Resolved HJT Threads: resolved spyware and popup issues.

11-15-2008, 04:53 AM   #1
Registered User
 
Join Date: Oct 2008
Posts: 17
OS: xp


Red Button with a white cross

Hi, I bet you're sick of hearing this, but I have the anti-spyware 2009 thing (red button with the white cross in the system tray) with the balloon that keeps telling me my computer is infected. I see it is a common problem but thought it best to ask before running any checks that have been recommended to others. I have not opened it, so it is still dormant, but I did remove its desktop icon (delself), which was an MS-DOS batch file. I have included a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:52, on 15/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\WINDOWS\system32\brastk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [Make A Voozie] "C:\Documents and Settings\All Users\Application Data\Make A Voozie\VoozieMaker.exe" /startup
O4 - HKLM\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6796 bytes
noneckferret is offline  

11-16-2008, 06:52 PM   #2
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Red Button with a white cross

Hello and Welcome.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/secu...oval-help.html

After running through all the steps, you shall have a proper set of logs. Please post them.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
11-17-2008, 03:57 AM   #3
Registered User
 
Join Date: Oct 2008
Posts: 17
OS: xp


Re: Red Button with a white cross

DDS (Version 1.0) - NTFSx86
Run by ron at 10:51:53.32 on 17/11/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1495 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\WINDOWS\system32\brastk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\ron\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.yahoo.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ASUS SmartDoctor] c:\program files\asus\smartdoctor\SmartDoctor.exe /start
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SSC Service Utility] c:\program files\ssc service utility\ssc_serv.exe /s
mRun: [Make A Voozie] "c:\documents and settings\all users\application data\make a voozie\VoozieMaker.exe" /startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys
S3 Fs_rock2driv;Fs_rock2driv;

=============== Created Last 30 ================

2008-11-17 10:37 250 a------- c:\windows\gmer.ini
2008-11-15 15:32 <DIR> --d----- c:\docume~1\ron\applic~1\PPMate
2008-11-15 15:32 <DIR> --d----- c:\program files\common files\Synacast
2008-11-15 11:41 <DIR> --d----- c:\program files\Trend Micro
2008-11-15 11:41 812,344 a------- c:\program files\HJTInstall.exe
2008-11-15 09:57 10,240 a------- c:\windows\system32\brastk.exe
2008-11-14 17:05 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-14 17:05 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-03 19:28 24 a------- C:\url_history.xml
2008-10-31 11:53 1,025 a------- c:\windows\system32\sysprs7.tgz
2008-10-31 11:53 1,025 a------- c:\windows\system32\clauth2.dll
2008-10-31 11:53 1,025 a------- c:\windows\system32\clauth1.dll
2008-10-31 11:53 219 a------- c:\windows\system32\lsprst7.tgz
2008-10-31 11:53 87 a------- c:\windows\system32\ssprs.tgz
2008-10-31 11:53 73 a------- c:\windows\system32\ssprs.dll
2008-10-31 11:53 1,025 a------- c:\windows\system32\sysprs7.dll
2008-10-31 11:53 205 a------- c:\windows\system32\lsprst7.dll
2008-10-31 11:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Minnetonka Audio Software
2008-10-31 00:46 1,382 a------- c:\windows\cdplayer.ini
2008-10-31 00:42 <DIR> --d----- c:\program files\common files\xing shared
2008-10-31 00:41 <DIR> --d----- c:\program files\Real
2008-10-31 00:41 <DIR> --d----- c:\program files\common files\Real
2008-10-31 00:34 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-10-31 00:33 <DIR> --d----- C:\f8cffc4d4a51513b43
2008-10-31 00:33 <DIR> --d----- c:\windows\system32\LogFiles
2008-10-30 19:20 <DIR> --d----- c:\program files\Dan Elwell's Broadband Speed Test
2008-10-30 01:42 <DIR> --d----- c:\docume~1\ron\applic~1\VoozieMaker
2008-10-30 01:42 1,148 a------- c:\windows\system32\ezdigsgn.dat
2008-10-30 01:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Make A Voozie
2008-10-27 09:31 <DIR> --d----- c:\program files\Total Video Converter
2008-10-26 19:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Macrovision
2008-10-26 19:28 <DIR> --d----- c:\program files\common files\Adobe Systems Shared
2008-10-26 19:28 20,016 -------- c:\windows\system32\drivers\pxhelp20.sys
2008-10-26 16:55 <DIR> --d----- c:\program files\SecondLife
2008-10-24 17:45 <DIR> --d----- c:\windows\system32\scripting
2008-10-24 17:45 <DIR> --d----- c:\windows\system32\en
2008-10-24 17:45 <DIR> --d----- c:\windows\l2schemas
2008-10-24 17:45 <DIR> --d----- c:\windows\system32\bits
2008-10-24 16:56 <DIR> --d----- c:\program files\Crack
2008-10-24 16:54 <DIR> --d----- c:\program files\Adobe Premiere Pro
2008-10-24 13:37 <DIR> --d----- c:\windows\network diagnostic
2008-10-24 13:37 33,792 ac------ c:\windows\system32\dllcache\custsat.dll
2008-10-24 11:37 8 ---shr-- c:\windows\system32\0D49A5F9CC.sys
2008-10-24 11:37 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:37 <DIR> --d----- c:\program files\DivX
2008-10-24 11:36 <DIR> --d----- C:\MyWorks
2008-10-24 07:42 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-10-23 18:31 116 a------- c:\windows\NeroDigital.ini
2008-10-23 17:14 148,249 a------- C:\Azureus_Stats.xml
2008-10-23 14:46 <DIR> --d----- c:\docume~1\ron\applic~1\SecondLife
2008-10-23 14:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2008-10-23 14:39 <DIR> --d----- c:\docume~1\ron\applic~1\Azureus
2008-10-23 14:10 5,248 a------- c:\windows\system32\giveio.sys
2008-10-23 13:51 <DIR> --d----- c:\program files\Yahoo!
2008-10-23 13:29 <DIR> --d----- c:\program files\EPSON Print CD
2008-10-23 13:29 76,045 a------- c:\windows\system32\EBPMON24.DLL
2008-10-23 13:29 64,000 a------- c:\windows\system32\ECBTEG.DLL
2008-10-23 13:29 34,304 a------- c:\windows\system32\EBPCHP.DLL
2008-10-23 13:29 31,744 a------- c:\windows\system32\E_DCINST.DLL
2008-10-23 13:29 182 a------- c:\windows\system32\EBPPORT4.DAT
2008-10-23 13:28 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2008-10-23 13:28 <DIR> --d----- c:\program files\EPSON
2008-10-23 13:27 24 a------- c:\windows\CDER300Euro.ini
2008-10-23 13:24 737,280 a------- c:\windows\iun6002.exe
2008-10-23 13:24 <DIR> --d----- c:\program files\Codec Pack - All In 1
2008-10-23 13:21 <DIR> --d----- c:\program files\Nero
2008-10-23 13:00 66,725 -c------ c:\windows\system32\dllcache\revert.wmz
2008-10-23 12:59 32,592 a------- c:\windows\system32\msonpmon.dll
2008-10-23 12:54 <DIR> --d----- c:\windows\SHELLNEW
2008-10-23 12:43 <DIR> --d----- c:\program files\ASUS
2008-10-23 12:41 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2008-10-23 12:41 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-10-23 12:34 <DIR> --d----- c:\windows\system32\PreInstall
2008-10-23 12:34 <DIR> --d-h--- c:\windows\$hf_mig$
2008-10-23 12:26 253,952 -c------ c:\windows\system32\dllcache\es.dll
2008-10-23 12:23 <DIR> --d----- c:\program files\ASUSTeK
2008-10-23 12:22 43,573 a------- c:\windows\system32\nvapps.xml
2008-10-23 12:22 <DIR> --d----- c:\windows\nview
2008-10-23 12:22 180,224 a------- c:\windows\system32\nvudisp.exe
2008-10-23 12:22 16,356 a------- c:\windows\system32\nvdisp.nvu
2008-10-23 12:22 180,224 a------- c:\windows\system32\NVUNINST.EXE
2008-10-23 12:21 11,264 -----r-- c:\windows\system32\drivers\EIO.sys
2008-10-23 12:10 56 a---h--- c:\windows\system32\ezsidmv.dat
2008-10-23 12:09 <DIR> --d----- c:\program files\Skype
2008-10-23 12:01 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-10-23 12:01 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2008-10-23 12:01 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-10-23 12:00 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-10-23 12:00 <DIR> --d----- c:\docume~1\ron\applic~1\AVGTOOLBAR
2008-10-23 12:00 <DIR> --d----- c:\program files\AVG
2008-10-23 12:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-10-23 11:56 <DIR> --dsh--- c:\documents and settings\ron\UserData
2008-10-23 11:51 <DIR> --d----- c:\program files\Nero 7 Premium
2008-10-23 11:46 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2008-10-23 11:43 <DIR> --d----- c:\program files\Power Producer 4.0 + Serial (All real)
2008-10-23 11:35 2,323,706 a------- c:\program files\isobuster_eng.zip
2008-10-23 11:35 10,050,902 a------- c:\program files\Codecs6030_allin1.exe
2008-10-23 11:35 <DIR> --d----- c:\program files\SSC Service Utility
2008-10-23 11:35 <DIR> --d----- c:\program files\NoAdware4
2008-10-23 11:35 <DIR> --d----- c:\program files\CDex_150
2008-10-23 11:34 <DIR> --d----- c:\program files\Audacity
2008-10-23 11:27 2,422 a------- c:\windows\system32\wpa.bak
2008-10-23 11:24 3,072 a------- c:\windows\system32\drivers\audstub.sys
2008-10-23 11:24 57,600 a------- c:\windows\system32\drivers\redbook.sys
2008-10-23 11:24 6,400 a------- c:\windows\system32\drivers\enum1394.sys
2008-10-23 11:24 10,624 a------- c:\windows\system32\drivers\gameenum.sys
2008-10-23 11:23 74,240 a------- c:\windows\system32\usbui.dll
2008-10-23 11:22 <DIR> --d----- c:\program files\common files\ODBC
2008-10-23 11:22 <DIR> --d----- c:\program files\common files\SpeechEngines
2008-10-23 11:22 <DIR> --d--r-- c:\documents and settings\all users\Documents
2008-10-23 11:21 <DIR> --d----- C:\Documents and Settings
2008-10-23 11:20 386 a------- c:\windows\system32\$winnt$.inf
2008-10-23 11:17 78,976 a------- c:\windows\system32\drivers\Rtenicxp.sys
2008-10-23 11:17 <DIR> --d----- c:\windows\OPTIONS
2008-10-23 11:10 <DIR> --d----- c:\program files\Realtek
2008-10-23 10:34 <DIR> --dsh--- c:\documents and settings\all users\DRM
2008-10-23 10:32 <DIR> --d----- c:\program files\common files\MSSoap
2008-10-23 10:31 <DIR> --d-h--- c:\program files\WindowsUpdate
2008-10-23 10:31 <DIR> --d----- c:\program files\Online Services
2008-10-23 10:31 <DIR> --d----- c:\program files\Messenger
2008-10-23 10:31 <DIR> --d----- c:\program files\MSN Gaming Zone
2008-10-23 10:30 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2008-10-31 00:41 499,712 a------- c:\windows\system32\msvcp71.dll
2008-10-31 00:41 348,160 a------- c:\windows\system32\msvcr71.dll
2008-10-24 17:47 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 10:32 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 10:52:07.04 ===============
Attached Files
File Type: txt Attach.txt (7.0 KB, 2 views)
File Type: txt Gmer.txt (3.2 KB, 1 views)
noneckferret is offline  
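As an added example (it is not code from this thread, from HijackThis or from DDS), the script below does what a helper does by eye when reading the two logs above: it parses the O4 Run entries from the HijackThis log in post #1, parses the "Created Last 30" section of the DDS log, and reports every autostart executable that was written to disk within the last 30 days, together with the hives that register it. The sample lines are a constructed subset of the posted logs; the matching is by file name, so the 8.3 paths HijackThis prints (PROGRA~1) and the long paths DDS prints still line up. On this input it surfaces brastk.exe, registered under both HKLM and HKCU and created in system32 on 2008-11-15, the same day the HijackThis scan was saved, which is exactly the kind of entry to look at first. The parser handles any O4 Run line, not only the ones shown.

```python
"""Cross-check HijackThis O4 autostart entries against the DDS 'Created Last 30' list.

Added illustration for this thread; it is not HijackThis or DDS code. The sample
lines are a constructed subset of the two logs posted above.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed subset of the O4 lines from the HijackThis log in post #1.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

# Constructed subset of the 'Created Last 30' section of the DDS log in post #3.
DDS_SAMPLE = r"""
2008-11-15 11:41 <DIR> --d----- c:\program files\Trend Micro
2008-11-15 11:41 812,344 a------- c:\program files\HJTInstall.exe
2008-11-15 09:57 10,240 a------- c:\windows\system32\brastk.exe
2008-11-14 17:05 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:22 180,224 a------- c:\windows\system32\nvudisp.exe
2008-10-23 12:01 10,520 a------- c:\windows\system32\avgrsstx.dll
"""

# O4 - HKLM\..\Run: [name] command   (also HKCU and HKUS\<sid>\..\Run)
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# 2008-11-15 09:57 10,240 a------- c:\windows\system32\brastk.exe
DDS_RE = re.compile(r"^(?P<date>\d{4}-\d\d-\d\d) \d\d:\d\d\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attr>\S+)\s+(?P<path>.+)$")
# First token ending in .exe (the program itself, before any switches).
EXE_RE = re.compile(r"^(.+?\.exe)(?=\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    exe_name: str   # lowercased file name the two logs were matched on
    hives: tuple    # registry hives whose Run key launches it, in log order
    command: str    # command line as HijackThis printed it
    created: str    # creation date from the DDS list
    size: int       # file size in bytes from the DDS list
    dds_path: str   # path as DDS printed it


def executable_of(cmd: str) -> str:
    """Pull the launched program out of a Run value (quoted path, bare path, or bare name)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_recent_files(dds_text: str) -> dict:
    """Map lowercased file name -> (date, size, path) for the non-directory entries."""
    recent = {}
    for line in dds_text.splitlines():
        m = DDS_RE.match(line.strip())
        if not m or m["size"] == "<DIR>":
            continue
        recent[ntpath.basename(m["path"]).lower()] = (m["date"], int(m["size"].replace(",", "")), m["path"])
    return recent


def parse_autostarts(hjt_text: str) -> dict:
    """Map lowercased executable name -> {'hives': [...], 'command': str}."""
    entries = {}
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        key = ntpath.basename(executable_of(m["cmd"])).lower()
        hive = m["hive"].split("\\")[0]          # HKUS\S-1-5-18 -> HKUS
        entry = entries.setdefault(key, {"hives": [], "command": m["cmd"]})
        if hive not in entry["hives"]:
            entry["hives"].append(hive)
    return entries


def analyze(hjt_text: str, dds_text: str) -> list:
    """Return a Finding for each autostart program that also appears in the recent-file list."""
    recent = parse_recent_files(dds_text)
    findings = []
    for key, entry in parse_autostarts(hjt_text).items():
        if key in recent:
            date, size, path = recent[key]
            findings.append(Finding(key, tuple(entry["hives"]), entry["command"], date, size, path))
    return findings


if __name__ == "__main__":
    for f in analyze(HJT_SAMPLE, DDS_SAMPLE):
        print(f"{f.exe_name}: run from {'+'.join(f.hives)}, created {f.created}, {f.size} bytes, {f.dds_path}")
```

A hit from this check is a lead, not a verdict: a freshly installed legitimate program also lands in both lists, so the next step is still to look at the file itself (size, signature, vendor) and at where it was installed from.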
11-17-2008, 08:43 AM   #4
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Red Button with a white cross

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download Lop S&D here. We'll use this later.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  3. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  4. Double click on combofix.exe & follow the prompts.
  5. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  6. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  7. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  8. Double-click Lop S&D.exe
    Choose the language, then choose Option 1 (Search)
    Wait till the end of the scan
    Post the log which is created: (C:\lopR.txt )

  9. Ensure your AntiVirus and AntiSpyware applications are re-enabled. Post logs from ComboFix (C:\ComboFix.txt) and Lop S&D (C:\lopR.txt)


    ---------------------------------------------------------------------------------------------
tetonbob is offline  
11-17-2008, 09:30 AM   #5
Registered User
 
Join Date: Oct 2008
Posts: 17
OS: xp


Re: Red Button with a white cross

Hi, I tried to install the recovery programme but it came up with an error message saying the boot partition could not be successfully enumerated. Do I continue with the scan?

Last edited by noneckferret; 11-17-2008 at 09:40 AM.
noneckferret is offline  
11-17-2008, 10:05 AM   #6
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Red Button with a white cross

Hello -

If you've not already, please click on No to exit the scan. We should determine the status of your boot.ini.

When you start the machine, do you notice a message indicating invalid boot.ini file booting from Windows?

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
type "C:\boot.ini">C:\look.txt
Start notepad C:\Look.txt
del peek.bat
Save this as peek.bat. Choose "Save type as - All Files".
It should look like this:
Double click on peek.bat & allow it to run. A notepad file will open. Post the contents of that file in your next reply, and close the file.
tetonbob is offline  
11-17-2008, 10:27 AM   #7
Registered User
 
Join Date: Oct 2008
Posts: 17
OS: xp


Re: Red Button with a white cross

The notepad is blank.
noneckferret is offline  
11-17-2008, 10:29 AM   #8
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Red Button with a white cross

Ok, that's what I expected after the ComboFix message you reported.

Before we continue, can you answer this question?

Quote:
When you start the machine, do you notice a message indicating invalid boot.ini file booting from Windows?
tetonbob is offline  
11-17-2008, 10:47 AM   #9
Registered User
 
Join Date: Oct 2008
Posts: 17
OS: xp


Re: Red Button with a white cross

Yes... sorry, I meant to put that in last time.
noneckferret is offline  
11-17-2008, 11:01 AM   #10
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Red Button with a white cross

Ok, we need to create a boot.ini which is correct for your machine. This will take a few steps, but is relatively simple. I need you to follow each step exactly, and ask questions first if you have them.


Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Go to C:\boot.ini

If that file exists, right click and uncheck 'Read Only' and click Apply>OK

Now right click the file again and select 'Open With' and choose Notepad.

If the boot.ini doesn't exist, then open Notepad.

Copy/paste the following text in the quote box below, into Notepad (either the existing boot.ini, or a new Notepad file)

Quote:
[boot loader]
timeout=30
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=1 /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=2 /fastdetect
scsi(0)disk(0)rdisk(0)partition(1)\WINDOWS=3 /fastdetect
scsi(0)disk(0)rdisk(0)partition(2)\WINDOWS=4 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=5 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=6 /fastdetect
C:\WINDOWS=7 /fastdetect
Close the file, and approve the changes made when asked by Windows.

If there was no boot.ini, save the file you just created. Name it boot.ini and save it directly to C:\ drive.

Do Not reboot yet!

Please create and perform the peek.bat once again, as instructed in my previous post. Post the log which opens.

It's important that you do not reboot the system until I've reviewed that log.
Old 11-17-2008, 11:19 AM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Red Button with a white cross

If you've not already done so, the peek.bat can be created with only these lines

Quote:
type "C:\boot.ini">C:\look.txt
Start notepad C:\Look.txt
Omitting this line, as we will use the peek.bat once more

del peek.bat
Old 11-17-2008, 11:35 AM   #12 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 17
OS: xp


Re: Red Button with a white cross

boot loader]
timeout=30
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=1 /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=2 /fastdetect
scsi(0)disk(0)rdisk(0)partition(1)\WINDOWS=3 /fastdetect
scsi(0)disk(0)rdisk(0)partition(2)\WINDOWS=4 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=5 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=6 /fastdetect
C:\WINDOWS=7 /fastdetect
Old 11-17-2008, 11:51 AM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Red Button with a white cross

Ok, looks good. Read through this next set of instructions and print them out if you're not sure you'll remember.

Reboot your system
  • Upon reboot, you'll have 30 seconds to choose from the boot menu.
  • Use your arrow key to move up to 1 /fastdetect in the list and press Enter.
  • Wait for it to boot Windows.
  • If it boots to Windows, let me know.
  • If you receive an error, click OK to restart the system, or use Ctrl + Alt + Del
  • Upon restart you will see the boot menu again. Arrow up to 2 /fastdetect and press Enter.
  • Wait for Windows to boot. If you receive an error message, same as before, click OK to restart.
Continue using the arrow key, going in succession from 3 /fastdetect, etc., one at a time, until Windows boots up.

Come back and tell me which selection worked for you.
Old 11-17-2008, 12:01 PM   #14 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 17
OS: xp


Re: Red Button with a white cross

I didn't get the boot menu it just booted straight to windows as normal
Old 11-17-2008, 12:17 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Red Button with a white cross

Looking back at post #12, I missed what is the likely source of that problem. I had thought it was a copy/paste error in the reply.

This line in the boot.ini created:

boot loader]

Should read

[boot loader]

Note the missing [ at the beginning of the quote box I gave you. This will have Windows bypass a bootloader menu.

So, please open the boot.ini once again. Add [ to the beginning, so it looks like the above quote box. Close the file, and allow the changes.

Run peek.bat once again.
Old 11-17-2008, 01:11 PM   #16 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 17
OS: xp


Re: Red Button with a white cross

[boot loader]
timeout=30
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=1 /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=2 /fastdetect
scsi(0)disk(0)rdisk(0)partition(1)\WINDOWS=3 /fastdetect
scsi(0)disk(0)rdisk(0)partition(2)\WINDOWS=4 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=5 /fastdetect
scsi(0)disk(0)rdisk(1)partition(2)\WINDOWS=6 /fastdetect
C:\WINDOWS=7 /fastdetect
It started with the first option.
Old 11-17-2008, 01:14 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Red Button with a white cross

Ok, great.

Now that we know which partition Windows is located in, we need to set it one more time.

Right click the C:\boot.ini and rename it to boot.bak

Open Notepad and copy/paste the text in the quote box below, into that empty Notepad:

Quote:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Save this as boot.ini directly on the C:\ drive.

-------------------------

Run the peek.bat and post the report contents here for review. Do not reboot until I review that text.
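Checking a boot.ini the way this thread does by eye, as an added example that is not code from the thread or from TSF: it parses the file, reports any line that falls before the first [section] header (which is exactly what the clipped [ in post #12 produced, and why NTLDR showed no menu), and checks that default= names an entry under [operating systems]. The sample inputs are reconstructed from posts #12 and #17 and from the boot.ini ComboFix printed at the end of the thread; the entry-key check accepts only the multi()/scsi() ARC forms and drive-letter paths the thread uses.

```python
import re

# ARC-style entry key as written in the thread, e.g. multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.
# The signature(...) form is not handled; the thread only uses multi() and scsi().
ARC_PATH = re.compile(
    r"^(?:multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\.+$", re.IGNORECASE
)
# Drive-letter form, e.g. C:\WINDOWS or c:\cmdcons\BOOTSECT.DAT (both appear in the thread).
DRIVE_PATH = re.compile(r"^[a-z]:\\.+$", re.IGNORECASE)


def parse_boot_ini(text):
    """Split boot.ini into {section: [(key, value), ...]}.

    Lines that appear before the first [section] header are returned separately as
    'stray' lines: that is what a missing '[' on the first line produces.
    """
    sections = {}
    stray = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            stray.append(line)
            continue
        # The entry key (an ARC or drive path) never contains '=', so split on the first one.
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections, stray


def validate_boot_ini(text):
    """Return a list of problem strings; an empty list means every check passed."""
    problems = []
    sections, stray = parse_boot_ini(text)
    for line in stray:
        problems.append(f"line before any section header: {line!r}")
    if "boot loader" not in sections:
        problems.append("missing [boot loader] header")
    if "operating systems" not in sections:
        problems.append("missing [operating systems] header")

    loader = dict(sections.get("boot loader", []))
    timeout = loader.get("timeout")
    if timeout is None or not timeout.isdigit():
        problems.append(f"timeout= missing or not a number: {timeout!r}")

    entries = sections.get("operating systems", [])
    if not entries:
        problems.append("no entries under [operating systems]")
    seen = set()
    for key, _value in entries:
        if not (ARC_PATH.match(key) or DRIVE_PATH.match(key)):
            problems.append(f"entry key is neither an ARC path nor a drive path: {key!r}")
        if key.lower() in seen:
            problems.append(f"duplicate entry: {key!r}")
        seen.add(key.lower())

    # default= is optional, but when present it must name one of the listed entries.
    default = loader.get("default")
    if default is not None and default.lower() not in seen:
        problems.append(f"default= does not match any [operating systems] entry: {default!r}")
    return problems


# Constructed sample inputs, reconstructed from the thread's own posts.
MISSING_BRACKET = r"""boot loader]
timeout=30
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=1 /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=2 /fastdetect
C:\WINDOWS=7 /fastdetect
"""

FINAL = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
"""

AFTER_COMBOFIX = r"""[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
"""

if __name__ == "__main__":
    for name, text in [("post #12", MISSING_BRACKET), ("post #17", FINAL), ("after ComboFix", AFTER_COMBOFIX)]:
        print(name, "->", validate_boot_ini(text) or "OK")
```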
Old 11-17-2008, 01:23 PM   #18 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 17
OS: xp


Re: Red Button with a white cross

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
Old 11-17-2008, 01:34 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Red Button with a white cross

Good work! All is in order now. ComboFix should now allow the installation of Recovery Console as prelude to malware removal. Review Post # 4, and carry on.
Old 11-17-2008, 01:46 PM   #20 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 17
OS: xp


Re: Red Button with a white cross

--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel(R) Pentium(R) D CPU 2.66GHz )
BIOS : Default System BIOS
USER : ron ( Administrator )
BOOT : Normal boot
Antivirus : AVG Anti-Virus Free 8.0 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:149 Go (Free:129 Go)
D:\ (CD or DVD)
E:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [1] ( 17/11/2008|20:43 )

--------------------\\ Listing folders in APPLIC~1

[17/11/2008|16:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg8
[23/10/2008|14:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
[24/10/2008|11:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
[26/10/2008|19:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macrovision
[31/10/2008|02:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Make A Voozie
[23/10/2008|13:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[23/10/2008|12:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[31/10/2008|11:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Minnetonka Audio Software
[23/10/2008|12:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
[31/10/2008|11:19] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[30/10/2008|20:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
[23/10/2008|13:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

[23/10/2008|10:34] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft

[17/11/2008|16:20] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft

[17/11/2008|16:20] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft

[24/10/2008|17:07] C:\DOCUME~1\ron\APPLIC~1\Adobe
[26/10/2008|19:51] C:\DOCUME~1\ron\APPLIC~1\AdobeUM
[23/10/2008|13:22] C:\DOCUME~1\ron\APPLIC~1\Ahead
[23/10/2008|12:17] C:\DOCUME~1\ron\APPLIC~1\AVGTOOLBAR
[17/11/2008|10:29] C:\DOCUME~1\ron\APPLIC~1\Azureus
[24/10/2008|11:44] C:\DOCUME~1\ron\APPLIC~1\CyberLink
[23/10/2008|10:38] C:\DOCUME~1\ron\APPLIC~1\Identities
[23/10/2008|13:49] C:\DOCUME~1\ron\APPLIC~1\Macromedia
[17/11/2008|16:20] C:\DOCUME~1\ron\APPLIC~1\Microsoft
[15/11/2008|15:32] C:\DOCUME~1\ron\APPLIC~1\PPMate
[31/10/2008|00:44] C:\DOCUME~1\ron\APPLIC~1\Real
[23/10/2008|14:48] C:\DOCUME~1\ron\APPLIC~1\SecondLife
[17/11/2008|20:36] C:\DOCUME~1\ron\APPLIC~1\Skype
[17/11/2008|17:10] C:\DOCUME~1\ron\APPLIC~1\skypePM
[17/11/2008|17:10] C:\DOCUME~1\ron\APPLIC~1\VoozieMaker
[23/10/2008|13:53] C:\DOCUME~1\ron\APPLIC~1\Yahoo!

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[17/11/2008 20:40][--ah-----] C:\WINDOWS\tasks\SA.DAT
[31/03/2003 12:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[26/10/2008|19:27] C:\Program Files\Adobe
[24/10/2008|16:57] C:\Program Files\Adobe Premiere Pro
[23/10/2008|12:43] C:\Program Files\ASUS
[23/10/2008|12:23] C:\Program Files\ASUSTeK
[23/10/2008|11:35] C:\Program Files\Audacity
[23/10/2008|12:00] C:\Program Files\AVG
[23/10/2008|11:35] C:\Program Files\CDex_150
[23/10/2008|13:24] C:\Program Files\Codec Pack - All In 1
[17/11/2008|20:38] C:\Program Files\Common Files
[23/10/2008|10:32] C:\Program Files\ComPlus Applications
[24/10/2008|16:56] C:\Program Files\Crack
[24/10/2008|11:38] C:\Program Files\CyberLink
[16/11/2008|13:00] C:\Program Files\Dan Elwell's Broadband Speed Test
[24/10/2008|11:37] C:\Program Files\DivX
[23/10/2008|13:29] C:\Program Files\EPSON
[23/10/2008|13:29] C:\Program Files\EPSON Print CD
[26/10/2008|19:27] C:\Program Files\InstallShield Installation Information
[23/10/2008|11:15] C:\Program Files\Intel
[24/10/2008|14:06] C:\Program Files\Internet Explorer
[24/10/2008|17:48] C:\Program Files\Messenger
[23/10/2008|10:35] C:\Program Files\microsoft frontpage
[23/10/2008|12:57] C:\Program Files\Microsoft Office
[23/10/2008|12:57] C:\Program Files\Microsoft Visual Studio
[23/10/2008|12:58] C:\Program Files\Microsoft Works
[24/10/2008|17:45] C:\Program Files\Movie Maker
[23/10/2008|12:58] C:\Program Files\MSBuild
[23/10/2008|10:31] C:\Program Files\MSN
[23/10/2008|10:31] C:\Program Files\MSN Gaming Zone
[23/10/2008|13:21] C:\Program Files\Nero
[23/10/2008|11:53] C:\Program Files\Nero 7 Premium
[24/10/2008|17:42] C:\Program Files\NetMeeting
[23/10/2008|11:35] C:\Program Files\NoAdware4
[23/10/2008|10:31] C:\Program Files\Online Services
[24/10/2008|17:42] C:\Program Files\Outlook Express
[23/10/2008|11:47] C:\Program Files\Power Producer 4.0 + Serial (All real)
[31/10/2008|00:41] C:\Program Files\Real
[23/10/2008|11:10] C:\Program Files\Realtek
[03/11/2008|19:28] C:\Program Files\SecondLife
[23/10/2008|12:09] C:\Program Files\Skype
[23/10/2008|11:35] C:\Program Files\Smart Projects
[23/10/2008|11:35] C:\Program Files\SSC Service Utility
[30/10/2008|00:20] C:\Program Files\Total Video Converter
[15/11/2008|11:41] C:\Program Files\Trend Micro
[23/10/2008|10:38] C:\Program Files\Uninstall Information
[31/10/2008|00:34] C:\Program Files\Windows Media Connect 2
[31/10/2008|02:09] C:\Program Files\Windows Media Player
[24/10/2008|17:42] C:\Program Files\Windows NT
[23/10/2008|10:31] C:\Program Files\WindowsUpdate
[23/10/2008|11:49] C:\Program Files\WinRAR
[23/10/2008|10:35] C:\Program Files\xerox
[23/10/2008|13:53] C:\Program Files\Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[24/10/2008|18:28] C:\Program Files\Common Files\Adobe
[26/10/2008|19:28] C:\Program Files\Common Files\Adobe Systems Shared
[23/10/2008|13:21] C:\Program Files\Common Files\Ahead
[23/10/2008|12:57] C:\Program Files\Common Files\DESIGNER
[23/10/2008|12:22] C:\Program Files\Common Files\InstallShield
[23/10/2008|12:58] C:\Program Files\Common Files\Microsoft Shared
[23/10/2008|10:32] C:\Program Files\Common Files\MSSoap
[23/10/2008|11:22] C:\Program Files\Common Files\ODBC
[31/10/2008|00:42] C:\Program Files\Common Files\Real
[23/10/2008|10:32] C:\Program Files\Common Files\Services
[23/10/2008|12:09] C:\Program Files\Common Files\Skype
[23/10/2008|11:22] C:\Program Files\Common Files\SpeechEngines
[15/11/2008|15:32] C:\Program Files\Common Files\Synacast
[24/10/2008|17:42] C:\Program Files\Common Files\System
[31/10/2008|00:42] C:\Program Files\Common Files\xing shared

--------------------\\ Process

( 34 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\ron\Cookies\ron@advertising[1].txt
C:\DOCUME~1\ron\Cookies\ron@adopt.euroclick[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 20:44:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections


No other infections found !

[F:158][D:0]-> C:\DOCUME~1\ron\Cookies
[F:89][D:4]-> C:\DOCUME~1\ron\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 17/11/2008|20:44 - Option : [1]

--------------------\\ Scan completed at 20:44:25

ComboFix 08-11-16.05 - ron 2008-11-17 20:38:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1641 [GMT 0:00]
Running from: c:\documents and settings\ron\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
.

2008-11-17 10:37 . 2008-11-17 10:41 250 --a------ c:\windows\gmer.ini
2008-11-15 15:32 . 2008-11-15 15:32 <DIR> d-------- c:\program files\Common Files\Synacast
2008-11-15 15:32 . 2008-11-15 15:32 <DIR> d-------- c:\documents and settings\ron\Application Data\PPMate
2008-11-15 11:41 . 2008-11-15 11:41 <DIR> d-------- c:\program files\Trend Micro
2008-11-15 11:41 . 2008-11-15 11:41 812,344 --a------ c:\program files\HJTInstall.exe
2008-11-14 17:05 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-14 17:05 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-03 19:28 . 2008-11-03 19:28 24 --a------ C:\url_history.xml
2008-10-31 11:53 . 2008-10-31 11:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Minnetonka Audio Software
2008-10-31 11:53 . 2008-10-31 11:53 1,025 --a------ c:\windows\system32\sysprs7.tgz
2008-10-31 11:53 . 2008-10-31 11:53 1,025 --a------ c:\windows\system32\sysprs7.dll
2008-10-31 11:53 . 2008-10-31 11:53 1,025 --a------ c:\windows\system32\clauth2.dll
2008-10-31 11:53 . 2008-10-31 11:53 1,025 --a------ c:\windows\system32\clauth1.dll
2008-10-31 11:53 . 2008-10-31 11:53 219 --a------ c:\windows\system32\lsprst7.tgz
2008-10-31 11:53 . 2008-10-31 11:53 87 --a------ c:\windows\system32\ssprs.tgz
2008-10-31 00:46 . 2008-11-15 18:55 1,382 --a------ c:\windows\cdplayer.ini
2008-10-31 00:42 . 2008-10-31 00:42 <DIR> d-------- c:\program files\Common Files\xing shared
2008-10-31 00:41 . 2008-10-31 00:41 <DIR> d-------- c:\program files\Real
2008-10-31 00:41 . 2008-10-31 00:42 <DIR> d-------- c:\program files\Common Files\Real
2008-10-31 00:34 . 2008-10-31 00:34 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-10-31 00:33 . 2008-10-31 00:33 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-31 00:33 . 2008-10-31 00:34 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-10-31 00:33 . 2008-10-31 00:34 <DIR> d-------- C:\f8cffc4d4a51513b43
2008-10-30 19:20 . 2008-11-16 13:00 <DIR> d-------- c:\program files\Dan Elwell's Broadband Speed Test
2008-10-30 01:42 . 2008-11-17 17:10 <DIR> d-------- c:\documents and settings\ron\Application Data\VoozieMaker
2008-10-30 01:42 . 2008-10-30 01:42 1,148 --a------ c:\windows\system32\ezdigsgn.dat
2008-10-30 01:39 . 2008-10-31 02:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Make A Voozie
2008-10-27 09:31 . 2008-10-30 00:20 <DIR> d-------- c:\program files\Total Video Converter
2008-10-26 19:51 . 2008-10-26 19:51 <DIR> d-------- c:\documents and settings\ron\Application Data\AdobeUM
2008-10-26 19:28 . 2008-10-26 19:28 <DIR> d-------- c:\program files\Common Files\Adobe Systems Shared
2008-10-26 19:28 . 2008-10-26 19:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrovision
2008-10-26 19:28 . 2004-05-07 16:01 20,016 --------- c:\windows\system32\drivers\pxhelp20.sys
2008-10-26 16:55 . 2008-11-03 19:28 <DIR> d-------- c:\program files\SecondLife
2008-10-24 17:45 . 2008-10-24 17:45 <DIR> d-------- c:\windows\system32\scripting
2008-10-24 17:45 . 2008-10-24 17:45 <DIR> d-------- c:\windows\system32\en
2008-10-24 17:45 . 2008-10-24 17:45 <DIR> d-------- c:\windows\system32\bits
2008-10-24 17:45 . 2008-10-24 17:45 <DIR> d-------- c:\windows\l2schemas
2008-10-24 16:56 . 2008-10-24 16:56 <DIR> d-------- c:\program files\Crack
2008-10-24 16:54 . 2008-10-24 16:57 <DIR> d-------- c:\program files\Adobe Premiere Pro
2008-10-24 13:41 . 2008-10-03 17:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-10-24 13:41 . 2007-04-17 09:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-10-24 13:41 . 2007-03-08 05:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-10-24 13:41 . 2008-08-26 07:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-10-24 13:41 . 2008-08-26 07:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-10-24 13:41 . 2008-08-26 07:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-10-24 13:41 . 2008-08-26 07:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-10-24 13:41 . 2008-08-26 07:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-10-24 13:41 . 2008-08-25 08:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-10-24 13:37 . 2007-08-13 17:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll
2008-10-24 11:44 . 2008-10-24 11:44 <DIR> d-------- c:\documents and settings\ron\Application Data\CyberLink
2008-10-24 11:44 . 2008-10-24 11:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
2008-10-24 11:37 . 2008-10-24 11:37 <DIR> d-------- c:\program files\DivX
2008-10-24 11:37 . 2008-10-24 11:37 4,184 --ahs---- c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:37 . 2008-10-24 11:37 8 -r-hs---- c:\windows\system32\0D49A5F9CC.sys
2008-10-24 11:36 . 2008-10-24 11:38 <DIR> d-------- c:\program files\CyberLink
2008-10-24 11:36 . 2008-10-30 20:15 <DIR> d-------- C:\MyWorks
2008-10-24 07:42 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 18:31 . 2008-11-17 13:14 116 --a------ c:\windows\NeroDigital.ini
2008-10-23 17:14 . 2008-11-17 10:29 148,249 --a------ C:\Azureus_Stats.xml
2008-10-23 14:46 . 2008-10-23 14:48 <DIR> d-------- c:\documents and settings\ron\Application Data\SecondLife
2008-10-23 14:39 . 2008-11-17 10:29 <DIR> d-------- c:\documents and settings\ron\Application Data\Azureus
2008-10-23 14:39 . 2008-10-23 14:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
2008-10-23 14:10 . 2008-10-23 14:10 5,248 --a------ c:\windows\system32\giveio.sys
2008-10-23 13:53 . 2008-10-23 13:53 <DIR> d-------- c:\documents and settings\ron\Application Data\Yahoo!
2008-10-23 13:53 . 2008-10-23 13:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-23 13:52 . 2008-10-30 20:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-23 13:51 . 2008-10-23 13:53 <DIR> d-------- c:\program files\Yahoo!
2008-10-23 13:29 . 2008-10-23 13:29 <DIR> d-------- c:\program files\EPSON Print CD
2008-10-23 13:29 . 2003-07-28 19:10 76,045 --a------ c:\windows\system32\EBPMON24.DLL
2008-10-23 13:29 . 2003-05-21 20:27 64,000 --a------ c:\windows\system32\ECBTEG.DLL
2008-10-23 13:29 . 2000-06-07 19:01 34,304 --a------ c:\windows\system32\EBPCHP.DLL
2008-10-23 13:29 . 2003-07-17 07:14 31,744 --a------ c:\windows\system32\E_DCINST.DLL
2008-10-23 13:29 . 2001-09-04 20:04 182 --a------ c:\windows\system32\EBPPORT4.DAT
2008-10-23 13:28 . 2008-10-23 13:29 <DIR> d-------- c:\program files\EPSON
2008-10-23 13:28 . 2008-04-13 18:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-10-23 13:27 . 2008-10-23 13:27 24 --a------ c:\windows\CDER300Euro.ini
2008-10-23 13:24 . 2008-10-23 13:24 <DIR> d-------- c:\program files\Codec Pack - All In 1
2008-10-23 13:24 . 2008-10-23 13:23 737,280 --a------ c:\windows\iun6002.exe
2008-10-23 13:22 . 2008-10-23 13:22 <DIR> d-------- c:\documents and settings\ron\Application Data\Ahead
2008-10-23 13:21 . 2008-10-23 13:21 <DIR> d-------- c:\program files\Nero
2008-10-23 13:21 . 2008-10-23 13:21 <DIR> d-------- c:\program files\Common Files\Ahead
2008-10-23 13:00 . 2008-09-10 01:14 1,307,648 --------- c:\windows\system32\msxml6.dll
2008-10-23 12:59 . 2006-10-26 18:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-10-23 12:58 . 2008-10-23 12:58 <DIR> d-------- c:\program files\MSBuild
2008-10-23 12:58 . 2008-10-23 12:58 <DIR> d-------- c:\program files\Microsoft Works
2008-10-23 12:54 . 2008-10-23 12:57 <DIR> d-------- c:\windows\SHELLNEW
2008-10-23 12:53 . 2008-10-23 12:53 <DIR> dr-h----- C:\MSOCache
2008-10-23 12:53 . 2008-10-23 12:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-23 12:43 . 2008-10-23 12:43 <DIR> d-------- c:\program files\ASUS
2008-10-23 12:41 . 2008-09-08 10:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-23 12:41 . 2008-06-13 11:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-10-23 12:40 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-23 12:40 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-23 12:40 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-23 12:40 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-23 12:40 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-23 12:40 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-10-23 12:40 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-10-23 12:40 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-10-23 12:34 . 2008-11-15 03:00 <DIR> d--h----- c:\windows\$hf_mig$
2008-10-23 12:26 . 2008-07-07 20:26 253,952 -----c--- c:\windows\system32\dllcache\es.dll
2008-10-23 12:23 . 2008-10-23 12:23 <DIR> d-------- c:\program files\ASUSTeK
2008-10-23 12:22 . 2008-10-23 12:24 <DIR> d-------- c:\windows\nview
2008-10-23 12:22 . 2005-12-10 03:16 180,224 --a------ c:\windows\system32\NVUNINST.EXE
2008-10-23 12:22 . 2005-12-09 19:06 180,224 --a------ c:\windows\system32\nvudisp.exe
2008-10-23 12:22 . 2008-11-17 20:09 43,573 --a------ c:\windows\system32\nvapps.xml
2008-10-23 12:22 . 2005-12-09 19:06 16,356 --a------ c:\windows\system32\nvdisp.nvu
2008-10-23 12:21 . 2005-10-20 14:30 11,264 -r------- c:\windows\system32\drivers\EIO.sys
2008-10-23 12:10 . 2008-11-17 17:10 <DIR> d-------- c:\documents and settings\ron\Application Data\skypePM
2008-10-23 12:10 . 2008-10-23 12:10 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-10-23 12:09 . 2008-10-23 12:09 <DIR> d-------- c:\program files\Skype
2008-10-23 12:09 . 2008-10-23 12:09 <DIR> d-------- c:\program files\Common Files\Skype
2008-10-23 12:09 . 2008-11-17 20:36 <DIR> d-------- c:\documents and settings\ron\Application Data\Skype
2008-10-23 12:09 . 2008-10-23 12:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-10-23 12:01 . 2008-10-23 12:01 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-10-23 12:01 . 2008-10-23 12:01 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-10-23 12:01 . 2008-10-23 12:01 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-10-23 12:00 . 2008-11-17 08:30 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-10-23 12:00 . 2008-10-23 12:00 <DIR> d-------- c:\program files\AVG
2008-10-23 12:00 . 2008-10-23 12:17 <DIR> d-------- c:\documents and settings\ron\Application Data\AVGTOOLBAR
2008-10-23 12:00 . 2008-11-17 16:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 00:41 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-10-31 00:41 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-10-26 19:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 18:28 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:22 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-23 11:53 --------- d-----w c:\program files\Nero 7 Premium
2008-10-23 11:47 --------- d-----w c:\program files\Power Producer 4.0 + Serial (All real)
2008-10-23 11:35 --------- d-----w c:\program files\SSC Service Utility
2008-10-23 11:35 --------- d-----w c:\program files\Smart Projects
2008-10-23 11:35 --------- d-----w c:\program files\NoAdware4
2008-10-23 11:35 --------- d-----w c:\program files\CDex_150
2008-10-23 11:35 --------- d-----w c:\program files\Audacity
2008-10-23 11:15 --------- d-----w c:\program files\Intel
2008-10-23 11:10 --------- d-----w c:\program files\Realtek
2008-10-23 10:35 --------- d-----w c:\program files\microsoft frontpage
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2007-03-19 15:07 340 ----a-w c:\program files\Nero 7 Premium plus serial.txt
2006-08-23 16:14 2,323,706 ----a-w c:\program files\isobuster_eng.zip
2006-08-21 07:56 10,050,902 ----a-w c:\program files\Codecs6030_allin1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2005-12-15 1064960]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 94208]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-23 1234712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-09 86016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [2006-10-16 490496]
"Make A Voozie"="c:\documents and settings\All Users\Application Data\Make A Voozie\VoozieMaker.exe" [2008-02-20 64000]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2005-12-09 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-23 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-23 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-23 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-23 76040]
S3 Fs_rock2driv;Fs_rock2driv; []

*Newly Created Service* - PROCEXP90
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 20:39:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\ron\LOCALS~1\Temp\RGI1.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-11-17 20:40:15
ComboFix-quarantined-files.txt 2008-11-17 20:39:57

Pre-Run: 137,275,273,216 bytes free
Post-Run: 138,570,207,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

233 --- E O F --- 2008-11-15 03:02:22
noneckferret is offline  
Copyright 2001 - 2009, Tech Support Forum