Jump to content

Recommended Posts

Posted

========== Purity Check ==========

 

 

 

========== Custom Scans ==========

 

 

< %SYSTEMDRIVE%\*.* >

[2008/11/21 00:43:02 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm

[2008/09/14 23:10:56 | 000,250,048 | RHS- | M] () -- C:\ntldr

[2004/08/10 20:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM

[2007/12/30 23:44:50 | 000,000,209 | RHS- | M] () -- C:\boot.ini

[2006/08/18 21:54:18 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS

[2006/08/18 22:41:54 | 000,000,050 | ---- | M] () -- C:\AUTOEXEC.BAT

[2006/08/18 21:54:18 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2006/08/18 21:54:18 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2006/08/18 22:31:32 | 000,000,519 | ---- | M] () -- C:\RHDSetup.log

[2006/08/19 08:27:58 | 000,000,084 | RHS- | M] () -- C:\Preload.aaa

[2008/12/06 18:00:40 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm

[1999/11/11 00:17:54 | 000,000,049 | ---- | M] () -- C:\MCE.TAG

[2010/02/22 19:56:34 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys

[2010/01/27 21:49:02 | 000,069,632 | ---- | M] () -- C:\2057.MST

[2008/11/21 00:43:02 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm

[2008/12/06 18:00:40 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm

[2008/12/06 18:51:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm

[2008/12/06 18:51:34 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm

[2008/12/08 00:21:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm

[2008/12/08 00:21:34 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm

[2008/12/09 00:46:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm

[2008/12/09 00:46:36 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm

[2008/12/09 22:26:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm

[2008/12/09 22:26:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm

[2008/12/12 12:20:38 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm

[2008/12/12 12:20:38 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm

[2008/12/12 14:36:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm

[2008/12/12 14:36:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm

[2008/12/14 14:14:32 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm

[2008/12/14 14:14:32 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm

[2008/12/29 01:44:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm

[2008/12/29 01:44:54 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm

[2008/10/15 17:58:24 | 000,014,943 | ---- | M] () -- C:\ainstall.log

[2008/10/16 23:57:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm

[2008/10/16 23:57:10 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm

[2008/11/05 22:31:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm

[2008/11/05 22:31:54 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm

[2008/11/06 20:43:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm

[2008/11/06 20:43:34 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm

[2008/11/09 15:55:06 | 000,000,268 | -H-- | M] () -- C:\sqmdata15.sqm

[2008/11/09 15:55:06 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm

[2008/11/10 00:00:04 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm

[2008/11/10 00:00:04 | 000,000,268 | -H-- | M] () -- C:\sqmdata16.sqm

[2008/11/11 00:47:00 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm

[2008/11/11 00:47:00 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm

[2008/11/12 23:40:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm

[2008/11/12 23:40:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm

[2008/11/17 00:48:02 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm

[2008/11/17 00:48:02 | 000,000,268 | -H-- | M] () -- C:\sqmdata19.sqm

[2009/02/04 07:21:50 | 000,006,324 | ---- | M] () -- C:\analyse-it.log

[2010/01/27 21:47:26 | 000,013,752 | ---- | M] () -- C:\0x0809.ini

[2010/01/27 21:49:30 | 099,516,416 | ---- | M] () -- C:\Samsung New PC Studio.msi

[2010/02/22 19:56:34 | 1071,763,456 | -HS- | M] () -- C:\hiberfil.sys

[2008/05/05 19:45:04 | 000,008,147 | ---- | M] () -- C:\NTFY_CD.LOG

[2008/11/19 01:16:56 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm

[2008/11/19 01:16:56 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm

[2008/11/20 17:55:20 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm

[2008/11/20 17:55:20 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm

[2008/06/19 15:05:48 | 000,000,074 | ---- | M] () -- C:\CMLoader.log

 

 

< MD5 for: AGP440.SYS >

[2004/08/10 20:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys

[2008/11/28 19:02:16 | 023,852,652 | ---- | M] () .cab file -- C:\I386\sp3.cab:AGP440.sys

[2008/09/14 23:04:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\$NtServicePackUninstall$\sp3.cab:AGP440.sys

[2004/08/10 20:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

[2008/11/28 19:02:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys

[2008/09/14 23:04:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:AGP440.sys

[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys

[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

 

< MD5 for: ATAPI.SYS >

[2004/08/10 20:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys

[2008/11/28 19:02:16 | 023,852,652 | ---- | M] () .cab file -- C:\I386\sp3.cab:atapi.sys

[2008/09/14 23:04:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\$NtServicePackUninstall$\sp3.cab:atapi.sys

[2004/08/10 20:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2008/11/28 19:02:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

[2008/09/14 23:04:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:atapi.sys

[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys

[2004/08/10 20:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

[2004/08/10 20:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

[2008/04/13 19:40:30 | 000,096,512 | ---- | M] () MD5=E1E70D9EE75B81589F389E6D3BFD8C9E -- C:\WINDOWS\system32\drivers\atapi.sys

 

< MD5 for: EVENTLOG.DLL >

[2008/04/14 01:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/14 01:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll

[2008/04/14 01:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

[2004/08/10 20:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

 

< MD5 for: NETLOGON.DLL >

[2008/04/14 01:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/14 01:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll

[2008/04/14 01:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

[2004/08/10 20:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

 

< MD5 for: SCECLI.DLL >

[2004/08/10 20:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[2008/04/14 01:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/14 01:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

[2008/04/14 01:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

 

< %systemroot%\*. /mp /s >

 

< %systemroot%\System32\config\*.sav >

[2006/08/18 21:39:44 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

[2006/08/18 21:39:44 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav

[2006/08/18 21:39:44 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

< End of report >

  • Replies 61
  • Created
  • Last Reply

Top Posters In This Topic

Posted

Hi borojamie

 

Ok, you don't need me to tell you that your pc is very infected.

Some of the files found may well have been trying to steal your details, so it may be in your best interest to think about a reformat and re-install.

This fix should knock a big hole in the malware and give us a chance for you to think about things and maybe save what you want from your system.

 

Open Notepad - it must be Notepad, not Wordpad.

Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

(make sure you include the first lot of : )

:Otl
IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Internet Explorer Plugin) - {1DAA3B2E-65DF-4DA6-83C1-50B52ECD0E55} - C:\WINDOWS\System32\duivqwenq8.dll (Rox)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [bisosonew] C:\WINDOWS\System32\jozavuyo.DLL ()
O4 - HKLM..\Run: [nonep] C:\Documents and Settings\Jamie Panico\Local Settings\Temp\miu6C.tmp.exe ()
O4 - HKU\Jamie_Panico_ON_C..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\setup.exe File not found
O9 - Extra Button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - Reg Error: Value error. File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab  (Reg Error: Key error.)
O20 - AppInit_DLLs: (pulasiya.dll) - C:\WINDOWS\System32\pulasiya.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\jozavuyo.dll) - C:\WINDOWS\system32\jozavuyo.dll ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\system32\sdra64.exe (Uzxepyilpoy)
O21 - SSODL: wulinuned - {5156fb13-d1e6-451c-9839-5e758268ec36} - C:\WINDOWS\system32\jozavuyo.dll ()
O22 - SharedTaskScheduler: {5156fb13-d1e6-451c-9839-5e758268ec36} - kupuhivus - C:\WINDOWS\system32\jozavuyo.dll ()
[2010/02/22 23:22:41 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\duivqwenq8.dll
[2010/02/22 22:45:09 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\byxo7.dll
[2010/02/21 20:13:36 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\svsnjleie4.dll
[2010/02/18 01:08:47 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
[2010/02/23 23:02:38 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\rireluho
[2010/02/23 23:00:08 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\agtttnsf.job
[2010/02/23 17:21:08 | 000,093,184 | -HS- | M] () -- C:\WINDOWS\System32\jozavuyo.dll
[2010/02/23 17:21:08 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\kiyerili.dll
[2010/02/22 23:22:44 | 000,022,568 | ---- | M] () -- C:\WINDOWS\System32\hzriuq
[2010/02/22 23:22:42 | 000,049,664 | ---- | M] () -- C:\WINDOWS\System32\svae.jpg
[2010/02/22 19:03:36 | 000,093,696 | -HS- | M] () -- C:\WINDOWS\System32\dorehimo.dll
[2010/02/22 19:03:36 | 000,070,656 | -HS- | M] () -- C:\WINDOWS\System32\wobowedi.dll
[2010/02/22 19:03:36 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\guwinoda.dll
[2010/02/22 07:03:14 | 000,092,672 | -HS- | M] () -- C:\WINDOWS\System32\begajetu.dll
[2010/02/22 07:03:14 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\nupuyuho.dll
[2010/02/21 20:13:38 | 000,016,241 | ---- | M] () -- C:\WINDOWS\System32\jwespw
[2010/02/21 19:05:46 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\kayugibu.dll
[2010/02/21 19:05:44 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\pulasiya.dll
[2010/02/21 19:05:44 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\hofohulu.dll
[2010/02/21 19:05:00 | 000,092,672 | -HS- | M] () -- C:\WINDOWS\System32\zuseyubu.dll
[2010/02/21 19:05:00 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\dasulelo.dll
[2010/02/21 19:05:00 | 000,045,568 | -HS- | M] () -- C:\WINDOWS\System32\bebufizu.dll
[2010/02/21 19:05:00 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\wipotazi.dll
[2010/02/18 20:16:32 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\rogavove.dll
[2010/02/18 20:16:32 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\funebaro.dll
[2010/02/18 20:16:24 | 000,057,344 | -HS- | M] () -- C:\WINDOWS\System32\bavopipi.dll
[2010/02/18 20:16:24 | 000,045,568 | -HS- | M] () -- C:\WINDOWS\System32\sudimiyi.dll
[2010/02/18 16:58:06 | 000,039,424 | ---- | M] () -- C:\WINDOWS\System32\bahezefi.dll
[2010/02/18 16:58:00 | 000,093,184 | ---- | M] () -- C:\WINDOWS\System32\zenemala.dll
[2010/02/16 00:35:46 | 000,210,432 | ---- | M] () -- C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/18 01:08:33 | 000,005,748 | -HS- | C] () -- C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\Q8T6845

:Files
c:\documents and settings\jamie panico\local settings\temp\ygkafmgx.exe
c:\documents and settings\jamie panico\local settings\temp\vwwixjz.exe
c:\documents and settings\jamie panico\local settings\temp\msinits.exe
c:\documents and settings\jamie panico\local settings\temp\c4531278.tmp
c:\documents and settings\jamie panico\local settings\temp\e.exe
c:\windows\system32\penarutu.dll.tmp
c:\windows\system32\bevimahu.dll.tmp
c:\windows\system32\perohapi.dll.tmp
c:\documents and settings\jamie panico\local settings\temp\mdm.exe
c:\documents and settings\jamie panico\local settings\temp\notepad.exe

Go to the Notepad window and click Edit >> Paste

Then click File >> Save

Name the file... fix.txt

Save the file to a USB stick.

 

Start OTLPE as you did previously from CD

 

  • Insert your USB drive with fix.txt on it
  • Start OTLPE
  • Drag and drop fix.txt into the Custom scans and fixes box
  • If you cannot drag and drop for some reason. Then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done to normal mode if possible
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Member of:

UNITE

Posted

Cheers Starbuck,

 

I have ran the fix which unfortunately came up with some errors I have attached the error log below. I am just rebooting my system now. Attempting windows OS first. Thanks again for your help

 

Error: Unable to interpret <O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)> in the current context!

Error: Unable to interpret <O20 - AppInit_DLLs: (pulasiya.dll) - C:\WINDOWS\System32\pulasiya.dll ()> in the current context!

Error: Unable to interpret <O20 - AppInit_DLLs: (c:\windows\system32\jozavuyo.dll) - C:\WINDOWS\system32\jozavuyo.dll ()> in the current context!

Error: Unable to interpret <O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\system32\sdra64.exe (Uzxepyilpoy)> in the current context!

Error: Unable to interpret <O21 - SSODL: wulinuned - {5156fb13-d1e6-451c-9839-5e758268ec36} - C:\WINDOWS\system32\jozavuyo.dll ()> in the current context!

Error: Unable to interpret <O22 - SharedTaskScheduler: {5156fb13-d1e6-451c-9839-5e758268ec36} - kupuhivus - C:\WINDOWS\system32\jozavuyo.dll ()> in the current context!

Error: Unable to interpret <[2010/02/22 23:22:41 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\duivqwenq8.dll> in the current context!

Error: Unable to interpret <[2010/02/22 22:45:09 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\byxo7.dll> in the current context!

Error: Unable to interpret <[2010/02/21 20:13:36 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\svsnjleie4.dll> in the current context!

Error: Unable to interpret <[2010/02/18 01:08:47 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec> in the current context!

Error: Unable to interpret <[2010/02/23 23:02:38 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\rireluho> in the current context!

Error: Unable to interpret <[2010/02/23 23:00:08 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\agtttnsf.job> in the current context!

Error: Unable to interpret <[2010/02/23 17:21:08 | 000,093,184 | -HS- | M] () -- C:\WINDOWS\System32\jozavuyo.dll> in the current context!

Error: Unable to interpret <[2010/02/23 17:21:08 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\kiyerili.dll> in the current context!

Error: Unable to interpret <[2010/02/22 23:22:44 | 000,022,568 | ---- | M] () -- C:\WINDOWS\System32\hzriuq> in the current context!

Error: Unable to interpret <[2010/02/22 23:22:42 | 000,049,664 | ---- | M] () -- C:\WINDOWS\System32\svae.jpg> in the current context!

Error: Unable to interpret <[2010/02/22 19:03:36 | 000,093,696 | -HS- | M] () -- C:\WINDOWS\System32\dorehimo.dll> in the current context!

Error: Unable to interpret <[2010/02/22 19:03:36 | 000,070,656 | -HS- | M] () -- C:\WINDOWS\System32\wobowedi.dll> in the current context!

Error: Unable to interpret <[2010/02/22 19:03:36 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\guwinoda.dll> in the current context!

Error: Unable to interpret <[2010/02/22 07:03:14 | 000,092,672 | -HS- | M] () -- C:\WINDOWS\System32\begajetu.dll> in the current context!

Error: Unable to interpret <[2010/02/22 07:03:14 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\nupuyuho.dll> in the current context!

Error: Unable to interpret <[2010/02/21 20:13:38 | 000,016,241 | ---- | M] () -- C:\WINDOWS\System32\jwespw> in the current context!

Error: Unable to interpret <[2010/02/21 19:05:46 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\kayugibu.dll> in the current context!

Error: Unable to interpret <[2010/02/21 19:05:44 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\pulasiya.dll> in the current context!

Error: Unable to interpret <[2010/02/21 19:05:44 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\hofohulu.dll> in the current context!

Error: Unable to interpret <[2010/02/21 19:05:00 | 000,092,672 | -HS- | M] () -- C:\WINDOWS\System32\zuseyubu.dll> in the current context!

Error: Unable to interpret <[2010/02/21 19:05:00 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\dasulelo.dll> in the current context!

Error: Unable to interpret <[2010/02/21 19:05:00 | 000,045,568 | -HS- | M] () -- C:\WINDOWS\System32\bebufizu.dll> in the current context!

Error: Unable to interpret <[2010/02/21 19:05:00 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\wipotazi.dll> in the current context!

Error: Unable to interpret <[2010/02/18 20:16:32 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\rogavove.dll> in the current context!

Error: Unable to interpret <[2010/02/18 20:16:32 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\funebaro.dll> in the current context!

Error: Unable to interpret <[2010/02/18 20:16:24 | 000,057,344 | -HS- | M] () -- C:\WINDOWS\System32\bavopipi.dll> in the current context!

Error: Unable to interpret <[2010/02/18 20:16:24 | 000,045,568 | -HS- | M] () -- C:\WINDOWS\System32\sudimiyi.dll> in the current context!

Error: Unable to interpret <[2010/02/18 16:58:06 | 000,039,424 | ---- | M] () -- C:\WINDOWS\System32\bahezefi.dll> in the current context!

Error: Unable to interpret <[2010/02/18 16:58:00 | 000,093,184 | ---- | M] () -- C:\WINDOWS\System32\zenemala.dll> in the current context!

Error: Unable to interpret <[2010/02/16 00:35:46 | 000,210,432 | ---- | M] () -- C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini> in the current context!

Error: Unable to interpret <[2010/02/18 01:08:33 | 000,005,748 | -HS- | C] () -- C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\Q8T6845> in the current context!

========== FILES ==========

c:\documents and settings\jamie panico\local settings\temp\ygkafmgx.exe moved successfully.

c:\documents and settings\jamie panico\local settings\temp\vwwixjz.exe moved successfully.

c:\documents and settings\jamie panico\local settings\temp\msinits.exe moved successfully.

c:\documents and settings\jamie panico\local settings\temp\c4531278.tmp moved successfully.

c:\documents and settings\jamie panico\local settings\temp\e.exe moved successfully.

c:\windows\system32\penarutu.dll.tmp moved successfully.

c:\windows\system32\bevimahu.dll.tmp moved successfully.

c:\windows\system32\perohapi.dll.tmp moved successfully.

File\Folder c:\documents and settings\jamie panico\local settings\temp\mdm.exe not found.

File\Folder c:\documents and settings\jamie panico\local settings\temp\notepad.exe not found.

 

OTLPE by OldTimer - Version 3.1.30.3 log created on 03022010_122552

Posted
Exe Files all appear workable and i have an internet connection. Mcafee has found and blocked a trojan. Should i download OTLPE to my windows OS as it is only accessible thru running realtogo OS?
Posted
I have ran the fix which unfortunately came up with some errors I have attached the error log below.
this would nornally happen if you forgot to add the : before Otl in the fix.

 

As you can run the OS , try this:

 

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

 

Link 1

Link 2

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

 

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

 

This is an example, you may rename ComboFix to anything you want.

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
     
    Then:
     
    Double click on Combo-Fix.exe & follow the prompts.
     
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If running Vista, you may not see this screen
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

 

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

http://img.photobucket.com/albums/v706/ried7/whatnext.png

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

 

 

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

Member of:

UNITE

Posted

hi mate,

 

i have just got back to try and download combofix and my computer will not reboot. I have started the steps above again ensuring i started the OTLPE fix with the : and i have an error message half way through saying access violation at address 0059a803 in module 'OTLPE.exe'. Read of address 00000000.

 

Once i confirm this i get the option to rerun the fix. I have attached the log below however upon completion of this i cannot re-enter normal windows OS. Sorry it seems i have gone backwards! :-(

03022010_174958.txt

Posted

Mate, teh file is massive so the first part is attached below

 

thanks

 

OTL logfile created on: 3/2/2010 6:51:52 PM - Run

OTLPE by OldTimer - Version 3.1.30.3 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 781.00 Mb Available Physical Memory | 76.00% Memory free

906.00 Mb Paging File | 839.00 Mb Available in Paging File | 93.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 53.20 Gb Total Space | 7.27 Gb Free Space | 13.67% Space Free | Partition Type: FAT32

D: Drive not present or media not loaded

Drive E: | 53.69 Gb Total Space | 10.33 Gb Free Space | 19.25% Space Free | Partition Type: FAT32

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

 

Computer Name: REATOGO

Current User Name: SYSTEM

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

Using ControlSet: ControlSet002

 

 

 

========== Win32 Services (SafeList) ==========

 

SRV - File not found [On_Demand] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)

SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)

SRV - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - [2009/11/04 15:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)

SRV - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)

SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)

SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)

SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)

SRV - [2009/08/29 16:11:10 | 000,133,104 | ---- | M] (Google Inc.) [Auto] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca28baf7cbe6a6) Google Update Service (gupdate1ca28baf7cbe6a6)

SRV - [2009/07/08 20:22:22 | 000,068,112 | ---- | M] (McAfee) [On_Demand] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)

SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)

SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)

SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)

SRV - [2009/06/05 11:48:14 | 000,144,712 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2009/04/07 09:39:44 | 000,233,472 | ---- | M] (Teruten) [Auto] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)

SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)

SRV - [2008/04/17 22:56:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2008/04/14 01:11:56 | 000,028,160 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\irmon.dll -- (Irmon)

SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)

SRV - [2008/01/11 19:49:06 | 000,122,880 | ---- | M] (Sony DADC Austria AG.) [Auto] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7)

SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)

SRV - [2006/12/15 04:01:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)

SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)

SRV - [2006/07/20 05:58:00 | 000,143,426 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)

SRV - [2006/06/23 10:40:58 | 000,086,016 | ---- | M] (Logitech) [Auto] -- c:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)

SRV - [2006/05/18 16:52:06 | 000,049,152 | ---- | M] (Hewlett-Packard Company) [Auto] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)

SRV - [2005/11/28 11:31:32 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®

SRV - [2005/11/28 11:29:00 | 000,114,753 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®

SRV - [2005/11/28 11:28:14 | 000,217,164 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®

SRV - [2005/10/24 16:40:52 | 001,314,816 | ---- | M] (Avocent Inc.) [Auto] -- C:\Acer\Empowering Technology\admServ.exe -- (AWService)

SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)

SRV - [2005/03/10 00:49:52 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)

SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)

OTL.Txt

Posted

Hi borojamie

Because the first part of the last fix didn't run correctly, the malware has re-spawned.

I'll go through everything and write a fresh fix.

Back later.

Member of:

UNITE

Posted

Starbuck,

 

Thanks for your help and patience

 

I doubled checked the copied fix file and it started with the : however had a blank text line before the file copied??

 

I can still take all media and ms office files off my hard disk, mcafee, make a note of all the software i have on (not much psp media converters, ms office, hand full of games and photoshop) all of which i have discs for. So if its easier to reset to factory settings i can try that.

 

If so am i safe to drag and drop folders or would it be best just to chose specific files / exts? to avoid cross contamination?

 

Thanks again for your help mate

Posted

Hi borojamie

 

however had a blank text line before the file copied??
yep, make sure that :Otl is on the first line.

 

So if its easier to reset to factory settings i can try that.
Let's give this new fix a try and if we get nowhere.... we can always fall back on that.

 

If so am i safe to drag and drop folders or would it be best just to chose specific files / exts? to avoid cross contamination?
Just take what is necessary and also make sure you scan everything before putting it back on.

 

I've re-written the fix (slightly different this time)

Give it a try, i'll also add an attachment if it makes things easier for you.

 

Open Notepad - it must be Notepad, not Wordpad.

Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

:Otl
O21 - SSODL: kedilizos - {80ee93a7-48fb-47e4-acb5-3a5b1de435cb} - C:\WINDOWS\system32\jukabama.dll ()
O21 - SSODL: wulinuned - {5156fb13-d1e6-451c-9839-5e758268ec36} - C:\WINDOWS\System32\jozavuyo.dll File not found
O22 - SharedTaskScheduler: {5156fb13-d1e6-451c-9839-5e758268ec36} - kupuhivus - C:\WINDOWS\System32\jozavuyo.dll File not found
O22 - SharedTaskScheduler: {80ee93a7-48fb-47e4-acb5-3a5b1de435cb} - mujuzedij - C:\WINDOWS\system32\jukabama.dll ()

:Files
C:\WINDOWS\System32\lowsec
C:\WINDOWS\System32\pulasiya.dll
C:\WINDOWS\System32\jozavuyo.dll
C:\WINDOWS\system32\jukabama.dll
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\System32\rireluho
C:\WINDOWS\System32\nynw.wmo
C:\WINDOWS\tasks\twkotokz.job
C:\WINDOWS\System32\jukabama.dll
C:\WINDOWS\System32\polekove.dll
C:\WINDOWS\System32\nudeleze.dll
C:\WINDOWS\System32\dijanumo.dll
C:\WINDOWS\System32\kiyerili.dll
C:\WINDOWS\System32\hzriuq
C:\WINDOWS\System32\guwinoda.dll
C:\WINDOWS\System32\begajetu.dll
C:\WINDOWS\System32\nupuyuho.dll
C:\WINDOWS\System32\jwespw
C:\WINDOWS\System32\svae.jpg
C:\WINDOWS\System32\kayugibu.dll
C:\WINDOWS\System32\hofohulu.dll
C:\WINDOWS\System32\bebufizu.dll
C:\WINDOWS\System32\zuseyubu.dll
C:\WINDOWS\System32\dasulelo.dll
C:\WINDOWS\System32\wipotazi.dll
C:\WINDOWS\System32\rogavove.dll
C:\WINDOWS\System32\funebaro.dll
C:\WINDOWS\System32\bavopipi.dll
C:\WINDOWS\System32\sudimiyi.dll
C:\WINDOWS\System32\bahezefi.dll
C:\WINDOWS\System32\zenemala.dll
C:\WINDOWS\System32\rireluho
C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\Q8T6845
C:\WINDOWS\xobglu16.dll

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""

:Commands
[purity]
[emptytemp]
[Reboot]

Go to the Notepad window and click Edit >> Paste

Then click File >> Save

Name the file fix.txt

Save the file to a USB stick.

 

Start OTLPE as you did previously from CD

 

  • Insert your USB drive with fix.txt on it
  • Start OTLPE
  • Drag and drop fix.txt into the Custom scans and fixes box
  • If you cannot drag and drop for some reason. Then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done to normal mode if possible
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

 

Thanks

fix.txt

Member of:

UNITE

Posted

:-) thanks for that mate worked fine this time

 

ive rerun the otl report but had to do it in reatogo because otl is not loaded on my windows OS. Ive attached teh report with the first bit below as it is ove 2kb

 

cheers jamie

 

OTL logfile created on: 3/2/2010 11:00:01 PM - Run

OTLPE by OldTimer - Version 3.1.30.3 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

 

1,022.00 Mb Total Physical Memory | 781.00 Mb Available Physical Memory | 76.00% Memory free

906.00 Mb Paging File | 835.00 Mb Available in Paging File | 92.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 53.20 Gb Total Space | 7.38 Gb Free Space | 13.87% Space Free | Partition Type: FAT32

Drive D: | 963.73 Mb Total Space | 963.48 Mb Free Space | 99.97% Space Free | Partition Type: FAT

Drive E: | 53.69 Gb Total Space | 10.33 Gb Free Space | 19.25% Space Free | Partition Type: FAT32

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

 

Computer Name: REATOGO

Current User Name: SYSTEM

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

Using ControlSet: ControlSet002

 

========== Win32 Services (All) ==========

 

SRV - File not found [On_Demand] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)

SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)

SRV - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - [2009/11/04 15:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)

SRV - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)

SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)

SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)

SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)

SRV - [2009/08/29 16:11:10 | 000,133,104 | ---- | M] (Google Inc.) [Auto] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca28baf7cbe6a6) Google Update Service (gupdate1ca28baf7cbe6a6)

SRV - [2009/07/08 20:22:22 | 000,068,112 | ---- | M] (McAfee) [On_Demand] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)

SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)

SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)

SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)

SRV - [2009/06/10 07:14:50 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)

SRV - [2009/06/05 11:48:14 | 000,144,712 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2009/04/07 09:39:44 | 000,233,472 | ---- | M] (Teruten) [Auto] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)

SRV - [2009/02/09 08:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi)

SRV - [2009/02/09 08:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs) Remote Procedure Call (RPC)

SRV - [2009/02/09 08:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\rpcss.dll -- (DcomLaunch)

SRV - [2009/02/06 07:11:06 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)

SRV - [2009/02/06 07:11:06 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\services.exe -- (Eventlog)

SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)

SRV - [2008/07/29 21:10:04 | 000,046,104 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)

SRV - [2008/07/29 19:24:50 | 000,881,664 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)

SRV - [2008/07/29 19:16:38 | 000,132,096 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)

SRV - [2008/07/25 11:17:02 | 000,069,632 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

SRV - [2008/07/25 11:16:40 | 000,034,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)

SRV - [2008/07/07 21:26:58 | 000,253,952 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\es.dll -- (EventSystem)

SRV - [2008/06/20 18:46:58 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\mswsock.dll -- (Nla) Network Location Awareness (NLA)

SRV - [2008/04/17 22:56:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2008/04/14 01:12:40 | 000,126,464 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\wbem\wmiapsrv.exe -- (WmiApSrv)

SRV - [2008/04/14 01:12:38 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)

SRV - [2008/04/14 01:12:38 | 000,073,216 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\tlntsvr.exe -- (TlntSvr)

SRV - [2008/04/14 01:12:38 | 000,018,432 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\ups.exe -- (UPS)

SRV - [2008/04/14 01:12:36 | 000,089,600 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\smlogsvc.exe -- (SysmonLog)

SRV - [2008/04/14 01:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)

SRV - [2008/04/14 01:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\svchost.exe -- (HidServ)

SRV - [2008/04/14 01:12:34 | 000,141,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\sessmgr.exe -- (RDSessMgr)

SRV - [2008/04/14 01:12:34 | 000,095,744 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\scardsvr.exe -- (SCardSvr)

SRV - [2008/04/14 01:12:30 | 000,111,104 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\netdde.exe -- (NetDDEdsdm)

SRV - [2008/04/14 01:12:30 | 000,111,104 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\netdde.exe -- (NetDDE)

SRV - [2008/04/14 01:12:28 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)

SRV - [2008/04/14 01:12:28 | 000,006,144 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\msdtc.exe -- (MSDTC)

SRV - [2008/04/14 01:12:26 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\mnmsrvc.exe -- (mnmsrvc)

SRV - [2008/04/14 01:12:24 | 000,075,264 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\locator.exe -- (RpcLocator) Remote Procedure Call (RPC)

SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)

SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)

SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)

SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\lsass.exe -- (NtLmSsp)

SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)

SRV - [2008/04/14 01:12:22 | 000,267,776 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\fxssvc.exe -- (Fax)

SRV - [2008/04/14 01:12:22 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)

SRV - [2008/04/14 01:12:18 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)

SRV - [2008/04/14 01:12:18 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)

SRV - [2008/04/14 01:12:18 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\System32\dllhost.exe -- (COMSysApp)

SRV - [2008/04/14 01:12:14 | 000,033,280 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv)

SRV - [2008/04/14 01:12:14 | 000,005,632 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\cisvc.exe -- (CiSvc)

SRV - [2008/04/14 01:12:12 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)

SRV - [2008/04/14 01:12:12 | 000,129,024 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\xmlprov.dll -- (xmlprov)

SRV - [2008/04/14 01:12:12 | 000,044,544 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\alg.exe -- (ALG)

SRV - [2008/04/14 01:12:12 | 000,006,656 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)

SRV - [2008/04/14 01:12:10 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)

SRV - [2008/04/14 01:12:10 | 000,080,896 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc)

SRV - [2008/04/14 01:12:08 | 000,333,824 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc) Windows Image Acquisition (WIA)

SRV - [2008/04/14 01:12:08 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)

SRV - [2008/04/14 01:12:08 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\upnphost.dll -- (upnphost)

SRV - [2008/04/14 01:12:08 | 000,175,104 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\w32time.dll -- (W32Time)

SRV - [2008/04/14 01:12:08 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)

SRV - [2008/04/14 01:12:08 | 000,096,768 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)

SRV - [2008/04/14 01:12:08 | 000,090,112 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\trkwks.dll -- (TrkWks)

SRV - [2008/04/14 01:12:08 | 000,071,680 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\ssdpsrv.dll -- (SSDPSRV)

SRV - [2008/04/14 01:12:08 | 000,068,096 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\webclnt.dll -- (WebClient)

SRV - [2008/04/14 01:12:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)

SRV - [2008/04/14 01:12:06 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)

SRV - [2008/04/14 01:12:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)

SRV - [2008/04/14 01:12:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)

SRV - [2008/04/14 01:12:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)

SRV - [2008/04/14 01:12:06 | 000,039,424 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\sens.dll -- (SENS)

SRV - [2008/04/14 01:12:06 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)

SRV - [2008/04/14 01:12:04 | 000,409,088 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)

SRV - [2008/04/14 01:12:04 | 000,291,328 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\qagentrt.dll -- (napagent)

SRV - [2008/04/14 01:12:04 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)

SRV - [2008/04/14 01:12:04 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)

SRV - [2008/04/14 01:12:04 | 000,059,904 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\regsvc.dll -- (RemoteRegistry)

SRV - [2008/04/14 01:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)

SRV - [2008/04/14 01:12:02 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\netman.dll -- (Netman)

SRV - [2008/04/14 01:12:02 | 000,038,400 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)

SRV - [2008/04/14 01:12:00 | 000,033,792 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\msgsvc.dll -- (Messenger)

SRV - [2008/04/14 01:11:58 | 000,053,248 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\mprdim.dll -- (RemoteAccess)

SRV - [2008/04/14 01:11:56 | 000,331,264 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess) Windows Firewall/Internet Connection Sharing (ICS)

SRV - [2008/04/14 01:11:56 | 000,061,440 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\kmsvc.dll -- (hkmsvc)

SRV - [2008/04/14 01:11:56 | 000,028,160 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\irmon.dll -- (Irmon)

SRV - [2008/04/14 01:11:56 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)

SRV - [2008/04/14 01:11:54 | 000,023,040 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\ersvc.dll -- (ERSvc)

SRV - [2008/04/14 01:11:52 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)

SRV - [2008/04/14 01:11:52 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)

SRV - [2008/04/14 01:11:52 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)

SRV - [2008/04/14 01:11:52 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)

SRV - [2008/04/14 01:11:52 | 000,033,792 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)

SRV - [2008/04/14 01:11:52 | 000,023,552 | ---- | M] (Microsoft Corp.) [Auto] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)

SRV - [2008/04/14 01:11:50 | 000,167,936 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\appmgmts.dll -- (AppMgmt)

SRV - [2008/04/14 01:11:50 | 000,077,824 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\browser.dll -- (Browser)

SRV - [2008/04/14 01:11:50 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)

SRV - [2008/04/14 01:11:50 | 000,030,208 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\bthserv.dll -- (BthServ)

SRV - [2008/04/14 01:11:50 | 000,017,408 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINDOWS\system32\alrsvc.dll -- (Alerter)

SRV - [2008/04/14 01:11:48 | 000,100,352 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\6to4svc.dll -- (6to4)

SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)

SRV - [2008/01/11 19:49:06 | 000,122,880 | ---- | M] (Sony DADC Austria AG.) [Auto] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7)

SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)

SRV - [2006/12/15 04:01:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)

SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)

SRV - [2006/10/18 21:47:16 | 000,027,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\system32\MsPMSNSv.dll -- (WmdmPmSN)

OTL.Txt

Posted

Hi borojamie

 

Nice work :)

Now try the previous instructions for ComboFix.

Let's see if we can get that to run.

 

I'm working away for the next 2 days, so won't be able to answer as much.

Member of:

UNITE

Posted

Hi borojamie

 

The only problem with running scans and fixes in a PE environment is that we can't see any 'Processes' that will run with Windows.

If there's a malicious process, we can't detect it.

This maybe what's happening here.

Without being able to get a scan done whilst Windows is running we could end up going around in circles.

It's odd that we clear out all the bad files we can see, but the problem continues.

 

Just to point one thing out to you:

Drive C: | 53.20 Gb Total Space | 7.38 Gb Free Space | 13.87% Space Free | Partition Type: FAT32

Drive D: | 963.73 Mb Total Space | 963.48 Mb Free Space | 99.97% Space Free | Partition Type: FAT

Drive E: | 53.69 Gb Total Space | 10.33 Gb Free Space | 19.25% Space Free | Partition Type: FAT32

Running FAT32 is very unsecure nowadays.

If you did decide to go with a reformat/re-install .... make sure that you reformat the system to NTFS.

it's a lot more secure and will give you a lot of added security features.

Member of:

UNITE

Posted

ok mate, if i could get into windows again i could download OTL, although that said i am happy to reset to factory settings if its easier.

 

I dont know if that will give me access to format the c: in NFTS or the ctrl alt F10 just does it automatically.

 

Can you advise a reasonable virus checker as i have now had 2 serious dramas with mcafee. I had nod32 a while ago but this also let a virus through.

 

I think Norton is too much of a drain and limits too much stuff is this true?

 

Thanks for your help mate

Posted

sorry Starbuck please can i check should reatogo fire out popups for windows blinds??

 

As the OS isl loaded from cd i would of thought no virus could impair this?

Posted

God Starbuck, Im a nuisance! :-( sorry mate I've plugged in a brand new wd passport 320gb portable hd in to my infected machine whilst in reatogo OS and it registers and allows me to see the drive but says there is 569mb used on the drive and 0kb available to use so unfortuantley cannot back up my files :-(

 

Sorry to be a pain in the ass mate

Posted

Hi borojamie,

 

Ok, let's see what we have:

 

please can i check should reatogo fire out popups for windows blinds??
Rea2Go uses WindowBlinds when creating the PE environment. It's just a skin option that can be set. I haven't seen that message come up any of the times I've run the CD so I'm not sure why it would come up. But, it's nothing to worry about.

 

if i could get into windows again i could download OTL, although that said i am happy to reset to factory settings if its easier.

 

I dont know if that will give me access to format the c: in NFTS or the ctrl alt F10 just does it automatically.

Our first concern is to always try and clean a m/c, if that isn't possible or it's an inconvenience for the member.... then a reformat/reinstall is the answer.

Do you have a 'Windows installation' disc? or is your backup on a partition on the hard drive?

Let me have your pc make and model ... and i'll look the info up for you.

 

Can you advise a reasonable virus checker as i have now had 2 serious dramas with mcafee. I had nod32 a while ago but this also let a virus through.
No problem, i can give you this and other security info when you are ready.

Please remember though... All security programs are good up to a point. There isn't a single program that can stop everything. The security vendors can only add definitions for what they have available. The bad guys are getting good at hiding their programs, so it takes the security vendors longer to find out what to block.

Member of:

UNITE

Posted

Cheers for your help mate,

 

Ive got an acer aspire 5633WLMi laptop. I cant find my original start up back up disk (im in the air force so assume its at my house rather than up here at camp. I have asked my gf to bring it up with her this weekend.

 

Thanks for your help. Ive now got OTL PE on CD too so will be able to open in windows once we can stop the looping. Would you like me to go back to the first OTL PE scan and post the report?

 

Is there a setting on reatogo for me to allow read-write access on my portable hd as i cannot wriet files to it for some reason despite it working on my other system

 

Hope everythings goin well down there, I was hoping to get down to Wales this weekend for the Cardiff - Boro match but unfortunately im stuck on duty :-(

 

Thanks again for your help mate

Posted

new otl.txt file

 

Hi Starbuck Ive attached a new otl scan the first part of the file is below. Thanks again

 

OTL logfile created on: 3/4/2010 11:48:01 PM - Run

OTLPE by OldTimer - Version 3.1.30.3 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

 

1,022.00 Mb Total Physical Memory | 786.00 Mb Available Physical Memory | 77.00% Memory free

906.00 Mb Paging File | 844.00 Mb Available in Paging File | 93.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 53.20 Gb Total Space | 7.38 Gb Free Space | 13.87% Space Free | Partition Type: FAT32

Drive D: | 53.69 Gb Total Space | 10.33 Gb Free Space | 19.25% Space Free | Partition Type: FAT32

Drive E: | 963.73 Mb Total Space | 963.72 Mb Free Space | 100.00% Space Free | Partition Type: FAT

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

 

Computer Name: REATOGO

Current User Name: SYSTEM

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

Using ControlSet: ControlSet002

 

========== Win32 Services (SafeList) ==========

 

SRV - File not found [On_Demand] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)

SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)

SRV - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - [2009/11/04 15:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)

SRV - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)

SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)

SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)

SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)

SRV - [2009/08/29 16:11:10 | 000,133,104 | ---- | M] (Google Inc.) [Auto] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca28baf7cbe6a6) Google Update Service (gupdate1ca28baf7cbe6a6)

SRV - [2009/07/08 20:22:22 | 000,068,112 | ---- | M] (McAfee) [On_Demand] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)

SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)

SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)

SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)

SRV - [2009/06/05 11:48:14 | 000,144,712 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2009/04/07 09:39:44 | 000,233,472 | ---- | M] (Teruten) [Auto] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)

SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)

SRV - [2008/04/17 22:56:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2008/04/14 01:11:56 | 000,028,160 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\irmon.dll -- (Irmon)

SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)

SRV - [2008/01/11 19:49:06 | 000,122,880 | ---- | M] (Sony DADC Austria AG.) [Auto] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7)

SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)

SRV - [2006/12/15 04:01:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)

SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)

SRV - [2006/07/20 05:58:00 | 000,143,426 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)

SRV - [2006/06/23 10:40:58 | 000,086,016 | ---- | M] (Logitech) [Auto] -- c:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)

SRV - [2006/05/18 16:52:06 | 000,049,152 | ---- | M] (Hewlett-Packard Company) [Auto] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)

SRV - [2005/11/28 11:31:32 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®

SRV - [2005/11/28 11:29:00 | 000,114,753 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®

SRV - [2005/11/28 11:28:14 | 000,217,164 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®

SRV - [2005/10/24 16:40:52 | 001,314,816 | ---- | M] (Avocent Inc.) [Auto] -- C:\Acer\Empowering Technology\admServ.exe -- (AWService)

SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)

SRV - [2005/03/10 00:49:52 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)

SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)

OTL.Txt

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...