shawnh (posted October 23, 2011):
Hi everyone, I've got an old Compaq Presario laptop running XP Home (SP2) that certainly is well past its Best Before date, but cheap like I am, I'm trying to squeeze some more use out of it. Today when I tried to boot up, it gave this message as it was just starting to bring Windows up:
lsass.exe - "An invalid parameter was passed to a service or function"
... followed by an OK button. When clicked, it just goes back to booting up and then gives this error over again.
I do have a "BartPE" CD that has saved my ass numerous times and hoped that it would do so again. I booted up using that and once in that environment did a full CHKDSK /R. It indeed found some corrupted crap that it rectified, then I attempted to boot again. This time it was again an Lsass error, but with a different message:
Lsass.exe - "when trying to update a password, this return status indicates that the value provided as the current password is not correct"
... and it won't allow me to get any further than that.
Googling around I found a site that said it could be a virus and it suggested to click START then RUN and type in a certain command ("shutdown -a") during the 60 seconds before the virus shuts your system down again - but I never get as far as being able to access START, so maybe it's not that virus.
Any thoughts please anyone? Thanks! Shawn
shawnh (posted October 24, 2011):
Would anyone have any thoughts on this? I'm dead in the water! Cheers, Shawn
RandyL (posted October 24, 2011):
This could be a virus as you said. Can you boot into safe mode?
-- We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs. Get help with computer problems. Join Free PC Help here. Donations are welcome. Read Here
shawnh (posted October 24, 2011):
Thanks for the reply Randy. OK, I just tried and I couldn't do it. It came up with the little "Safe Mode" things in each of the 4 corners, but then gave that same message as before:
Lsass.exe - "when trying to update a password, this return status indicates that the value provided as the current password is not correct"
... bummer! Thanks, Shawn
RandyL (posted October 24, 2011):
I think we better let our malware experts take a look at this before going on. I'll let them know.
Goku (posted October 25, 2011):
Hello Shawn. Have you tried the troubleshooting instructions listed in this Microsoft KB article? If yes, what results did it yield? -- Goku
shawnh (posted October 25, 2011):
No I never tried that Goku, although I have come across it while googling. That looks like a HELL of a procedure... I'm hoping that's a last resort.
Starbuck (posted October 25, 2011):
Do you by any chance have the Win XP installation disc?
-- Member of: UNITE
shawnh (posted October 25, 2011):
Thanks for the reply Starbuck - yes I have all the original installation CDs that came with the laptop (years ago!):
- Compaq Operating System CD
- Compaq Restore CD
- Compaq Application Restore CD
Thanks! Shawn
Starbuck (posted October 25, 2011):
Hi Shawnh, I'm assuming that the Compaq Operating System CD is very much like the Windows operating disc. I think your best course of action is a repair install: a repair installation does not alter any programs or data, other than Windows XP itself. Follow the instructions in the following link; it'll explain everything in detail. After reading each page, just click on 'Next' to move on to the following page.
http://pcsupport.about.com/od/operatingsystems/ss/instxprepair1.htm
Let us know how things go.
shawnh (posted October 27, 2011):
Thanks Starbuck, well here's what happened: it did the Repair process up to Step 8; after it completed Step 8 it said it would do a re-boot and continue on with the Setup. During the reboot, it gave 3 choices of OSs to boot from:
- Microsoft Windows in C:\WINXP
- Microsoft Windows Recovery Console
- Microsoft Windows in C:\WINXP
(please note that before I did have 2 OSs - the one I would always use was C:\WINXP. There was another one installed in C:\WINDOWS but that was corrupted from years before and I just left it there)
Anyway, the first one of the 3 above was automatically highlighted and it did the reboot using that. It proceeded to a sort of "blue screen" looking window that said "Setup is continuing", with progress dots following. After that screen it brought up a black screen with the cursor arrow in the middle. This looked good and I was expecting it to come up with the "Windows" logo and proceed, but it then quickly flashed a "blue screen" of some sort with a short message at the upper left which I did not have time to read, then it self re-booted again.
Next time, I selected the OS choice in the middle ("Microsoft Windows Recovery Console"), but this didn't get very far as it quickly gave a black screen message something about a file NTDRL or something. I rebooted again and chose the 3rd OS option ("Microsoft Windows in C:\WINXP"), but this option just ultimately gave the LSASS.EXE error message again.
So it looks like I'm stuck again Starbuck! Shawn
shawnh (posted October 28, 2011):
I'm sorry to be a nag, but would you have any other advice for me Starbuck? I'm so dead right now! Thanks, Shawn
RandyL (posted October 28, 2011):
You could try what Goku suggested.
shawnh (posted October 31, 2011):
The repair installation recommended by Starbuck kind of hit a brick wall, as I mentioned above. I even tried running a Kaspersky Rescue CD on it to get any viruses out - it found a couple, but I'm still having the same Lsass.exe error when I try to boot :-(
Starbuck, can you give me any more assistance on that "repair install" procedure? What about the option of doing a repair using the "Recovery Console"... would that help? Thanks! Shawn
P.S.: Goku, does following that "registry recovery" procedure make you lose any of your data, or installed programs?
RandyL (posted October 31, 2011):
"does following that 'registry recovery' procedure make you lose any of your data, or installed programs?"
No it will not. You will still have everything.
Starbuck (posted October 31, 2011):
Hi shawnh, sorry for the delay in responding to you. Because Lsass.exe serves as the Local Security Authentication Server by Microsoft, Inc. and is responsible for the enforcement of the security policy within the operating system, I wanted to try and see if we could repair this using the repair install option. As it hasn't happened, it may well be related to malware. Without the system booting up properly this obviously causes us a few problems. Let's see if we can get a report using a PE environment. You will need to use another system to download the program and transfer it to a disc. I assume you haven't backed up all your data from the 'bad' system and that's why you asked about the 'Registry Recovery' and losing data. By using the following program, it will not only produce a report of the system, it will also allow you to backup anything that you require, just in case we have no option but to do a full reinstall.
Please print these instructions out so that you know what you are doing.
1. Download OTLPENet.exe to your desktop.
2. Ensure that you have a blank CD in the drive.
3. Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD.
4. Reboot your bad system using the boot CD you just created.
   Note: If you do not know how to set your computer to boot from CD, follow the steps here.
   As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
5. Your system should now display a Reatogo desktop. Note: as you are running from CD it is not exactly speedy.
6. Double-click on the OTLPE icon.
7. Select the Windows folder of the infected drive if it asks for a location.
8. When asked "Do you wish to load the remote registry", select Yes.
9. When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
10. Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
11. OTL should now start. Press Run Scan to start the scan.
12. When finished, the file will be saved in drive C:\OTL.txt. Copy this file to your USB drive if you do not have an internet connection on this system. Right click the file and select Send to: select the USB drive. Confirm that it has copied to the USB drive by selecting it.
You can backup any files that you wish from this OS now. Please post the contents of the C:\OTL.txt file in your reply.
shawnh (posted November 1, 2011):
Thanks so much Starbuck. OK, I followed your instructions and noted a few things along the way:
- After I downloaded OTLPENet.exe, I doubleclicked OTLPENet.exe, not OTLPEStd.exe. I wasn't sure what you meant by OTLPEStd.exe.
- When I invoked OTLPE from the REATOGO environment, it only asked: "Do you wish to load remote user profile(s) for scanning". I clicked YES, and it displayed a list of other "users", I guess. The first one was highlighted and the checkbox "Automatically Load All Remaining Users" was checked so I just clicked OK.
- It then displayed a window saying "One of the files containing the system's Registry data had to be recovered by use of a log or alternate copy. The recovery was successful". I clicked OK on that.
- I then ran OTLPE with the default settings and clicked "Run Scan". It completed pretty quick (10-15 mins)... is that normal?
Here is the report below:
OTL logfile created on: 11/1/2011 7:11:22 PM - Run OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
767.00 Mb Total Physical Memory | 547.00 Mb Available Physical Memory | 71.00% Memory free
707.00 Mb Paging File | 584.00 Mb Available in Paging File | 83.00% Paging File free
Paging file location(s): c:\pagefile.sys 1152 2304 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINXP | %ProgramFiles% = C:\Program Files
Drive C: | 27.95 Gb Total Space | 6.07 Gb Free Space | 21.72% Space Free | Partition Type: NTFS
Drive D: | 1.92 Gb Total Space | 0.55 Gb Free Space | 28.47% Space Free | Partition Type: FAT
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off
| No Company Name Whitelist: On | File Age = 30 Days Using ControlSet: ControlSet003 ========== Win32 Services (SafeList) ========== SRV - File not found [Auto] -- -- (PEVSystemStart) SRV - File not found [Auto] -- -- (LMIGuardianSvc) SRV - File not found [Auto] -- -- (Irmon) SRV - File not found [Disabled] -- -- (HidServ) SRV - File not found [On_Demand] -- -- (AppMgmt) SRV - [2009/02/15 23:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto] -- C:\WINXP\System32\ZoneLabs\vsmon.exe -- (vsmon) SRV - [2007/12/05 05:18:59 | 000,594,600 | ---- | M] ( ) [Auto] -- C:\WINXP\System32\lxdncoms.exe -- (lxdn_device) SRV - [2007/12/05 05:18:53 | 000,098,984 | ---- | M] () [Auto] -- C:\WINXP\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe -- (lxdnCATSCustConnectService) SRV - [2006/03/21 10:30:26 | 000,368,724 | ---- | M] (Atheros) [Auto] -- C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe -- (ACS) SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default)) SRV - [2001/10/03 20:21:52 | 000,065,536 | ---- | M] (America Online, Inc.) 
[Auto] -- C:\WINXP\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand] -- -- (WDICA) DRV - File not found [Kernel | Boot] -- -- (tclondrv) DRV - File not found [Kernel | On_Demand] -- -- (SWUMX20) Sierra Wireless USB MUX Driver (UMTS20) DRV - File not found [Kernel | On_Demand] -- -- (SWNC5E00) Sierra Wireless MUX NDIS Driver (#00) DRV - File not found [Kernel | On_Demand] -- -- (SWMX00) Sierra Wireless USB MUX Driver (#00) DRV - File not found [Kernel | On_Demand] -- -- (Rasirda) WAN Miniport (IrDA) DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME) DRV - File not found [Kernel | On_Demand] -- -- (PDRELI) DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME) DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP) DRV - File not found [Kernel | System] -- -- (PCIDump) DRV - File not found [Kernel | On_Demand] -- -- (mxDisk) DRV - File not found [Kernel | Auto] -- -- (LXARScan) DRV - File not found [Kernel | On_Demand] -- -- (LMImirr) DRV - File not found [Kernel | System] -- -- (lbrtfdc) DRV - File not found [File_System | Boot] -- -- (Lbd) DRV - File not found [Kernel | On_Demand] -- -- (Lavasoft Kernexplorer) DRV - File not found [Kernel | Auto] -- -- (irda) DRV - File not found [Kernel | System] -- -- (i2omgmt) DRV - File not found [Kernel | Boot] -- -- (fytnbit) DRV - File not found [Kernel | System] -- -- (Changer) DRV - File not found [Kernel | On_Demand] -- -- (catchme) DRV - [2010/02/23 09:51:48 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\WsAudio_DeviceS(5).sys -- (WsAudio_DeviceS(5)) WsAudio_DeviceS(5) DRV - [2010/02/23 09:51:48 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\WsAudio_DeviceS(4).sys -- (WsAudio_DeviceS(4)) WsAudio_DeviceS(4) DRV - [2010/02/23 09:51:48 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand] -- 
C:\WINXP\system32\drivers\WsAudio_DeviceS(3).sys -- (WsAudio_DeviceS(3)) WsAudio_DeviceS(3) DRV - [2010/02/23 09:51:48 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\WsAudio_DeviceS(2).sys -- (WsAudio_DeviceS(2)) WsAudio_DeviceS(2) DRV - [2009/04/23 15:51:18 | 000,016,640 | ---- | M] (Wondershare) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\WsAudio_DeviceS(1).sys -- (WsAudio_DeviceS(1)) WsAudio_DeviceS(1) DRV - [2009/02/15 23:10:26 | 000,353,672 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System] -- C:\WINXP\system32\vsdatant.sys -- (vsdatant) DRV - [2008/12/11 21:32:42 | 000,148,496 | ---- | M] (Kaspersky Lab) [Kernel | System] -- C:\WINXP\system32\drivers\klif.sys -- (KLIF) DRV - [2008/11/17 01:24:00 | 000,051,688 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Boot] -- C:\WINXP\system32\ZoneLabs\srescan.sys -- (srescan) DRV - [2008/02/29 16:08:08 | 000,024,840 | ---- | M] () [Kernel | On_Demand] -- C:\WINXP\System32\drivers\swmsflt.sys -- (swmsflt) DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\winusb.sys -- (winusb) DRV - [2006/05/19 17:16:24 | 000,002,560 | ---- | M] (Sonic Solutions) [Kernel | System] -- C:\WINXP\System32\drivers\cdralw2k.sys -- (Cdralw2k) DRV - [2006/05/19 17:16:24 | 000,002,432 | ---- | M] (Sonic Solutions) [Kernel | System] -- C:\WINXP\System32\drivers\cdr4_xp.sys -- (Cdr4_xp) DRV - [2006/05/16 01:37:44 | 000,999,968 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\ar5416.sys -- (AR5416) DRV - [2004/02/23 08:40:38 | 000,014,976 | ---- | M] (CMS Peripherals, Inc.) [Kernel | Auto] -- C:\WINXP\system32\drivers\portd2k.sys -- (portD) DRV - [2003/11/13 21:47:00 | 000,640,000 | ---- | M] (ATI Technologies Inc.) 
[Kernel | On_Demand] -- C:\WINXP\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2003/11/08 02:00:02 | 001,063,040 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\HSF_DP.sys -- (HSF_DP) DRV - [2003/11/08 02:00:02 | 000,631,296 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\HSF_CNXT.sys -- (winachsf) DRV - [2003/11/08 02:00:02 | 000,196,352 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2) DRV - [2001/08/18 10:00:00 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\HSF_MSFT.sys -- (hsf_msft) DRV - [2001/08/18 10:00:00 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\HSF_BSC2.sys -- (basic2) DRV - [2001/08/18 10:00:00 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINXP\system32\drivers\HSF_SAMP.sys -- (Rksample) DRV - [2001/08/16 21:20:34 | 000,028,396 | ---- | M] (America Online, Inc.) 
[Kernel | On_Demand] -- C:\WINXP\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\Administrator.N-66I8K7FUN69C1.000_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\LocalService.NT_AUTHORITY.000_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\LogMeInRemoteUser.N-66I8K7FUN69C1_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\LogMeInRemoteUser_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\Moe_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie IE - HKU\Moe_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\system32\blank.htm IE - HKU\Moe_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com IE - HKU\Moe_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = [binary 
data] IE - HKU\Moe_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ IE - HKU\Moe_ON_C\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie IE - HKU\Moe_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie IE - HKU\Moe_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\Moe_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local> IE - HKU\Moe_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = <local> IE - HKU\NetworkService.NT_AUTHORITY.000_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINXP\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINXP\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINXP\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.) 
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2011/07/04 17:20:41 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/13 13:51:08 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/13 13:51:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2011/09/29 02:53:40 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2011/09/28 20:26:50 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml O1 HOSTS File: ([2001/08/18 10:00:00 | 000,000,734 | ---- | M]) - C:\WINXP\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.) O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.) O3 - HKU\Moe_ON_C\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.) 
O4 - HKLM..\Run: [PrinTray] C:\WINXP\system32\spool\drivers\w32x86\3\printray.exe (Lexmark) O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD) O4 - HKU\Moe_ON_C..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems) O4 - Startup: C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe (D-Link) O4 - Startup: C:\Documents and Settings\Moe\Start Menu\Programs\Startup\Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe () O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\Administrator.N-66I8K7FUN69C1.000_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\LocalService.NT_AUTHORITY.000_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\LogMeInRemoteUser.N-66I8K7FUN69C1_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - 
HKU\LogMeInRemoteUser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\Moe_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\Moe_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0 O7 - HKU\Moe_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\NetworkService.NT_AUTHORITY.000_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html () O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html () O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html () O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html () O9 - Extra Button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe (ICQ Inc.) O9 - Extra 'Tools' menuitem : ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe (ICQ Inc.) 
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html () O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html () O9 - Extra Button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe () O9 - Extra 'Tools' menuitem : Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe () O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINXP\system32\nwprovau.dll (Microsoft Corporation) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24) O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINXP\explorer.exe (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2005/04/08 22:47:00 | 000,000,018 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O32 - AutoRun File - [2004/11/20 19:36:58 | 000,000,000 | ---D | M] - C:\autoresponder -- [ NTFS ] O32 - AutoRun File - [2009/10/13 15:51:20 | 000,000,000 | ---D | M] - C:\AutoResponsePlus -- [ NTFS ] O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O34 - HKLM BootExecute: (sprestrt) - C:\WINXP\System32\sprestrt.exe (Microsoft Corporation) 
O34 - HKLM BootExecute: (sprestrt) - C:\WINXP\System32\sprestrt.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2100/02/08 15:03:54 | 000,053,248 | ---- | C] (Silitek Corp.) -- C:\Program Files\ACMonitor_X73.exe
[2012/04/13 16:21:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moe\Start Menu\Programs\Push-Button Option Trader
[2012/04/13 16:21:09 | 000,000,000 | ---D | C] -- C:\Program Files\Push-Button Option Trader
[2011/10/30 12:31:48 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2011/10/23 12:59:14 | 000,000,000 | -HSD | C] -- C:\found.003
[2011/10/20 20:39:47 | 000,000,000 | -HSD | C] -- C:\found.002
[2011/10/13 13:50:58 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/10/12 12:14:17 | 000,000,000 | ---D | C] -- C:\FirefoxBookmarks
[2011/10/12 10:34:38 | 000,000,000 | ---D | C] -- C:\Eastlink
[2009/04/20 15:06:15 | 000,262,144 | ---- | C] (ZoneAlarm) -- C:\Program Files\Uninstall Spy Blocker.dll
[2008/09/25 17:37:57 | 000,438,272 | ---- | C] ( ) -- C:\WINXP\System32\LXDNhcp.dll
[2008/09/25 17:37:56 | 000,364,544 | ---- | C] ( ) -- C:\WINXP\System32\lxdninpa.dll
[2008/09/25 17:37:56 | 000,339,968 | ---- | C] ( ) -- C:\WINXP\System32\lxdniesc.dll
[2008/09/25 17:37:55 | 001,101,824 | ---- | C] ( ) -- C:\WINXP\System32\lxdnserv.dll
[2008/09/25 17:37:55 | 000,843,776 | ---- | C] ( ) -- C:\WINXP\System32\lxdnusb1.dll
[2008/09/25 17:37:54 | 000,647,168 | ---- | C] ( ) -- C:\WINXP\System32\lxdnpmui.dll
[2008/09/25 17:37:54 | 000,569,344 | ---- | C] ( ) -- C:\WINXP\System32\lxdnlmpm.dll
[2008/09/25 17:37:54 | 000,053,248 | ---- | C] ( ) -- C:\WINXP\System32\lxdnprox.dll
[2008/09/25 17:37:52 | 000,320,168 | ---- | C] ( ) -- C:\WINXP\System32\lxdnih.exe
[2008/09/25 17:37:51 | 000,663,552 | ---- | C] ( ) -- C:\WINXP\System32\lxdnhbn3.dll
[2008/09/25 17:37:49 | 000,851,968 | ---- | C] ( ) -- C:\WINXP\System32\lxdncomc.dll
[2008/09/25 17:37:49 | 000,594,600 | ---- | C] ( ) -- C:\WINXP\System32\lxdncoms.exe
[2008/09/25 17:37:49 | 000,376,832 | ---- | C] ( ) -- C:\WINXP\System32\lxdncomm.dll
[2008/09/25 17:37:48 | 000,365,224 | ---- | C] ( ) -- C:\WINXP\System32\lxdncfg.exe
[2006/10/11 18:58:30 | 000,563,712 | ---- | C] (Citrix Online) -- C:\Documents and Settings\Moe\gotomypc_370.exe
[2006/02/08 15:13:19 | 003,167,744 | ---- | C] (Citrix Online) -- C:\Documents and Settings\Moe\gosetup.exe
[2006/01/21 01:40:40 | 000,563,712 | ---- | C] (Citrix Online) -- C:\Documents and Settings\Moe\370_gotomypc.exe
[2005/08/11 11:36:20 | 000,483,401 | ---- | C] (Citrix Online) -- C:\Documents and Settings\Moe\gotomypc.exe

========== Files - Modified Within 30 Days ==========

[2011/10/31 00:49:16 | 804,704,256 | -HS- | M] () -- C:\hiberfil.sys
[2011/10/30 20:47:41 | 000,002,048 | --S- | M] () -- C:\WINXP\bootstat.dat
[2011/10/30 20:47:29 | 000,153,976 | ---- | M] () -- C:\WINXP\System32\FNTCACHE.DAT
[2011/10/26 18:03:13 | 000,000,370 | RHS- | M] () -- C:\boot.ini
[2011/10/26 18:00:40 | 000,000,318 | ---- | M] () -- C:\WINXP\System32\$winnt$.inf
[2011/10/24 17:12:36 | 2306,569,248 | -HS- | M] () -- C:\WINXP\System32\drivers\fidbox.dat
[2011/10/24 17:12:36 | 030,244,864 | -HS- | M] () -- C:\WINXP\System32\drivers\fidbox.idx
[2011/10/22 23:57:00 | 000,000,970 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskUserS-1-5-21-839522115-2111687655-854245398-1004UA.job
[2011/10/22 23:36:00 | 000,000,880 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/22 17:26:42 | 001,660,488 | ---- | M] () -- C:\Program Files\Ace WINScreen.rar
[2011/10/22 15:10:27 | 000,000,998 | ---- | M] () -- C:\Documents and Settings\Moe\Desktop\magicJack.lnk
[2011/10/22 12:57:01 | 000,000,918 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskUserS-1-5-21-839522115-2111687655-854245398-1004Core.job
[2011/10/22 12:40:00 | 000,000,486 | ---- | M] () -- C:\WINXP\tasks\Ad-Aware Update (Weekly).job
[2011/10/22 00:36:01 | 000,000,876 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/21 18:49:00 | 000,013,002 | ---- | M] () -- C:\WINXP\System32\wpa.dbl
[2011/10/21 18:48:54 | 000,350,210 | ---- | M] () -- C:\WINXP\System32\vsconfig.xml
[2011/10/19 21:28:06 | 000,001,198 | -H-- | M] () -- C:\Documents and Settings\Moe\My Documents\Default.rdp
[2011/10/16 14:07:26 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINXP\System32\FlashPlayerCPLApp.cpl
[2011/10/13 13:51:12 | 000,000,748 | ---- | M] () -- C:\Documents and Settings\Moe\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/10/13 13:51:12 | 000,000,730 | ---- | M] () -- C:\Documents and Settings\All Users.WINXP\Desktop\Mozilla Firefox.lnk
[2011/10/13 13:51:11 | 000,000,736 | ---- | M] () -- C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Mozilla Firefox.lnk
[2011/10/06 19:02:00 | 000,002,248 | ---- | M] () -- C:\Documents and Settings\Moe\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/10/06 19:01:57 | 000,002,270 | ---- | M] () -- C:\Documents and Settings\Moe\Desktop\Google Chrome.lnk

========== Files Created - No Company Name ==========

[2100/02/23 13:35:34 | 000,000,768 | ---- | C] () -- C:\Program Files\x73_lut.dat
[2100/02/08 14:53:34 | 000,001,437 | ---- | C] () -- C:\Program Files\gtx73.ini
[2011/10/24 17:10:31 | 804,704,256 | -HS- | C] () -- C:\hiberfil.sys
[2011/10/22 17:26:39 | 001,660,488 | ---- | C] () -- C:\Program Files\Ace WINScreen.rar
[2011/10/13 13:51:12 | 000,000,748 | ---- | C] () -- C:\Documents and Settings\Moe\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/10/13 13:51:12 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users.WINXP\Desktop\Mozilla Firefox.lnk
[2011/10/13 13:51:11 | 000,000,736 | ---- | C] () -- C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Mozilla Firefox.lnk
[2011/05/12 07:10:30 | 000,291,864 | ---- | C] () -- C:\Documents and Settings\Moe\Local Settings\Application Data\census.cache
[2011/05/12 07:09:26 | 000,262,705 | ---- | C] () -- C:\Documents and Settings\Moe\Local Settings\Application Data\ars.cache
[2011/05/11 13:09:06 | 000,005,694 | -HS- | C] () -- C:\Documents and Settings\All Users.WINXP\Application Data\8d3477s2b521076
[2011/05/11 13:09:05 | 000,005,694 | -HS- | C] () -- C:\Documents and Settings\Moe\Local Settings\Application Data\8d3477s2b521076
[2011/04/19 23:15:42 | 000,815,104 | ---- | C] () -- C:\WINXP\System32\xvidcore.dll
[2011/04/19 23:15:41 | 000,180,224 | ---- | C] () -- C:\WINXP\System32\xvidvfw.dll
[2011/01/24 01:06:10 | 000,256,512 | ---- | C] () -- C:\WINXP\PEV.exe
[2011/01/24 01:06:10 | 000,098,816 | ---- | C] () -- C:\WINXP\sed.exe
[2011/01/24 01:06:10 | 000,089,088 | ---- | C] () -- C:\WINXP\MBR.exe
[2011/01/24 01:06:10 | 000,080,412 | ---- | C] () -- C:\WINXP\grep.exe
[2011/01/24 01:06:10 | 000,068,096 | ---- | C] () -- C:\WINXP\zip.exe
[2011/01/16 19:17:42 | 000,102,400 | ---- | C] () -- C:\WINXP\RegBootClean.exe
[2011/01/16 00:56:03 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Moe\Local Settings\Application Data\housecall.guid.cache
[2011/01/11 17:18:28 | 000,001,437 | ---- | C] () -- C:\WINXP\ydownloaderlibpr.INI
[2010/02/17 18:30:53 | 000,000,026 | ---- | C] () -- C:\WINXP\refsdm.dll
[2010/02/17 17:29:09 | 000,000,299 | ---- | C] () -- C:\WINXP\winsrvm.dll
[2010/02/17 17:29:09 | 000,000,001 | ---- | C] () -- C:\WINXP\dwatson.dll
[2010/02/17 17:13:55 | 000,000,006 | ---- | C] () -- C:\WINXP\client.dll
[2010/02/17 17:13:53 | 000,000,019 | ---- | C] () -- C:\WINXP\MCLDR.dll
[2010/02/14 23:50:49 | 000,253,952 | ---- | C] () -- C:\WINXP\ddedll.dll
[2009/12/17 18:14:30 | 000,000,070 | ---- | C] () -- C:\WINXP\MediaManager.INI
[2009/12/17 16:53:02 | 000,007,207 | R--- | C] () -- C:\WINXP\Disktool.INI
[2009/12/17 16:53:02 | 000,006,399 | R--- | C] () -- C:\WINXP\fwupgrade.ini
[2009/12/17 16:53:02 | 000,003,677 | R--- | C] () -- C:\WINXP\PlaySnd.INI
[2009/05/24 13:36:13 | 2306,569,248 | -HS- | C] () -- C:\WINXP\System32\drivers\fidbox.dat
[2009/04/15 22:19:12 | 000,000,000 | ---- | C] () -- C:\WINXP\nsreg.dat
[2009/03/31 14:37:34 | 000,000,056 | -H-- | C] () -- C:\WINXP\System32\ezsidmv.dat
[2008/11/02 18:10:45 | 000,000,043 | ---- | C] () -- C:\WINXP\ib.ini
[2008/11/02 04:00:33 | 000,000,664 | ---- | C] () -- C:\WINXP\System32\d3d9caps.dat
[2008/09/25 17:48:51 | 000,040,960 | ---- | C] () -- C:\WINXP\System32\lxdnvs.dll
[2008/09/25 17:48:43 | 000,348,160 | ---- | C] () -- C:\WINXP\System32\lxdncoin.dll
[2008/09/25 17:46:36 | 000,782,336 | ---- | C] () -- C:\WINXP\System32\lxdndrs.dll
[2008/09/25 17:46:36 | 000,081,920 | ---- | C] () -- C:\WINXP\System32\lxdncaps.dll
[2008/09/25 17:46:35 | 000,069,632 | ---- | C] () -- C:\WINXP\System32\lxdncnv4.dll
[2008/09/25 17:44:24 | 000,012,288 | ---- | C] () -- C:\WINXP\System32\LXF3PMRC.DLL
[2008/09/25 17:38:20 | 000,000,044 | ---- | C] () -- C:\WINXP\System32\lxdnrwrd.ini
[2008/09/25 17:37:57 | 000,348,160 | ---- | C] () -- C:\WINXP\System32\LXDNinst.dll
[2008/09/25 17:37:51 | 000,208,896 | ---- | C] () -- C:\WINXP\System32\lxdngrd.dll
[2008/02/29 16:08:08 | 000,024,840 | ---- | C] () -- C:\WINXP\System32\drivers\swmsflt.sys
[2008/02/15 15:26:01 | 000,000,008 | RH-- | C] () -- C:\Documents and Settings\Moe\hwid
[2008/02/15 13:42:12 | 000,027,136 | ---- | C] () -- C:\WINXP\toFront.dll
[2008/02/15 13:42:12 | 000,026,624 | ---- | C] () -- C:\WINXP\GetIe.dll
[2007/10/16 13:19:04 | 000,060,744 | ---- | C] () -- C:\Documents and Settings\Moe\g2mdlhlpx.exe
[2007/03/13 22:32:48 | 000,000,035 | ---- | C] () -- C:\WINXP\LMDUJBQ.INI
[2006/12/31 23:37:18 | 000,000,038 | ---- | C] () -- C:\WINXP\iltwain.ini
[2006/10/27 22:47:06 | 000,004,096 | ---- | C] () -- C:\Documents and Settings\Moe\log.dat
[2006/10/08 18:14:37 | 000,000,502 | ---- | C] () -- C:\Documents and Settings\Moe\bookies.xml
[2006/09/06 07:44:27 | 000,000,182 | ---- | C] () -- C:\WINXP\System32\EBPPORT.DAT
[2006/07/18 17:54:01 | 000,000,144 | ---- | C] () -- C:\WINXP\gvcasinos.ini
[2006/07/17 16:19:48 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Moe\PUTTY.RND
[2006/06/20 14:39:07 | 000,000,053 | ---- | C] () -- C:\WINXP\zbj22.ini
[2006/04/10 11:18:12 | 000,008,784 | ---- | C] () -- C:\WINXP\System32\ractrlkeyhook.dll
[2006/03/21 13:11:58 | 000,000,000 | ---- | C] () -- C:\WINXP\VPC32.INI
[2005/11/08 20:25:12 | 000,107,520 | ---- | C] () -- C:\WINXP\System32\UnCasino5.exe
[2005/10/28 14:25:47 | 000,000,059 | ---- | C] () -- C:\WINXP\ANS2000.INI
[2005/10/28 14:25:47 | 000,000,020 | -H-- | C] () -- C:\WINXP\akebook.ini
[2005/10/28 14:25:47 | 000,000,004 | -H-- | C] () -- C:\WINXP\a3kebook.ini
[2005/09/23 23:03:41 | 000,000,227 | ---- | C] () -- C:\WINXP\ARKS-FAC.INI
[2005/09/23 23:03:35 | 000,000,000 | ---- | C] () -- C:\WINXP\ARK-LOCK.DAT
[2005/08/12 17:57:09 | 003,596,288 | ---- | C] () -- C:\WINXP\System32\qt-dx331.dll
[2005/07/11 21:00:06 | 000,040,960 | ---- | C] () -- C:\WINXP\uneng.exe
[2005/07/03 00:17:31 | 000,003,134 | ---- | C] () -- C:\WINXP\cdplayer.ini
[2005/06/22 16:56:20 | 000,072,192 | ---- | C] () -- C:\WINXP\System32\zlib.dll
[2005/06/21 20:17:52 | 000,000,052 | ---- | C] () -- C:\WINXP\winros.ini
[2005/06/20 21:58:52 | 000,004,569 | ---- | C] () -- C:\WINXP\System32\secupd.dat
[2005/06/19 22:54:46 | 000,001,252 | ---- | C] () -- C:\WINXP\ODBC.INI
[2005/06/19 22:54:30 | 000,000,037 | ---- | C] () -- C:\WINXP\Server.INI
[2005/06/15 18:46:12 | 000,000,043 | ---- | C] () -- C:\WINXP\WALLSTRT.INI
[2005/06/14 21:04:16 | 000,000,000 | ---- | C] () -- C:\WINXP\OPPRIN~1.INI
[2005/06/08 18:00:00 | 000,360,448 | ---- | C] () -- C:\WINXP\System32\fmtkit60.dll
[2005/06/06 13:21:01 | 000,000,064 | ---- | C] () -- C:\WINXP\eFaxView.ini
[2005/06/03 18:55:53 | 000,032,768 | ---- | C] () -- C:\WINXP\BBUninstall.exe
[2005/05/30 14:24:35 | 000,000,044 | ---- | C] () -- C:\WINXP\System32\msssc.dll
[2005/05/29 23:52:14 | 000,000,061 | ---- | C] () -- C:\WINXP\URLPROXY.INI
[2005/05/26 18:33:18 | 000,004,212 | -H-- | C] () -- C:\WINXP\System32\zllictbl.dat
[2005/05/26 18:19:41 | 000,058,880 | ---- | C] () -- C:\Documents and Settings\Moe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/05/26 18:03:18 | 000,002,048 | --S- | C] () -- C:\WINXP\bootstat.dat
[2005/05/26 17:54:14 | 000,021,640 | ---- | C] () -- C:\WINXP\System32\emptyregdb.dat
[2005/05/26 13:07:51 | 000,004,073 | ---- | C] () -- C:\WINXP\ODBCINST.INI
[2005/05/26 13:06:09 | 000,153,976 | ---- | C] () -- C:\WINXP\System32\FNTCACHE.DAT
[2005/05/26 13:01:09 | 000,000,006 | ---- | C] () -- C:\WINXP\System32\rasmon.bin
[2005/05/26 13:01:09 | 000,000,004 | -H-- | C] () -- C:\WINXP\System32\ddefact.bin
[2003/11/13 21:38:26 | 000,086,016 | ---- | C] () -- C:\WINXP\System32\ati2evxx.dll
[2003/11/13 21:36:54 | 000,385,024 | ---- | C] () -- C:\WINXP\System32\ati2evxx.exe
[2002/09/18 00:45:00 | 000,119,808 | ---- | C] () -- C:\WINXP\lsb_un20.exe
[2002/03/10 17:36:14 | 000,012,288 | ---- | C] () -- C:\WINXP\System32\impborl.dll
[2001/10/12 06:42:52 | 000,032,768 | ---- | C] () -- C:\WINXP\System32\LXARICO.DLL
[2001/10/12 06:42:50 | 000,000,643 | ---- | C] () -- C:\WINXP\LEXSTAT.INI
[2001/08/18 10:00:00 | 013,107,200 | ---- | C] () -- C:\WINXP\System32\oembios.bin
[2001/08/18 10:00:00 | 000,673,088 | ---- | C] () -- C:\WINXP\System32\mlang.dat
[2001/08/18 10:00:00 | 000,434,676 | ---- | C] () -- C:\WINXP\System32\perfh009.dat
[2001/08/18 10:00:00 | 000,272,128 | ---- | C] () -- C:\WINXP\System32\perfi009.dat
[2001/08/18 10:00:00 | 000,218,003 | ---- | C] () -- C:\WINXP\System32\dssec.dat
[2001/08/18 10:00:00 | 000,152,576 | ---- | C] () -- C:\WINXP\System32\qasf.dll
[2001/08/18 10:00:00 | 000,068,750 | ---- | C] () -- C:\WINXP\System32\perfc009.dat
[2001/08/18 10:00:00 | 000,046,258 | ---- | C] () -- C:\WINXP\System32\mib.bin
[2001/08/18 10:00:00 | 000,028,626 | ---- | C] () -- C:\WINXP\System32\perfd009.dat
[2001/08/18 10:00:00 | 000,027,440 | ---- | C] () -- C:\WINXP\System32\drivers\secdrv.sys
[2001/08/18 10:00:00 | 000,004,461 | ---- | C] () -- C:\WINXP\System32\oembios.dat
[2001/08/18 10:00:00 | 000,001,420 | ---- | C] () -- C:\WINXP\System32\Dcache.bin
[2001/08/18 10:00:00 | 000,000,741 | ---- | C] () -- C:\WINXP\System32\noise.dat
[2001/07/20 09:48:06 | 000,008,116 | ---- | C] () -- C:\Program Files\OSLO3071b2.USB
[2001/01/18 14:55:22 | 000,131,584 | ---- | C] () -- C:\WINXP\System32\Ptlic32.exe
[2000/12/05 14:56:34 | 000,114,688 | ---- | C] () -- C:\Program Files\lxarscan.dll
[2000/01/11 11:50:48 | 000,000,047 | ---- | C] () -- C:\Program Files\ACMonitor_X73.ini

========== LOP Check ==========

[2011/01/15 21:08:46 | 000,000,000 | ---D | M] -- C:\WINXP\system32\config\systemprofile\Application Data\Application Updater
[2009/04/19 18:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.N-66I8K7FUN69C1.000\Application Data\VCOM
[2008/09/08 15:58:54 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Moe\Application Data\.#
[2010/11/15 13:21:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\acccore
[2005/06/10 14:22:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Aim
[2005/11/08 19:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Alien Skin
[2005/07/05 13:05:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Allume Systems
[2008/07/22 17:32:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\AtomPark
[2008/08/27 18:56:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Aurora Web Editor
[2011/03/25 22:31:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\eBookPro6
[2011/02/07 20:43:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\FEXTrader
[2009/04/28 15:19:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\FLVPlayer2700
[2009/09/01 15:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\GlobalSCAPE
[2008/08/22 18:09:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Good Keywords v2
[2010/09/15 18:07:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\HTML Executable
[2009/05/22 18:41:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\IBP
[2005/07/11 15:03:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\ICQ
[2007/01/22 23:18:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\iMesh
[2005/05/30 14:09:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\InterVideo
[2008/06/24 07:49:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\iolo
[2008/08/29 21:11:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\KompoZer
[2008/09/25 18:19:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Lexmark Productivity Studio
[2009/05/24 13:40:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\MailFrontier
[2011/04/10 18:12:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Maxthon3
[2007/03/21 13:51:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Microgaming
[2007/01/12 21:51:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\MindTerm
[2011/10/22 15:10:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\mjusbsp
[2009/08/25 14:42:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\MyLogoMaker
[2010/09/16 19:28:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\NCH Swift Sound
[2005/09/07 17:03:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Novosoft
[2009/07/27 19:56:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\OpenCube Inc
[2009/11/10 13:12:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\PADGen
[2009/02/01 14:06:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Rbet
[2009/04/01 20:28:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Sierra Wireless
[2007/07/08 18:11:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Stilesoft
[2005/07/28 01:51:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Tenebril
[2008/08/29 19:18:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Trellian
[2008/10/19 19:58:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\Uniblue
[2005/06/15 18:55:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\VCOM
[2008/06/02 17:17:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\08lJQ
[2008/06/02 17:53:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\1Bpg9VMaiQ40s
[2008/05/29 21:31:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\1BS57MeaiQ40s
[2009/05/14 09:15:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\1stWorks
[2010/11/15 13:20:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\AIM
[2008/05/29 19:27:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\cWTQ4y84iQ40sXrXpS0
[2009/09/01 15:38:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\GlobalSCAPE
[2005/10/12 01:02:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\Insight Software Solutions
[2011/01/15 21:07:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\IObit
[2008/06/24 07:49:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\iolo
[2011/10/12 10:12:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\LogMeIn
[2011/09/29 21:58:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\magicJack
[2007/09/20 21:42:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\MailFrontier
[2010/08/08 19:39:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\MGS
[2008/10/07 19:09:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\Microgaming
[2010/09/16 19:28:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\NCH Swift Sound
[2005/10/02 15:01:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\RoboForm
[2010/02/17 15:56:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\Save Data
[2010/09/16 19:46:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\TEMP
[2010/09/16 19:46:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\TuneClone
[2008/06/02 16:41:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\YOcTEDCHiQ40sXrX
[2011/10/22 12:40:00 | 000,000,486 | ---- | M] () -- C:\WINXP\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========

< End of report >

Thanks!!!
Shawn

P.S: Thanks RandyL for the reply regarding the "Registry Recovery" procedure. Good to know that I won't lose any of my installed programs if I have to do this. Quote
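A first pass over a report like the one above is mostly pattern matching on the file-list entries, so here is a small triage script for that format. This is an added example by the editor, not OTL code and not something posted in the thread. It parses the "[date time | size | attrs | C/M] (company) -- path" lines and applies a handful of heuristics chosen here (assumptions, not rules OTL itself uses): a timestamp later than the report, hidden+system objects inside a user profile, names that look machine-generated, a DLL sitting directly in the Windows directory that is far too small to be a PE image, and a GUID-shaped name containing non-hex characters. The sample lines are copied from the report above; the report date is assumed from its latest modification time. Everything it flags is a lead for a human to check, not a verdict, and the name heuristics will produce false positives on odd but legitimate names.

```python
"""Triage of OTL/OTLPE file-list entries (editor's added example, not OTL code)."""
import ntpath
import re
from datetime import datetime

# Assumption: the scan ran on the day of the latest modification time in the log.
REPORT_DATE = datetime(2011, 10, 31, 23, 59, 59)

# One OTL entry: [date time | size | attrs | C or M] (company) -- path
# Folder entries carry no "(company)" group; file entries carry "()", "( )" or "(Vendor)".
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)
GUID_SHAPE = re.compile(r"^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$")
HEX_ONLY = re.compile(r"[0-9A-Fa-f-]+")
VOWELS = set("aeiouAEIOU")

# Constructed sample: lines copied from the OTL report posted above (an excerpt, not the full log).
SAMPLE = r"""
[2100/02/08 15:03:54 | 000,053,248 | ---- | C] (Silitek Corp.) -- C:\Program Files\ACMonitor_X73.exe
[2012/04/13 16:21:09 | 000,000,000 | ---D | C] -- C:\Program Files\Push-Button Option Trader
[2011/10/23 12:59:14 | 000,000,000 | -HSD | C] -- C:\found.003
[2011/10/31 00:49:16 | 804,704,256 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/11 13:09:05 | 000,005,694 | -HS- | C] () -- C:\Documents and Settings\Moe\Local Settings\Application Data\8d3477s2b521076
[2010/02/17 17:29:09 | 000,000,001 | ---- | C] () -- C:\WINXP\dwatson.dll
[2010/02/14 23:50:49 | 000,253,952 | ---- | C] () -- C:\WINXP\ddedll.dll
[2005/05/26 18:19:41 | 000,058,880 | ---- | C] () -- C:\Documents and Settings\Moe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/08 15:58:54 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Moe\Application Data\.#
[2008/06/02 17:17:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\08lJQ
[2008/05/29 19:27:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\cWTQ4y84iQ40sXrXpS0
[2008/06/02 16:41:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\YOcTEDCHiQ40sXrX
[2009/08/25 14:42:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\MyLogoMaker
[2009/09/01 15:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moe\Application Data\GlobalSCAPE
""".strip()


def parse_entry(line):
    """Return a dict for one OTL file/folder line, or None if the line is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "attrs": m["attrs"],          # positions: R H S D
        "company": (m["company"] or "").strip(),
        "path": m["path"],
    }


def _transitions(s, cls):
    """Count adjacent character pairs whose class (given by cls) differs."""
    classes = [cls(c) for c in s]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def looks_random(name):
    """Name heuristic (assumption): only for names with no extension and no spaces.
    Flags names with no vowels at all, digit/letter runs that alternate 3+ times,
    or upper/lower case that flips 6+ times."""
    if " " in name or "." in name or len(name) < 5:
        return False
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    if not any(c in VOWELS for c in letters):
        return True
    if len(name) >= 8 and any(c.isdigit() for c in name) and _transitions(name, str.isdigit) >= 3:
        return True
    if len(name) >= 8 and _transitions("".join(letters), str.isupper) >= 6:
        return True
    return False


def triage(lines, report_date=REPORT_DATE, windir="C:\\WINXP"):
    """Return [(path, [reasons])] for entries that trip at least one heuristic."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        path = e["path"]
        name = ntpath.basename(path)
        stem, ext = ntpath.splitext(name)
        parent = ntpath.dirname(path).lower()
        reasons = []
        if e["ts"] > report_date:
            reasons.append("timestamp after report date")
        if "H" in e["attrs"] and "S" in e["attrs"] and "\\documents and settings\\" in path.lower():
            reasons.append("hidden+system object inside a user profile")
        if looks_random(name):
            reasons.append("random-looking name")
        if ext.lower() == ".dll" and parent == windir.lower() and e["size"] < 1024:
            reasons.append("DLL in the Windows directory far too small to be a PE image")
        if GUID_SHAPE.match(stem) and not HEX_ONLY.fullmatch(stem):
            reasons.append("GUID-shaped name containing non-hex characters")
        if reasons:
            findings.append((path, reasons))
    return findings


def triage_sample():
    """Run the heuristics over the constructed sample; path -> reasons."""
    return dict(triage(SAMPLE.splitlines()))


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE.splitlines()):
        print(path)
        for r in reasons:
            print("    -", r)
```

On the sample this flags the future-dated entries, the two random-named profile objects the fix script later targets, the one-byte dwatson.dll and the non-hex "GUID" file, while leaving hiberfil.sys, the chkdsk found.003 folder and ordinary application folders alone. Run it over the whole report (one entry per line) to get the complete list of leads.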
Starbuck Posted November 2, 2011 Posted November 2, 2011 Hi shawnh

"I then ran OTLPE with the default settings and clicked "Run Scan". It completed pretty quick (10-15 mins)... is that normal?"
It's not as quick as when OTL is run on a Windows system, but the report is fine.

"Microsoft Windows XP (Version = 5.1.2600)"
Are you running on the original Win XP.... no service packs?? Quote Member of:UNITE
shawnh Posted November 2, 2011 Author Posted November 2, 2011 I'm pretty sure I had Service Pack 2 on there Starbuck. Did that OTL report find any bad stuff? Cheers Shawn Quote
shawnh Posted November 3, 2011 Author Posted November 3, 2011 So should I maybe just go ahead with that Registry Recovery procedure that Goku suggested some time ago (http://support.microsoft.com/kb/307545), or should we continue with trying to find/delete the malware? Thanks Shawn Quote
shawnh Posted November 3, 2011 Author Posted November 3, 2011 are you still with me Starbuck? Cheers Shawn Quote
Starbuck Posted November 3, 2011 Posted November 3, 2011 Hi shawnh,

"are you still with me Starbuck?"
Yep, still here, just got in from work.

"I'm pretty sure I had Service Pack 2 on there"
I was thinking about that today, I know what's happened now. Because we ran the repair install, it reverted back to the original version of the OS. When you get an internet connection for 'Windows' you'll need to get all the Windows updates again.

"Did that OTL report find any bad stuff?"
It found some bad entries dating back quite a while. But nothing to suggest the problems you are currently experiencing. I'll go through the report again and double check again before posting a fix.

"So should I just go maybe ahead with that Registry Recovery procedure that Goku suggested"
Wait until I've posted the fix, this will clear off all the old bad entries and will tidy things up a bit. If after running the fix nothing has changed.... then we'll try out the procedure that Goku suggested.

Back in about 15 mins, after I've double checked the report. Quote Member of:UNITE
shawnh Posted November 3, 2011 Author Posted November 3, 2011 Thanks Starbuck! Yeah, I guess the repair install I attempted rolled everything back to the original version of XP.... even though it never did complete the repair install; it would get part way, then reboot by itself. Quote
Starbuck Posted November 3, 2011 Posted November 3, 2011 Hi shawnh,

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

:otl
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Moe_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Moe_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
[2011/05/11 13:09:06 | 000,005,694 | -HS- | C] () -- C:\Documents and Settings\All Users.WINXP\Application Data\8d3477s2b521076
[2011/05/11 13:09:05 | 000,005,694 | -HS- | C] () -- C:\Documents and Settings\Moe\Local Settings\Application Data\8d3477s2b521076
[2005/10/28 14:25:47 | 000,000,059 | ---- | C] () -- C:\WINXP\ANS2000.INI
[2005/10/28 14:25:47 | 000,000,020 | -H-- | C] () -- C:\WINXP\akebook.ini
[2005/10/28 14:25:47 | 000,000,004 | -H-- | C] () -- C:\WINXP\a3kebook.ini
[2008/06/02 17:17:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\08lJQ
[2008/06/02 17:53:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\1Bpg9VMaiQ40s
[2008/05/29 21:31:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\1BS57MeaiQ40s
[2008/05/29 19:27:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\cWTQ4y84iQ40sXrXpS0
[2008/06/02 16:41:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\YOcTEDCHiQ40sXrX
:Files
ipconfig /flushdns /c
:commands
[emptytemp]
[purity]
[RESETHOSTS]

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file fix.txt ...( notepad will add the .txt, so just save as fix)
Save the file to a USB stick.

Start OTLPE as you did previously from CD
Insert your USB drive with fix.txt on it
Start OTLPE
Drag and drop fix.txt into the Custom scans and fixes box
If you cannot drag and drop for some reason, press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done to normal mode if possible

If you still can't get 'Windows' to run after this.... then try the procedure that Goku recommended.
If it's still a 'no go' after that, we may have to consider a full reinstall.
If it comes to that, make sure you have saved everything that you need from the system as everything will be wiped out. Quote Member of:UNITE
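Four of the registry lines in that fix script are AutoRun policy values, and a decoder shows what each one actually covers before the fix deletes it. This is an added example by the editor, not OTL code and not from the thread. The bit meanings are the documented Windows ones: NoDriveTypeAutoRun is a mask over GetDriveType() results (bit = 1 << drive type; Microsoft's AutoRun article lists 0x80 as a second "unknown type" bit), and NoDriveAutoRun is a mask over drive letters (bit 0 = A:). The excerpt is copied from the script above; the function names are mine.

```python
"""Decode NoDriveAutoRun / NoDriveTypeAutoRun lines from an OTL fix script (editor's added example)."""
import re

# GetDriveType() result -> bit in NoDriveTypeAutoRun (documented Windows semantics).
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "unknown type (0x80)",
}

# OTL O6/O7 policy lines: "O6 - <hive\key>: <value name> = <decimal>"
POLICY_RE = re.compile(r"^O[67] - (?P<hive>\S+?): (?P<name>NoDriveAutoRun|NoDriveTypeAutoRun) = (?P<value>\d+)\s*$")

# Constructed excerpt: the policy lines copied from the fix script above (the Infodelivery line is
# included to show that non-AutoRun O6 lines are skipped).
FIX_SCRIPT_EXCERPT = r"""
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Moe_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Moe_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
""".strip()


def decode_drive_type_mask(value):
    """Which drive types a NoDriveTypeAutoRun value disables AutoRun for, and which it leaves alone."""
    return {
        "autorun_disabled_for": [n for b, n in DRIVE_TYPE_BITS.items() if value & b],
        "autorun_still_allowed_for": [n for b, n in DRIVE_TYPE_BITS.items() if not value & b],
        "undefined_bits": hex(value & ~0xFF),   # anything above bit 7 means nothing to Explorer
    }


def decode_drive_letter_mask(value):
    """Drive letters whose AutoRun a NoDriveAutoRun value disables (bit 0 = A:, bit 25 = Z:)."""
    return [chr(ord("A") + i) for i in range(26) if value >> i & 1]


def decode_policy_lines(text):
    """Parse every AutoRun policy line in an OTL fix script and decode its value."""
    rows = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        value = int(m["value"])
        if m["name"] == "NoDriveTypeAutoRun":
            decoded = decode_drive_type_mask(value)
        else:
            decoded = {"autorun_disabled_on_drives": decode_drive_letter_mask(value)}
        rows.append({"hive": m["hive"], "name": m["name"], "value": value, "hex": hex(value), **decoded})
    return rows


if __name__ == "__main__":
    for row in decode_policy_lines(FIX_SCRIPT_EXCERPT):
        print(row["hive"])
        print("   ", row["name"], "=", row["value"], f"({row['hex']})")
        for k in ("autorun_disabled_on_drives", "autorun_disabled_for", "autorun_still_allowed_for", "undefined_bits"):
            if k in row:
                print("       ", k + ":", row[k])
```

For the values in this script, 67108863 is 0x3FFFFFF, all twenty-six letters A: to Z:, and 323 is 0x143, which covers unknown-type, no-root-dir and RAM-disk drives plus one undefined bit (0x100), so removable, fixed, network and CD-ROM drives are not covered by that value. Decoding a policy value before a fix deletes it tells you exactly which behaviour will change on the next boot.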