154-4036065607-1672078067-500
    C:\install.exe
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\oem8.inf

    .
    ((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
    .

    2009-10-19 03:49 . 2009-10-19 03:49 -------- d-----w- c:\users\Bob\AppData\Roaming\Malwarebytes
    2009-10-19 03:49 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-19 03:49 . 2009-10-19 03:49 -------- d-----w- c:\programdata\Malwarebytes
    2009-10-19 03:49 . 2009-10-19 03:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-19 03:49 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-10-19 03:04 . 2009-10-19 03:04 -------- d-----w- c:\users\Bob\AppData\Roaming\SUPERAntiSpyware.com
    2009-10-19 03:04 . 2009-10-19 03:04 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2009-10-18 23:37 . 2009-10-19 13:40 -------- d-----w- c:\windows\system32\wbem\repository
    2009-10-15 13:26 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
    2009-10-15 13:26 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
    2009-10-15 13:26 . 2009-08-05 14:22 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-10-15 13:26 . 2009-08-05 14:22 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-10-15 13:26 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
    2009-10-15 13:26 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
    2009-10-03 12:00 . 2009-10-01 17:29 195440 ----a-w- c:\windows\system32\MpSigStub.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-19 19:35 . 2009-05-05 14:25 6648 ----a-w- c:\users\Bob\AppData\Local\d3d9caps.dat
    2009-10-18 23:59 . 2009-08-12 17:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-10-18 23:32 . 2009-03-05 16:51 -------- d-----w- c:\programdata\HP Product Assistant
    2009-09-10 16:48 . 2009-09-10 16:48 118784 ----a-w- C:\J3rhaO9w.exe
    2009-09-10 16:48 . 2009-09-10 16:48 -------- d-----w- c:\program files\Company
    2009-09-10 16:48 . 2009-09-10 16:48 7984187 ----a-w- C:\ErosAdv03Full.exe
    2009-09-04 21:09 . 2008-06-06 15:55 -------- d-----w- c:\program files\Google
    2009-09-04 21:08 . 2009-09-04 21:08 -------- d-----w- c:\programdata\Google Updater
    2009-09-04 21:08 . 2009-09-04 21:08 1246328 ----a-w- c:\program files\Google Updater.exe
    2009-09-03 18:00 . 2009-09-03 18:00 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-08-29 15:15 . 2009-03-05 14:13 -------- d-----w- c:\program files\Java
    2009-08-28 12:39 . 2009-09-02 13:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2009-08-28 10:15 . 2009-09-02 13:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2009-08-23 21:30 . 2008-08-25 18:20 60376 ----a-w- c:\users\Bob\AppData\Local\GDIPFONTCACHEV1.DAT
    2009-08-21 16:52 . 2008-09-01 22:51 -------- d-----w- c:\program files\Mozilla Thunderbird
    2009-08-17 16:10 . 2008-08-26 01:28 1279456 ----a-w- c:\windows\system32\aswBoot.exe
    2009-08-17 16:05 . 2008-08-26 01:28 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2009-08-17 16:05 . 2008-08-26 01:28 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2009-08-17 16:05 . 2008-08-26 01:28 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2009-08-17 16:04 . 2008-08-26 01:28 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2009-08-17 16:04 . 2008-08-26 01:28 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2009-08-17 16:02 . 2008-08-26 01:28 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2009-08-14 17:07 . 2009-09-12 14:41 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2009-08-14 16:29 . 2009-09-12 14:41 104960 ----a-w- c:\windows\system32\netiohlp.dll
    2009-08-14 16:29 . 2009-09-12 14:41 17920 ----a-w- c:\windows\system32\netevent.dll
    2009-08-14 14:16 . 2009-09-12 14:41 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
    2009-08-14 14:16 . 2009-09-12 14:41 17920 ----a-w- c:\windows\system32\ROUTE.EXE
    2009-08-14 14:16 . 2009-09-12 14:41 11264 ----a-w- c:\windows\system32\MRINFO.EXE
    2009-08-14 14:16 . 2009-09-12 14:41 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
    2009-08-14 14:16 . 2009-09-12 14:41 19968 ----a-w- c:\windows\system32\ARP.EXE
    2009-08-14 14:16 . 2009-09-12 14:41 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
    2009-08-14 14:16 . 2009-09-12 14:41 10240 ----a-w- c:\windows\system32\finger.exe
    2009-07-25 12:23 . 2008-12-14 16:42 411368 ----a-w- c:\windows\system32\deploytk.dll
    2008-06-06 15:49 . 2008-06-06 15:49 76 --sh--r- c:\windows\CT4CET.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-23 185872]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-06 29744]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-6 50688]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-06-06 16:02 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001

    S1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [8/25/2008 6:28 PM 114768]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [6/6/2008 3:34 AM 73728]
    S2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [8/25/2008 6:28 PM 20560]
    S2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [8/25/2008 6:28 PM 53328]
    S2 gupdate1ca2da3ff288ddd;Google Update Service (gupdate1ca2da3ff288ddd);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2009 2:09 PM 133104]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [6/6/2008 11:31 AM 111616]
    S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [6/6/2008 11:30 AM 235648]
    S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [6/6/2008 11:30 AM 7424]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2009-10-17 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-04 21:08]

    2009-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:09]

    2009-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\l0d4t1gv.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\users\Bob\Netscape6\nppl3260.dll
    FF - plugin: c:\users\Bob\Netscape6\nprjplug.dll
    FF - plugin: c:\users\Bob\Netscape6\nprpjplug.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-SUPERAntiSpyware - g:\superantispyware\SUPERAntiSpyware.exe
    HKLM-RunOnce-<NO NAME> - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-19 12:41
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2009-10-19 12:44
    ComboFix-quarantined-files.txt 2009-10-19 19:44

    Pre-Run: 171,291,848,704 bytes free
    Post-Run: 173,635,080,192 bytes free

    - - End Of File - - 66EEBF5B6B861961EB6404416368763E
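The two logs in this thread are what the helpers read by eye: the O20 AppInit_DLLs and Winlogon Notify entries in the HijackThis log from post 3, and in the ComboFix log above the AutoRun.inf removed from system32, the executables sitting directly in the root of C:\, and the AntiVirusOverride value under the Security Center key. The script below is an added example, not something posted in this thread and not part of HijackThis or ComboFix: a small Python triage pass that runs a handful of rules over log lines and reports what deserves a second look. The rule names, the Finding type, and the 0.5 "random-looking name" threshold are assumptions made for this example; a hit means "check this", not "this is malware" (the AppInit DLL here belongs to Google Desktop and the Winlogon package to Citrix GoToAssist, both visible in the logs). The sample lines are copied from the two logs on this page and nothing is added to them.

```python
"""Triage heuristics for HijackThis / ComboFix log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired (names are this example's own)
    detail: str  # the path or registry value that triggered it


# ComboFix file rows: "<created> . <modified> <size|--------> <attrs> <path>"
CF_FILE_ROW = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+\S+\s+(.+)$"
)
# ComboFix "Other Deletions" rows are bare paths
BARE_PATH = re.compile(r"^[A-Za-z]:\\.+$")
# HijackThis O20 entries: DLLs injected into every GUI process / Winlogon notify packages
HJT_APPINIT = re.compile(r"^O20 - AppInit_DLLs:\s*(.+)$")
HJT_WINLOGON = re.compile(r"^O20 - Winlogon Notify:\s*(\S+)\s+-\s+(.+)$")
# Security Center told to stop warning about antivirus state
AV_OVERRIDE = re.compile(r'^"AntiVirusOverride"=dword:0*1$')
# Executable sitting directly in a drive root, e.g. C:\foo.exe
DRIVE_ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(exe|dll|sys|com|scr)$", re.I)


def looks_random(stem: str) -> bool:
    """Heuristic (assumed threshold): a short name that keeps switching between
    upper, lower and digit characters, as in J3rhaO9w, is usually generated."""
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l"
               for c in stem if c.isalnum()]
    if len(classes) < 6:
        return False
    switches = sum(a != b for a, b in zip(classes, classes[1:]))
    return switches / len(classes) >= 0.5


def check_path(path: str) -> list[Finding]:
    """Rules that look only at where a file sits and what it is called."""
    out: list[Finding] = []
    p = path.strip()
    name = p.rsplit("\\", 1)[-1]
    if name.lower() == "autorun.inf":
        # autorun.inf only means something at a volume root; one in system32
        # is not something an installer leaves behind
        out.append(Finding("autorun_inf", p))
    if DRIVE_ROOT_EXE.match(p):
        stem = name.rsplit(".", 1)[0]
        tag = "drive_root_exe_random" if looks_random(stem) else "drive_root_exe"
        out.append(Finding(tag, p))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run every rule over every line; findings come out in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HJT_APPINIT.match(line):
            findings.append(Finding("appinit_dll", m.group(1).strip()))
        elif m := HJT_WINLOGON.match(line):
            findings.append(Finding("winlogon_notify", f"{m.group(1)}: {m.group(2).strip()}"))
        elif AV_OVERRIDE.match(line):
            findings.append(Finding("av_override", line))
        elif m := CF_FILE_ROW.match(line):
            findings.extend(check_path(m.group(1)))
        elif BARE_PATH.match(line):
            findings.extend(check_path(line))
    return findings


# Constructed sample: a handful of lines copied from the two logs posted in this
# thread (nothing added), so the run below shows what the rules say about them.
SAMPLE = r"""
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
C:\install.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\oem8.inf
2009-09-10 16:48 . 2009-09-10 16:48 118784 ----a-w- C:\J3rhaO9w.exe
2009-09-10 16:48 . 2009-09-10 16:48 7984187 ----a-w- C:\ErosAdv03Full.exe
2009-08-17 16:10 . 2008-08-26 01:28 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-18 23:59 . 2009-08-12 17:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
"AntiVirusOverride"=dword:00000001
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.rule:24} {f.detail}")
```

Run as a script it prints one finding per line; pass the full text of a log instead of SAMPLE to triage a real one. The "Other Deletions" section lists bare paths while the "Files Created" and "Find3M" sections use the timestamped row format, which is why both shapes are accepted. Lines that match none of the rules, such as the avast! Run entry or aswBoot.exe in system32, produce nothing, which is the point: the output is a short list to verify, not a verdict.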
     
Short URL to this thread: https://techguy.org/869643