borojamie Posted March 1, 2010 Author Posted March 1, 2010 ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.* > [2008/11/21 00:43:02 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm [2008/09/14 23:10:56 | 000,250,048 | RHS- | M] () -- C:\ntldr [2004/08/10 20:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM [2007/12/30 23:44:50 | 000,000,209 | RHS- | M] () -- C:\boot.ini [2006/08/18 21:54:18 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS [2006/08/18 22:41:54 | 000,000,050 | ---- | M] () -- C:\AUTOEXEC.BAT [2006/08/18 21:54:18 | 000,000,000 | RHS- | M] () -- C:\IO.SYS [2006/08/18 21:54:18 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS [2006/08/18 22:31:32 | 000,000,519 | ---- | M] () -- C:\RHDSetup.log [2006/08/19 08:27:58 | 000,000,084 | RHS- | M] () -- C:\Preload.aaa [2008/12/06 18:00:40 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm [1999/11/11 00:17:54 | 000,000,049 | ---- | M] () -- C:\MCE.TAG [2010/02/22 19:56:34 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys [2010/01/27 21:49:02 | 000,069,632 | ---- | M] () -- C:\2057.MST [2008/11/21 00:43:02 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm [2008/12/06 18:00:40 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm [2008/12/06 18:51:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm [2008/12/06 18:51:34 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm [2008/12/08 00:21:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm [2008/12/08 00:21:34 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm [2008/12/09 00:46:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm [2008/12/09 00:46:36 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm [2008/12/09 22:26:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm [2008/12/09 22:26:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm [2008/12/12 12:20:38 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm [2008/12/12 12:20:38 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm [2008/12/12 14:36:48 | 000,000,244 | -H-- | M] () -- 
C:\sqmnoopt09.sqm [2008/12/12 14:36:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm [2008/12/14 14:14:32 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm [2008/12/14 14:14:32 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm [2008/12/29 01:44:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm [2008/12/29 01:44:54 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm [2008/10/15 17:58:24 | 000,014,943 | ---- | M] () -- C:\ainstall.log [2008/10/16 23:57:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm [2008/10/16 23:57:10 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm [2008/11/05 22:31:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm [2008/11/05 22:31:54 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm [2008/11/06 20:43:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm [2008/11/06 20:43:34 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm [2008/11/09 15:55:06 | 000,000,268 | -H-- | M] () -- C:\sqmdata15.sqm [2008/11/09 15:55:06 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm [2008/11/10 00:00:04 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm [2008/11/10 00:00:04 | 000,000,268 | -H-- | M] () -- C:\sqmdata16.sqm [2008/11/11 00:47:00 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm [2008/11/11 00:47:00 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm [2008/11/12 23:40:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm [2008/11/12 23:40:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm [2008/11/17 00:48:02 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm [2008/11/17 00:48:02 | 000,000,268 | -H-- | M] () -- C:\sqmdata19.sqm [2009/02/04 07:21:50 | 000,006,324 | ---- | M] () -- C:\analyse-it.log [2010/01/27 21:47:26 | 000,013,752 | ---- | M] () -- C:\0x0809.ini [2010/01/27 21:49:30 | 099,516,416 | ---- | M] () -- C:\Samsung New PC Studio.msi [2010/02/22 19:56:34 | 1071,763,456 | -HS- | M] () -- C:\hiberfil.sys [2008/05/05 19:45:04 | 000,008,147 | ---- | M] () -- C:\NTFY_CD.LOG [2008/11/19 01:16:56 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm 
[2008/11/19 01:16:56 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm [2008/11/20 17:55:20 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm [2008/11/20 17:55:20 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm [2008/06/19 15:05:48 | 000,000,074 | ---- | M] () -- C:\CMLoader.log < MD5 for: AGP440.SYS > [2004/08/10 20:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys [2008/11/28 19:02:16 | 023,852,652 | ---- | M] () .cab file -- C:\I386\sp3.cab:AGP440.sys [2008/09/14 23:04:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\$NtServicePackUninstall$\sp3.cab:AGP440.sys [2004/08/10 20:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys [2008/11/28 19:02:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys [2008/09/14 23:04:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:AGP440.sys [2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys [2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys [2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys [2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys < MD5 for: ATAPI.SYS > [2004/08/10 20:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys [2008/11/28 19:02:16 | 023,852,652 | ---- | M] () .cab file -- C:\I386\sp3.cab:atapi.sys [2008/09/14 23:04:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\$NtServicePackUninstall$\sp3.cab:atapi.sys [2004/08/10 20:00:00 | 016,971,599 | 
---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys [2008/11/28 19:02:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys [2008/09/14 23:04:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:atapi.sys [2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys [2004/08/10 20:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys [2004/08/10 20:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys [2008/04/13 19:40:30 | 000,096,512 | ---- | M] () MD5=E1E70D9EE75B81589F389E6D3BFD8C9E -- C:\WINDOWS\system32\drivers\atapi.sys < MD5 for: EVENTLOG.DLL > [2008/04/14 01:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll [2008/04/14 01:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll [2008/04/14 01:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll [2004/08/10 20:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll < MD5 for: NETLOGON.DLL > [2008/04/14 01:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- 
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll [2008/04/14 01:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll [2008/04/14 01:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll [2004/08/10 20:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll < MD5 for: SCECLI.DLL > [2004/08/10 20:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll [2008/04/14 01:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll [2008/04/14 01:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll [2008/04/14 01:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll < %systemroot%\*. /mp /s > < %systemroot%\System32\config\*.sav > [2006/08/18 21:39:44 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav [2006/08/18 21:39:44 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav [2006/08/18 21:39:44 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav < End of report > Quote
Starbuck Posted March 1, 2010 Posted March 1, 2010 Hi borojamie. Give me a little time to go through all this and I'll get back to you as soon as I can. Thanks Quote Member of:UNITE
borojamie Posted March 1, 2010 Author Posted March 1, 2010 no probs mate thanks for your help so far :-) jamie Quote
Starbuck Posted March 2, 2010 Posted March 2, 2010 Hi borojamie Ok, you don't need me to tell you that your pc is very infected. Some of the files found may well have been trying to steal your details, so it may be in your best interest to think about a reformat and re-install. This fix should knock a big hole in the malware and give us a chance for you to think about things and maybe save what you want from your system. Open Notepad - it must be Notepad, not Wordpad. Copy the text below in the code box by highlighting all the text and pressing Ctrl+C (make sure you include the first lot of : ) :Otl IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found. O2 - BHO: (Internet Explorer Plugin) - {1DAA3B2E-65DF-4DA6-83C1-50B52ECD0E55} - C:\WINDOWS\System32\duivqwenq8.dll (Rox) O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found. O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [bisosonew] C:\WINDOWS\System32\jozavuyo.DLL () O4 - HKLM..\Run: [nonep] C:\Documents and Settings\Jamie Panico\Local Settings\Temp\miu6C.tmp.exe () O4 - HKU\Jamie_Panico_ON_C..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\setup.exe File not found O9 - Extra Button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - Reg Error: Value error. File not found O9 - Extra 'Tools' menuitem : PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - Reg Error: Value error. File not found O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.) 
O20 - AppInit_DLLs: (pulasiya.dll) - C:\WINDOWS\System32\pulasiya.dll () O20 - AppInit_DLLs: (c:\windows\system32\jozavuyo.dll) - C:\WINDOWS\system32\jozavuyo.dll () O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\system32\sdra64.exe (Uzxepyilpoy) O21 - SSODL: wulinuned - {5156fb13-d1e6-451c-9839-5e758268ec36} - C:\WINDOWS\system32\jozavuyo.dll () O22 - SharedTaskScheduler: {5156fb13-d1e6-451c-9839-5e758268ec36} - kupuhivus - C:\WINDOWS\system32\jozavuyo.dll () [2010/02/22 23:22:41 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\duivqwenq8.dll [2010/02/22 22:45:09 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\byxo7.dll [2010/02/21 20:13:36 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\svsnjleie4.dll [2010/02/18 01:08:47 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec [2010/02/23 23:02:38 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\rireluho [2010/02/23 23:00:08 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\agtttnsf.job [2010/02/23 17:21:08 | 000,093,184 | -HS- | M] () -- C:\WINDOWS\System32\jozavuyo.dll [2010/02/23 17:21:08 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\kiyerili.dll [2010/02/22 23:22:44 | 000,022,568 | ---- | M] () -- C:\WINDOWS\System32\hzriuq [2010/02/22 23:22:42 | 000,049,664 | ---- | M] () -- C:\WINDOWS\System32\svae.jpg [2010/02/22 19:03:36 | 000,093,696 | -HS- | M] () -- C:\WINDOWS\System32\dorehimo.dll [2010/02/22 19:03:36 | 000,070,656 | -HS- | M] () -- C:\WINDOWS\System32\wobowedi.dll [2010/02/22 19:03:36 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\guwinoda.dll [2010/02/22 07:03:14 | 000,092,672 | -HS- | M] () -- C:\WINDOWS\System32\begajetu.dll [2010/02/22 07:03:14 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\nupuyuho.dll [2010/02/21 20:13:38 | 000,016,241 | ---- | M] () -- C:\WINDOWS\System32\jwespw [2010/02/21 19:05:46 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\kayugibu.dll [2010/02/21 19:05:44 | 000,053,760 | -HS- | M] () -- 
C:\WINDOWS\System32\pulasiya.dll [2010/02/21 19:05:44 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\hofohulu.dll [2010/02/21 19:05:00 | 000,092,672 | -HS- | M] () -- C:\WINDOWS\System32\zuseyubu.dll [2010/02/21 19:05:00 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\dasulelo.dll [2010/02/21 19:05:00 | 000,045,568 | -HS- | M] () -- C:\WINDOWS\System32\bebufizu.dll [2010/02/21 19:05:00 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\wipotazi.dll [2010/02/18 20:16:32 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\rogavove.dll [2010/02/18 20:16:32 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\funebaro.dll [2010/02/18 20:16:24 | 000,057,344 | -HS- | M] () -- C:\WINDOWS\System32\bavopipi.dll [2010/02/18 20:16:24 | 000,045,568 | -HS- | M] () -- C:\WINDOWS\System32\sudimiyi.dll [2010/02/18 16:58:06 | 000,039,424 | ---- | M] () -- C:\WINDOWS\System32\bahezefi.dll [2010/02/18 16:58:00 | 000,093,184 | ---- | M] () -- C:\WINDOWS\System32\zenemala.dll [2010/02/16 00:35:46 | 000,210,432 | ---- | M] () -- C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/02/18 01:08:33 | 000,005,748 | -HS- | C] () -- C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\Q8T6845 :Files c:\documents and settings\jamie panico\local settings\temp\ygkafmgx.exe c:\documents and settings\jamie panico\local settings\temp\vwwixjz.exe c:\documents and settings\jamie panico\local settings\temp\msinits.exe c:\documents and settings\jamie panico\local settings\temp\c4531278.tmp c:\documents and settings\jamie panico\local settings\temp\e.exe c:\windows\system32\penarutu.dll.tmp c:\windows\system32\bevimahu.dll.tmp c:\windows\system32\perohapi.dll.tmp c:\documents and settings\jamie panico\local settings\temp\mdm.exe c:\documents and settings\jamie panico\local settings\temp\notepad.exe Go to the Notepad window and click Edit >> Paste Then click File >> Save Name the file... 
fix.txt Save the file to a USB stick. Start OTLPE as you did previously from CD Insert your USB drive with fix.txt on it Start OTLPE Drag and drop fix.txt into the Custom scans and fixes box If you cannot drag and drop for some reason. Then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive Then click the Run Fix button at the top Let the program run unhindered, reboot when it is done to normal mode if possible Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time ) Quote Member of:UNITE
borojamie Posted March 2, 2010 Author Posted March 2, 2010 Cheers Starbuck, I have ran the fix which unfortunately came up with some errors I have attached the error log below. I am just rebooting my system now. Attempting windows OS first. Thanks again for your help Error: Unable to interpret <O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)> in the current context! Error: Unable to interpret <O20 - AppInit_DLLs: (pulasiya.dll) - C:\WINDOWS\System32\pulasiya.dll ()> in the current context! Error: Unable to interpret <O20 - AppInit_DLLs: (c:\windows\system32\jozavuyo.dll) - C:\WINDOWS\system32\jozavuyo.dll ()> in the current context! Error: Unable to interpret <O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\system32\sdra64.exe (Uzxepyilpoy)> in the current context! Error: Unable to interpret <O21 - SSODL: wulinuned - {5156fb13-d1e6-451c-9839-5e758268ec36} - C:\WINDOWS\system32\jozavuyo.dll ()> in the current context! Error: Unable to interpret <O22 - SharedTaskScheduler: {5156fb13-d1e6-451c-9839-5e758268ec36} - kupuhivus - C:\WINDOWS\system32\jozavuyo.dll ()> in the current context! Error: Unable to interpret <[2010/02/22 23:22:41 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\duivqwenq8.dll> in the current context! Error: Unable to interpret <[2010/02/22 22:45:09 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\byxo7.dll> in the current context! Error: Unable to interpret <[2010/02/21 20:13:36 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\svsnjleie4.dll> in the current context! Error: Unable to interpret <[2010/02/18 01:08:47 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec> in the current context! Error: Unable to interpret <[2010/02/23 23:02:38 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\rireluho> in the current context! 
Error: Unable to interpret <[2010/02/23 23:00:08 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\agtttnsf.job> in the current context! Error: Unable to interpret <[2010/02/23 17:21:08 | 000,093,184 | -HS- | M] () -- C:\WINDOWS\System32\jozavuyo.dll> in the current context! Error: Unable to interpret <[2010/02/23 17:21:08 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\kiyerili.dll> in the current context! Error: Unable to interpret <[2010/02/22 23:22:44 | 000,022,568 | ---- | M] () -- C:\WINDOWS\System32\hzriuq> in the current context! Error: Unable to interpret <[2010/02/22 23:22:42 | 000,049,664 | ---- | M] () -- C:\WINDOWS\System32\svae.jpg> in the current context! Error: Unable to interpret <[2010/02/22 19:03:36 | 000,093,696 | -HS- | M] () -- C:\WINDOWS\System32\dorehimo.dll> in the current context! Error: Unable to interpret <[2010/02/22 19:03:36 | 000,070,656 | -HS- | M] () -- C:\WINDOWS\System32\wobowedi.dll> in the current context! Error: Unable to interpret <[2010/02/22 19:03:36 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\guwinoda.dll> in the current context! Error: Unable to interpret <[2010/02/22 07:03:14 | 000,092,672 | -HS- | M] () -- C:\WINDOWS\System32\begajetu.dll> in the current context! Error: Unable to interpret <[2010/02/22 07:03:14 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\nupuyuho.dll> in the current context! Error: Unable to interpret <[2010/02/21 20:13:38 | 000,016,241 | ---- | M] () -- C:\WINDOWS\System32\jwespw> in the current context! Error: Unable to interpret <[2010/02/21 19:05:46 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\kayugibu.dll> in the current context! Error: Unable to interpret <[2010/02/21 19:05:44 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\pulasiya.dll> in the current context! Error: Unable to interpret <[2010/02/21 19:05:44 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\hofohulu.dll> in the current context! 
Error: Unable to interpret <[2010/02/21 19:05:00 | 000,092,672 | -HS- | M] () -- C:\WINDOWS\System32\zuseyubu.dll> in the current context! Error: Unable to interpret <[2010/02/21 19:05:00 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\dasulelo.dll> in the current context! Error: Unable to interpret <[2010/02/21 19:05:00 | 000,045,568 | -HS- | M] () -- C:\WINDOWS\System32\bebufizu.dll> in the current context! Error: Unable to interpret <[2010/02/21 19:05:00 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\wipotazi.dll> in the current context! Error: Unable to interpret <[2010/02/18 20:16:32 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\rogavove.dll> in the current context! Error: Unable to interpret <[2010/02/18 20:16:32 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\funebaro.dll> in the current context! Error: Unable to interpret <[2010/02/18 20:16:24 | 000,057,344 | -HS- | M] () -- C:\WINDOWS\System32\bavopipi.dll> in the current context! Error: Unable to interpret <[2010/02/18 20:16:24 | 000,045,568 | -HS- | M] () -- C:\WINDOWS\System32\sudimiyi.dll> in the current context! Error: Unable to interpret <[2010/02/18 16:58:06 | 000,039,424 | ---- | M] () -- C:\WINDOWS\System32\bahezefi.dll> in the current context! Error: Unable to interpret <[2010/02/18 16:58:00 | 000,093,184 | ---- | M] () -- C:\WINDOWS\System32\zenemala.dll> in the current context! Error: Unable to interpret <[2010/02/16 00:35:46 | 000,210,432 | ---- | M] () -- C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini> in the current context! Error: Unable to interpret <[2010/02/18 01:08:33 | 000,005,748 | -HS- | C] () -- C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\Q8T6845> in the current context! ========== FILES ========== c:\documents and settings\jamie panico\local settings\temp\ygkafmgx.exe moved successfully. 
c:\documents and settings\jamie panico\local settings\temp\vwwixjz.exe moved successfully. c:\documents and settings\jamie panico\local settings\temp\msinits.exe moved successfully. c:\documents and settings\jamie panico\local settings\temp\c4531278.tmp moved successfully. c:\documents and settings\jamie panico\local settings\temp\e.exe moved successfully. c:\windows\system32\penarutu.dll.tmp moved successfully. c:\windows\system32\bevimahu.dll.tmp moved successfully. c:\windows\system32\perohapi.dll.tmp moved successfully. File\Folder c:\documents and settings\jamie panico\local settings\temp\mdm.exe not found. File\Folder c:\documents and settings\jamie panico\local settings\temp\notepad.exe not found. OTLPE by OldTimer - Version 3.1.30.3 log created on 03022010_122552 Quote
borojamie Posted March 2, 2010 Author Posted March 2, 2010 Hi Starbuck, my laptop has now loaded up the Windows OS without looping. Quote
borojamie Posted March 2, 2010 Author Posted March 2, 2010 Exe files all appear workable and I have an internet connection. McAfee has found and blocked a trojan. Should I download OTLPE to my Windows OS, as it is only accessible through running the Reatogo OS? Quote
Starbuck Posted March 2, 2010 Posted March 2, 2010 I have ran the fix which unfortunately came up with some errors I have attached the error log below. This would normally happen if you forgot to add the : before Otl in the fix. As you can run the OS, try this: Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop. Link 1 Link 2 http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif This is an example; you may rename ComboFix to anything you want. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix. For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs Then: Double click on Combo-Fix.exe & follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. If running Vista, you may not see this screen. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: http://img.photobucket.com/albums/v706/ried7/whatnext.png Click on Yes to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Note: Do not mouse-click ComboFix's window while it's running; that may cause it to stall. Quote Member of:UNITE
borojamie Posted March 2, 2010 Author Posted March 2, 2010 Hi mate, I have just got back to try and download ComboFix and my computer will not reboot. I have started the steps above again, ensuring I started the OTLPE fix with the :, and I have an error message halfway through saying access violation at address 0059a803 in module 'OTLPE.exe'. Read of address 00000000. Once I confirm this I get the option to rerun the fix. I have attached the log below; however, upon completion of this I cannot re-enter the normal Windows OS. Sorry, it seems I have gone backwards! :-( 03022010_174958.txt Quote
Starbuck Posted March 2, 2010 Posted March 2, 2010 Re-run OTLPE again, only this time just click on 'Scan' — don't run a fix. Let me have the report that comes up. Thanks. Quote Member of:UNITE
borojamie Posted March 2, 2010 Author Posted March 2, 2010 OLT.TXT cheers Bud Sorry bowt that mate. PSA cheers Quote
borojamie Posted March 2, 2010 Author Posted March 2, 2010 Mate, teh file is massive so the first part is attached below thanks OTL logfile created on: 3/2/2010 6:51:52 PM - Run OTLPE by OldTimer - Version 3.1.30.3 Folder = X:\Programs\OTLPE Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1,022.00 Mb Total Physical Memory | 781.00 Mb Available Physical Memory | 76.00% Memory free 906.00 Mb Paging File | 839.00 Mb Available in Paging File | 93.00% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 53.20 Gb Total Space | 7.27 Gb Free Space | 13.67% Space Free | Partition Type: FAT32 D: Drive not present or media not loaded Drive E: | 53.69 Gb Total Space | 10.33 Gb Free Space | 19.25% Space Free | Partition Type: FAT32 F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS Computer Name: REATOGO Current User Name: SYSTEM Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard Using ControlSet: ControlSet002 ========== Win32 Services (SafeList) ========== SRV - File not found [On_Demand] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental) SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service) SRV - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) 
[On_Demand] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service) SRV - [2009/11/04 15:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon) SRV - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc) SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService) SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS) SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield) SRV - [2009/08/29 16:11:10 | 000,133,104 | ---- | M] (Google Inc.) [Auto] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca28baf7cbe6a6) Google Update Service (gupdate1ca28baf7cbe6a6) SRV - [2009/07/08 20:22:22 | 000,068,112 | ---- | M] (McAfee) [On_Demand] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor) SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service) SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy) SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc) SRV - [2009/06/05 11:48:14 | 000,144,712 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device) SRV - [2009/04/07 09:39:44 | 000,233,472 | ---- | M] (Teruten) [Auto] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService) SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) 
[Auto] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service) SRV - [2008/04/17 22:56:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service) SRV - [2008/04/14 01:11:56 | 000,028,160 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\irmon.dll -- (Irmon) SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2008/01/11 19:49:06 | 000,122,880 | ---- | M] (Sony DADC Austria AG.) [Auto] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7) SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc) SRV - [2006/12/15 04:01:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01) SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend) SRV - [2006/07/20 05:58:00 | 000,143,426 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc) SRV - [2006/06/23 10:40:58 | 000,086,016 | ---- | M] (Logitech) [Auto] -- c:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv) SRV - [2006/05/18 16:52:06 | 000,049,152 | ---- | M] (Hewlett-Packard Company) [Auto] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService) SRV - [2005/11/28 11:31:32 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel® SRV - [2005/11/28 11:29:00 | 000,114,753 | ---- | M] (Intel Corporation) [Auto] -- C:\Program 
Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel® SRV - [2005/11/28 11:28:14 | 000,217,164 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel® SRV - [2005/10/24 16:40:52 | 001,314,816 | ---- | M] (Avocent Inc.) [Auto] -- C:\Acer\Empowering Technology\admServ.exe -- (AWService) SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT) SRV - [2005/03/10 00:49:52 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService) SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)OTL.Txt Quote
Starbuck Posted March 2, 2010 Posted March 2, 2010 Hi borojamie Because the first part of the last fix didn't run correctly, the malware has re-spawned. I'll go through everything and write a fresh fix. Back later. Quote Member of:UNITE
borojamie Posted March 2, 2010 Author Posted March 2, 2010 Starbuck, Thanks for your help and patience. I double checked the copied fix file and it started with the ':', however it had a blank text line before the copied file?? I can still take all media and MS Office files off my hard disk, McAfee, and make a note of all the software I have on (not much: PSP media converters, MS Office, a handful of games and Photoshop), all of which I have discs for. So if it's easier to reset to factory settings I can try that. If so, am I safe to drag and drop folders, or would it be best just to choose specific files / extensions to avoid cross contamination? Thanks again for your help mate Quote
Starbuck Posted March 2, 2010 Posted March 2, 2010 Hi borojamie however had a blank text line before the file copied?? yep, make sure that :Otl is on the first line. So if its easier to reset to factory settings i can try that. Let's give this new fix a try and if we get nowhere.... we can always fall back on that. If so am i safe to drag and drop folders or would it be best just to chose specific files / exts? to avoid cross contamination? Just take what is necessary and also make sure you scan everything before putting it back on. I've re-written the fix (slightly different this time) Give it a try, i'll also add an attachment if it makes things easier for you. Open Notepad - it must be Notepad, not Wordpad. Copy the text below in the code box by highlighting all the text and pressing Ctrl+C :Otl O21 - SSODL: kedilizos - {80ee93a7-48fb-47e4-acb5-3a5b1de435cb} - C:\WINDOWS\system32\jukabama.dll () O21 - SSODL: wulinuned - {5156fb13-d1e6-451c-9839-5e758268ec36} - C:\WINDOWS\System32\jozavuyo.dll File not found O22 - SharedTaskScheduler: {5156fb13-d1e6-451c-9839-5e758268ec36} - kupuhivus - C:\WINDOWS\System32\jozavuyo.dll File not found O22 - SharedTaskScheduler: {80ee93a7-48fb-47e4-acb5-3a5b1de435cb} - mujuzedij - C:\WINDOWS\system32\jukabama.dll () :Files C:\WINDOWS\System32\lowsec C:\WINDOWS\System32\pulasiya.dll C:\WINDOWS\System32\jozavuyo.dll C:\WINDOWS\system32\jukabama.dll C:\WINDOWS\system32\sdra64.exe C:\WINDOWS\System32\rireluho C:\WINDOWS\System32\nynw.wmo C:\WINDOWS\tasks\twkotokz.job C:\WINDOWS\System32\jukabama.dll C:\WINDOWS\System32\polekove.dll C:\WINDOWS\System32\nudeleze.dll C:\WINDOWS\System32\dijanumo.dll C:\WINDOWS\System32\kiyerili.dll C:\WINDOWS\System32\hzriuq C:\WINDOWS\System32\guwinoda.dll C:\WINDOWS\System32\begajetu.dll C:\WINDOWS\System32\nupuyuho.dll C:\WINDOWS\System32\jwespw C:\WINDOWS\System32\svae.jpg C:\WINDOWS\System32\kayugibu.dll C:\WINDOWS\System32\hofohulu.dll C:\WINDOWS\System32\bebufizu.dll 
C:\WINDOWS\System32\zuseyubu.dll C:\WINDOWS\System32\dasulelo.dll C:\WINDOWS\System32\wipotazi.dll C:\WINDOWS\System32\rogavove.dll C:\WINDOWS\System32\funebaro.dll C:\WINDOWS\System32\bavopipi.dll C:\WINDOWS\System32\sudimiyi.dll C:\WINDOWS\System32\bahezefi.dll C:\WINDOWS\System32\zenemala.dll C:\WINDOWS\System32\rireluho C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\Q8T6845 C:\WINDOWS\xobglu16.dll :Reg [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "appinit_dlls"="" :Commands [purity] [emptytemp] [Reboot] Go to the Notepad window and click Edit >> Paste Then click File >> Save Name the file fix.txt Save the file to a USB stick. Start OTLPE as you did previously from CD Insert your USB drive with fix.txt on it Start OTLPE Drag and drop fix.txt into the Custom scans and fixes box If you cannot drag and drop for some reason. Then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive Then click the Run Fix button at the top Let the program run unhindered, reboot when it is done to normal mode if possible Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time ) Thanksfix.txt Quote Member of:UNITE
borojamie Posted March 2, 2010 Author Posted March 2, 2010 :-) thanks for that mate, worked fine this time. I've rerun the OTL report but had to do it in REATOGO because OTL is not loaded on my Windows OS. I've attached the report with the first bit below as it is over 2kb. cheers jamie OTL logfile created on: 3/2/2010 11:00:01 PM - Run OTLPE by OldTimer - Version 3.1.30.3 Folder = X:\Programs\OTLPE Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1,022.00 Mb Total Physical Memory | 781.00 Mb Available Physical Memory | 76.00% Memory free 906.00 Mb Paging File | 835.00 Mb Available in Paging File | 92.00% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 53.20 Gb Total Space | 7.38 Gb Free Space | 13.87% Space Free | Partition Type: FAT32 Drive D: | 963.73 Mb Total Space | 963.48 Mb Free Space | 99.97% Space Free | Partition Type: FAT Drive E: | 53.69 Gb Total Space | 10.33 Gb Free Space | 19.25% Space Free | Partition Type: FAT32 F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS Computer Name: REATOGO Current User Name: SYSTEM Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard Using ControlSet: ControlSet002 ========== Win32 Services (All) ========== SRV - File not found [On_Demand] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental) SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) 
[Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service) SRV - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service) SRV - [2009/11/04 15:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon) SRV - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc) SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService) SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS) SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield) SRV - [2009/08/29 16:11:10 | 000,133,104 | ---- | M] (Google Inc.) [Auto] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca28baf7cbe6a6) Google Update Service (gupdate1ca28baf7cbe6a6) SRV - [2009/07/08 20:22:22 | 000,068,112 | ---- | M] (McAfee) [On_Demand] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor) SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service) SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy) SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc) SRV - [2009/06/10 07:14:50 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation) SRV - [2009/06/05 11:48:14 | 000,144,712 | ---- | M] (Apple Inc.) 
[Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device) SRV - [2009/04/07 09:39:44 | 000,233,472 | ---- | M] (Teruten) [Auto] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService) SRV - [2009/02/09 08:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi) SRV - [2009/02/09 08:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs) Remote Procedure Call (RPC) SRV - [2009/02/09 08:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\rpcss.dll -- (DcomLaunch) SRV - [2009/02/06 07:11:06 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\services.exe -- (PlugPlay) SRV - [2009/02/06 07:11:06 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\services.exe -- (Eventlog) SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) 
[Auto] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service) SRV - [2008/07/29 21:10:04 | 000,046,104 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0) SRV - [2008/07/29 19:24:50 | 000,881,664 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc) SRV - [2008/07/29 19:16:38 | 000,132,096 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing) SRV - [2008/07/25 11:17:02 | 000,069,632 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) SRV - [2008/07/25 11:16:40 | 000,034,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state) SRV - [2008/07/07 21:26:58 | 000,253,952 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\es.dll -- (EventSystem) SRV - [2008/06/20 18:46:58 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\mswsock.dll -- (Nla) Network Location Awareness (NLA) SRV - [2008/04/17 22:56:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) 
[On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service) SRV - [2008/04/14 01:12:40 | 000,126,464 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\wbem\wmiapsrv.exe -- (WmiApSrv) SRV - [2008/04/14 01:12:38 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\vssvc.exe -- (VSS) SRV - [2008/04/14 01:12:38 | 000,073,216 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\tlntsvr.exe -- (TlntSvr) SRV - [2008/04/14 01:12:38 | 000,018,432 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\ups.exe -- (UPS) SRV - [2008/04/14 01:12:36 | 000,089,600 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\smlogsvc.exe -- (SysmonLog) SRV - [2008/04/14 01:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler) SRV - [2008/04/14 01:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\svchost.exe -- (HidServ) SRV - [2008/04/14 01:12:34 | 000,141,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\sessmgr.exe -- (RDSessMgr) SRV - [2008/04/14 01:12:34 | 000,095,744 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\scardsvr.exe -- (SCardSvr) SRV - [2008/04/14 01:12:30 | 000,111,104 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\netdde.exe -- (NetDDEdsdm) SRV - [2008/04/14 01:12:30 | 000,111,104 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\netdde.exe -- (NetDDE) SRV - [2008/04/14 01:12:28 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer) SRV - [2008/04/14 01:12:28 | 000,006,144 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\msdtc.exe -- (MSDTC) SRV - [2008/04/14 01:12:26 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand] -- 
C:\WINDOWS\system32\mnmsrvc.exe -- (mnmsrvc) SRV - [2008/04/14 01:12:24 | 000,075,264 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\locator.exe -- (RpcLocator) Remote Procedure Call (RPC) SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lsass.exe -- (SamSs) SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage) SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent) SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\lsass.exe -- (NtLmSsp) SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon) SRV - [2008/04/14 01:12:22 | 000,267,776 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\fxssvc.exe -- (Fax) SRV - [2008/04/14 01:12:22 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService) SRV - [2008/04/14 01:12:18 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin) SRV - [2008/04/14 01:12:18 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv) SRV - [2008/04/14 01:12:18 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\System32\dllhost.exe -- (COMSysApp) SRV - [2008/04/14 01:12:14 | 000,033,280 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv) SRV - [2008/04/14 01:12:14 | 000,005,632 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\cisvc.exe -- (CiSvc) SRV - [2008/04/14 01:12:12 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC) SRV - [2008/04/14 
01:12:12 | 000,129,024 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\xmlprov.dll -- (xmlprov) SRV - [2008/04/14 01:12:12 | 000,044,544 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\alg.exe -- (ALG) SRV - [2008/04/14 01:12:12 | 000,006,656 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv) SRV - [2008/04/14 01:12:10 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt) SRV - [2008/04/14 01:12:10 | 000,080,896 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc) SRV - [2008/04/14 01:12:08 | 000,333,824 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc) Windows Image Acquisition (WIA) SRV - [2008/04/14 01:12:08 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv) SRV - [2008/04/14 01:12:08 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\upnphost.dll -- (upnphost) SRV - [2008/04/14 01:12:08 | 000,175,104 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\w32time.dll -- (W32Time) SRV - [2008/04/14 01:12:08 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\srsvc.dll -- (srservice) SRV - [2008/04/14 01:12:08 | 000,096,768 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver) SRV - [2008/04/14 01:12:08 | 000,090,112 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\trkwks.dll -- (TrkWks) SRV - [2008/04/14 01:12:08 | 000,071,680 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\ssdpsrv.dll -- (SSDPSRV) SRV - [2008/04/14 01:12:08 | 000,068,096 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\webclnt.dll -- (WebClient) SRV - [2008/04/14 01:12:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand] -- 
C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter) SRV - [2008/04/14 01:12:06 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule) SRV - [2008/04/14 01:12:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes) SRV - [2008/04/14 01:12:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection) SRV - [2008/04/14 01:12:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility) SRV - [2008/04/14 01:12:06 | 000,039,424 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\sens.dll -- (SENS) SRV - [2008/04/14 01:12:06 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon) SRV - [2008/04/14 01:12:04 | 000,409,088 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\qmgr.dll -- (BITS) SRV - [2008/04/14 01:12:04 | 000,291,328 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\qagentrt.dll -- (napagent) SRV - [2008/04/14 01:12:04 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan) SRV - [2008/04/14 01:12:04 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto) SRV - [2008/04/14 01:12:04 | 000,059,904 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\regsvc.dll -- (RemoteRegistry) SRV - [2008/04/14 01:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc) SRV - [2008/04/14 01:12:02 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\netman.dll -- (Netman) SRV - [2008/04/14 01:12:02 | 000,038,400 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc) SRV - [2008/04/14 01:12:00 | 000,033,792 
| ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\msgsvc.dll -- (Messenger) SRV - [2008/04/14 01:11:58 | 000,053,248 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\mprdim.dll -- (RemoteAccess) SRV - [2008/04/14 01:11:56 | 000,331,264 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess) Windows Firewall/Internet Connection Sharing (ICS) SRV - [2008/04/14 01:11:56 | 000,061,440 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\kmsvc.dll -- (hkmsvc) SRV - [2008/04/14 01:11:56 | 000,028,160 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\irmon.dll -- (Irmon) SRV - [2008/04/14 01:11:56 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts) SRV - [2008/04/14 01:11:54 | 000,023,040 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\ersvc.dll -- (ERSvc) SRV - [2008/04/14 01:11:52 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc) SRV - [2008/04/14 01:11:52 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp) SRV - [2008/04/14 01:11:52 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc) SRV - [2008/04/14 01:11:52 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache) SRV - [2008/04/14 01:11:52 | 000,033,792 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost) SRV - [2008/04/14 01:11:52 | 000,023,552 | ---- | M] (Microsoft Corp.) 
[Auto] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver) SRV - [2008/04/14 01:11:50 | 000,167,936 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\appmgmts.dll -- (AppMgmt) SRV - [2008/04/14 01:11:50 | 000,077,824 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\browser.dll -- (Browser) SRV - [2008/04/14 01:11:50 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv) SRV - [2008/04/14 01:11:50 | 000,030,208 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\bthserv.dll -- (BthServ) SRV - [2008/04/14 01:11:50 | 000,017,408 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\alrsvc.dll -- (Alerter) SRV - [2008/04/14 01:11:48 | 000,100,352 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\6to4svc.dll -- (6to4) SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2008/01/11 19:49:06 | 000,122,880 | ---- | M] (Sony DADC Austria AG.) [Auto] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7) SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc) SRV - [2006/12/15 04:01:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01) SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend) SRV - [2006/10/18 21:47:16 | 000,027,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\MsPMSNSv.dll -- (WmdmPmSN)OTL.Txt Quote
Starbuck Posted March 2, 2010 Posted March 2, 2010 Hi borojamie Nice work :) Now try the previous instructions for ComboFix. Let's see if we can get that to run. I'm working away for the next 2 days, so won't be able to answer as much. Quote Member of:UNITE
borojamie Posted March 2, 2010 Author Posted March 2, 2010 :-( sorry mate, it's still looping the reboot sequence now and won't go back into Windows; I have tried Safe Mode too and nothing :-( Quote
Starbuck Posted March 3, 2010 Posted March 3, 2010 Hi borojamie The only problem with running scans and fixes in a PE environment is that we can't see any of the processes that would be running under the installed Windows. If there's a malicious process, we can't detect it. This may be what's happening here. Without being able to get a scan done whilst Windows is running we could end up going around in circles. It's odd that we clear out all the bad files we can see, but the problem continues. Just to point one thing out to you: Drive C: | 53.20 Gb Total Space | 7.38 Gb Free Space | 13.87% Space Free | Partition Type: FAT32 Drive D: | 963.73 Mb Total Space | 963.48 Mb Free Space | 99.97% Space Free | Partition Type: FAT Drive E: | 53.69 Gb Total Space | 10.33 Gb Free Space | 19.25% Space Free | Partition Type: FAT32 Running FAT32 is very insecure nowadays. If you did decide to go with a reformat/re-install .... make sure that you reformat the system to NTFS. It's a lot more secure and will give you a lot of added security features, such as per-file access permissions, which FAT32 does not support. Quote Member of:UNITE
borojamie Posted March 4, 2010 Author Posted March 4, 2010 ok mate, if I could get into Windows again I could download OTL, although that said I am happy to reset to factory settings if it's easier. I don't know if that will give me access to format the C: drive as NTFS, or whether the Ctrl+Alt+F10 recovery just does it automatically. Can you advise a reasonable virus checker, as I have now had 2 serious dramas with McAfee. I had NOD32 a while ago but this also let a virus through. I think Norton is too much of a drain and limits too much stuff — is this true? Thanks for your help mate Quote
borojamie Posted March 4, 2010 Author Posted March 4, 2010 sorry Starbuck, please can I check: should REATOGO fire out popups for WindowBlinds?? As the OS is loaded from CD I would have thought no virus could impair this? Quote
borojamie Posted March 4, 2010 Author Posted March 4, 2010 God Starbuck, I'm a nuisance! :-( sorry mate. I've plugged a brand new WD Passport 320GB portable HD into my infected machine whilst in the REATOGO OS and it registers and allows me to see the drive, but says there is 569MB used on the drive and 0KB available to use, so unfortunately I cannot back up my files :-( Sorry to be a pain in the ass mate Quote
Starbuck Posted March 4, 2010 Posted March 4, 2010 Hi borojamie, Ok, let's see what we have: please can i check should reatogo fire out popups for windows blinds?? Rea2Go uses WindowBlinds when creating the PE environment. It's just a skin option that can be set. I haven't seen that message come up any of the times I've run the CD, so I'm not sure why it would come up. But it's nothing to worry about. if i could get into windows again i could download OTL, although that said i am happy to reset to factory settings if its easier. I dont know if that will give me access to format the c: in NFTS or the ctrl alt F10 just does it automatically. Our first concern is always to try and clean a machine; if that isn't possible or it's an inconvenience for the member.... then a reformat/reinstall is the answer. Do you have a 'Windows installation' disc? Or is your backup on a partition on the hard drive? Let me have your PC make and model ... and I'll look the info up for you. Can you advise a reasonable virus checker as i have now had 2 serious dramas with mcafee. I had nod32 a while ago but this also let a virus through. No problem, I can give you this and other security info when you are ready. Please remember though... All security programs are good up to a point. There isn't a single program that can stop everything. The security vendors can only add definitions for what they have available. The bad guys are getting good at hiding their programs, so it takes the security vendors longer to find out what to block. Quote Member of:UNITE
borojamie Posted March 4, 2010 Author Posted March 4, 2010 Cheers for your help mate, I've got an Acer Aspire 5633WLMi laptop. I can't find my original start-up backup disk (I'm in the air force, so assume it's at my house rather than up here at camp). I have asked my gf to bring it up with her this weekend. Thanks for your help. I've now got OTLPE on CD too, so will be able to open it in Windows once we can stop the looping. Would you like me to go back to the first OTLPE scan and post the report? Is there a setting in REATOGO for me to allow read-write access on my portable HD, as I cannot write files to it for some reason despite it working on my other system? Hope everything's going well down there, I was hoping to get down to Wales this weekend for the Cardiff - Boro match but unfortunately I'm stuck on duty :-( Thanks again for your help mate Quote
borojamie Posted March 5, 2010 Author Posted March 5, 2010 new otl.txt file Hi Starbuck Ive attached a new otl scan the first part of the file is below. Thanks again OTL logfile created on: 3/4/2010 11:48:01 PM - Run OTLPE by OldTimer - Version 3.1.30.3 Folder = X:\Programs\OTLPE Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 1,022.00 Mb Total Physical Memory | 786.00 Mb Available Physical Memory | 77.00% Memory free 906.00 Mb Paging File | 844.00 Mb Available in Paging File | 93.00% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 53.20 Gb Total Space | 7.38 Gb Free Space | 13.87% Space Free | Partition Type: FAT32 Drive D: | 53.69 Gb Total Space | 10.33 Gb Free Space | 19.25% Space Free | Partition Type: FAT32 Drive E: | 963.73 Mb Total Space | 963.72 Mb Free Space | 100.00% Space Free | Partition Type: FAT F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS Computer Name: REATOGO Current User Name: SYSTEM Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard Using ControlSet: ControlSet002 ========== Win32 Services (SafeList) ========== SRV - File not found [On_Demand] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental) SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service) SRV - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) 
[On_Demand] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service) SRV - [2009/11/04 15:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon) SRV - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc) SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService) SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS) SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield) SRV - [2009/08/29 16:11:10 | 000,133,104 | ---- | M] (Google Inc.) [Auto] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca28baf7cbe6a6) Google Update Service (gupdate1ca28baf7cbe6a6) SRV - [2009/07/08 20:22:22 | 000,068,112 | ---- | M] (McAfee) [On_Demand] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor) SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service) SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy) SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc) SRV - [2009/06/05 11:48:14 | 000,144,712 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device) SRV - [2009/04/07 09:39:44 | 000,233,472 | ---- | M] (Teruten) [Auto] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService) SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) 
[Auto] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service) SRV - [2008/04/17 22:56:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service) SRV - [2008/04/14 01:11:56 | 000,028,160 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\irmon.dll -- (Irmon) SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2008/01/11 19:49:06 | 000,122,880 | ---- | M] (Sony DADC Austria AG.) [Auto] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7) SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc) SRV - [2006/12/15 04:01:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01) SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend) SRV - [2006/07/20 05:58:00 | 000,143,426 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc) SRV - [2006/06/23 10:40:58 | 000,086,016 | ---- | M] (Logitech) [Auto] -- c:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv) SRV - [2006/05/18 16:52:06 | 000,049,152 | ---- | M] (Hewlett-Packard Company) [Auto] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService) SRV - [2005/11/28 11:31:32 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel® SRV - [2005/11/28 11:29:00 | 000,114,753 | ---- | M] (Intel Corporation) [Auto] -- C:\Program 
Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel® SRV - [2005/11/28 11:28:14 | 000,217,164 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel® SRV - [2005/10/24 16:40:52 | 001,314,816 | ---- | M] (Avocent Inc.) [Auto] -- C:\Acer\Empowering Technology\admServ.exe -- (AWService) SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT) SRV - [2005/03/10 00:49:52 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService) SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)OTL.Txt Quote