GeekPolice
Would you like to react to this message? Create an account in a few clicks or log in to continue.

GeekPoliceLog in

 


Blank Desktop After Windows XP Login on Network

2 posters

descriptionBlank Desktop After Windows XP Login on Network EmptyBlank Desktop After Windows XP Login on Network12th April 2011, 7:26 pm

more_horiz
After restarting Windows, signing onto the network at the login screen, my desktop shows old wallpaper I use to use and absolutely nothing else (no icons, no menu bar, etc) except the cursor. I've tried running malwarebyte, Trend Micro, Spyware Doctor, Super Anti Spyware and Symantec with no success. I've also been able to CTRL+ALT+DEL to bring up Task Manager and typed in "explorer" and "explorer.exe" and get the message: "Windows cannot find 'explorer'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search." I've also typed in "regedit" and went to HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft, Windows NT, CurrentVersion, Winlogon, Shell...and made sure that the only thing listed was 'Explorer.exe'. I get the same exact results if I do it in Safe Mode as well.

I don't know what else to try, I'm out of options and I need my computer back...please help!

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network12th April 2011, 10:05 pm

more_horiz
Hello.

Try opening explorer via Task Manager again, but this time, do it's full path:

C:\Windows\explorer.exe

See if it loads now, if you still get the same message about not found, then explorer.exe may be missing.

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network12th April 2011, 10:57 pm

more_horiz
Hi,

I tried it as you suggested and I got the same message. So assuming that explorer.exe is missing, how do I get it and where do I put it?

Thanks

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network13th April 2011, 10:12 pm

more_horiz
Hello.

We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Download the OTLPE Standard REATOGO Windows Recovery Environment.

  • Place a blank CD-R disc in to your CD burning drive.
  • Download OTLPEStd.exe and double-click on it to burn to a CD using ISO Burner.
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings

  • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network14th April 2011, 12:04 am

more_horiz
OTL logfile created on: 4/13/2011 5:52:03 PM - Run
OTLPE by OldTimer - Version 3.1.46.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 13.74 Gb Free Space | 36.93% Space Free | Partition Type: NTFS
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet004

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (sdCoreService)
SRV - File not found [Auto] -- -- (sdAuxService)
SRV - [2009/11/17 00:44:31 | 000,016,792 | ---- | M] () [Auto] -- C:\WINDOWS\DOWNLO~1\MyWebEx\319\atnthost.exe -- (atnthost)
SRV - [2009/09/16 19:22:08 | 000,020,480 | ---- | M] (Intuit) [Auto] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/03/17 15:02:24 | 000,438,272 | ---- | M] (RealVNC Ltd.) [Auto] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2008/01/29 00:04:24 | 000,840,008 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe -- (BackupExecAgentAccelerator)
SRV - [2008/01/09 15:43:56 | 000,472,440 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe -- (DLOChangeJournalSvc)
SRV - [2007/11/28 20:51:41 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/10/07 23:48:36 | 000,116,664 | ---- | M] (symantec) [Auto] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2007/10/07 23:48:32 | 001,822,648 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/10/07 23:48:24 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2007/09/12 21:27:24 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/08/27 20:14:00 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2007/07/26 22:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2007/05/29 19:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2007/05/29 19:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2007/05/24 10:08:44 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/09/13 13:32:12 | 000,128,536 | ---- | M] (iAnywhere Solutions, Inc.) [Disabled] -- C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\QBDBMgrN.exe -- (QuickBooksDB18)
SRV - [2004/04/01 19:05:48 | 000,077,824 | ---- | M] (Broadcom Corp.) [Auto] -- C:\WINDOWS\SYSTEM32\BAsfIpM.exe -- (BAsfIpM)
SRV - [2004/02/13 11:47:02 | 000,155,648 | ---- | M] (Dell Inc) [Auto] -- C:\Program Files\Dell\OpenManage\Client\Iap.exe -- (Iap)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | Boot] -- -- (tonkqgc)
DRV - File not found [Kernel | On_Demand] -- -- (TMPassthruMP)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [File_System | System] -- -- (IKFileFlt)
DRV - File not found [Kernel | On_Demand] -- -- (EraserUtilDrv10822)
DRV - File not found [Kernel | On_Demand] -- -- (EraserUtilDrv10821)
DRV - File not found [Kernel | On_Demand] -- -- (EraserUtilDrv10820)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2011/04/07 17:45:36 | 001,393,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110407.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/04/07 17:45:36 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110407.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/12/02 18:57:35 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/12/02 18:57:35 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/08/06 15:59:46 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/09/25 17:52:30 | 000,054,192 | ---- | M] (Symantec Corporation) [Kernel | Boot] -- C:\WINDOWS\SYSTEM32\DRIVERS\VSP.sys -- (VSP)
DRV - [2007/08/27 20:13:36 | 000,189,320 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/07/26 22:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/05/23 19:58:50 | 000,083,024 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys -- (IKSysSec)
DRV - [2007/05/23 19:58:46 | 000,057,424 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys -- (IkSysFlt)
DRV - [2007/05/23 19:58:42 | 000,053,840 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys -- (IKFileSec)
DRV - [2006/09/06 17:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 17:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2004/05/29 18:41:54 | 000,186,112 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\b57xp32.sys -- (b57w2k)
DRV - [2004/02/13 11:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2003/04/24 17:21:50 | 000,006,025 | ---- | M] (Broadcom Corporation) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\BASFND.sys -- (BASFND)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\administrator.DESSERT_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\administrator.DESSERT_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\administrator.DESSERT_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\administrator.DESSERT_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - Reg Error: Key error. File not found
IE - HKU\administrator.DESSERT_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\Administrator_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - Reg Error: Key error. File not found
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\DODUser_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\DODUser_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\DODUser_ON_C\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\DODUser_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - Reg Error: Key error. File not found
IE - HKU\DODUser_ON_C\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - Reg Error: Key error. File not found
IE - HKU\DODUser_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\jfaris_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\jfaris_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\jfaris_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\jfaris_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - Reg Error: Key error. File not found
IE - HKU\jfaris_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\k-admin_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\k-admin_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\k-admin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\k-admin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

IE - HKU\NetworkService_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\QBDataServiceUser18_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\QBDataServiceUser18_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\QBDataServiceUser18_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\QBDataServiceUser18_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\ssanders_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\ssanders_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\WaltB_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\WaltB_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\WaltB_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2008/04/13 20:12:08 | 000,004,921 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 82.165.237.14
O1 - Hosts: 127.0.0.1 82.165.250.33
O1 - Hosts: 127.0.0.1 akamai.avg.com
O1 - Hosts: 127.0.0.1 antivir.es
O1 - Hosts: 127.0.0.1 anti-virus.by
O1 - Hosts: 127.0.0.1 avast.com
O1 - Hosts: 127.0.0.1 avg.com
O1 - Hosts: 127.0.0.1 avp.com
O1 - Hosts: 127.0.0.1 avp.ru
O1 - Hosts: 127.0.0.1 avp.ru/download/
O1 - Hosts: 127.0.0.1 avpg.crsi.symantec.com
O1 - Hosts: 127.0.0.1 backup.avg.cz
O1 - Hosts: 127.0.0.1 bancoguayaquil.com
O1 - Hosts: 127.0.0.1 bcpzonasegura.viabcp.com
O1 - Hosts: 127.0.0.1 bitdefender.com
O1 - Hosts: 127.0.0.1 clamav.net
O1 - Hosts: 127.0.0.1 comodo.com
O1 - Hosts: 127.0.0.1 customer.symantec.com
O1 - Hosts: 127.0.0.1 dispatch.mcafee.com
O1 - Hosts: 127.0.0.1 download.mcafee.com
O1 - Hosts: 127.0.0.1 download.microsoft.com
O1 - Hosts: 127.0.0.1 downloads.microsoft.com
O1 - Hosts: 127.0.0.1 downloads1.kaspersky-labs.com
O1 - Hosts: 127.0.0.1 downloads1.kaspersky-labs.com/products/
O1 - Hosts: 140 more lines...
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Viewpoint Toolbar) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll (Viewpoint Corporation)
O3 - HKU\administrator.DESSERT_ON_C\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\administrator.DESSERT_ON_C\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O3 - HKU\Administrator_ON_C\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\DODUser_ON_C\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\DODUser_ON_C\..\Toolbar\WebBrowser: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No CLSID value found.
O3 - HKU\DODUser_ON_C\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\jfaris_ON_C\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\jfaris_ON_C\..\Toolbar\WebBrowser: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - No CLSID value found.
O3 - HKU\ssanders_ON_C\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\WaltB_ON_C\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ADP Scheduler] File not found
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143156683\ee\aolsoftware.exe (America Online, Inc.)
O4 - HKLM..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe (America Online, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [QuickBooksDB18] C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\QBDBMgrN.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\ssanders_ON_C..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe (Sammsoft)
O4 - HKLM..\RunOnce: [*Restore] C:\WINDOWS\System32\restore\rstrui.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk = C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Remote Access.LNK = C:\WINDOWS\DOWNLO~1\MyWebEx\319\raagtx.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe (Intuit)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Backup Exec Desktop Agent.lnk = C:\Program Files\Symantec\Backup Exec\DLO\DLOClientu.exe (Symantec Corporation)
O4 - Startup: C:\Documents and Settings\DODUser\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - Startup: C:\Documents and Settings\DODUser\Start Menu\Programs\Startup\Shortcut to MapDrives.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\administrator.DESSERT_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\administrator.DESSERT_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\DODUser_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\DODUser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\jfaris_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\jfaris_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\jfaris_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKU\k-admin_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\k-admin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\QBDataServiceUser18_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\QBDataServiceUser18_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\ssanders_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\ssanders_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\ssanders_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKU\ssanders_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\ssanders_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\WaltB_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\WaltB_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Quick AllToPDF - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\All_To_PDF\IEAddon.exe (QuickPDFtoWord)
O9 - Extra 'Tools' menuitem : Quick AllToPDF - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\All_To_PDF\IEAddon.exe (QuickPDFtoWord)
O15 - HKU\DODUser_ON_C\..Trusted Domains: fedex.com ([www] http in Trusted sites)
O15 - HKU\DODUser_ON_C\..Trusted Domains: hsn.net ([view] https in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0B195D55-0AB4-48C7-828F-34BE10BA4266} http://www.worldwinner.com/games/v53/dealornodeal/dealornodeal.cab (DealOrNoDeal Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} https://forms.orefonline.com/OLF/Runtime/FormLoader_RMLS.CAB (FormLoader.Loader)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} http://www.linkedin.com/cab/LinkedInContactFinderControl.cab (LinkedIn ContactFinderControl)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257361301243 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} http://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab (WorldWinner ActiveX Launcher Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} http://www.worldwinner.com/games/v51/bejeweledtwist/bejeweledtwist.cab (BejeweledTwist Control)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.102.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dessert.local
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll (TODO: )
O20 - HKLM Winlogon: Shell - (Explorer.exe) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\SYSTEM32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (PFDNNT C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/12 14:37:27 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/04/12 14:37:26 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/04/12 14:37:26 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/04/11 22:24:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ssanders\Local Settings\Application Data\Identities
[2011/04/11 18:33:26 | 000,997,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msgina.dll
[2011/04/11 18:33:26 | 000,507,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winlogon.exe
[2011/04/11 18:33:25 | 000,423,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\licdll.dll
[2011/04/11 18:32:51 | 001,396,264 | ---- | C] (Microsoft Corporation) -- C:\WindowsXP-KB948277-x86-ENU.exe
[2011/04/11 06:16:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\tmp
[2011/03/20 15:01:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ssanders\Application Data\Nikon
[2009/12/29 19:38:45 | 007,044,048 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\ssanders\gosetup.exe
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/13 19:44:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2011/04/13 19:12:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2011/04/13 19:11:47 | 000,000,318 | -HS- | M] () -- C:\WINDOWS\tasks\vlhpianc.job
[2011/04/13 12:40:02 | 000,058,652 | ---- | M] () -- C:\Documents and Settings\ssanders\Desktop\juniper041311.TIF
[2011/04/13 12:25:36 | 000,181,088 | ---- | M] () -- C:\Documents and Settings\ssanders\Desktop\041811.TIF
[2011/04/12 15:13:30 | 000,159,877 | ---- | M] () -- C:\Documents and Settings\ssanders\Desktop\JavaRa[1].zip
[2011/04/12 15:13:03 | 000,159,877 | ---- | M] () -- C:\Documents and Settings\ssanders\Desktop\JavaRa.zip
[2011/04/12 14:37:08 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/04/12 14:37:08 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/04/12 14:37:08 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/04/12 14:37:08 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/04/12 14:37:08 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/04/11 22:47:25 | 000,000,474 | ---- | M] () -- C:\Documents and Settings\ssanders\Desktop\Peachtree Classic 13.0.lnk
[2011/04/11 18:19:24 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
[2011/04/11 18:19:06 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2011/04/11 18:08:42 | 000,014,434 | -HS- | M] () -- C:\Documents and Settings\ssanders\Local Settings\Application Data\0nnj6s0q485lxgr78w4q2u5y4n81ki06
[2011/04/11 18:08:42 | 000,014,434 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0nnj6s0q485lxgr78w4q2u5y4n81ki06
[2011/04/11 15:03:55 | 000,280,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/11 13:31:55 | 000,405,618 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2011/04/11 13:31:55 | 000,063,976 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2011/03/27 00:56:28 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2011/03/25 16:59:20 | 000,002,435 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Publisher.lnk
[2011/03/20 15:04:23 | 000,006,144 | ---- | M] () -- C:\Documents and Settings\ssanders\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/13 12:40:02 | 000,058,652 | ---- | C] () -- C:\Documents and Settings\ssanders\Desktop\juniper041311.TIF
[2011/04/13 12:24:28 | 000,181,088 | ---- | C] () -- C:\Documents and Settings\ssanders\Desktop\041811.TIF
[2011/04/12 15:13:42 | 000,159,877 | ---- | C] () -- C:\Documents and Settings\ssanders\Desktop\JavaRa[1].zip
[2011/04/12 14:42:02 | 000,159,877 | ---- | C] () -- C:\Documents and Settings\ssanders\Desktop\JavaRa.zip
[2011/04/11 22:47:25 | 000,000,474 | ---- | C] () -- C:\Documents and Settings\ssanders\Desktop\Peachtree Classic 13.0.lnk
[2011/04/11 18:19:06 | 000,002,109 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
[2011/04/11 18:19:06 | 000,001,848 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Backup Exec Desktop Agent.lnk
[2011/04/11 18:19:06 | 000,001,824 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
[2011/04/11 18:19:06 | 000,001,757 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2011/04/11 18:19:06 | 000,001,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2011/04/11 18:19:06 | 000,001,481 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Remote Access.LNK
[2011/04/11 18:19:06 | 000,001,078 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
[2011/04/11 18:19:06 | 000,001,017 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk
[2011/04/11 18:19:06 | 000,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
[2011/04/11 17:05:26 | 000,014,434 | -HS- | C] () -- C:\Documents and Settings\ssanders\Local Settings\Application Data\0nnj6s0q485lxgr78w4q2u5y4n81ki06
[2011/04/11 17:05:26 | 000,014,434 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0nnj6s0q485lxgr78w4q2u5y4n81ki06
[2011/04/02 13:41:13 | 000,000,318 | -HS- | C] () -- C:\WINDOWS\tasks\vlhpianc.job
[2011/01/12 12:26:38 | 002,309,120 | ---- | C] () -- C:\WINDOWS\System32\pdftk.exe
[2011/01/12 12:26:29 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\gswin32c.exe
[2011/01/12 12:26:28 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\utility3.dll
[2011/01/12 12:26:28 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\unredmon.exe
[2011/01/12 12:26:27 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\Execute.dll
[2010/12/14 21:49:53 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/12/14 21:49:53 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/12/14 21:49:53 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/12/14 21:49:53 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/12/14 21:49:53 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/17 14:35:00 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\ssanders\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/10 20:57:26 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\ssanders\Local Settings\Application Data\housecall.guid.cache
[2010/03/10 01:23:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2010/03/09 22:40:27 | 000,008,498 | ---- | C] () -- C:\WINDOWS\fs1235.dat1
[2010/01/30 14:25:29 | 000,000,490 | ---- | C] () -- C:\WINDOWS\paycal.INI
[2009/11/17 00:44:35 | 000,050,652 | ---- | C] () -- C:\WINDOWS\System32\drivers\atntwink.sys
[2009/06/29 20:14:30 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/04/08 14:39:57 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2008/03/19 11:55:53 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\.googlewebacchosts
[2007/11/28 14:03:03 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\People
[2007/11/28 14:03:03 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\DODUser\Application Data\PDEs
[2007/11/28 14:03:03 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2007/11/06 14:31:17 | 000,000,026 | ---- | C] () -- C:\WINDOWS\FPKPMSV.INI
[2007/09/18 22:34:27 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\DODUser\Local Settings\Application Data\fusioncache.dat
[2007/08/27 14:34:47 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2007/06/13 06:03:40 | 000,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/03/05 16:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/12/01 15:32:11 | 000,037,027 | ---- | C] () -- C:\WINDOWS\atmoUn.exe
[2006/10/23 11:56:11 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\DODUser\Application Data\.googlewebacchosts
[2006/09/18 17:37:50 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx12_ic.ini
[2006/09/18 17:37:48 | 000,667,280 | ---- | C] () -- C:\WINDOWS\System32\tx12.dll
[2006/03/03 20:06:29 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\DODUser\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/02/09 21:42:04 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/02/09 21:39:04 | 000,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
[2005/06/23 14:33:51 | 000,096,733 | ---- | C] () -- C:\WINDOWS\System32\Crp9516e.dll
[2005/06/23 14:33:51 | 000,053,258 | ---- | C] () -- C:\WINDOWS\System32\Cryp95e.dll
[2005/05/17 19:44:18 | 000,000,067 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2005/05/02 07:13:27 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/05/02 07:11:38 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/05/02 07:10:56 | 000,000,549 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/05/02 06:56:08 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2005/05/02 06:55:26 | 000,405,618 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2005/05/02 06:55:26 | 000,063,976 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2005/05/02 06:44:52 | 000,000,367 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/11 18:25:56 | 000,000,791 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/11 18:20:10 | 000,280,536 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/11 18:14:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/11 18:12:16 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/11 11:31:24 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2004/08/11 11:31:24 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2004/08/04 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\SECUPD.DAT
[2004/08/04 06:00:00 | 000,003,584 | ---- | C] () -- C:\WINDOWS\System32\k.dll
[2004/08/04 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 06:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2004/07/19 17:01:02 | 000,045,056 | ---- | C] () -- C:\WINDOWS\SETPWRCG.EXE
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/06/28 16:20:54 | 000,005,025 | ---- | C] () -- C:\WINDOWS\System32\patterns.dat
[2000/10/13 20:52:56 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\wh2robo.dll

========== LOP Check ==========

[2007/09/18 22:33:01 | 000,000,000 | ---D | M] -- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Kinko's
[2008/08/06 15:50:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.DESSERT\Application Data\JAM Software
[2005/07/19 19:37:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2007/10/06 11:55:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DODUser\Application Data\Aim
[2007/12/14 23:18:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DODUser\Application Data\Downloaded Installations
[2007/11/06 14:31:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DODUser\Application Data\Kinko's
[2007/09/15 14:37:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DODUser\Application Data\Leadertech
[2007/11/28 14:09:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DODUser\Application Data\Nikon
[2007/12/13 13:47:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DODUser\Application Data\Snapfish
[2007/05/22 14:06:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DODUser\Application Data\Viewpoint
[2007/09/18 22:32:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Kinko's
[2009/10/06 14:24:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ssanders\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/03/20 15:01:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ssanders\Application Data\Nikon
[2010/03/10 22:52:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ssanders\Application Data\Sammsoft
[2011/02/26 13:38:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ssanders\Application Data\TeamViewer
[2010/08/05 13:14:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ssanders\Application Data\Uniblue
[2008/11/21 13:15:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ssanders\Application Data\Viewpoint
[2009/11/18 01:11:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ssanders\Application Data\Z-Firm LLC
[2008/07/29 15:54:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/12/29 19:39:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CitrixLogs
[2009/06/26 12:13:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2007/11/28 14:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dance Kit
[2007/11/28 14:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
[2007/11/28 21:18:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2009/12/30 20:43:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2007/11/28 14:04:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
[2007/10/02 18:49:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagull
[2008/03/22 17:39:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/11/28 14:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
[2008/08/10 21:50:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/08/29 16:09:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WorldWinner
[2011/04/13 19:11:47 | 000,000,318 | -HS- | M] () -- C:\WINDOWS\Tasks\vlhpianc.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CAAA7DD7
< End of report >

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network14th April 2011, 10:13 pm

more_horiz
Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    IE - HKU\administrator.DESSERT_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - Reg Error: Key error. File not found
    IE - HKU\DODUser_ON_C\..\URLSearchHook: - Reg Error: Key error. File not found
    IE - HKU\DODUser_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - Reg Error: Key error. File not found
    IE - HKU\DODUser_ON_C\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - Reg Error: Key error. File not found
    O3 - HKU\administrator.DESSERT_ON_C\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    O3 - HKU\administrator.DESSERT_ON_C\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O3 - HKU\DODUser_ON_C\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    O3 - HKU\DODUser_ON_C\..\Toolbar\WebBrowser: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No CLSID value found.
    O3 - HKU\jfaris_ON_C\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    O3 - HKU\jfaris_ON_C\..\Toolbar\WebBrowser: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - No CLSID value found.
    O3 - HKU\WaltB_ON_C\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    [2011/04/13 19:11:47 | 000,000,318 | -HS- | M] () -- C:\WINDOWS\tasks\vlhpianc.job
    [2011/04/11 18:08:42 | 000,014,434 | -HS- | M] () -- C:\Documents and Settings\ssanders\Local Settings\Application Data\0nnj6s0q485lxgr78w4q2u5y4n81ki06
    [2011/04/11 18:08:42 | 000,014,434 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0nnj6s0q485lxgr78w4q2u5y4n81ki06

    :commands
    [emptytemp]
    [resethosts]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network15th April 2011, 12:24 am

more_horiz
Thanks, I did what you said, however all it said to do was Reboot. It did not provide a fix log nor did Notepad appear. I rebooted and when I logged in the same blank screen appeared, no apparent changes.

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network16th April 2011, 1:16 am

more_horiz
Hello.

  • Download combofix from here
    Link 1

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    Blank Desktop After Windows XP Login on Network CF_download_FF

    Blank Desktop After Windows XP Login on Network CF_download_rename

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    Blank Desktop After Windows XP Login on Network Cf410

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    Blank Desktop After Windows XP Login on Network Cf510

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network16th April 2011, 3:14 am

more_horiz
ComboFix 11-04-15.01 - ssanders 04/15/2011 20:03:47.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1317 [GMT -7:00]
Running from: c:\documents and settings\ssanders\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-16 to 2011-04-16 )))))))))))))))))))))))))))))))
.
.
2011-04-14 22:08 . 2011-03-06 22:12 2234368 ----a-r- C:\OTLPE.exe
2011-04-12 02:24 . 2011-04-12 02:24 -------- d-----w- c:\documents and settings\ssanders\Local Settings\Application Data\Identities
2011-04-11 22:33 . 2008-04-24 13:55 997888 ------w- c:\windows\system32\dllcache\msgina.dll
2011-04-11 22:33 . 2008-04-24 13:33 507904 ----a-w- c:\windows\system32\dllcache\winlogon.exe
2011-04-11 22:33 . 2008-04-24 13:55 423936 ------w- c:\windows\system32\dllcache\licdll.dll
2011-04-11 22:32 . 2008-04-24 15:10 1396264 ----a-w- C:\WindowsXP-KB948277-x86-ENU.exe
2011-04-11 19:01 . 2011-04-11 19:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-11 10:16 . 2011-04-11 10:22 -------- d-----w- c:\windows\tmp
2011-03-20 19:01 . 2011-03-20 19:01 -------- d-----w- c:\documents and settings\ssanders\Application Data\Nikon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-12 18:37 . 2010-12-06 23:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-12 18:37 . 2007-07-26 14:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
------- Sigcheck -------
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
c:\windows\explorer.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-20 68856]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2009-12-28 2137600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickBooksDB18"="c:\program files\Intuit\QuickBooks Enterprise Solutions 8.0\QBDBMgrN.exe" [2006-09-13 128536]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-04 98304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-21 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-21 213936]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"HostManager"="c:\program files\Common Files\AOL\1143156683\ee\AOLSoftware.exe" [2006-05-10 50760]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\DODUser\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-5-15 479232]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [N/A]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Remote Access.LNK - c:\windows\DOWNLO~1\MyWebEx\319\raagtx.exe [2009-11-16 38200]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]
QuickBooks Web Connector.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe [2008-2-15 300320]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [N/A]
Symantec Backup Exec Desktop Agent.lnk - c:\program files\Symantec\Backup Exec\DLO\DLOClientu.exe [2008-1-9 7316856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0PFDNNT c:\program files\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1164678433-3373878337-2875747839-1137\Scripts\Logon\0\0]
"Script"=\\dessert.local\SysVol\dessert.local\scripts\Map_Drives.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1164678433-3373878337-2875747839-1138\Scripts\Logon\0\0]
"Script"=\\dessert.local\NETLOGON\kaseya.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1164678433-3373878337-2875747839-1138\Scripts\Logon\1\0]
"Script"=\\dessert.local\SysVol\dessert.local\scripts\Map_Drives.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\CONF.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1143156683\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1143156683\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Backup Exec\\RAWS\\beremote.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 8.0\\QBDBMgrN.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1754:UDP"= 1754:UDP:Windows Media Format SDK (iexplore.exe)
"1755:UDP"= 1755:UDP:Windows Media Format SDK (iexplore.exe)
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 VSP;Volume Snapshot Provider;c:\windows\SYSTEM32\DRIVERS\VSP.sys [9/25/2007 2:52 PM 54192]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 atnthost;WebEx Remote Access Agent;c:\windows\DOWNLO~1\MyWebEx\319\atnthost.exe [11/16/2009 9:44 PM 16792]
R2 DLOChangeJournalSvc;Symantec Backup Exec Desktop Agent Change Journal Reader;c:\program files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe [1/9/2008 12:43 PM 472440]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/2/2010 3:58 PM 102448]
S0 tonkqgc;tonkqgc;c:\windows\system32\drivers\lgekswox.sys --> c:\windows\system32\drivers\lgekswox.sys [?]
S2 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe --> c:\program files\Spyware Doctor\svcntaux.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/10/2008 6:50 PM 24652]
S3 EraserUtilDrv10820;EraserUtilDrv10820;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys [?]
S3 EraserUtilDrv10821;EraserUtilDrv10821;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10821.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10821.sys [?]
S3 EraserUtilDrv10822;EraserUtilDrv10822;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10822.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10822.sys [?]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1.0\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1.0\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\All_To_PDF\IEAddon.exe
Trusted Zone: adp.com\ezlmappdc1
Trusted Zone: adp.com\ezlmreportdc1
Trusted Zone: saif.com\www
Trusted Zone: umpquabank.com\bankonline
DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} - hxxps://forms.orefonline.com/OLF/Runtime/FormLoader_RMLS.CAB
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ADP Scheduler - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-15 20:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2011-04-15 20:12:09
ComboFix-quarantined-files.txt 2011-04-16 03:12
ComboFix2.txt 2010-12-15 03:41
.
Pre-Run: 16,357,867,520 bytes free
Post-Run: 16,333,860,864 bytes free
.
- - End Of File - - 341A40E676780928216DDCBEA1643829

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network16th April 2011, 6:20 pm

more_horiz
Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:


    FCopy::
    c:\windows\ERDNT\cache\explorer.exe | c:\windows\explorer.exe

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Blank Desktop After Windows XP Login on Network Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network19th April 2011, 4:54 pm

more_horiz
ComboFix 11-04-19.01 - ssanders 04/19/2011 9:24.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1385 [GMT -7:00]
Running from: c:\documents and settings\ssanders\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\ssanders\Desktop\cfscript.txt
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ERDNT\cache\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2011-03-19 to 2011-04-19 )))))))))))))))))))))))))))))))
.
.
2011-04-19 16:24 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\system32\dllcache\explorer.exe
2011-04-19 16:24 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer.exe
2011-04-14 22:08 . 2011-03-06 22:12 2234368 ----a-r- C:\OTLPE.exe
2011-04-12 02:24 . 2011-04-12 02:24 -------- d-----w- c:\documents and settings\ssanders\Local Settings\Application Data\Identities
2011-04-11 22:33 . 2008-04-24 13:55 997888 ------w- c:\windows\system32\dllcache\msgina.dll
2011-04-11 22:33 . 2008-04-24 13:33 507904 ----a-w- c:\windows\system32\dllcache\winlogon.exe
2011-04-11 22:33 . 2008-04-24 13:55 423936 ------w- c:\windows\system32\dllcache\licdll.dll
2011-04-11 22:32 . 2008-04-24 15:10 1396264 ----a-w- C:\WindowsXP-KB948277-x86-ENU.exe
2011-04-11 19:01 . 2011-04-11 19:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-11 10:16 . 2011-04-11 10:22 -------- d-----w- c:\windows\tmp
2011-03-20 19:01 . 2011-03-20 19:01 -------- d-----w- c:\documents and settings\ssanders\Application Data\Nikon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-12 18:37 . 2010-12-06 23:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-12 18:37 . 2007-07-26 14:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-16_03.09.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-19 15:42 . 2011-04-19 15:42 16384 c:\windows\Temp\Perflib_Perfdata_450.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-20 68856]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2009-12-28 2137600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickBooksDB18"="c:\program files\Intuit\QuickBooks Enterprise Solutions 8.0\QBDBMgrN.exe" [2006-09-13 128536]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-04 98304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-21 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-21 213936]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"HostManager"="c:\program files\Common Files\AOL\1143156683\ee\AOLSoftware.exe" [2006-05-10 50760]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"ADP Scheduler"="" [BU]
.
c:\documents and settings\DODUser\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-5-15 479232]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [N/A]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Remote Access.LNK - c:\windows\DOWNLO~1\MyWebEx\319\raagtx.exe [2009-11-16 38200]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]
QuickBooks Web Connector.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe [2008-2-15 300320]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [N/A]
Symantec Backup Exec Desktop Agent.lnk - c:\program files\Symantec\Backup Exec\DLO\DLOClientu.exe [2008-1-9 7316856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0PFDNNT c:\program files\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1164678433-3373878337-2875747839-1137\Scripts\Logon\0\0]
"Script"=\\dessert.local\SysVol\dessert.local\scripts\Map_Drives.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1164678433-3373878337-2875747839-1138\Scripts\Logon\0\0]
"Script"=\\dessert.local\NETLOGON\kaseya.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1164678433-3373878337-2875747839-1138\Scripts\Logon\1\0]
"Script"=\\dessert.local\SysVol\dessert.local\scripts\Map_Drives.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\CONF.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1143156683\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1143156683\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Backup Exec\\RAWS\\beremote.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 8.0\\QBDBMgrN.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1754:UDP"= 1754:UDP:Windows Media Format SDK (iexplore.exe)
"1755:UDP"= 1755:UDP:Windows Media Format SDK (iexplore.exe)
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 VSP;Volume Snapshot Provider;c:\windows\SYSTEM32\DRIVERS\VSP.sys [9/25/2007 2:52 PM 54192]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 atnthost;WebEx Remote Access Agent;c:\windows\DOWNLO~1\MyWebEx\319\atnthost.exe [11/16/2009 9:44 PM 16792]
R2 DLOChangeJournalSvc;Symantec Backup Exec Desktop Agent Change Journal Reader;c:\program files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe [1/9/2008 12:43 PM 472440]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/10/2008 6:50 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/2/2010 3:58 PM 102448]
S0 tonkqgc;tonkqgc;c:\windows\system32\drivers\lgekswox.sys --> c:\windows\system32\drivers\lgekswox.sys [?]
S2 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe --> c:\program files\Spyware Doctor\svcntaux.exe [?]
S3 EraserUtilDrv10820;EraserUtilDrv10820;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys [?]
S3 EraserUtilDrv10821;EraserUtilDrv10821;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10821.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10821.sys [?]
S3 EraserUtilDrv10822;EraserUtilDrv10822;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10822.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10822.sys [?]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1.0\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1.0\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\All_To_PDF\IEAddon.exe
Trusted Zone: adp.com\ezlmappdc1
Trusted Zone: adp.com\ezlmreportdc1
Trusted Zone: saif.com\www
Trusted Zone: umpquabank.com\bankonline
DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} - hxxps://forms.orefonline.com/OLF/Runtime/FormLoader_RMLS.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-19 09:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-04-19 09:30:51
ComboFix-quarantined-files.txt 2011-04-19 16:30
ComboFix2.txt 2011-04-19 16:10
ComboFix3.txt 2011-04-16 03:12
ComboFix4.txt 2010-12-15 03:41
.
Pre-Run: 16,261,087,232 bytes free
Post-Run: 16,230,117,376 bytes free
.
- - End Of File - - 1FA9C026AECFB07B81810291FFEEF9BE

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network19th April 2011, 7:57 pm

more_horiz
Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

descriptionBlank Desktop After Windows XP Login on Network EmptyRe: Blank Desktop After Windows XP Login on Network

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum