
Inactive bsod, trojan.agent, exploit.drop2, windows runs in safe mode only

Discussion in 'Malware and Virus Removal Archive' started by mva5493, 2012/01/10.

  1. 2012/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Leave this entry alone:
    SynTPEnh
    All others can be disabled.
     
  2. 2012/01/11
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    okay...next step;:)
     


  4. 2012/01/11
    mva5493

    still crashes after typing login password,
     
  5. 2012/01/11
    broni

    Reverse all changes.

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  6. 2012/01/11
    mva5493

    it also crashes if left on the login page (no password entered) and reboots
     
  7. 2012/01/11
    broni

    Go ahead with my previous reply.
     
  8. 2012/01/11
    mva5493

    otl scan log:


    TL logfile created on: 1/11/2012 2:55:31 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Windows Vista (TM) Home Premium Service Pack 1 (Version = 6.0.6001) - Type = System
    Internet Explorer (Version = 7.0.6001.18000)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 75.00% Memory free
    2.00 Gb Paging File | 1.00 Gb Available in Paging File | 91.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 222.01 Gb Total Space | 150.89 Gb Free Space | 67.96% Space Free | Partition Type: NTFS
    Drive D: | 1.86 Gb Total Space | 1.69 Gb Free Space | 90.72% Space Free | Partition Type: FAT
    Drive F: | 10.88 Gb Total Space | 1.83 Gb Free Space | 16.83% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2009/08/04 21:40:25 | 000,099,056 | ---- | M] (Radialpoint Inc.) [On_Demand] -- C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe -- (RPSUpdaterR)
    SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
    SRV - [2008/10/06 11:54:52 | 000,365,952 | ---- | M] () [Auto] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)
    SRV - [2008/04/28 06:23:36 | 000,738,568 | ---- | M] (Raxco Software, Inc.) [On_Demand] -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe -- (PDEngine)
    SRV - [2008/04/28 06:23:28 | 000,414,984 | ---- | M] (Raxco Software, Inc.) [Auto] -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe -- (PDAgent)
    SRV - [2008/02/19 08:12:18 | 000,537,256 | ---- | M] ( ) [Auto] -- C:\Windows\System32\lxbkcoms.exe -- (lxbk_device)
    SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2007/11/27 13:02:48 | 000,177,448 | R--- | M] (Authentium, Inc.) [Auto] -- C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe -- (dvpapi)
    SRV - [2007/06/28 15:09:14 | 000,293,104 | ---- | M] (AT&T) [Auto] -- C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe -- (RP_FWS)
    SRV - [2006/12/19 12:45:16 | 000,280,080 | ---- | M] (CA, Inc.) [Auto] -- C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe -- (ITMRTSVC)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
    DRV - File not found [Kernel | System] -- -- (fjdqcvgo)
    DRV - [2009/08/04 21:40:26 | 000,053,192 | ---- | M] (Radialpoint Inc.) [Kernel | Auto] -- C:\Windows\System32\drivers\rp_skt32.sys -- (RPSKT) Security Services Driver (x86)
    DRV - [2009/07/23 20:01:00 | 009,791,072 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2008/06/05 11:58:42 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
    DRV - [2008/05/09 14:17:32 | 000,043,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
    DRV - [2008/04/27 14:07:44 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\athr.sys -- (athr)
    DRV - [2008/04/25 05:38:22 | 000,071,184 | ---- | M] (Raxco Software, Inc.) [File_System | Boot] -- C:\Windows\System32\drivers\DefragFs.sys -- (DefragFS)
    DRV - [2008/04/24 17:51:46 | 000,014,848 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
    DRV - [2008/01/29 08:55:00 | 001,042,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
    DRV - [2008/01/20 21:23:20 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel(R)
    DRV - [2007/11/26 15:33:52 | 000,835,792 | ---- | M] (Authentium, Inc) [Kernel | Auto] -- C:\Windows\System32\drivers\css-dvp.sys -- (CSS DVP)
    DRV - [2007/10/17 18:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
    DRV - [2007/06/18 19:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
    DRV - [2007/02/20 13:07:56 | 000,005,632 | R--- | M] () [File_System | System] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
    IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Hosea_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=14196
    IE - HKU\Hosea_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 2
    IE - HKU\Hosea_ON_C\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    IE - HKU\Hosea_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Hosea_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local




    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\System32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Users\Hosea\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll (Move Networks)

    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Users\Hosea\AppData\Roaming\Move Networks [2009/12/30 20:11:42 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2012/01/11 01:09:28 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
    O2 - BHO: (100% Free Spades Toolbar Helper) - {17DF7D60-3575-497F-8D11-F8882E3E1CE9} - C:\Program Files\100% Free Spades Toolbar\v3.3.0.1\100%_Free_Spades_Toolbar.dll ()
    O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
    O2 - BHO: (PopKill Class) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet Security Suite\pkR.dll (Radialpoint Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
    O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
    O2 - BHO: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
    O3 - HKLM\..\Toolbar: (100% Free Spades Toolbar) - {02F7A7EB-89F8-47FF-A75C-52C1060EC144} - C:\Program Files\100% Free Spades Toolbar\v3.3.0.1\100%_Free_Spades_Toolbar.dll ()
    O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
    O3 - HKLM\..\Toolbar: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
    O3 - HKU\Hosea_ON_C\..\Toolbar\WebBrowser: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [AT&T Internet Security Suite] C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe (AT&T)
    O4 - HKLM..\Run: [-FreedomNeedsReboot] C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe (AT&T)
    O4 - HKLM..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [ISW.exe] C:\Program Files\AT&T\Internet Security Wizard\ISW.exe (AT&T)
    O4 - HKLM..\Run: [lxbkbmgr.exe] C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe (Lexmark International, Inc.)
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdatePDIRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
    F3 - HKU\.DEFAULT WinNT: Load - (C:\Windows\Temp\{61228~1.EXE) - File not found
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\Hosea_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\Hosea_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem : Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 8.8.4.4 208.67.222.222
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\Dots.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\Dots.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (PDBoot.exe) - C:\Windows\System32\PDBoot.exe (Raxco Software, Inc.)
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/01/11 01:11:14 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/01/11 01:11:14 | 000,000,000 | ---D | C] -- C:\Windows\system32\config\systemprofile\AppData\Local\temp
    [2012/01/11 01:11:14 | 000,000,000 | ---D | C] -- C:\Users\Hosea\AppData\Local\temp
    [2012/01/11 01:10:23 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/01/11 01:00:25 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/01/11 01:00:25 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/01/11 01:00:25 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/01/11 01:00:24 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2012/01/11 01:00:20 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/01/10 12:33:15 | 000,000,000 | -H-D | C] -- C:\Windows\PIF
    [2012/01/10 10:52:38 | 000,000,000 | ---D | C] -- C:\Windows\pss
    [2012/01/10 09:26:43 | 000,000,000 | ---D | C] -- C:\Users\Hosea\AppData\Roaming\Malwarebytes
    [2012/01/10 09:26:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/01/10 09:26:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/01/10 09:26:38 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/01/10 09:26:38 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/04/20 22:36:01 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxbkserv.dll
    [2010/04/20 22:36:01 | 000,991,232 | ---- | C] ( ) -- C:\Windows\System32\lxbkusb1.dll
    [2010/04/20 22:36:01 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxbkinpa.dll
    [2010/04/20 22:36:01 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxbkiesc.dll
    [2010/04/20 22:36:01 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\LXBKhcp.dll
    [2010/04/20 22:36:00 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxbkhbn3.dll
    [2010/04/20 22:36:00 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxbkcomc.dll
    [2010/04/20 22:36:00 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxbkpmui.dll
    [2010/04/20 22:36:00 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxbklmpm.dll
    [2010/04/20 22:36:00 | 000,537,256 | ---- | C] ( ) -- C:\Windows\System32\lxbkcoms.exe
    [2010/04/20 22:36:00 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxbkcomm.dll
    [2010/04/20 22:36:00 | 000,385,704 | ---- | C] ( ) -- C:\Windows\System32\lxbkih.exe
    [2010/04/20 22:36:00 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxbkprox.dll
    [2010/04/20 22:36:00 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxbkpplc.dll
    [2010/04/20 22:35:59 | 000,381,608 | ---- | C] ( ) -- C:\Windows\System32\lxbkcfg.exe

    ========== Files - Modified Within 30 Days ==========

    [2012/01/11 13:59:35 | 000,031,871 | ---- | M] () -- C:\ProgramData\nvModes.001
    [2012/01/11 13:59:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/01/11 13:59:30 | 268,435,456 | -HS- | M] () -- C:\Windows\System32\temppf.sys
    [2012/01/11 13:59:28 | 1877,372,928 | -HS- | M] () -- C:\hiberfil.sys
    [2012/01/11 13:55:54 | 000,603,516 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/01/11 13:55:54 | 000,103,586 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/01/11 13:27:08 | 000,000,680 | ---- | M] () -- C:\Users\Hosea\AppData\Local\d3d9caps.dat
    [2012/01/11 13:26:56 | 000,002,281 | ---- | M] () -- C:\Users\Public\Desktop\Safari.lnk
    [2012/01/11 01:09:28 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/01/10 21:53:20 | 000,000,512 | ---- | M] () -- C:\Users\Hosea\Documents\MBR.dat
    [2012/01/10 21:35:34 | 000,000,301 | ---- | M] () -- C:\Users\Hosea\Desktop\0rfgynsg - Shortcut.lnk
    [2012/01/10 20:55:54 | 000,302,592 | ---- | M] () -- C:\Users\Hosea\Desktop\0rfgynsg.exe
    [2012/01/10 09:35:32 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\cnia.sys
    [2012/01/10 09:26:40 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/10 09:26:40 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/01/07 14:19:21 | 000,000,246 | ---- | M] () -- C:\ProgramData\hpqp.ini
    [2012/01/07 14:19:10 | 000,031,871 | ---- | M] () -- C:\ProgramData\nvModes.dat
    [2012/01/07 14:14:35 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/01/07 14:14:35 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/01/07 14:14:34 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/01/07 14:07:21 | 000,000,000 | -H-- | M] () -- C:\Users\Hosea\Documents\Default.rdp
    [2011/12/31 18:04:54 | 000,000,000 | ---- | M] () -- C:\Users\Hosea\AppData\Local\{7E3BB1C4-18E9-427D-B005-1C88C2B5EE02}
    [2011/12/31 15:18:34 | 000,000,943 | ---- | M] () -- C:\Users\Hosea\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/12/31 14:56:00 | 000,000,000 | ---- | M] () -- C:\Users\Hosea\AppData\Local\{8DB1236C-9AD2-4816-8001-57C24DEF52C3}

    ========== Files Created - No Company Name ==========

    [2012/01/11 13:59:28 | 1877,372,928 | -HS- | C] () -- C:\hiberfil.sys
    [2012/01/11 01:00:25 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/01/11 01:00:25 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/01/11 01:00:25 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/01/11 01:00:25 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/01/11 01:00:25 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/01/10 21:53:20 | 000,000,512 | ---- | C] () -- C:\Users\Hosea\Documents\MBR.dat
    [2012/01/10 21:35:48 | 000,302,592 | ---- | C] () -- C:\Users\Hosea\Desktop\0rfgynsg.exe
    [2012/01/10 21:35:34 | 000,000,301 | ---- | C] () -- C:\Users\Hosea\Desktop\0rfgynsg - Shortcut.lnk
    [2012/01/10 09:35:32 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\cnia.sys
    [2012/01/10 09:26:40 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/10 09:20:51 | 000,000,680 | ---- | C] () -- C:\Users\Hosea\AppData\Local\d3d9caps.dat
    [2012/01/10 08:44:32 | 268,435,456 | -HS- | C] () -- C:\Windows\System32\temppf.sys
    [2012/01/07 14:07:21 | 000,000,000 | -H-- | C] () -- C:\Users\Hosea\Documents\Default.rdp
    [2011/12/31 18:04:54 | 000,000,000 | ---- | C] () -- C:\Users\Hosea\AppData\Local\{7E3BB1C4-18E9-427D-B005-1C88C2B5EE02}
    [2011/12/31 14:56:00 | 000,000,000 | ---- | C] () -- C:\Users\Hosea\AppData\Local\{8DB1236C-9AD2-4816-8001-57C24DEF52C3}
    [2011/11/17 21:43:23 | 000,000,000 | ---- | C] () -- C:\Users\Hosea\AppData\Local\{49C5D531-35F7-4A86-8E53-51D706004B69}
    [2010/07/12 01:59:38 | 000,003,584 | ---- | C] () -- C:\Users\Hosea\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/04/20 22:39:57 | 000,000,109 | ---- | C] () -- C:\Windows\Lexstat.ini
    [2010/04/20 22:36:01 | 000,413,696 | ---- | C] () -- C:\Windows\System32\lxbkutil.dll
    [2010/04/20 22:36:01 | 000,274,432 | ---- | C] () -- C:\Windows\System32\LXBKinst.dll
    [2010/01/18 13:52:27 | 000,000,016 | ---- | C] () -- C:\Windows\popcinfo.dat
    [2009/08/04 06:39:02 | 000,031,871 | ---- | C] () -- C:\ProgramData\nvModes.001
    [2009/08/04 06:39:00 | 000,031,871 | ---- | C] () -- C:\ProgramData\nvModes.dat
    [2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
    [2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
    [2008/12/27 06:13:19 | 000,000,246 | ---- | C] () -- C:\ProgramData\hpqp.ini
    [2008/12/27 05:39:28 | 000,003,948 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
    [2008/10/25 17:59:53 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2008/10/25 17:59:53 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2007/02/20 13:07:56 | 000,005,632 | R--- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
    [2007/02/07 16:57:50 | 000,039,899 | ---- | C] () -- C:\Windows\System32\rtsicis.ini
    [2007/01/22 07:49:34 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxbkcoin.dll
    [2006/11/02 08:02:10 | 000,001,356 | ---- | C] () -- C:\Windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
    [2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 07:47:37 | 000,390,456 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 05:33:01 | 000,603,516 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 05:33:01 | 000,103,586 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
    [2006/03/09 04:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
    [2005/10/05 11:19:32 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxbkvs.dll
    [2005/09/13 15:27:10 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxbkcnv5.dll
    [2005/09/13 15:27:10 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxbkcnv4.dll

    ========== LOP Check ==========

    [2009/08/04 21:37:50 | 000,000,000 | ---D | M] -- C:\Users\Hosea\AppData\Roaming\AT&T
    [2011/11/14 09:47:00 | 000,000,000 | ---D | M] -- C:\Users\Hosea\AppData\Roaming\Azureus
    [2009/08/09 15:40:01 | 000,000,000 | ---D | M] -- C:\Users\Hosea\AppData\Roaming\WildTangent
    [2006/11/02 08:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
    [2009/08/04 21:20:34 | 000,000,000 | ---D | M] -- C:\ProgramData\AT&T
    [2006/11/02 08:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
    [2006/11/02 08:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
    [2006/11/02 08:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
    [2006/11/02 08:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
    [2008/12/27 06:17:10 | 000,000,000 | ---D | M] -- C:\ProgramData\Temp
    [2006/11/02 08:02:04 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
    [2010/01/18 13:44:15 | 000,000,000 | ---D | M] -- C:\ProgramData\WildTangent
    [2008/10/25 18:55:37 | 000,000,000 | ---D | M] -- C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
    [2011/10/31 22:41:20 | 000,000,000 | ---D | M] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2010/01/10 19:39:20 | 000,000,000 | ---D | M] -- C:\ProgramData\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2011/11/16 03:42:38 | 000,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Files - Unicode (All) ==========
    [2011/10/31 10:27:40 | 000,000,124 | ---- | M] ()(C:\Users\Hosea\Desktop\BLUEWAY12bassFINAL.pdf? (1 MB?).url) -- C:\Users\Hosea\Desktop\BLUEWAY12bassFINAL.pdf‎ (1 MB‎).url
    [2011/10/31 10:27:40 | 000,000,124 | ---- | C] ()(C:\Users\Hosea\Desktop\BLUEWAY12bassFINAL.pdf? (1 MB?).url) -- C:\Users\Hosea\Desktop\BLUEWAY12bassFINAL.pdf‎ (1 MB‎).url
    [2009/09/13 08:40:26 | 000,005,942 | ---- | M] ()(C:\Users\Hosea\Documents\Teacher?s Guide The Mouse and the Motorcycle.txt) -- C:\Users\Hosea\Documents\Teacher’s Guide The Mouse and the Motorcycle.txt
    [2009/09/13 08:40:26 | 000,005,942 | ---- | C] ()(C:\Users\Hosea\Documents\Teacher?s Guide The Mouse and the Motorcycle.txt) -- C:\Users\Hosea\Documents\Teacher’s Guide The Mouse and the Motorcycle.txt
    < End of report >
     
  9. 2012/01/11
    broni

    Is Authentium AntiVirus still functional, or are those just leftovers?

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    DRV - File not found [Kernel | System] -- -- (fjdqcvgo)
    O4 - HKLM..\Run: [] File not found
    F3 - HKU\.DEFAULT WinNT: Load - (C:\Windows\Temp\{61228~1.EXE) - File not found
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2012/01/11 13:59:30 | 268,435,456 | -HS- | M] () -- C:\Windows\System32\temppf.sys
    [2012/01/10 08:44:32 | 268,435,456 | -HS- | C] () -- C:\Windows\System32\temppf.sys
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer, do the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into Windows.
     
  10. 2012/01/11
    mva5493

    still crashing after log in

    fix results:

    Code:
    :OTL
    DRV - File not found [Kernel | System] -- -- (fjdqcvgo)
    O4 - HKLM..\Run: [] File not found
    F3 - HKU\.DEFAULT WinNT: Load - (C:\Windows\Temp\{61228~1.EXE) - File not found
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2012/01/11 13:59:30 | 268,435,456 | -HS- | M] () -- C:\Windows\System32\temppf.sys
    [2012/01/10 08:44:32 | 268,435,456 | -HS- | C] () -- C:\Windows\System32\temppf.sys

    :Commands
    [purity]
     
  11. 2012/01/11
    broni

    You didn't run any fix. You just pasted my script.
    Re-read my instructions, redo.
     
  12. 2012/01/11
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    will try again. posted the wrong file I think.
     
  13. 2012/01/11
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    ========== OTL ==========
    Service\Driver key fjdqcvgo not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
    Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Load:C:\Windows\Temp\{61228~1.EXE deleted successfully.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_USERS\Hosea_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_USERS\systemprofile_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    File C:\Windows\System32\temppf.sys not found.
    File C:\Windows\System32\temppf.sys not found.
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 01112012_155013
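
Added example (not part of the thread and not OTLPE's own code): a small Python check that tells a pasted fix script from the log a completed fix produces, as in the two posts above, and groups the log's result lines by outcome. The sample text is excerpted from those posts; the function names are illustrative, and the pattern recognises only the two outcomes that appear in the posted log.

```python
import re

# Excerpts of the two texts posted in the thread (repeated CLSID lines trimmed).
SCRIPT_ECHO = r""":OTL
DRV - File not found [Kernel | System] -- -- (fjdqcvgo)
O4 - HKLM..\Run: [] File not found
:Commands
[purity]
"""

FIX_LOG = r"""========== OTL ==========
Service\Driver key fjdqcvgo not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Load:C:\Windows\Temp\{61228~1.EXE deleted successfully.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
File C:\Windows\System32\temppf.sys not found.
File C:\Windows\System32\temppf.sys not found.
========== COMMANDS ==========
"""

# Assumption: only the two outcomes visible in the posted log are recognised.
RESULT = re.compile(
    r"^(Service\\Driver key|Registry value|Registry key|File) (.+?) "
    r"(not found|deleted successfully)\.$"
)

def classify(text):
    """Tell a pasted fix script from the log a completed fix produces."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "empty"
    if lines[0].startswith("=========="):
        return "fix_log"   # result logs open with a "========== OTL ==========" banner
    if lines[0].startswith(":"):
        return "script"    # scripts open with a directive such as ":OTL"
    return "unknown"

def summarize(log):
    """Group result lines by outcome, dropping exact repeats."""
    out = {"deleted successfully": [], "not found": [], "unparsed": []}
    for ln in (l.strip() for l in log.splitlines()):
        if not ln or ln.startswith("=========="):
            continue
        m = RESULT.match(ln)
        bucket, item = (m.group(3), f"{m.group(1)}: {m.group(2)}") if m else ("unparsed", ln)
        if item not in out[bucket]:
            out[bucket].append(item)
    return out
```

On the excerpt, `summarize(FIX_LOG)` shows that only the WinNT `Load` value was actually deleted; every other target in the script was already absent.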
     
  14. 2012/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Restart normally.
     
  15. 2012/01/11
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    trying to do that now, still giving me the blue screen
     
  16. 2012/01/11
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    gotta run for a bit, will try to check back in here in about an hour
     
  17. 2012/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK.
    Do you have Vista DVD?
     
  18. 2012/01/11
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    no I don't, not even sure if it came with the disc, there is a recovery drive I think.
     
  19. 2012/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    If you have Vista/7 DVD...

    start with step 2

    If you don't have Vista/7 DVD...

    1. Create Vista/7 Recovery Disc.

    Option 1 :
    Vista: http://www.vistax64.com/tutorials/141820-create-recovery-disc.html (Option Two)
    Windows 7: http://www.guidingtech.com/3816/system-repair-recovery-disc-windows-7/

    Option 2:
    Download Vista Recovery Disc iso image: http://digiex.net/downloads/downloa...6-windows-vista-32-bit-x86-recovery-disc.html
    Download Windows 7 Recovery Disc iso image: http://digiex.net/downloads/downloa.../2659-windows-7-32-bit-x86-recovery-disc.html
    Burn it to DVD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

    2. Boot from created disk. You may need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)

    Vista users. At first screen click on Repair your computer:

    Windows 7 users. At first screen click on Install now:
    Select your language and click next:
    Click the button for "Use recovery tools":

    The following applies to both, Vista and Windows 7 users.

    This will bring you to a new screen where the repair process will look for all Windows Vista/7 installations on your computer. When done you will be presented with the System Recovery Options dialog box:
    After this, it will present you with a list of options including startup repair, system restore and command prompt:
    Select Command Prompt

    Type in:
    bootrec /fixmbr (<--- there is a "space" after "bootrec ")
    and then press Enter

    Type in:
    bootrec /fixboot (<--- there is a "space" after "bootrec ")
    and then press Enter

    Once completed then type Exit, press Enter and restart computer.

    See if normal mode works.
     
  20. 2012/01/12
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    mva5493, you do not have permission to access this page. This could be due to one of several reasons:

    Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
    If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.


    am I missing something?? I got that message when trying to go to the option 2 link (if you don't have a vista dvd)
     
  21. 2012/01/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What page are you referring to?
     
