
zentom anti virus

  • 16-09-2011 11:20am
    #1


    Hi folks, I really need some help. I'm a bit green when it comes to computers, so here goes:

    I caught the Zentom virus last night and promptly ran Malwarebytes & Spybot S&D.

    Malwarebytes said it deleted the virus. It deleted some of it, but it has significantly slowed my computer and internet connection; also my browser windows are intermittently closing and certain programs and applications will not run.

    I used OTL as I saw mentioned in another thread; below is the report from OTL:

    OTL Extras logfile created on: 16/09/2011 12:02:35 - Run 1
    OTL by OldTimer - Version 3.2.28.0 Folder = C:\Documents and Settings\Cheenso\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    3.00 Gb Total Physical Memory | 1.87 Gb Available Physical Memory | 62.41% Memory free
    7.34 Gb Paging File | 6.26 Gb Available in Paging File | 85.34% Paging File free
    Paging file location(s): C:\pagefile.sys 4605 5000 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 19.53 Gb Total Space | 1.47 Gb Free Space | 7.54% Space Free | Partition Type: NTFS
    Drive D: | 107.69 Gb Total Space | 80.04 Gb Free Space | 74.32% Space Free | Partition Type: NTFS
    Drive F: | 102.39 Gb Total Space | 102.29 Gb Free Space | 99.91% Space Free | Partition Type: NTFS

    Computer Name: SLISI-L3C5814 | User Name: Cheenso | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus / Vuze
    "C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe" = C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe:*:Enabled:3 USB Modem
    "C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{01C08A7D-4CCD-41F8-B020-4B4BB8C08C68}" = Catalyst Control Center - Branding
    "{03EC1FFD-2F3C-AB30-FC8F-8A464EA3AB54}" = CCC Help Norwegian
    "{055EE59D-217B-43A7-ABFF-507B966405D8}" = CCC
    "{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
    "{1A49527E-76D9-1A0E-1242-D1C449E2F246}" = Catalyst Control Center Localization French
    "{1EB867A9-2CAC-9F2B-70AA-225B89329957}" = Catalyst Control Center Localization Swedish
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
    "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
    "{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
    "{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
    "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3C22A328-753B-709F-B575-8E7F26EF5769}" = CCC Help Portuguese
    "{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
    "{426E1B57-707D-E5D9-82BB-D375728C0101}" = Catalyst Control Center Localization Dutch
    "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
    "{46369E80-6A3D-55A6-D54A-489ADE5258A2}" = Catalyst Control Center Localization Portuguese
    "{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
    "{476275FA-A3F8-3BD2-1042-2BD29F13CC2E}" = Skins
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{51EAB826-C5A4-2578-44AE-61CB8F6AF06C}" = CCC Help Korean
    "{521E1CA4-C40B-E2E0-9C88-94B89CFE1FF9}" = Catalyst Control Center Localization German
    "{54213804-C8B0-FF91-FEE4-AE177D55EF56}" = CCC Help Finnish
    "{54C87F30-9A03-A151-E25D-643C6A19BE4D}" = Catalyst Control Center Localization Norwegian
    "{567B13FA-9FA9-050E-5CD7-6C07F3A28DF7}" = CCC Help Turkish
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
    "{5C51F530-415D-6DC1-AF78-4839F93B84C3}" = CCC Help English
    "{5F212730-512E-C674-11B5-C4AEECAE1366}" = Catalyst Control Center Localization Thai
    "{5F339FE5-9930-1B33-6090-EFFFD1749F3C}" = ccc-core-static
    "{64682560-7401-4C2D-4B68-622001EBDB38}" = CCC Help French
    "{666E9A48-A877-A912-6E7F-565C4E36A4BB}" = CCC Help Chinese Traditional
    "{672F8700-B561-252F-6585-333FEE398EE3}" = CCC Help Swedish
    "{68280718-3175-6C86-75E5-EA4706D0F545}" = Catalyst Control Center Localization Chinese Traditional
    "{6A0DC722-5AE2-7878-04E3-12FD42242815}" = CCC Help German
    "{6A41F0A6-445C-A426-3B9B-0F3138C36EC6}" = Catalyst Control Center Graphics Light
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{74F3AA35-BC41-119C-B74E-FFF0072973FE}" = CCC Help Spanish
    "{765A0DD0-B60B-F6A0-6A8D-54054A4E6487}" = Catalyst Control Center Localization Czech
    "{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{79170233-E0A5-5A4A-28D9-C6A0CF774F13}" = Catalyst Control Center Localization Danish
    "{79435D1E-148B-8C58-8F3E-6E96D9284149}" = Catalyst Control Center Localization Chinese Standard
    "{7B0B88BC-FF93-DA03-F84E-D23477157E5C}" = Catalyst Control Center Core Implementation
    "{7CBFA1C0-9F76-FF29-3EFC-9F7655E8FF56}" = CCC Help Thai
    "{80361553-17D6-84D1-31E2-D8ABF0C66959}" = ccc-utility
    "{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
    "{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
    "{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
    "{8E87FED9-68EA-8A40-CB37-1F532F4D6D72}" = Catalyst Control Center Graphics Full New
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
    "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{97521F0B-9072-0C9C-C765-961B07DEA729}" = Catalyst Control Center Localization Japanese
    "{9A6C83A6-C190-EBA9-8E38-D480A994DA92}" = Catalyst Control Center Localization Italian
    "{9B6C43B6-8B1B-34DA-1E05-B5BC51B2B804}" = Catalyst Control Center Localization Spanish
    "{9C62C977-0111-F5FC-EBCA-4D917BADF751}" = CCC Help Dutch
    "{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A34C7BA8-938B-55FD-2600-57BECFB55D6A}" = CCC Help Greek
    "{A6139E1F-1392-1442-8152-87BA59B2F64D}" = ccc-core-preinstall
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AEF1E88C-A98D-890F-CFDC-FD6FD3B8E829}" = CCC Help Italian
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B46FFFB4-FE24-3338-D53F-3C899AFD5A23}" = CCC Help Polish
    "{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
    "{B98B1629-E1F6-5DD5-8D1E-C8C3F6F80C89}" = Catalyst Control Center Graphics Full Existing
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C165A1B2-08D0-52C3-D5DB-665C8F251570}" = Catalyst Control Center Localization Turkish
    "{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
    "{CB88A5FF-59EE-6BF7-A5B5-2C7B63872745}" = Catalyst Control Center Localization Korean
    "{CC6C4177-6365-1500-9279-480C79B0E592}" = CCC Help Czech
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
    "{D26BCF43-7100-E5F9-27FD-EA03670F1AE8}" = CCC Help Danish
    "{DC34C68C-A16F-56A7-AEFA-5DB8DAA6E9E3}" = CCC Help Russian
    "{DD530FBD-D52A-8044-15B6-2E62E65AE83E}" = Catalyst Control Center Localization Polish
    "{E42BF37A-510C-D596-081D-307CA952D888}" = Catalyst Control Center Localization Hungarian
    "{E58BE852-C68B-D02E-A6CF-BB8B4614AD42}" = Catalyst Control Center Localization Greek
    "{E5A48BBD-7D1B-A49A-27D7-D02BE34940D6}" = CCC Help Hungarian
    "{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
    "{E697374A-6555-990E-821F-09AF8388CEAA}" = CCC Help Japanese
    "{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
    "{ECB8E83D-CE7B-C7E5-7F36-7677EAAB5F39}" = Catalyst Control Center Localization Russian
    "{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F58C48CB-A079-3BEC-5CB3-1E81F36AC79D}" = Catalyst Control Center Localization Finnish
    "{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
    "{F915CF43-C7E7-9886-48F4-640F124A0AAB}" = CCC Help Chinese Standard
    "{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "All ATI Software" = ATI - Software Uninstall Utility
    "ATI Display Driver" = ATI Display Driver
    "ClamWin Free Antivirus_is1" = ClamWin Free Antivirus 0.97
    "CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118" = HDAUDIO Soft Data Fax Modem with SmartCP
    "CPUID CPU-Z_is1" = CPUID CPU-Z 1.54
    "HOMESTUDENTR" = Microsoft Office Home and Student 2007
    "ie8" = Windows Internet Explorer 8
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
    "McAfee Security Scan" = McAfee Security Scan Plus
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.22)" = Mozilla Firefox (3.6.22)
    "MSNINST" = MSN
    "NVIDIA Drivers" = NVIDIA Drivers
    "ProInst" = Intel(R) PROSet/Wireless Software
    "RealPlayer 12.0" = RealPlayer
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "VLC media player" = VLC media player 1.0.5
    "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    "WIC" = Windows Imaging Component
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinGimp-2.0_is1" = GIMP 2.6.11
    "WinLiveSuite_Wave3" = Windows Live Essentials

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 15/09/2011 18:39:03 | Computer Name = SLISI-L3C5814 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 15/09/2011 18:39:03 | Computer Name = SLISI-L3C5814 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 15/09/2011 18:39:03 | Computer Name = SLISI-L3C5814 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 15/09/2011 19:04:56 | Computer Name = SLISI-L3C5814 | Source = Application Error | ID = 1000
    Description = Faulting application spybotsd.exe, version 1.6.2.46, faulting module
    kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

    Error - 15/09/2011 19:15:40 | Computer Name = SLISI-L3C5814 | Source = Application Error | ID = 1000
    Description = Faulting application realupgrade.exe, version 12.0.1.609, faulting
    module realupgrade.exe, version 12.0.1.609, fault address 0x00009fc7.

    Error - 15/09/2011 20:14:45 | Computer Name = SLISI-L3C5814 | Source = .NET Runtime 2.0 Error Reporting | ID = 1000
    Description = Faulting application ccc.exe, version 2.0.0.0, stamp 469cdc9c, faulting
    module mscorwks.dll, version 2.0.50727.3623, stamp 4d8c187e, debug? 0, fault address
    0x000b0dd2.

    Error - 15/09/2011 20:47:18 | Computer Name = SLISI-L3C5814 | Source = Application Error | ID = 1000
    Description = Faulting application realupgrade.exe, version 12.0.1.609, faulting
    module , version 0.0.0.0, fault address 0x00000000.

    Error - 16/09/2011 06:17:15 | Computer Name = SLISI-L3C5814 | Source = Application Error | ID = 1000
    Description = Faulting application hki901.exe, version 0.0.0.0, faulting module
    unknown, version 0.0.0.0, fault address 0x00005c1c.

    Error - 16/09/2011 06:23:34 | Computer Name = SLISI-L3C5814 | Source = Application Hang | ID = 1002
    Description = Hanging application hki36718.exe, version 0.0.0.0, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 16/09/2011 06:36:35 | Computer Name = SLISI-L3C5814 | Source = Application Error | ID = 1000
    Description = Faulting application realupgrade.exe, version 12.0.1.609, faulting
    module , version 0.0.0.0, fault address 0x00000000.

    [ System Events ]
    Error - 16/09/2011 06:55:31 | Computer Name = SLISI-L3C5814 | Source = SideBySide | ID = 16842810
    Description = Syntax error in manifest or policy file "C:\Documents and Settings\Cheenso\My
    Documents\Downloads\msert.exe" on line 0.

    Error - 16/09/2011 06:55:31 | Computer Name = SLISI-L3C5814 | Source = SideBySide | ID = 16842811
    Description = Generate Activation Context failed for C:\Documents and Settings\Cheenso\My
    Documents\Downloads\msert.exe. Reference error message: The operation completed
    successfully. .

    Error - 16/09/2011 06:55:45 | Computer Name = SLISI-L3C5814 | Source = SideBySide | ID = 16842810
    Description = Syntax error in manifest or policy file "C:\Documents and Settings\Cheenso\My
    Documents\Downloads\msert.exe" on line 0.

    Error - 16/09/2011 06:55:45 | Computer Name = SLISI-L3C5814 | Source = SideBySide | ID = 16842811
    Description = Generate Activation Context failed for C:\Documents and Settings\Cheenso\My
    Documents\Downloads\msert.exe. Reference error message: The operation completed
    successfully. .

    Error - 16/09/2011 06:56:00 | Computer Name = SLISI-L3C5814 | Source = SideBySide | ID = 16842810
    Description = Syntax error in manifest or policy file "C:\Documents and Settings\Cheenso\My
    Documents\Downloads\msert.exe" on line 0.

    Error - 16/09/2011 06:56:00 | Computer Name = SLISI-L3C5814 | Source = SideBySide | ID = 16842811
    Description = Generate Activation Context failed for C:\Documents and Settings\Cheenso\My
    Documents\Downloads\msert.exe. Reference error message: The operation completed
    successfully. .

    Error - 16/09/2011 06:56:09 | Computer Name = SLISI-L3C5814 | Source = SideBySide | ID = 16842810
    Description = Syntax error in manifest or policy file "C:\Documents and Settings\Cheenso\My
    Documents\Downloads\msert.exe" on line 0.

    Error - 16/09/2011 06:56:09 | Computer Name = SLISI-L3C5814 | Source = SideBySide | ID = 16842811
    Description = Generate Activation Context failed for C:\Documents and Settings\Cheenso\My
    Documents\Downloads\msert.exe. Reference error message: The operation completed
    successfully. .

    Error - 16/09/2011 06:56:32 | Computer Name = SLISI-L3C5814 | Source = SideBySide | ID = 16842810
    Description = Syntax error in manifest or policy file "C:\Documents and Settings\Cheenso\My
    Documents\Downloads\msert.exe" on line 0.

    Error - 16/09/2011 06:56:32 | Computer Name = SLISI-L3C5814 | Source = SideBySide | ID = 16842811
    Description = Generate Activation Context failed for C:\Documents and Settings\Cheenso\My
    Documents\Downloads\msert.exe. Reference error message: The operation completed
    successfully. .


    < End of report >


    OTL logfile created on: 16/09/2011 12:02:35 - Run 1
    OTL by OldTimer - Version 3.2.28.0 Folder = C:\Documents and Settings\Cheenso\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    3.00 Gb Total Physical Memory | 1.87 Gb Available Physical Memory | 62.41% Memory free
    7.34 Gb Paging File | 6.26 Gb Available in Paging File | 85.34% Paging File free
    Paging file location(s): C:\pagefile.sys 4605 5000 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 19.53 Gb Total Space | 1.47 Gb Free Space | 7.54% Space Free | Partition Type: NTFS
    Drive D: | 107.69 Gb Total Space | 80.04 Gb Free Space | 74.32% Space Free | Partition Type: NTFS
    Drive F: | 102.39 Gb Total Space | 102.29 Gb Free Space | 99.91% Space Free | Partition Type: NTFS

    Computer Name: SLISI-L3C5814 | User Name: Cheenso | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/09/16 12:01:07 | 000,581,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cheenso\My Documents\Downloads\OTL.exe
    PRC - [2011/09/16 11:27:03 | 000,113,664 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki37055.exe
    PRC - [2011/09/16 11:26:17 | 000,113,152 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\YgRORQe.exe
    PRC - [2011/09/16 11:26:17 | 000,113,152 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki37010.exe
    PRC - [2011/09/16 11:21:49 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki36742.exe
    PRC - [2011/09/16 11:21:37 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki36729.exe
    PRC - [2011/09/16 11:21:32 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki36725.exe
    PRC - [2011/09/16 11:21:31 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki36724.exe
    PRC - [2011/09/16 11:21:25 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki36718.exe
    PRC - [2011/09/16 01:13:01 | 000,114,696 | ---- | M] (MadrasAddison Orestes FrenchSophia AmmanBeijing) -- C:\Program Files\QuickTime\QTTask .exe
    PRC - [2011/09/15 23:47:11 | 000,114,692 | ---- | M] (MadrasAddison Orestes FrenchSophia AmmanBeijing) -- C:\Program Files\real\realplayer\Update\realsched.exe
    PRC - [2011/09/15 23:47:11 | 000,114,692 | ---- | M] (MadrasAddison Orestes FrenchSophia AmmanBeijing) -- C:\Program Files\ClamWin\bin\ClamTray.exe
    PRC - [2011/09/15 23:47:10 | 000,114,692 | ---- | M] (MadrasAddison Orestes FrenchSophia AmmanBeijing) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    PRC - [2011/09/15 23:47:10 | 000,114,692 | ---- | M] (MadrasAddison Orestes FrenchSophia AmmanBeijing) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    PRC - [2011/09/15 23:47:10 | 000,114,692 | ---- | M] (MadrasAddison Orestes FrenchSophia AmmanBeijing) -- C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    PRC - [2011/09/15 23:46:45 | 000,034,304 | ---- | M] () -- C:\WINDOWS\Temp\ymodpn\setup.exe
    PRC - [2011/09/07 17:57:56 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2011/02/16 00:34:50 | 000,086,016 | ---- | M] (alch) -- C:\Program Files\ClamWin\bin\ClamTray .exe
    PRC - [2010/11/19 19:17:33 | 000,274,608 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\real\realplayer\Update\realsched .exe
    PRC - [2010/09/24 03:10:52 | 000,421,160 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper .exe
    PRC - [2010/06/07 15:20:37 | 000,208,896 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\Cheenso\Local Settings\Temp\RtkBtMnt.exe
    PRC - [2009/09/17 20:11:02 | 001,565,992 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    PRC - [2008/04/14 01:12:31 | 000,017,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ping.exe
    PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/03/06 16:47:02 | 000,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
    PRC - [2007/03/06 16:44:48 | 000,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
    PRC - [2007/03/06 16:40:30 | 000,487,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/09/16 11:27:03 | 000,113,664 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki37055.exe
    MOD - [2011/09/16 11:26:17 | 000,113,152 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\YgRORQe.exe
    MOD - [2011/09/16 11:26:17 | 000,113,152 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki37010.exe
    MOD - [2011/09/16 11:21:49 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki36742.exe
    MOD - [2011/09/16 11:21:37 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki36729.exe
    MOD - [2011/09/16 11:21:32 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki36725.exe
    MOD - [2011/09/16 11:21:31 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki36724.exe
    MOD - [2011/09/16 11:21:25 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Temp\hki36718.exe
    MOD - [2011/09/15 23:46:45 | 000,034,304 | ---- | M] () -- C:\WINDOWS\Temp\ymodpn\setup.exe
    MOD - [2011/09/07 17:57:58 | 001,000,920 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll
    MOD - [2011/08/16 23:24:22 | 006,277,280 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    MOD - [2011/08/12 19:41:58 | 011,800,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\40893760431f8f0dcce3e18630e45b23\System.Web.ni.dll
    MOD - [2011/08/11 19:40:54 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\10154dcad2d62f226af2fd4211460a4b\System.Xml.ni.dll
    MOD - [2011/08/11 19:40:31 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d00cc387e462e4c3cdcd112b137cac87\System.Windows.Forms.ni.dll
    MOD - [2011/08/11 19:40:09 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\7ed09623172a292eaee51e2e3bcaf784\System.Drawing.ni.dll
    MOD - [2011/08/11 19:37:06 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e6c79e1d71b0c9000afd7e5e439b5c54\System.ni.dll
    MOD - [2011/08/11 19:34:11 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
    MOD - [2011/06/20 18:25:18 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
    MOD - [2011/05/26 13:42:00 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2010/05/12 16:43:52 | 000,253,952 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Runtime\2.0.3050.37221__90ba9c70f846762e\CLI.Caste.Graphics.Runtime.dll
    MOD - [2010/05/12 16:43:52 | 000,040,960 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Wizard\2.0.3050.37253__90ba9c70f846762e\CLI.Caste.Graphics.Wizard.dll
    MOD - [2010/05/12 16:43:51 | 001,679,360 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysManager.Graphics.Wizard\2.0.3050.37261__90ba9c70f846762e\CLI.Aspect.DisplaysManager.Graphics.Wizard.dll
    MOD - [2010/05/12 16:43:51 | 000,364,544 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Wizard\2.0.3050.37453__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Wizard.dll
    MOD - [2010/05/12 16:43:51 | 000,196,608 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.InfoCentre.Graphics.Wizard\2.0.3050.37274__90ba9c70f846762e\CLI.Aspect.InfoCentre.Graphics.Wizard.dll
    MOD - [2010/05/12 16:43:51 | 000,077,824 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Runtime\2.0.3050.37446__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Runtime.dll
    MOD - [2010/05/12 16:43:51 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.HotkeysHandling.Graphics.Runtime\2.0.3050.37240__90ba9c70f846762e\CLI.Aspect.HotkeysHandling.Graphics.Runtime.dll
    MOD - [2010/05/12 16:43:50 | 000,065,536 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCV.Graphics.Runtime\2.0.3050.37411__90ba9c70f846762e\CLI.Aspect.DeviceCV.Graphics.Runtime.dll
    MOD - [2010/05/12 16:43:50 | 000,036,864 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceProperty.Graphics.Runtime\2.0.3050.37370__90ba9c70f846762e\CLI.Aspect.DeviceProperty.Graphics.Runtime.dll
    MOD - [2010/05/12 16:43:47 | 000,483,328 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.TransCode.Graphics.Wizard\2.0.3050.37475__90ba9c70f846762e\CLI.Aspect.TransCode.Graphics.Wizard.dll
    MOD - [2010/05/12 16:42:46 | 000,135,168 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Welcome.Graphics.Dashboard\2.0.3050.37482__90ba9c70f846762e\CLI.Aspect.Welcome.Graphics.Dashboard.dll
    MOD - [2010/05/12 16:42:46 | 000,073,728 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Dashboard\2.0.3050.37234__90ba9c70f846762e\CLI.Caste.Graphics.Dashboard.dll
    MOD - [2010/05/12 16:42:45 | 000,090,112 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Radeon3D.Graphics.Wizard\2.0.3050.37425__90ba9c70f846762e\CLI.Aspect.Radeon3D.Graphics.Wizard.dll
    MOD - [2010/05/12 16:42:36 | 000,217,088 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.InfoCentre.Graphics.Dashboard\2.0.3050.37281__90ba9c70f846762e\CLI.Aspect.InfoCentre.Graphics.Dashboard.dll
    MOD - [2010/05/12 16:42:35 | 000,438,272 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysManager.Graphics.Dashboard\2.0.3050.37241__90ba9c70f846762e\CLI.Aspect.DisplaysManager.Graphics.Dashboard.dll
    MOD - [2010/05/12 16:42:34 | 000,901,120 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Dashboard\2.0.3050.37448__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Dashboard.dll
    MOD - [2010/05/12 16:42:34 | 000,401,408 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceLCD.Graphics.Dashboard\2.0.3050.37405__90ba9c70f846762e\CLI.Aspect.DeviceLCD.Graphics.Dashboard.dll
    MOD - [2010/05/12 16:42:34 | 000,307,200 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceLCD.Graphics.Wizard\2.0.3050.37293__90ba9c70f846762e\CLI.Aspect.DeviceLCD.Graphics.Wizard.dll
    MOD - [2010/05/12 16:42:34 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceLCD.Graphics.Runtime\2.0.3050.37404__90ba9c70f846762e\CLI.Aspect.DeviceLCD.Graphics.Runtime.dll
    MOD - [2010/05/12 16:42:33 | 000,479,232 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCRT.Graphics.Dashboard\2.0.3050.37372__90ba9c70f846762e\CLI.Aspect.DeviceCRT.Graphics.Dashboard.dll
    MOD - [2010/05/12 16:42:33 | 000,446,464 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceDFP.Graphics.Dashboard\2.0.3050.37365__90ba9c70f846762e\CLI.Aspect.DeviceDFP.Graphics.Dashboard.dll
    MOD - [2010/05/12 16:42:33 | 000,061,440 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceDFP.Graphics.Runtime\2.0.3050.37371__90ba9c70f846762e\CLI.Aspect.DeviceDFP.Graphics.Runtime.dll
    MOD - [2010/05/12 16:42:32 | 000,040,960 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCRT.Graphics.Runtime\2.0.3050.37377__90ba9c70f846762e\CLI.Aspect.DeviceCRT.Graphics.Runtime.dll
    MOD - [2010/05/12 16:42:32 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.Hotkeys.Shared\2.0.2939.23687__90ba9c70f846762e\AEM.Plugin.Hotkeys.Shared.dll
    MOD - [2010/05/12 16:42:32 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\AEM.Actions.CCAA.Shared\2.0.2939.23679__90ba9c70f846762e\AEM.Actions.CCAA.Shared.dll
    MOD - [2010/05/12 16:42:32 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.EEU.Shared\2.0.2939.23710__90ba9c70f846762e\AEM.Plugin.EEU.Shared.dll
    MOD - [2010/05/12 16:42:31 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.GD.Shared\2.0.2939.23767__90ba9c70f846762e\AEM.Plugin.GD.Shared.dll
    MOD - [2010/05/12 16:42:31 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.DPPE.Shared\2.0.2939.23768__90ba9c70f846762e\AEM.Plugin.DPPE.Shared.dll
    MOD - [2010/05/12 16:42:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\atixclib\1.0.0.0__90ba9c70f846762e\atixclib.dll
    MOD - [2010/05/12 16:42:30 | 000,024,576 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\NEWAEM.Foundation\2.0.2939.23667__90ba9c70f846762e\NEWAEM.Foundation.dll
    MOD - [2010/05/12 16:42:29 | 000,053,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Foundation\2.0.2939.23668__90ba9c70f846762e\CLI.Foundation.dll
    MOD - [2010/05/12 16:42:29 | 000,045,056 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\DEM.Graphics.I0601\2.0.2573.17685__90ba9c70f846762e\DEM.Graphics.I0601.dll
    MOD - [2010/05/12 16:42:29 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation\2.0.2939.23662__90ba9c70f846762e\LOG.Foundation.dll
    MOD - [2010/05/12 16:42:29 | 000,028,672 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Foundation.XManifest\2.0.2939.23802__90ba9c70f846762e\CLI.Foundation.XManifest.dll
    MOD - [2010/05/12 16:42:29 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\DEM.OS.I0602\2.0.2939.23717__90ba9c70f846762e\DEM.OS.I0602.dll
    MOD - [2010/05/12 16:42:29 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\MOM.Foundation\2.0.2939.23707__90ba9c70f846762e\MOM.Foundation.dll
    MOD - [2010/05/12 16:42:29 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\DEM.OS\2.0.2939.23717__90ba9c70f846762e\DEM.OS.dll
    MOD - [2010/05/12 16:42:29 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\DEM.Graphics.I0706\2.0.2743.23304__90ba9c70f846762e\DEM.Graphics.I0706.dll
    MOD - [2010/05/12 16:42:29 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\DEM.Graphics\2.0.2939.23718__90ba9c70f846762e\DEM.Graphics.dll
    MOD - [2010/05/12 16:42:29 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\DEM.Foundation\2.0.2573.17684__90ba9c70f846762e\DEM.Foundation.dll
    MOD - [2010/05/12 16:42:28 | 000,053,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Shared\2.0.2939.23689__90ba9c70f846762e\CLI.Caste.Graphics.Shared.dll
    MOD - [2010/05/12 16:42:28 | 000,040,960 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.TransCode.Graphics.Shared\2.0.2939.23764__90ba9c70f846762e\CLI.Aspect.TransCode.Graphics.Shared.dll
    MOD - [2010/05/12 16:42:28 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Wizard.Shared\2.0.2939.23693__90ba9c70f846762e\CLI.Component.Wizard.Shared.dll
    MOD - [2010/05/12 16:42:28 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard.Shared\2.0.2939.23687__90ba9c70f846762e\CLI.Component.Dashboard.Shared.dll
    MOD - [2010/05/12 16:42:28 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Client.Shared\2.0.2939.23679__90ba9c70f846762e\CLI.Component.Client.Shared.dll
    MOD - [2010/05/12 16:42:28 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime.Shared\2.0.2939.23688__90ba9c70f846762e\CLI.Component.Runtime.Shared.dll
    MOD - [2010/05/12 16:42:28 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Wizard.Shared\2.0.2939.23734__90ba9c70f846762e\CLI.Caste.Graphics.Wizard.Shared.dll
    MOD - [2010/05/12 16:42:28 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Dashboard.Shared\2.0.2939.23718__90ba9c70f846762e\CLI.Caste.Graphics.Dashboard.Shared.dll
    MOD - [2010/05/12 16:42:27 | 000,053,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Radeon3D.Graphics.Shared\2.0.2939.23743__90ba9c70f846762e\CLI.Aspect.Radeon3D.Graphics.Shared.dll
    MOD - [2010/05/12 16:42:25 | 000,065,536 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Shared\2.0.2965.22300__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Shared.dll
    MOD - [2010/05/12 16:42:25 | 000,045,056 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceDFP.Graphics.Shared\2.0.2939.23738__90ba9c70f846762e\CLI.Aspect.DeviceDFP.Graphics.Shared.dll
    MOD - [2010/05/12 16:42:25 | 000,040,960 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCV.Graphics.Shared\2.0.2939.23742__90ba9c70f846762e\CLI.Aspect.DeviceCV.Graphics.Shared.dll
    MOD - [2010/05/12 16:42:25 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceProperty.Graphics.Shared\2.0.2939.23708__90ba9c70f846762e\CLI.Aspect.DeviceProperty.Graphics.Shared.dll
    MOD - [2010/05/12 16:42:25 | 000,028,672 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceLCD.Graphics.Shared\2.0.2939.23719__90ba9c70f846762e\CLI.Aspect.DeviceLCD.Graphics.Shared.dll
    MOD - [2010/05/12 16:42:25 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.HotkeysHandling.Graphics.Shared\2.0.2939.23719__90ba9c70f846762e\CLI.Aspect.HotkeysHandling.Graphics.Shared.dll
    MOD - [2010/05/12 16:42:24 | 000,053,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCRT.Graphics.Shared\2.0.2939.23739__90ba9c70f846762e\CLI.Aspect.DeviceCRT.Graphics.Shared.dll
    MOD - [2010/05/12 16:42:24 | 000,024,576 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.CustomFormats.Graphics.Shared\2.0.2939.23711__90ba9c70f846762e\CLI.Aspect.CustomFormats.Graphics.Shared.dll
    MOD - [2010/05/12 16:42:24 | 000,024,576 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\AEM.Foundation\2.0.2939.23665__90ba9c70f846762e\AEM.Foundation.dll
    MOD - [2010/05/12 16:42:24 | 000,024,576 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\ACE.Graphics.DisplaysManager.Shared\2.0.2573.17685__90ba9c70f846762e\ACE.Graphics.DisplaysManager.Shared.dll
    MOD - [2010/05/12 16:42:24 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\APM.Foundation\2.0.2939.23709__90ba9c70f846762e\APM.Foundation.dll
    MOD - [2010/05/12 16:42:24 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\AEM.Server.Shared\2.0.2939.23687__90ba9c70f846762e\AEM.Server.Shared.dll
    MOD - [2010/05/12 16:42:02 | 000,040,960 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.Source.Kit.Server\2.0.3050.37493__90ba9c70f846762e\AEM.Plugin.Source.Kit.Server.dll
    MOD - [2010/05/12 16:42:02 | 000,006,656 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime.Extension.EEU\2.0.3050.37214__90ba9c70f846762e\CLI.Component.Runtime.Extension.EEU.dll
    MOD - [2010/05/12 16:42:01 | 000,102,400 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\MOM.Implementation\2.0.3050.37467__90ba9c70f846762e\MOM.Implementation.dll
    MOD - [2010/05/12 16:42:01 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Private\2.0.2939.23679__90ba9c70f846762e\LOG.Foundation.Private.dll
    MOD - [2010/05/12 16:42:01 | 000,016,384 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOCALIZATION.Foundation.Private\2.0.2939.23677__90ba9c70f846762e\LOCALIZATION.Foundation.Private.dll
    MOD - [2010/05/12 16:42:00 | 000,491,520 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Wizard\2.0.3050.37248__90ba9c70f846762e\CLI.Component.Wizard.dll
    MOD - [2010/05/12 16:42:00 | 000,061,440 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Implementation\2.0.3050.37466__90ba9c70f846762e\LOG.Foundation.Implementation.dll
    MOD - [2010/05/12 16:42:00 | 000,040,960 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Foundation.Private\2.0.2939.23678__90ba9c70f846762e\CLI.Foundation.Private.dll
    MOD - [2010/05/12 16:42:00 | 000,024,576 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Wizard.Shared.Private\2.0.2939.23694__90ba9c70f846762e\CLI.Component.Wizard.Shared.Private.dll
    MOD - [2010/05/12 16:42:00 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Implementation.Private\2.0.2939.23712__90ba9c70f846762e\LOG.Foundation.Implementation.Private.dll
    MOD - [2010/05/12 16:41:59 | 000,073,728 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime\2.0.3050.37214__90ba9c70f846762e\CLI.Component.Runtime.dll
    MOD - [2010/05/12 16:41:59 | 000,045,056 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime.Shared.Private\2.0.2939.23713__90ba9c70f846762e\CLI.Component.Runtime.Shared.Private.dll
    MOD - [2010/05/12 16:41:58 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard.Shared.Private\2.0.2939.23711__90ba9c70f846762e\CLI.Component.Dashboard.Shared.Private.dll
    MOD - [2010/05/12 16:41:57 | 001,511,424 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard\2.0.3050.37228__90ba9c70f846762e\CLI.Component.Dashboard.dll
    MOD - [2010/05/12 16:41:57 | 000,065,536 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\ATIDEMOS\2.0.3050.37215__90ba9c70f846762e\ATIDEMOS.dll
    MOD - [2010/05/12 16:41:57 | 000,040,960 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Client.Shared.Private\2.0.2939.23689__90ba9c70f846762e\CLI.Component.Client.Shared.Private.dll
    MOD - [2010/05/12 16:41:57 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CCC.Implementation\2.0.3050.37467__90ba9c70f846762e\CCC.Implementation.dll
    MOD - [2010/05/12 16:41:57 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\ATICCCom\2.0.0.0__90ba9c70f846762e\ATICCCom.dll
    MOD - [2010/05/12 16:41:57 | 000,020,480 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Runtime.Shared.Private\2.0.2939.23746__90ba9c70f846762e\CLI.Caste.Graphics.Runtime.Shared.Private.dll
    MOD - [2010/05/12 16:41:56 | 000,053,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\APM.Server\2.0.3050.37213__90ba9c70f846762e\APM.Server.dll
    MOD - [2010/05/12 16:41:56 | 000,045,056 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\AEM.Server\2.0.3050.37213__90ba9c70f846762e\AEM.Server.dll
    MOD - [2010/02/05 19:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
    MOD - [2008/04/19 16:35:02 | 000,081,920 | ---- | M] () -- C:\Program Files\ClamWin\bin\ExpShell.dll
    MOD - [2008/04/14 01:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
    MOD - [2008/04/14 01:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
    MOD - [2008/02/04 13:29:02 | 000,688,128 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
    MOD - [2007/03/06 16:40:04 | 000,118,784 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll
    MOD - [2006/10/17 17:13:20 | 001,167,360 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\acAuth.dll
    MOD - [2005/02/08 17:23:10 | 000,979,005 | ---- | M] () -- C:\Program Files\ClamWin\bin\python23.dll
    MOD - [2004/11/20 03:27:54 | 000,106,496 | ---- | M] () -- C:\Program Files\ClamWin\lib\shell.pyd
    MOD - [2004/11/20 03:27:54 | 000,086,016 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32gui.pyd
    MOD - [2004/11/20 03:27:54 | 000,077,824 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32file.pyd
    MOD - [2004/11/20 03:27:54 | 000,069,632 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32api.pyd
    MOD - [2004/11/20 03:27:54 | 000,065,536 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32security.pyd
    MOD - [2004/11/20 03:27:54 | 000,036,864 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32process.pyd
    MOD - [2004/11/20 03:27:54 | 000,024,576 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32pipe.pyd
    MOD - [2004/11/20 03:27:54 | 000,024,576 | ---- | M] () -- C:\Program Files\ClamWin\lib\win32event.pyd
    MOD - [2004/10/11 20:22:18 | 000,315,392 | ---- | M] () -- C:\Program Files\ClamWin\lib\pythoncom23.dll
    MOD - [2004/10/11 20:21:26 | 000,094,208 | ---- | M] () -- C:\Program Files\ClamWin\lib\pywintypes23.dll
    MOD - [2004/05/25 21:20:30 | 000,036,864 | ---- | M] () -- C:\Program Files\ClamWin\lib\_winreg.pyd
    MOD - [2004/05/25 21:19:32 | 000,045,117 | ---- | M] () -- C:\Program Files\ClamWin\lib\datetime.pyd
    MOD - [2004/05/25 21:18:42 | 000,495,616 | ---- | M] () -- C:\Program Files\ClamWin\lib\_ssl.pyd
    MOD - [2004/05/25 21:18:28 | 000,057,401 | ---- | M] () -- C:\Program Files\ClamWin\lib\_sre.pyd
    MOD - [2004/05/25 21:18:20 | 000,049,212 | ---- | M] () -- C:\Program Files\ClamWin\lib\_socket.pyd
    MOD - [2004/05/25 21:17:14 | 000,622,651 | ---- | M] () -- C:\Program Files\ClamWin\lib\_bsddb.pyd
    MOD - [2004/01/15 14:45:22 | 000,061,440 | ---- | M] () -- C:\Program Files\ClamWin\lib\_ctypes.pyd
    MOD - [2003/10/01 13:40:00 | 002,240,512 | ---- | M] () -- C:\Program Files\ClamWin\lib\wxc.pyd
    MOD - [2003/10/01 11:43:02 | 003,239,936 | ---- | M] () -- C:\Program Files\ClamWin\lib\wxmsw24h.dll
    MOD - [2003/08/10 09:14:40 | 000,061,440 | ---- | M] () -- C:\Program Files\ClamWin\lib\mxDateTime.pyd


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- -- (McComponentHostService)
    SRV - [2011/09/15 23:46:45 | 000,034,304 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\TEMP\ymodpn\setup.exe -- (AMService)


    ========== Driver Services (SafeList) ==========

    DRV - [2010/03/30 23:38:26 | 000,020,968 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\cpuz133_x32.sys -- (cpuz133)
    DRV - [2008/06/03 13:37:04 | 000,005,632 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hidshim.sys -- (hidshim)
    DRV - [2008/06/03 13:37:00 | 000,023,040 | ---- | M] (Winbond Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winbondhidcir.sys -- (winbondhidcir)
    DRV - [2008/05/09 01:00:00 | 002,880,512 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2007/07/20 18:40:10 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
    DRV - [2007/05/30 20:04:56 | 004,424,192 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2007/04/27 04:01:34 | 002,203,520 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel(R)
    DRV - [2007/03/21 22:02:04 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
    DRV - [2007/03/01 22:22:04 | 000,988,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
    DRV - [2007/03/01 22:21:24 | 000,210,688 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
    DRV - [2007/03/01 22:21:22 | 000,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2007/02/24 14:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2007/02/21 12:16:12 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
    DRV - [2007/02/16 15:46:42 | 000,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2007/01/23 16:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
    DRV - [2006/12/28 12:44:44 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdAud.sys -- (HdAudAddService)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "www.google.ie"
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.1

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.609: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.609: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.609: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.609: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/11/19 19:19:02 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.22\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/07 17:58:32 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.22\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/07 17:58:32 | 000,000,000 | ---D | M]

    [2010/05/05 19:12:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Cheenso\Application Data\Mozilla\Extensions
    [2011/09/15 21:02:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Cheenso\Application Data\Mozilla\Firefox\Profiles\kkqyf2hi.default\extensions
    [2010/08/03 01:20:44 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Cheenso\Application Data\Mozilla\Firefox\Profiles\kkqyf2hi.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/08/02 18:15:41 | 000,000,000 | ---D | M] (FB Chat Sidebar Disabler) -- C:\Documents and Settings\Cheenso\Application Data\Mozilla\Firefox\Profiles\kkqyf2hi.default\extensions\fbsidebardisabler@vittgam.net
    [2010/05/05 19:12:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2010/11/19 19:19:02 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
    [2010/05/05 18:52:02 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/03/12 03:48:15 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2011/03/12 03:48:15 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2011/03/12 03:48:15 | 000,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2011/03/12 03:48:16 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2010/06/07 14:05:05 | 000,403,666 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 127.0.0.1 www.007guard.com
    O1 - Hosts: 127.0.0.1 007guard.com
    O1 - Hosts: 127.0.0.1 008i.com
    O1 - Hosts: 127.0.0.1 www.008k.com
    O1 - Hosts: 127.0.0.1 008k.com
    O1 - Hosts: 127.0.0.1 www.00hq.com
    O1 - Hosts: 127.0.0.1 00hq.com
    O1 - Hosts: 127.0.0.1 010402.com
    O1 - Hosts: 127.0.0.1 www.032439.com
    O1 - Hosts: 127.0.0.1 032439.com
    O1 - Hosts: 127.0.0.1 www.0scan.com
    O1 - Hosts: 127.0.0.1 0scan.com
    O1 - Hosts: 127.0.0.1 1000gratisproben.com
    O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
    O1 - Hosts: 127.0.0.1 1001namen.com
    O1 - Hosts: 127.0.0.1 www.1001namen.com
    O1 - Hosts: 127.0.0.1 100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100sexlinks.com
    O1 - Hosts: 127.0.0.1 100sexlinks.com
    O1 - Hosts: 127.0.0.1 10sek.com
    O1 - Hosts: 127.0.0.1 www.10sek.com
    O1 - Hosts: 127.0.0.1 www.1-2005-search.com
    O1 - Hosts: 127.0.0.1 1-2005-search.com
    O1 - Hosts: 13964 more lines...
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (MadrasAddison Orestes FrenchSophia AmmanBeijing)
    O4 - HKLM..\Run: [ClamWin] C:\Program Files\ClamWin\bin\ClamTray.exe (MadrasAddison Orestes FrenchSophia AmmanBeijing)
    O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (MadrasAddison Orestes FrenchSophia AmmanBeijing)
    O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (MadrasAddison Orestes FrenchSophia AmmanBeijing)
    O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask .exe (MadrasAddison Orestes FrenchSophia AmmanBeijing)
    O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (MadrasAddison Orestes FrenchSophia AmmanBeijing)
    O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (MadrasAddison Orestes FrenchSophia AmmanBeijing)
    O4 - HKCU..\Run: [Ngoyocijezowe] C:\WINDOWS\kpdh32.dll (Development Company, L.P.)
    O4 - HKLM..\RunOnce: [*evtsstreamntfs.exe] C:\WINDOWS\evtsstreamntfs.exe (My© Systems)
    O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
    O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7DF72FBF-1F11-44BD-8E6F-CC870E4704E1}: DhcpNameServer = 192.168.1.254
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\Cheenso\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Cheenso\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/05/05 17:52:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O33 - MountPoints2\{a2710141-8033-11df-bb87-001e68915d89}\Shell - "" = AutoRun
    O33 - MountPoints2\{a2710141-8033-11df-bb87-001e68915d89}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{a2710141-8033-11df-bb87-001e68915d89}\Shell\AutoRun\command - "" = G:\AutoRun.exe
    O33 - MountPoints2\{a2710145-8033-11df-bb87-001e68915d89}\Shell - "" = AutoRun
    O33 - MountPoints2\{a2710145-8033-11df-bb87-001e68915d89}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{a2710145-8033-11df-bb87-001e68915d89}\Shell\AutoRun\command - "" = G:\AutoRun.exe
    O33 - MountPoints2\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\Shell - "" = AutoRun
    O33 - MountPoints2\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\Shell\AutoRun\command - "" = G:\LaunchU3.exe
    O33 - MountPoints2\G\Shell - "" = AutoRun
    O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/09/16 11:32:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2011/09/16 01:17:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cheenso\Desktop\System files for xp
    [2011/09/16 01:11:48 | 000,209,920 | ---- | C] (My© Systems) -- C:\WINDOWS\evtsstreamntfs.exe
    [2011/09/15 23:36:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cheenso\Application Data\0AEBE2FD6199C0BF6126DA57424DB8F4
    [2011/09/15 03:39:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cheenso\Application Data\U3
    [2011/09/08 21:38:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cheenso\.jenny
    [2011/09/03 11:17:37 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
    [2011/08/20 17:19:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
    [2011/08/20 17:09:41 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
    [2011/08/20 16:53:25 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
    [2011/08/20 16:46:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
    [2011/08/20 16:44:13 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
    [2011/08/20 16:41:00 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
    [2011/08/20 16:38:24 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/09/16 11:37:20 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/09/16 11:36:32 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-2052111302-839522115-1003.job
    [2011/09/16 11:36:30 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-2052111302-839522115-1003.job
    [2011/09/16 11:36:11 | 000,00


Comments

  • Moderators, Business & Finance Moderators, Regional South Moderators Posts: 6,854 Mod ✭✭✭✭mp22




  • Registered Users, Registered Users 2 Posts: 1,254 ✭✭✭Thatnastyboy


    Thanks for the reply mp22,

    Unfortunately, I have tried these steps, once in safe mode and once in normal boot mode. The rkill MS-DOS program doesn't seem to run properly for me: it opens a black window for a moment, begins initializing and then just disappears. I'm getting an egg timer popping up every few seconds since. I have run Malwarebytes 3 times, twice on full scan and once on quick scan; it has removed several threats each time, but they keep recurring.

    Now every few minutes, IE keeps trying to open and display adyieldmanager sites, but I have knocked IE to offline only so they aren't opening.


    I might add that I am using XP; my laptop is originally Vista but a 'repair man :rolleyes:' put XP on it for me.

    Is there a way to check and see if the virus is still active?


  • Moderators, Business & Finance Moderators, Regional South Moderators Posts: 6,854 Mod ✭✭✭✭mp22


    Sounds like the rkill prog is being blocked; try downloading a renamed copy from the link on the rkill home page, or here: http://www.bleepingcomputer.com/download/anti-virus/rkill


  • Registered Users, Registered Users 2 Posts: 1,254 ✭✭✭Thatnastyboy


    Still no joy, I'm afraid,

    The fake system warnings have begun appearing constantly again,

    Rkill is flashing on and off every 30 seconds or so; it seems like it's being blocked under both filenames.

    The computer is now extremely slow, and I am getting an error message stating that a file is missing or has an incorrect file path; the warning disappears after about 1 second, so I cannot read the file path.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Open OTL and paste this in the custom scan/fixes box:



    :OTL
    SRV - [2011/09/15 23:46:45 | 000,034,304 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\TEMP\ymodpn\setup.exe -- (AMService)
    O4 - HKCU..\Run: [Ngoyocijezowe] C:\WINDOWS\kpdh32.dll (Development Company, L.P.)
    O4 - HKLM..\RunOnce: [*evtsstreamntfs.exe] C:\WINDOWS\evtsstreamntfs.exe (My© Systems)
    O33 - MountPoints2\{a2710141-8033-11df-bb87-001e68915d89}\Shell - "" = AutoRun
    O33 - MountPoints2\{a2710141-8033-11df-bb87-001e68915d89}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{a2710141-8033-11df-bb87-001e68915d89}\Shell\AutoRun\command - "" = G:\AutoRun.exe
    O33 - MountPoints2\{a2710145-8033-11df-bb87-001e68915d89}\Shell - "" = AutoRun
    O33 - MountPoints2\{a2710145-8033-11df-bb87-001e68915d89}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{a2710145-8033-11df-bb87-001e68915d89}\Shell\AutoRun\command - "" = G:\AutoRun.exe
    O33 - MountPoints2\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\Shell - "" = AutoRun
    O33 - MountPoints2\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\Shell\AutoRun\command - "" = G:\LaunchU3.exe
    O33 - MountPoints2\G\Shell - "" = AutoRun
    O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe
    [2011/09/16 01:11:48 | 000,209,920 | ---- | C] (My© Systems) -- C:\WINDOWS\evtsstreamntfs.exe
    [2011/09/16 11:28:11 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\4c57cCJ.dat
    [2011/09/16 11:26:17 | 000,113,152 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\YgRORQe.exe
    [2011/09/16 11:21:54 | 000,038,912 | ---- | M] () -- C:\WINDOWS\System32\YgRORQe.com
    [2011/09/16 11:21:27 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\Local Settings\Application Data\YgRORQe.exe
    [2011/09/16 11:21:25 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Cheenso\YgRORQe.com
    [2011/09/16 01:11:48 | 000,209,920 | ---- | M] (My© Systems) -- C:\WINDOWS\evtsstreamntfs.exe
    [2011/09/15 23:48:03 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\4c57cCJ.dat

    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [CREATERESTOREPOINT]
    [Reboot]
    :Files
    ipconfig /flushdns /c
    C:\WINDOWS\tasks\At*.job


    Click Run Fix.



    Then download and run ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    and post that log here.


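As an added example (not part of the thread, and not OTL's own code), here is a small Python triage pass over OTL-format lines that flags the patterns the fix script above targets: a service or start-up binary under TEMP or Application Data, a RunOnce value with the `*` prefix, an AutoRun command on a mount point, one binary name dropped in several directories, and bulk At*.job tasks. The sample lines are constructed from the shapes in the logs posted above; the Realtek Run entry is a constructed benign line for contrast.

```python
"""Triage of OTL log lines for the persistence patterns seen in this thread.

Added example, not part of the thread or of the OTL tool: the regexes follow
the line shapes in the logs above (SRV, O4 Run/RunOnce, O33 MountPoints2 and
the dated file-listing lines); the sample lines are constructed from them.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample in OTL's format, modelled on the logs posted above.
# The RTHDCPL line is a constructed benign entry used for contrast.
SAMPLE_LOG = r"""
SRV - [2011/09/15 23:46:45 | 000,034,304 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\TEMP\ymodpn\setup.exe -- (AMService)
O4 - HKCU..\Run: [Ngoyocijezowe] C:\WINDOWS\kpdh32.dll (Development Company, L.P.)
O4 - HKLM..\RunOnce: [*evtsstreamntfs.exe] C:\WINDOWS\evtsstreamntfs.exe (My© Systems)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O33 - MountPoints2\{a2710141-8033-11df-bb87-001e68915d89}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe
[2011/09/16 11:26:17 | 000,113,152 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\YgRORQe.exe
[2011/09/16 11:21:54 | 000,038,912 | ---- | M] () -- C:\WINDOWS\System32\YgRORQe.com
[2011/09/16 11:36:32 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\At100.job
[2011/09/16 11:36:33 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\At101.job
[2011/09/16 11:36:34 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\At102.job
"""

# Line shapes as they appear in OTL output.
SRV_RE = re.compile(r'^SRV - .*? -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] '
                   r'(?P<path>[A-Za-z]:\\.+?)(?: \([^)]*\))?$')
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<mp>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<path>.+)$')
FILE_RE = re.compile(r'^\[[^\]]*\] \([^)]*\) -- (?P<path>[A-Za-z]:\\.+)$')
ATJOB_RE = re.compile(r'\\tasks\\At\d+\.job$', re.IGNORECASE)

EXEC_EXT = ('.exe', '.com', '.dll', '.scr', '.bat', '.pif')


def in_staging_dir(path: str) -> bool:
    """True when a binary lives where auto-started software should not:
    a temp folder, Application Data / Local Settings, or a profile root."""
    low = path.lower()
    if any(d in low for d in ('\\temp\\', '\\application data\\', '\\local settings\\')):
        return True
    parts = low.split('\\')
    # C:\Documents and Settings\<user>\file.ext splits into exactly 4 parts
    return len(parts) == 4 and parts[1] == 'documents and settings'


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for the lines of an OTL log."""
    findings: list[tuple[str, str]] = []
    stems: dict[str, set[str]] = defaultdict(set)  # basename stem -> directories seen
    at_jobs: list[str] = []

    def check_binary(path: str, ctx: str) -> None:
        if not path.lower().endswith(EXEC_EXT):
            return
        directory, _, name = path.rpartition('\\')
        stems[name.rsplit('.', 1)[0].lower()].add(directory.lower())
        if in_staging_dir(path):
            findings.append(('executable in staging dir', f'{ctx}: {path}'))

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SRV_RE.match(line):
            check_binary(m['path'], f"SRV {m['name']}")
        elif m := O4_RE.match(line):
            if m['value'].startswith('*'):
                # A '*' prefix makes a RunOnce value execute even in Safe Mode
                findings.append(('RunOnce value runs even in Safe Mode', f"{m['value']} -> {m['path']}"))
            if m['path'].lower().endswith('.dll'):
                findings.append(('Run value references a DLL, not a program', f"{m['value']} -> {m['path']}"))
            check_binary(m['path'], f"O4 {m['hive']} {m['key']}")
        elif m := O33_RE.match(line):
            # Per-volume AutoRun handlers fire when the volume is opened in Explorer
            findings.append(('AutoRun command on a mount point', f"{m['mp']} -> {m['path']}"))
        elif m := FILE_RE.match(line):
            if ATJOB_RE.search(m['path']):
                at_jobs.append(m['path'])
            else:
                check_binary(m['path'], 'file')

    for stem, dirs in stems.items():
        if len(dirs) >= 2:
            findings.append(('same binary name in several directories', f'{stem} x{len(dirs)}'))
    if len(at_jobs) >= 3:
        findings.append(('bulk At*.job scheduled tasks', f'{len(at_jobs)} jobs under \\tasks'))
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'[{rule}] {detail}')
```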
  • Registered Users, Registered Users 2 Posts: 1,254 ✭✭✭Thatnastyboy


    Thanks ASJ112,

    Here's the log from OTL:

    All processes killed
    ========== OTL ==========
    Service AMService stopped successfully!
    Service AMService deleted successfully!
    C:\WINDOWS\Temp\ymodpn\setup.exe moved successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Ngoyocijezowe not found.
    C:\WINDOWS\kpdh32.dll moved successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*evtsstreamntfs.exe not found.
    Invalid CLSID key: *evtsstreamntfs.exe
    File C:\WINDOWS\evtsstreamntfs.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2710141-8033-11df-bb87-001e68915d89}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2710141-8033-11df-bb87-001e68915d89}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2710141-8033-11df-bb87-001e68915d89}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2710141-8033-11df-bb87-001e68915d89}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2710141-8033-11df-bb87-001e68915d89}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2710141-8033-11df-bb87-001e68915d89}\ not found.
    File G:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2710145-8033-11df-bb87-001e68915d89}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2710145-8033-11df-bb87-001e68915d89}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2710145-8033-11df-bb87-001e68915d89}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2710145-8033-11df-bb87-001e68915d89}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2710145-8033-11df-bb87-001e68915d89}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2710145-8033-11df-bb87-001e68915d89}\ not found.
    File G:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c5448d6c-dadf-11e0-bbcb-c2db154e2397}\ not found.
    File G:\LaunchU3.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\ not found.
    File G:\LaunchU3.exe not found.
    File C:\WINDOWS\evtsstreamntfs.exe not found.
    C:\Documents and Settings\All Users\Application Data\4c57cCJ.dat moved successfully.
    C:\Documents and Settings\All Users\Application Data\YgRORQe.exe moved successfully.
    C:\WINDOWS\system32\YgRORQe.com moved successfully.
    C:\Documents and Settings\Cheenso\Local Settings\Application Data\YgRORQe.exe moved successfully.
    C:\Documents and Settings\Cheenso\YgRORQe.com moved successfully.
    File C:\WINDOWS\evtsstreamntfs.exe not found.
    File C:\Documents and Settings\All Users\Application Data\4c57cCJ.dat not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Cheenso
    ->Temp folder emptied: 358765094 bytes
    ->Temporary Internet Files folder emptied: 5950495 bytes
    ->Java cache emptied: 2413 bytes
    ->FireFox cache emptied: 84730811 bytes
    ->Google Chrome cache emptied: 26746521 bytes
    ->Flash cache emptied: 1870 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33664 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 5369741 bytes
    ->Flash cache emptied: 1745 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2162283 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 517964 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 226637665 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 12925 bytes

    Total Files Cleaned = 678.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Cheenso
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: LocalService

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully
    Restore point Set: OTL Restore Point (0)
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Cheenso\My Documents\Downloads\cmd.bat deleted successfully.
    C:\Documents and Settings\Cheenso\My Documents\Downloads\cmd.txt deleted successfully.
    C:\WINDOWS\tasks\At100.job moved successfully.
    C:\WINDOWS\tasks\At101.job moved successfully.
    C:\WINDOWS\tasks\At102.job moved successfully.
    C:\WINDOWS\tasks\At103.job moved successfully.
    C:\WINDOWS\tasks\At104.job moved successfully.
    C:\WINDOWS\tasks\At105.job moved successfully.
    C:\WINDOWS\tasks\At106.job moved successfully.
    C:\WINDOWS\tasks\At107.job moved successfully.
    C:\WINDOWS\tasks\At108.job moved successfully.
    C:\WINDOWS\tasks\At109.job moved successfully.
    C:\WINDOWS\tasks\At110.job moved successfully.
    C:\WINDOWS\tasks\At111.job moved successfully.
    C:\WINDOWS\tasks\At112.job moved successfully.
    C:\WINDOWS\tasks\At113.job moved successfully.
    C:\WINDOWS\tasks\At114.job moved successfully.
    C:\WINDOWS\tasks\At115.job moved successfully.
    C:\WINDOWS\tasks\At116.job moved successfully.
    C:\WINDOWS\tasks\At117.job moved successfully.
    C:\WINDOWS\tasks\At118.job moved successfully.
    C:\WINDOWS\tasks\At119.job moved successfully.
    C:\WINDOWS\tasks\At120.job moved successfully.
    C:\WINDOWS\tasks\At121.job moved successfully.
    C:\WINDOWS\tasks\At122.job moved successfully.
    C:\WINDOWS\tasks\At123.job moved successfully.
    C:\WINDOWS\tasks\At124.job moved successfully.
    C:\WINDOWS\tasks\At125.job moved successfully.
    C:\WINDOWS\tasks\At126.job moved successfully.
    C:\WINDOWS\tasks\At127.job moved successfully.
    C:\WINDOWS\tasks\At128.job moved successfully.
    C:\WINDOWS\tasks\At129.job moved successfully.
    C:\WINDOWS\tasks\At130.job moved successfully.
    C:\WINDOWS\tasks\At131.job moved successfully.
    C:\WINDOWS\tasks\At132.job moved successfully.
    C:\WINDOWS\tasks\At133.job moved successfully.
    C:\WINDOWS\tasks\At134.job moved successfully.
    C:\WINDOWS\tasks\At135.job moved successfully.
    C:\WINDOWS\tasks\At136.job moved successfully.
    C:\WINDOWS\tasks\At137.job moved successfully.
    C:\WINDOWS\tasks\At138.job moved successfully.
    C:\WINDOWS\tasks\At139.job moved successfully.
    C:\WINDOWS\tasks\At140.job moved successfully.
    C:\WINDOWS\tasks\At141.job moved successfully.
    C:\WINDOWS\tasks\At142.job moved successfully.
    C:\WINDOWS\tasks\At143.job moved successfully.
    C:\WINDOWS\tasks\At144.job moved successfully.
    C:\WINDOWS\tasks\At145.job moved successfully.
    C:\WINDOWS\tasks\At146.job moved successfully.
    C:\WINDOWS\tasks\At147.job moved successfully.
    C:\WINDOWS\tasks\At148.job moved successfully.
    C:\WINDOWS\tasks\At149.job moved successfully.
    C:\WINDOWS\tasks\At150.job moved successfully.
    C:\WINDOWS\tasks\At151.job moved successfully.
    C:\WINDOWS\tasks\At152.job moved successfully.
    C:\WINDOWS\tasks\At153.job moved successfully.
    C:\WINDOWS\tasks\At154.job moved successfully.
    C:\WINDOWS\tasks\At155.job moved successfully.
    C:\WINDOWS\tasks\At156.job moved successfully.
    C:\WINDOWS\tasks\At157.job moved successfully.
    C:\WINDOWS\tasks\At158.job moved successfully.
    C:\WINDOWS\tasks\At159.job moved successfully.
    C:\WINDOWS\tasks\At160.job moved successfully.
    C:\WINDOWS\tasks\At161.job moved successfully.
    C:\WINDOWS\tasks\At162.job moved successfully.
    C:\WINDOWS\tasks\At163.job moved successfully.
    C:\WINDOWS\tasks\At164.job moved successfully.
    C:\WINDOWS\tasks\At165.job moved successfully.
    C:\WINDOWS\tasks\At166.job moved successfully.
    C:\WINDOWS\tasks\At167.job moved successfully.
    C:\WINDOWS\tasks\At168.job moved successfully.
    C:\WINDOWS\tasks\At169.job moved successfully.
    C:\WINDOWS\tasks\At170.job moved successfully.
    C:\WINDOWS\tasks\At171.job moved successfully.
    C:\WINDOWS\tasks\At172.job moved successfully.
    C:\WINDOWS\tasks\At173.job moved successfully.
    C:\WINDOWS\tasks\At174.job moved successfully.
    C:\WINDOWS\tasks\At175.job moved successfully.
    C:\WINDOWS\tasks\At176.job moved successfully.
    C:\WINDOWS\tasks\At177.job moved successfully.
    C:\WINDOWS\tasks\At178.job moved successfully.
    C:\WINDOWS\tasks\At179.job moved successfully.
    C:\WINDOWS\tasks\At180.job moved successfully.
    C:\WINDOWS\tasks\At181.job moved successfully.
    C:\WINDOWS\tasks\At182.job moved successfully.
    C:\WINDOWS\tasks\At183.job moved successfully.
    C:\WINDOWS\tasks\At184.job moved successfully.
    C:\WINDOWS\tasks\At185.job moved successfully.
    C:\WINDOWS\tasks\At186.job moved successfully.
    C:\WINDOWS\tasks\At187.job moved successfully.
    C:\WINDOWS\tasks\At188.job moved successfully.
    C:\WINDOWS\tasks\At189.job moved successfully.
    C:\WINDOWS\tasks\At190.job moved successfully.
    C:\WINDOWS\tasks\At191.job moved successfully.
    C:\WINDOWS\tasks\At192.job moved successfully.
    C:\WINDOWS\tasks\At193.job moved successfully.
    C:\WINDOWS\tasks\At194.job moved successfully.
    C:\WINDOWS\tasks\At195.job moved successfully.
    C:\WINDOWS\tasks\At196.job moved successfully.
    C:\WINDOWS\tasks\At197.job moved successfully.
    C:\WINDOWS\tasks\At198.job moved successfully.
    C:\WINDOWS\tasks\At199.job moved successfully.
    C:\WINDOWS\tasks\At200.job moved successfully.
    C:\WINDOWS\tasks\At201.job moved successfully.
    C:\WINDOWS\tasks\At202.job moved successfully.
    C:\WINDOWS\tasks\At203.job moved successfully.
    C:\WINDOWS\tasks\At204.job moved successfully.
    C:\WINDOWS\tasks\At205.job moved successfully.
    C:\WINDOWS\tasks\At206.job moved successfully.
    C:\WINDOWS\tasks\At207.job moved successfully.
    C:\WINDOWS\tasks\At208.job moved successfully.
    C:\WINDOWS\tasks\At209.job moved successfully.
    C:\WINDOWS\tasks\At210.job moved successfully.
    C:\WINDOWS\tasks\At211.job moved successfully.
    C:\WINDOWS\tasks\At212.job moved successfully.
    C:\WINDOWS\tasks\At213.job moved successfully.
    C:\WINDOWS\tasks\At214.job moved successfully.
    C:\WINDOWS\tasks\At215.job moved successfully.
    C:\WINDOWS\tasks\At216.job moved successfully.
    C:\WINDOWS\tasks\At217.job moved successfully.
    C:\WINDOWS\tasks\At218.job moved successfully.
    C:\WINDOWS\tasks\At219.job moved successfully.
    C:\WINDOWS\tasks\At220.job moved successfully.
    C:\WINDOWS\tasks\At221.job moved successfully.
    C:\WINDOWS\tasks\At222.job moved successfully.
    C:\WINDOWS\tasks\At223.job moved successfully.
    C:\WINDOWS\tasks\At224.job moved successfully.
    C:\WINDOWS\tasks\At225.job moved successfully.
    C:\WINDOWS\tasks\At226.job moved successfully.
    C:\WINDOWS\tasks\At227.job moved successfully.
    C:\WINDOWS\tasks\At228.job moved successfully.
    C:\WINDOWS\tasks\At229.job moved successfully.
    C:\WINDOWS\tasks\At230.job moved successfully.
    C:\WINDOWS\tasks\At231.job moved successfully.
    C:\WINDOWS\tasks\At232.job moved successfully.
    C:\WINDOWS\tasks\At233.job moved successfully.
    C:\WINDOWS\tasks\At234.job moved successfully.
    C:\WINDOWS\tasks\At235.job moved successfully.
    C:\WINDOWS\tasks\At236.job moved successfully.
    C:\WINDOWS\tasks\At237.job moved successfully.
    C:\WINDOWS\tasks\At238.job moved successfully.
    C:\WINDOWS\tasks\At239.job moved successfully.
    C:\WINDOWS\tasks\At240.job moved successfully.
    C:\WINDOWS\tasks\At241.job moved successfully.
    C:\WINDOWS\tasks\At242.job moved successfully.
    C:\WINDOWS\tasks\At243.job moved successfully.
    C:\WINDOWS\tasks\At244.job moved successfully.
    C:\WINDOWS\tasks\At245.job moved successfully.
    C:\WINDOWS\tasks\At246.job moved successfully.
    C:\WINDOWS\tasks\At247.job moved successfully.
    C:\WINDOWS\tasks\At248.job moved successfully.
    C:\WINDOWS\tasks\At249.job moved successfully.
    C:\WINDOWS\tasks\At250.job moved successfully.
    C:\WINDOWS\tasks\At251.job moved successfully.
    C:\WINDOWS\tasks\At252.job moved successfully.
    C:\WINDOWS\tasks\At253.job moved successfully.
    C:\WINDOWS\tasks\At254.job moved successfully.
    C:\WINDOWS\tasks\At255.job moved successfully.
    C:\WINDOWS\tasks\At256.job moved successfully.
    C:\WINDOWS\tasks\At257.job moved successfully.
    C:\WINDOWS\tasks\At258.job moved successfully.
    C:\WINDOWS\tasks\At259.job moved successfully.
    C:\WINDOWS\tasks\At26.job moved successfully.
    C:\WINDOWS\tasks\At260.job moved successfully.
    C:\WINDOWS\tasks\At261.job moved successfully.
    C:\WINDOWS\tasks\At262.job moved successfully.
    C:\WINDOWS\tasks\At263.job moved successfully.
    C:\WINDOWS\tasks\At264.job moved successfully.
    C:\WINDOWS\tasks\At265.job moved successfully.
    C:\WINDOWS\tasks\At266.job moved successfully.
    C:\WINDOWS\tasks\At267.job moved successfully.
    C:\WINDOWS\tasks\At268.job moved successfully.
    C:\WINDOWS\tasks\At269.job moved successfully.
    C:\WINDOWS\tasks\At270.job moved successfully.
    C:\WINDOWS\tasks\At271.job moved successfully.
    C:\WINDOWS\tasks\At272.job moved successfully.
    C:\WINDOWS\tasks\At273.job moved successfully.
    C:\WINDOWS\tasks\At274.job moved successfully.
    C:\WINDOWS\tasks\At275.job moved successfully.
    C:\WINDOWS\tasks\At276.job moved successfully.
    C:\WINDOWS\tasks\At277.job moved successfully.
    C:\WINDOWS\tasks\At278.job moved successfully.
    C:\WINDOWS\tasks\At279.job moved successfully.
    C:\WINDOWS\tasks\At28.job moved successfully.
    C:\WINDOWS\tasks\At280.job moved successfully.
    C:\WINDOWS\tasks\At281.job moved successfully.
    C:\WINDOWS\tasks\At282.job moved successfully.
    C:\WINDOWS\tasks\At283.job moved successfully.
    C:\WINDOWS\tasks\At284.job moved successfully.
    C:\WINDOWS\tasks\At285.job moved successfully.
    C:\WINDOWS\tasks\At286.job moved successfully.
    C:\WINDOWS\tasks\At287.job moved successfully.
    C:\WINDOWS\tasks\At288.job moved successfully.
    C:\WINDOWS\tasks\At289.job moved successfully.
    C:\WINDOWS\tasks\At290.job moved successfully.
    C:\WINDOWS\tasks\At291.job moved successfully.
    C:\WINDOWS\tasks\At292.job moved successfully.
    C:\WINDOWS\tasks\At293.job moved successfully.
    C:\WINDOWS\tasks\At294.job moved successfully.
    C:\WINDOWS\tasks\At295.job moved successfully.
    C:\WINDOWS\tasks\At296.job moved successfully.
    C:\WINDOWS\tasks\At297.job moved successfully.
    C:\WINDOWS\tasks\At298.job moved successfully.
    C:\WINDOWS\tasks\At299.job moved successfully.
    C:\WINDOWS\tasks\At30.job moved successfully.
    C:\WINDOWS\tasks\At300.job moved successfully.
    C:\WINDOWS\tasks\At301.job moved successfully.
    C:\WINDOWS\tasks\At302.job moved successfully.
    C:\WINDOWS\tasks\At303.job moved successfully.
    C:\WINDOWS\tasks\At304.job moved successfully.
    C:\WINDOWS\tasks\At305.job moved successfully.
    C:\WINDOWS\tasks\At306.job moved successfully.
    C:\WINDOWS\tasks\At307.job moved successfully.
    C:\WINDOWS\tasks\At308.job moved successfully.
    C:\WINDOWS\tasks\At309.job moved successfully.
    C:\WINDOWS\tasks\At310.job moved successfully.
    C:\WINDOWS\tasks\At311.job moved successfully.
    C:\WINDOWS\tasks\At312.job moved successfully.
    C:\WINDOWS\tasks\At32.job moved successfully.
    C:\WINDOWS\tasks\At34.job moved successfully.
    C:\WINDOWS\tasks\At36.job moved successfully.
    C:\WINDOWS\tasks\At38.job moved successfully.
    C:\WINDOWS\tasks\At40.job moved successfully.
    C:\WINDOWS\tasks\At42.job moved successfully.
    C:\WINDOWS\tasks\At44.job moved successfully.
    C:\WINDOWS\tasks\At46.job moved successfully.
    C:\WINDOWS\tasks\At48.job moved successfully.
    C:\WINDOWS\tasks\At50.job moved successfully.
    C:\WINDOWS\tasks\At52.job moved successfully.
    C:\WINDOWS\tasks\At54.job moved successfully.
    C:\WINDOWS\tasks\At56.job moved successfully.
    C:\WINDOWS\tasks\At58.job moved successfully.
    C:\WINDOWS\tasks\At59.job moved successfully.
    C:\WINDOWS\tasks\At61.job moved successfully.
    C:\WINDOWS\tasks\At62.job moved successfully.
    C:\WINDOWS\tasks\At64.job moved successfully.
    C:\WINDOWS\tasks\At65.job moved successfully.
    C:\WINDOWS\tasks\At66.job moved successfully.
    C:\WINDOWS\tasks\At68.job moved successfully.
    C:\WINDOWS\tasks\At69.job moved successfully.
    C:\WINDOWS\tasks\At71.job moved successfully.
    C:\WINDOWS\tasks\At72.job moved successfully.
    C:\WINDOWS\tasks\At74.job moved successfully.
    C:\WINDOWS\tasks\At75.job moved successfully.
    C:\WINDOWS\tasks\At77.job moved successfully.
    C:\WINDOWS\tasks\At78.job moved successfully.
    C:\WINDOWS\tasks\At80.job moved successfully.
    C:\WINDOWS\tasks\At81.job moved successfully.
    C:\WINDOWS\tasks\At82.job moved successfully.
    C:\WINDOWS\tasks\At83.job moved successfully.
    C:\WINDOWS\tasks\At84.job moved successfully.
    C:\WINDOWS\tasks\At85.job moved successfully.
    C:\WINDOWS\tasks\At86.job moved successfully.
    C:\WINDOWS\tasks\At87.job moved successfully.
    C:\WINDOWS\tasks\At88.job moved successfully.
    C:\WINDOWS\tasks\At89.job moved successfully.
    C:\WINDOWS\tasks\At90.job moved successfully.
    C:\WINDOWS\tasks\At91.job moved successfully.
    C:\WINDOWS\tasks\At92.job moved successfully.
    C:\WINDOWS\tasks\At93.job moved successfully.
    C:\WINDOWS\tasks\At94.job moved successfully.
    C:\WINDOWS\tasks\At95.job moved successfully.
    C:\WINDOWS\tasks\At96.job moved successfully.
    C:\WINDOWS\tasks\At97.job moved successfully.
    C:\WINDOWS\tasks\At98.job moved successfully.
    C:\WINDOWS\tasks\At99.job moved successfully.

    OTL by OldTimer - Version 3.2.28.0 log created on 09162011_230923

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...


    Getting combofix now i will post details when i have them.


  • Registered Users, Registered Users 2 Posts: 1,254 ✭✭✭Thatnastyboy


    ComboFix refuses to run for me; it has failed twice now (got to level 2 and stopped). I'll reinstall tomorrow and try again.


    Could the failure be due to the constant warnings from the virus popping up and disrupting it?


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Rename combofix.exe to explorer.exe.

    Does it run then?

    If not, try running it in safe mode. Chances are the virus could be interfering.


  • Registered Users, Registered Users 2 Posts: 1,254 ✭✭✭Thatnastyboy


    Firstly, thanks again; your help is very much appreciated.

    I ended up having to go into safe mode, where ComboFix seems to have completed its operations.

    Below is the log. Any further instructions?

    ComboFix 11-09-16.01 - Cheenso 17/09/2011 17:38:49.2.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3070.2774 [GMT 1:00]
    Running from: c:\documents and settings\Cheenso\Desktop\explorer.exe.exe
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\ntfsadvproxy.exe
    c:\documents and settings\Cheenso\Application Data\0AEBE2FD6199C0BF6126DA57424DB8F4
    c:\documents and settings\Cheenso\Application Data\0AEBE2FD6199C0BF6126DA57424DB8F4\enemies-names.txt
    c:\documents and settings\Cheenso\Application Data\0AEBE2FD6199C0BF6126DA57424DB8F4\local.ini
    c:\documents and settings\Cheenso\Application Data\0AEBE2FD6199C0BF6126DA57424DB8F4\lsrslt.ini
    c:\documents and settings\Cheenso\Application Data\Adobe\plugs
    c:\documents and settings\Cheenso\Application Data\Adobe\shed
    c:\documents and settings\NetworkService\Local Settings\Application Data\YgRORQe.exe
    c:\windows\Fonts\YgRORQe.com
    c:\windows\system32\config\systemprofile\YgRORQe.com
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-17 to 2011-09-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-16 22:13 . 2011-09-16 10:21 38912 ----a-w- c:\windows\system32\YgRORQe.com
    2011-09-16 22:09 . 2011-09-16 22:09 d-----w- C:\_OTL
    2011-09-16 13:42 . 2010-07-16 13:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
    2011-09-16 13:42 . 2010-07-16 13:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2011-09-16 13:42 . 2011-01-17 08:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2011-09-16 13:42 . 2010-12-10 15:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2011-09-16 13:42 . 2010-12-10 12:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2011-09-16 13:41 . 2010-12-16 07:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2011-09-16 13:41 . 2011-09-16 13:51 d-----w- c:\program files\Common Files\PC Tools
    2011-09-16 13:41 . 2011-09-16 13:41 d-----w- c:\documents and settings\Cheenso\Application Data\PC Tools
    2011-09-16 13:41 . 2011-09-16 15:35 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2011-09-16 13:36 . 2011-09-16 13:42 d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-09-16 13:26 . 2011-09-16 13:26 d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2011-09-16 13:25 . 2011-09-16 13:25 d-sh--w- c:\documents and settings\NetworkService\IECompatCache
    2011-09-15 02:39 . 2011-09-15 02:45 d-----w- c:\documents and settings\Cheenso\Application Data\U3
    2011-09-08 20:38 . 2011-09-09 02:08 d-----w- c:\documents and settings\Cheenso\.jenny
    2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
    2011-08-20 16:09 . 2011-09-15 22:47 d-----w- c:\program files\iTunes
    2011-08-20 15:53 . 2011-08-20 16:19 d-----w- c:\program files\iPod
    2011-08-20 15:44 . 2011-09-16 00:13 d-----w- c:\program files\QuickTime
    2011-08-20 15:41 . 2011-08-20 15:41 d-----w- c:\program files\Apple Software Update
    2011-08-20 15:38 . 2011-08-20 15:38 d-----w- c:\program files\Bonjour
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:12 . 2004-08-03 15:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-31 16:00 . 2010-05-05 17:39 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-16 22:24 . 2011-08-16 22:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-15 13:29 . 2004-08-03 14:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-12 10:20 . 2011-07-12 10:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 10:20 . 2011-07-12 10:20 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-08 14:02 . 2001-08-23 16:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10 . 2010-05-05 16:44 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2004-08-03 15:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 18:36 . 2004-08-03 15:56 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2004-08-03 15:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-23 12:05 . 2004-08-03 13:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-03 15:56 293376 ----a-w- c:\windows\system32\winsrv.dll
    .
    <pre>
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
    c:\program files\ClamWin\bin\ClamTray .exe
    c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
    c:\program files\Intel\Wireless\Bin\ZCfgSvc .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\QuickTime\QTTask  .exe
    c:\program files\real\realplayer\Update\realsched .exe
    c:\program files\Realtek\InstallShield\AzMixerSel .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    </pre>
    
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA&inst=NwA3AC0ANAAxADUAMAAzADgAMAAxADYALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEA&prod=90&ver=9.0.894&quot; [?]
    "*advevtscache.exe"="c:\documents and settings\All Users\Application Data\advevtscache.exe" [N/A]
    "*windevcache.exe"="c:\documents and settings\NetworkService\windevcache.exe" [N/A]
    "*auditbootacl.exe"="c:\documents and settings\All Users\Application Data\auditbootacl.exe" [N/A]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    c:\documents and settings\Cheenso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    c:\program files\iTunes\iTunesHelper.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    c:\program files\QuickTime\QTTask.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 10:43 248040 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [16/09/2011 14:42 239168]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [16/09/2011 14:42 338880]
    S2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [07/06/2010 15:08 20968]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/05/2010 21:28 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [05/05/2010 21:28 135664]
    S3 hidshim;Service for HID-KMDF Shim layer;c:\windows\system32\drivers\hidshim.sys [03/06/2008 13:37 5632]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
    S3 sdAuxService;PC Tools Auxiliary Service;d:\program files\PC Tools Security\pctsAuxs.exe [16/09/2011 14:41 366840]
    S3 winbondhidcir;Winbond HID CIR Receiver;c:\windows\system32\drivers\winbondhidcir.sys [03/06/2008 13:37 23040]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MDMXSDK
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-16 c:\windows\Tasks\At1.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At10.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At11.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At12.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At13.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At14.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At15.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At16.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At17.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-17 c:\windows\Tasks\At18.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At19.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At2.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At20.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At21.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At22.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At23.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At24.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At3.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At4.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At5.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At6.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At7.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At8.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At9.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 20:28]
    .
    2011-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 20:28]
    .
    2011-09-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    2011-09-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-2052111302-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    2011-09-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    2011-09-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-2052111302-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.ie/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Cheenso\Application Data\Mozilla\Firefox\Profiles\kkqyf2hi.default\
    FF - prefs.js: browser.startup.homepage - www.google.ie
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-McAfee Security Scan - c:\program files\McAfee Security Scan\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-17 17:54
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2500BEVS-22UST0 rev.01.01A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8ABE431B
    user & kernel MBR OK
    .
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    .
    - - - - - - - > 'winlogon.exe'(876)
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'lsass.exe'(944)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-09-17 18:01:40
    ComboFix-quarantined-files.txt 2011-09-17 17:01
    .
    Pre-Run: 2,453,028,864 bytes free
    Post-Run: 2,402,054,144 bytes free
    .
    - - End Of File - - EF988F2C5BF77F0F190264E93CED1E07
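
    The ComboFix log above shows three persistence mechanisms together: 24 scheduled tasks named At1 to At24 (the names at.exe gives the jobs it creates) that all launch c:\windows\system32\YgRORQe.com, three RunOnce values whose names start with "*" (the asterisk tells Windows to run the value even in Safe Mode) pointing into Application Data and the NetworkService profile and reported as [N/A], and a block of autostart programs that now exist as "name .exe" with a space before the extension. The Python below is an added example for this page, not part of the thread and not code from ComboFix, OTL or aswMBR; it runs that triage over a constructed excerpt in ComboFix's log format (modelled on the log above, not the complete log). The function names, the "two or more jobs" threshold and the TRUSTED_PREFIXES list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt in ComboFix's log format, modelled on the log posted above.
# It is a sample for this example, not the complete log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*advevtscache.exe"="c:\documents and settings\All Users\Application Data\advevtscache.exe" [N/A]
"*windevcache.exe"="c:\documents and settings\NetworkService\windevcache.exe" [N/A]
.
<pre>
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\QTTask  .exe
</pre>
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-16 c:\windows\Tasks\At1.job
- c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
.
2011-09-16 c:\windows\Tasks\At2.job
- c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
.
2011-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 20:28]
.
"""

JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S+\.job)\s*$", re.I)
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$")
# ComboFix prints RunOnce values as "name"="target" [file info]; a leading '*'
# in the value name makes Windows run it even in Safe Mode.
STAR_RUNONCE_RE = re.compile(r'^"\*(?P<name>[^"]+)"="(?P<target>[^"]+)"\s+\[(?P<info>[^\]]*)\]')
SPACE_EXE_RE = re.compile(r"^(?P<path>.+?\S)\s+\.exe\s*$", re.I)

# Locations from which a RunOnce entry is treated as normal here (an assumption
# for this example, not a ComboFix rule).
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")


def at_jobs_by_target(log: str) -> dict:
    """Map each program launched by an at.exe-style AtN.job to the jobs that launch it."""
    by_target = defaultdict(list)
    lines = [l.strip() for l in log.splitlines()]
    for i, line in enumerate(lines[:-1]):
        m = JOB_RE.match(line)
        if not m:
            continue
        job = m.group("job").rsplit("\\", 1)[-1]
        if not re.fullmatch(r"at\d+\.job", job, re.I):
            continue
        t = TARGET_RE.match(lines[i + 1])  # the "- target [stamp]" line follows the job line
        if t:
            by_target[t.group("target").lower()].append(job)
    return dict(by_target)


def safe_mode_runonce(log: str) -> list:
    """'*'-prefixed RunOnce values whose target lives outside the trusted prefixes."""
    hits = []
    for line in log.splitlines():
        m = STAR_RUNONCE_RE.match(line.strip())
        if m and not m.group("target").lower().startswith(TRUSTED_PREFIXES):
            hits.append((m.group("name"), m.group("target"), m.group("info")))
    return hits


def space_before_exe(log: str) -> list:
    """Autostart binaries ComboFix lists between <pre> tags as 'name .exe'."""
    hits, inside = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.lower() in ("<pre>", "</pre>"):
            inside = s.lower() == "<pre>"
        elif inside and SPACE_EXE_RE.match(s):
            hits.append(s)
    return hits


def triage(log: str) -> list:
    """Human-readable findings, most urgent first."""
    findings = []
    for target, jobs in at_jobs_by_target(log).items():
        # Several At jobs all pointing at one .com/.exe in system32 is the
        # relaunch loop seen in the log above (At1..At24 -> YgRORQe.com).
        if len(jobs) >= 2 and "\\windows\\system32\\" in target and target.endswith((".com", ".exe")):
            findings.append(f"{len(jobs)} At*.job tasks relaunch {target}")
    for name, target, info in safe_mode_runonce(log):
        findings.append(f"RunOnce *{name} -> {target} [{info}] (runs even in Safe Mode)")
    for path in space_before_exe(log):
        findings.append(f"renamed autostart (space before .exe): {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    Run it as a script to print the findings, or import it and feed `triage()` a whole saved ComboFix log. The point of grouping the At jobs by target is that a single odd target shared by many jobs is the signal; deleting the jobs without the target file (or the file without the jobs) leaves the loop intact, which is why the fix script above removes both.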


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Bit more work to do. Try to do this step in normal mode so that ComboFix will install the Recovery Console.


    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\YgRORQe.com
    DirLook::
    c:\documents and settings\Cheenso\.jenny
    Renv::
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
    c:\program files\ClamWin\bin\ClamTray .exe
    c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
    c:\program files\Intel\Wireless\Bin\ZCfgSvc .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\QuickTime\QTTask  .exe
    c:\program files\real\realplayer\Update\realsched .exe
    c:\program files\Realtek\InstallShield\AzMixerSel .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    AtJob::
    ClearJavaCache::
    


    Save it to your desktop as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    http://i35.photobucket.com/albums/d165/ndmmxiaomayi/mayi/CFScript.gif

    This will let ComboFix run again.

    Save the produced logfile to your desktop.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



    Then download aswMBR.exe

    http://public.avast.com/~gmerek/aswMBR.exe

    Double-click aswMBR.exe to run it, then click the "Scan" button to start the scan.

    On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.


  • Registered Users, Registered Users 2 Posts: 1,254 ✭✭✭Thatnastyboy


    Here's the ComboFix log following your instructions above (it worked in normal boot-up mode this time):

    ComboFix 11-09-17.02 - Cheenso 17/09/2011 23:32:40.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3070.2619 [GMT 1:00]
    Running from: c:\documents and settings\Cheenso\Desktop\explorer.exe.exe
    Command switches used :: c:\documents and settings\Cheenso\Desktop\CFScript.txt
    .
    FILE ::
    "c:\windows\system32\YgRORQe.com"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-17 to 2011-09-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-16 22:13 . 2011-09-16 10:21 38912 ----a-w- c:\windows\system32\YgRORQe.com
    2011-09-16 22:09 . 2011-09-16 22:09 -------- d-----w- C:\_OTL
    2011-09-16 13:42 . 2010-07-16 13:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
    2011-09-16 13:42 . 2010-07-16 13:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2011-09-16 13:42 . 2011-01-17 08:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2011-09-16 13:42 . 2010-12-10 15:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2011-09-16 13:42 . 2010-12-10 12:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2011-09-16 13:41 . 2010-12-16 07:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2011-09-16 13:41 . 2011-09-16 13:51 -------- d-----w- c:\program files\Common Files\PC Tools
    2011-09-16 13:41 . 2011-09-16 13:41 -------- d-----w- c:\documents and settings\Cheenso\Application Data\PC Tools
    2011-09-16 13:41 . 2011-09-16 15:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2011-09-16 13:36 . 2011-09-16 13:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-09-16 13:26 . 2011-09-16 13:26 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2011-09-16 13:25 . 2011-09-16 13:25 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
    2011-09-15 02:39 . 2011-09-15 02:45 -------- d-----w- c:\documents and settings\Cheenso\Application Data\U3
    2011-09-08 20:38 . 2011-09-09 02:08 -------- d-----w- c:\documents and settings\Cheenso\.jenny
    2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
    2011-08-20 16:09 . 2011-09-17 22:32 -------- d-----w- c:\program files\iTunes
    2011-08-20 15:53 . 2011-08-20 16:19 -------- d-----w- c:\program files\iPod
    2011-08-20 15:44 . 2011-09-17 22:32 -------- d-----w- c:\program files\QuickTime
    2011-08-20 15:41 . 2011-08-20 15:41 -------- d-----w- c:\program files\Apple Software Update
    2011-08-20 15:38 . 2011-08-20 15:38 -------- d-----w- c:\program files\Bonjour
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:12 . 2004-08-03 15:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-31 16:00 . 2010-05-05 17:39 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-16 22:24 . 2011-08-16 22:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-15 13:29 . 2004-08-03 14:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-12 10:20 . 2011-07-12 10:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 10:20 . 2011-07-12 10:20 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-08 14:02 . 2001-08-23 16:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10 . 2010-05-05 16:44 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2004-08-03 15:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 18:36 . 2004-08-03 15:56 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2004-08-03 15:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-23 12:05 . 2004-08-03 13:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-03 15:56 293376 ----a-w- c:\windows\system32\winsrv.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\documents and settings\Cheenso\.jenny ----
    .
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-09-17_16.54.39 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-09-17 18:43 . 2011-09-17 18:43 16384 c:\windows\temp\Perflib_Perfdata_3fc.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA&inst=NwA3AC0ANAAxADUAMAAzADgAMAAxADYALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEA&prod=90&ver=9.0.894&quot; [?]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-24 02:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 10:43 248040 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [16/09/2011 14:42 239168]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [16/09/2011 14:42 338880]
    R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [07/06/2010 15:08 20968]
    R3 hidshim;Service for HID-KMDF Shim layer;c:\windows\system32\drivers\hidshim.sys [03/06/2008 13:37 5632]
    R3 winbondhidcir;Winbond HID CIR Receiver;c:\windows\system32\drivers\winbondhidcir.sys [03/06/2008 13:37 23040]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/05/2010 21:28 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [05/05/2010 21:28 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
    S3 sdAuxService;PC Tools Auxiliary Service;d:\program files\PC Tools Security\pctsAuxs.exe [16/09/2011 14:41 366840]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-16 c:\windows\Tasks\At1.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At10.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At11.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At12.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At13.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At14.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At15.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At16.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At17.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-17 c:\windows\Tasks\At18.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At19.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At2.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At20.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At21.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At22.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At23.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At24.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At3.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At4.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At5.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At6.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At7.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At8.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-16 c:\windows\Tasks\At9.job
    - c:\windows\system32\YgRORQe.com [2011-09-16 10:21]
    .
    2011-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 20:28]
    .
    2011-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-05 20:28]
    .
    2011-09-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    2011-09-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-2052111302-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    2011-09-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    2011-09-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-2052111302-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.ie/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Cheenso\Application Data\Mozilla\Firefox\Profiles\kkqyf2hi.default\
    FF - prefs.js: browser.startup.homepage - www.google.ie
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    MSConfigStartUp-Google Update - c:\documents and settings\Cheenso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-17 23:48
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2500BEVS-22UST0 rev.01.01A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8AD4131B
    user & kernel MBR OK
    .
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    .
    - - - - - - - > 'winlogon.exe'(1080)
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'lsass.exe'(1140)
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    .
    - - - - - - - > 'explorer.exe'(18156)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-09-17 23:55:53
    ComboFix-quarantined-files.txt 2011-09-17 22:55
    ComboFix2.txt 2011-09-17 17:01
    .
    Pre-Run: 1,859,170,304 bytes free
    Post-Run: 1,842,397,184 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 9E4A29EBC887960EA8CDC5E8179D5C35


    And here's the aswMBR log

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-09-18 00:02:23
    00:02:23.468 OS Version: Windows 5.1.2600 Service Pack 3
    00:02:23.468 Number of processors: 2 586 0xF0D
    00:02:23.468 ComputerName: SLISI-L3C5814 UserName: Cheenso
    00:02:29.562 Initialize success
    00:11:57.656 AVAST engine defs: 11091701
    00:12:00.921 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
    00:12:00.921 Disk 0 Vendor: WDC_WD2500BEVS-22UST0 01.01A01 Size: 238475MB BusType: 3
    00:12:00.921 Device \Driver\atapi -> DriverStartIo 8ad4131b
    00:12:00.921 Disk 0 MBR read successfully
    00:12:00.921 Disk 0 MBR scan
    00:12:00.968 Disk 0 MBR:Alureon-G [Rtk]
    00:12:00.968 Disk 0 TDL4@MBR code has been found
    00:12:00.968 Disk 0 Windows XP default MBR code found via API
    00:12:00.968 Disk 0 MBR hidden
    00:12:00.968 Disk 0 MBR [TDL4] **ROOTKIT**
    00:12:00.968 Disk 0 trace - called modules:
    00:12:00.968 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x8ad414d0]<<
    00:12:00.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adb6ab8]
    00:12:00.968 3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> [0x8adcf920]
    00:12:00.984 5 PCTCore.sys[b9eb5099] -> nt!IofCallDriver -> \Device\00000081[0x8add39e8]
    00:12:00.984 7 ACPI.sys[b9f5f620] -> nt!IofCallDriver -> [0x8adb9940]
    00:12:00.984 \Driver\atapi[0x8ae12290] -> IRP_MJ_CREATE -> 0x8ad414d0
    00:12:02.203 AVAST engine scan C:\WINDOWS
    00:12:27.562 AVAST engine scan C:\WINDOWS\system32
    00:17:35.578 File: C:\WINDOWS\system32\YgRORQe.com **INFECTED** Win32:MalOb-GN [Cryp]
    00:17:36.703 AVAST engine scan C:\WINDOWS\system32\drivers
    00:18:09.515 AVAST engine scan C:\Documents and Settings\Cheenso
    00:21:45.453 AVAST engine scan C:\Documents and Settings\All Users
    00:22:39.625 Scan finished successfully
    00:23:12.390 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Cheenso\Desktop\MBR.dat"
    00:23:12.468 The log file has been saved successfully to "C:\Documents and Settings\Cheenso\Desktop\aswMBRlog.txt"
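    The aswMBR log above is the key piece of evidence in this thread: the MBR verdict (Alureon-G / TDL4), the "MBR hidden" line next to "default MBR code found via API" (the API-visible sector looks stock while the real one is infected), a driver-stack trace that ends in code belonging to no loaded module, and one infected file. The following Python triage parser is an added example, not code from the thread or from the aswMBR tool: it reads this timestamped log format, extracts those findings, and correlates the `>>UNKNOWN<<` address with the `\Driver\atapi` dispatch target so the hook is reported explicitly. The sample lines are copied from the log posted above (trimmed to the relevant ones); the correlation rule is my own reading of the trace, not something aswMBR states.

```python
"""Triage parser for aswMBR scan logs (added example, not part of aswMBR)."""
import re
from dataclasses import dataclass, field

# Sample lines taken from the log posted in the thread, trimmed to the
# interesting ones. Format per line: "HH:MM:SS.mmm message".
SAMPLE_LOG = r"""
00:12:00.921 Disk 0 MBR read successfully
00:12:00.921 Disk 0 MBR scan
00:12:00.968 Disk 0 MBR:Alureon-G [Rtk]
00:12:00.968 Disk 0 TDL4@MBR code has been found
00:12:00.968 Disk 0 Windows XP default MBR code found via API
00:12:00.968 Disk 0 MBR hidden
00:12:00.968 Disk 0 MBR [TDL4] **ROOTKIT**
00:12:00.968 Disk 0 trace - called modules:
00:12:00.968 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x8ad414d0]<<
00:12:00.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adb6ab8]
00:12:00.984 \Driver\atapi[0x8ae12290] -> IRP_MJ_CREATE -> 0x8ad414d0
00:12:02.203 AVAST engine scan C:\WINDOWS
00:17:35.578 File: C:\WINDOWS\system32\YgRORQe.com **INFECTED** Win32:MalOb-GN [Cryp]
00:22:39.625 Scan finished successfully
"""

LOG_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
MBR_VERDICT = re.compile(r"^Disk (\d+) MBR:(\S+)(?: \[(\w+)\])?$")
MBR_ROOTKIT = re.compile(r"^Disk (\d+) MBR \[([^\]]+)\] \*\*ROOTKIT\*\*$")
MBR_HIDDEN = re.compile(r"^Disk (\d+) MBR hidden$")
MBR_API_CLEAN = re.compile(r"^Disk (\d+) .* default MBR code found via API$")
UNKNOWN_CODE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# "\Driver\atapi[0x8ae12290] -> IRP_MJ_CREATE -> 0x8ad414d0"
DRIVER_HOOK = re.compile(
    r"^(\\Driver\\[^\[\s]+)\[0x[0-9a-fA-F]+\] -> (\S+) -> (0x[0-9a-fA-F]+)$")
INFECTED_FILE = re.compile(r"^File: (.+?) \*\*INFECTED\*\* (.+)$")


@dataclass
class Triage:
    mbr_verdicts: dict = field(default_factory=dict)   # disk -> (name, tag)
    rootkits: dict = field(default_factory=dict)       # disk -> family flagged **ROOTKIT**
    hidden_mbr: set = field(default_factory=set)       # disks whose real MBR is hidden
    api_clean_mbr: set = field(default_factory=set)    # disks whose API-visible MBR looked stock
    unknown_code: list = field(default_factory=list)   # addresses outside any known module
    hooks: list = field(default_factory=list)          # (driver, IRP major, target address)
    infected: list = field(default_factory=list)       # (path, detection name)
    finished: bool = False


def parse_aswmbr_log(text):
    """Walk the log line by line and collect the security-relevant events."""
    t = Triage()
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        if (v := MBR_VERDICT.match(msg)):
            t.mbr_verdicts[int(v.group(1))] = (v.group(2), v.group(3))
        elif (v := MBR_ROOTKIT.match(msg)):
            t.rootkits[int(v.group(1))] = v.group(2)
        elif (v := MBR_HIDDEN.match(msg)):
            t.hidden_mbr.add(int(v.group(1)))
        elif (v := MBR_API_CLEAN.match(msg)):
            t.api_clean_mbr.add(int(v.group(1)))
        elif (v := DRIVER_HOOK.match(msg)):
            t.hooks.append((v.group(1), v.group(2), v.group(3).lower()))
        elif (v := INFECTED_FILE.match(msg)):
            t.infected.append((v.group(1), v.group(2)))
        elif msg == "Scan finished successfully":
            t.finished = True
        # The trace line can carry an UNKNOWN marker alongside module names.
        u = UNKNOWN_CODE.search(msg)
        if u:
            t.unknown_code.append(u.group(1).lower())
    return t


def assess(t):
    """Turn the collected events into plain findings for a responder."""
    findings = []
    for disk, family in sorted(t.rootkits.items()):
        name = t.mbr_verdicts.get(disk, (None, None))[0]
        findings.append(f"disk {disk}: MBR rootkit {family}" + (f" ({name})" if name else ""))
        # Hidden real MBR plus a clean-looking API view means the hook is live.
        if disk in t.hidden_mbr and disk in t.api_clean_mbr:
            findings.append(f"disk {disk}: infected MBR is hidden; API shows stock code (active rootkit)")
    for driver, irp, target in t.hooks:
        # A dispatch target that equals the UNKNOWN address in the call trace
        # is the disk-stack hook itself (my reading of the trace, not aswMBR's).
        if target in t.unknown_code:
            findings.append(f"{driver} {irp} dispatch points into unbacked code at {target}")
    for path, name in t.infected:
        findings.append(f"infected file {path}: {name}")
    if not t.finished:
        findings.append("scan did not report completion; results may be partial")
    return findings


if __name__ == "__main__":
    for line in assess(parse_aswmbr_log(SAMPLE_LOG)):
        print(line)
```

    Run against the posted log, the parser reports the TDL4 MBR rootkit, the hidden-versus-API discrepancy, the atapi IRP_MJ_CREATE hook into unbacked code, and the infected YgRORQe.com file; a log from a clean disk that ends in "Scan finished successfully" yields no findings.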


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Reopen aswMBR.exe, click FixMBR, save the log and post it here.



    Open OTL and paste this in the custom scan/fixes box:



    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [CREATERESTOREPOINT]
    [Reboot]
    :Files
    ipconfig /flushdns /c
    C:\YgRORQe.com /s
    c:\windows\Tasks\At*.job
    C:\ntfsadvproxy.exe /s
    C:\YgRORQe.exe /s


    Click Run Fix, then post that log.


  • Registered Users, Registered Users 2 Posts: 1,254 ✭✭✭Thatnastyboy


    I completed the FixMBR and it did its automatic reboot, but I got no log. :confused:

    Here's the log from OTL as per your instructions:

    All processes killed
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Cheenso
    ->Temp folder emptied: 61941546 bytes
    ->Temporary Internet Files folder emptied: 273290 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 16926586 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 756 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 130531 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 76.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Cheenso
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: LocalService

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully
    Restore point Set: OTL Restore Point (0)
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Cheenso\My Documents\Downloads\cmd.bat deleted successfully.
    C:\Documents and Settings\Cheenso\My Documents\Downloads\cmd.txt deleted successfully.
    C:\_OTL\MovedFiles\09162011_230923\C_Documents and Settings\Cheenso\YgRORQe.com moved successfully.
    C:\_OTL\MovedFiles\09162011_230923\C_WINDOWS\system32\YgRORQe.com moved successfully.
    C:\_OTL\MovedFiles\09182011_155323\C__OTL\MovedFiles\09162011_230923\C_Documents and Settings\Cheenso\YgRORQe.com moved successfully.
    C:\_OTL\MovedFiles\09182011_155323\C__OTL\MovedFiles\09162011_230923\C_WINDOWS\system32\YgRORQe.com moved successfully.
    C:\WINDOWS\Fonts\YgRORQe.com moved successfully.
    C:\WINDOWS\system32\YgRORQe.com moved successfully.
    c:\windows\Tasks\At1.job moved successfully.
    c:\windows\Tasks\At10.job moved successfully.
    c:\windows\Tasks\At11.job moved successfully.
    c:\windows\Tasks\At12.job moved successfully.
    c:\windows\Tasks\At13.job moved successfully.
    c:\windows\Tasks\At14.job moved successfully.
    c:\windows\Tasks\At15.job moved successfully.
    c:\windows\Tasks\At16.job moved successfully.
    c:\windows\Tasks\At17.job moved successfully.
    c:\windows\Tasks\At18.job moved successfully.
    c:\windows\Tasks\At19.job moved successfully.
    c:\windows\Tasks\At2.job moved successfully.
    c:\windows\Tasks\At20.job moved successfully.
    c:\windows\Tasks\At21.job moved successfully.
    c:\windows\Tasks\At22.job moved successfully.
    c:\windows\Tasks\At23.job moved successfully.
    c:\windows\Tasks\At24.job moved successfully.
    c:\windows\Tasks\At25.job moved successfully.
    c:\windows\Tasks\At26.job moved successfully.
    c:\windows\Tasks\At27.job moved successfully.
    c:\windows\Tasks\At28.job moved successfully.
    c:\windows\Tasks\At29.job moved successfully.
    c:\windows\Tasks\At3.job moved successfully.
    c:\windows\Tasks\At30.job moved successfully.
    c:\windows\Tasks\At31.job moved successfully.
    c:\windows\Tasks\At32.job moved successfully.
    c:\windows\Tasks\At33.job moved successfully.
    c:\windows\Tasks\At34.job moved successfully.
    c:\windows\Tasks\At35.job moved successfully.
    c:\windows\Tasks\At36.job moved successfully.
    c:\windows\Tasks\At37.job moved successfully.
    c:\windows\Tasks\At38.job moved successfully.
    c:\windows\Tasks\At39.job moved successfully.
    c:\windows\Tasks\At4.job moved successfully.
    c:\windows\Tasks\At40.job moved successfully.
    c:\windows\Tasks\At41.job moved successfully.
    c:\windows\Tasks\At42.job moved successfully.
    c:\windows\Tasks\At43.job moved successfully.
    c:\windows\Tasks\At44.job moved successfully.
    c:\windows\Tasks\At45.job moved successfully.
    c:\windows\Tasks\At46.job moved successfully.
    c:\windows\Tasks\At47.job moved successfully.
    c:\windows\Tasks\At48.job moved successfully.
    c:\windows\Tasks\At5.job moved successfully.
    c:\windows\Tasks\At6.job moved successfully.
    c:\windows\Tasks\At7.job moved successfully.
    c:\windows\Tasks\At8.job moved successfully.
    c:\windows\Tasks\At9.job moved successfully.
    File\Folder C:\ntfsadvproxy.exe not found.
    C:\_OTL\MovedFiles\09162011_230923\C_Documents and Settings\All Users\Application Data\YgRORQe.exe moved successfully.
    C:\_OTL\MovedFiles\09162011_230923\C_Documents and Settings\Cheenso\Local Settings\Application Data\YgRORQe.exe moved successfully.
    C:\_OTL\MovedFiles\09182011_155323\C__OTL\MovedFiles\09162011_230923\C_Documents and Settings\All Users\Application Data\YgRORQe.exe moved successfully.
    C:\_OTL\MovedFiles\09182011_155323\C__OTL\MovedFiles\09162011_230923\C_Documents and Settings\Cheenso\Local Settings\Application Data\YgRORQe.exe moved successfully.
    C:\_OTL\MovedFiles\09182011_155323\C__OTL\MovedFiles\09182011_155323\C__OTL\MovedFiles\09162011_230923\C_Documents and Settings\All Users\Application Data\YgRORQe.exe moved successfully.
    C:\_OTL\MovedFiles\09182011_155323\C__OTL\MovedFiles\09182011_155323\C__OTL\MovedFiles\09162011_230923\C_Documents and Settings\Cheenso\Local Settings\Application Data\YgRORQe.exe moved successfully.

    OTL by OldTimer - Version 3.2.28.0 log created on 09182011_155323

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    How's the PC running now?


  • Registered Users, Registered Users 2 Posts: 1,254 ✭✭✭Thatnastyboy


    It's running great, really quick, way better than even before the virus. :)

    Would I be correct in saying there must have been a lot more than just the Zentom?

    I cannot thank you enough for your help. I really appreciate it; I owe you one.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Yeah, there was a rootkit and some other junk that came along with it. Happens a lot. Keep an eye on the machine.

    Glad to help


  • Registered Users, Registered Users 2 Posts: 1,254 ✭✭✭Thatnastyboy


    I see.

    Thanks again


    One more for you: what antivirus program would you recommend? AVG?

