Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan.LameShield / Yontoo +++ HELP! [Solved]


  • This topic is locked This topic is locked

#1
Putt4Dough

Putt4Dough

    Member

  • Member
  • PipPipPip
  • 120 posts
Hello,

I have a multi-language translator client that was infected by a malware and/or virus resulting in very slow internet browsing and a keyboard issue. The accents don't work anymore even if the settings look good and even after reinstalling the keyboard layouts. The other issue is that Trend Micro AV service is down and it's impossible to bring it back up. I tried reinstalling it and the problem comes back. I attempted to clean the PC with Malewarebytes. The log is listed below. Rebooted and scanned again and it looks clean. I then ran Housecall virus scan and found virus Yontoo. Cleaned it. Problems with AV service and keyboard is still there. Can anyone help pls? See logs bellow.

Regards,


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2012-09-05
Time: 14:35:55
User: N/A
Computer:
Description:
The Trend Micro PreFilter service failed to start due to the following error:
A device attached to the system is not functioning.


OTL logfile created on: 2012-09-06 13:47:27 - Run 1
OTL by OldTimer - Version 3.2.61.0 Folder = C:\Documents and Settings\user\Desktop\spyware
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: yyyy-MM-dd

1,99 Gb Total Physical Memory | 1,28 Gb Available Physical Memory | 64,34% Memory free
3,84 Gb Paging File | 3,31 Gb Available in Paging File | 86,26% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465,76 Gb Total Space | 440,39 Gb Free Space | 94,55% Space Free | Partition Type: NTFS
Drive E: | 0,38 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: RACETTE | User Name: mracette | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012-09-06 13:41:29 | 000,599,040 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\spyware\OTL.exe
PRC - [2012-09-03 23:00:57 | 000,161,768 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012-06-14 11:20:22 | 000,109,064 | ---- | M] (Wajam) -- C:\Program Files\Wajam\Updater\WajamUpdater.exe
PRC - [2010-10-26 12:27:42 | 000,703,080 | ---- | M] (Fortinet Inc.) -- C:\WINDOWS\system32\FortiSSLVPNdaemon.exe
PRC - [2010-08-10 08:59:24 | 002,551,808 | ---- | M] (Philips Austria GmbH - Speech Processing) -- C:\Program Files\Philips Speech\SpeechExec Pro Dictate\SEPDict.exe
PRC - [2010-07-06 11:12:28 | 004,613,416 | ---- | M] (TeamViewer GmbH) -- C:\Documents and Settings\user\Local Settings\Temp\TeamViewer\Version5\TeamViewer.exe
PRC - [2010-07-01 10:33:48 | 000,231,424 | ---- | M] (Philips Austria GmbH - Speech Processing) -- C:\Program Files\Philips Speech\Device Control Center\PDCC.exe
PRC - [2009-09-08 03:30:50 | 000,849,192 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
PRC - [2009-09-04 20:14:34 | 001,304,528 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
PRC - [2009-04-29 05:02:01 | 000,270,336 | R--- | M] (LG Electronics) -- C:\Documents and Settings\user\Bluebirds\BlueBirds.exe
PRC - [2009-04-02 16:20:04 | 000,435,584 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
PRC - [2008-07-21 03:48:08 | 002,054,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
PRC - [2008-07-21 03:48:02 | 000,773,144 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
PRC - [2008-04-13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004-03-11 11:55:20 | 000,376,832 | ---- | M] (Philips Speech Processing) -- C:\WINDOWS\system32\pspcontr.exe


========== Modules (No Company Name) ==========

MOD - [2012-07-27 16:51:38 | 000,301,056 | ---- | M] () -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.FRA
MOD - [2012-06-22 12:07:47 | 012,433,920 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\01abbadafaf265d9f4ac9bbb247acb98\System.Windows.Forms.ni.dll
MOD - [2012-06-22 12:07:38 | 001,592,320 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d86f2038209a4cf0d0f5b30f6375c9b2\System.Drawing.ni.dll
MOD - [2012-06-22 12:07:35 | 010,682,368 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Design\f73a8455f384e90f6925309336fece24\System.Design.ni.dll
MOD - [2012-06-22 12:07:18 | 014,329,856 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e4ecfaaf5417aceecb7fa8abddf06113\PresentationFramework.ni.dll
MOD - [2012-06-22 12:07:00 | 012,218,368 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\f33e2a4d9b385234406fa2d662f78875\PresentationCore.ni.dll
MOD - [2012-06-22 12:06:22 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012-05-21 12:25:46 | 000,400,896 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\1c13b08593e99d6f5bef49ae7939c78b\System.Xml.Linq.ni.dll
MOD - [2012-05-21 12:18:48 | 000,311,296 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\a644ec04e18202b60f9d828bc207972b\System.Runtime.Serialization.Formatters.Soap.ni.dll
MOD - [2012-05-21 12:17:41 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll
MOD - [2012-05-21 12:17:27 | 000,025,600 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\016444dfc5f7e3d11c776f2fbc7a4594\Accessibility.ni.dll
MOD - [2012-05-21 12:07:27 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012-05-21 12:06:45 | 006,616,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\12c6fe8d4dd78f9bddf847d3b2821c03\System.Data.ni.dll
MOD - [2012-05-21 12:06:40 | 002,295,296 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Core\38d07a5ac34b99d94fd14f42e779f625\System.Core.ni.dll
MOD - [2012-05-21 12:06:32 | 000,539,648 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8b873631a0855fb6aa0ad25f1d9de7fe\PresentationFramework.Luna.ni.dll
MOD - [2012-05-21 12:06:00 | 003,325,440 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsBase\6d8bef0d008389874e55c0308f0c18e5\WindowsBase.ni.dll
MOD - [2012-05-21 12:05:54 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012-05-21 12:05:47 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2011-10-20 13:52:48 | 000,972,664 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Office.Interop.Outlook\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Outlook.dll
MOD - [2011-10-19 14:12:42 | 000,720,896 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.Dictcontroller\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.Dictcontroller.dll
MOD - [2011-10-19 14:12:42 | 000,049,152 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.dictpropui\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.dictpropui.dll
MOD - [2011-10-19 14:12:42 | 000,045,056 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.Shared\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.Shared.dll
MOD - [2011-10-19 14:12:41 | 003,112,960 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.UICommon\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.UICommon.dll
MOD - [2011-10-19 14:12:41 | 002,519,040 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Infragistics2.Win.UltraWinToolbars.v8.1\8.1.20081.1000__7dd5c3163f2cd0cb\Infragistics2.Win.UltraWinToolbars.v8.1.dll
MOD - [2011-10-19 14:12:41 | 000,626,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Infragistics2.Win.UltraWinTree.v8.1\8.1.20081.1000__7dd5c3163f2cd0cb\Infragistics2.Win.UltraWinTree.v8.1.dll
MOD - [2011-10-19 14:12:41 | 000,573,440 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.Common\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.Common.dll
MOD - [2011-10-19 14:12:41 | 000,548,864 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.Dictation\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.Dictation.dll
MOD - [2011-10-19 14:12:41 | 000,472,064 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.Recognition\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.Recognition.dll
MOD - [2011-10-19 14:12:41 | 000,409,600 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Interop.DNSTools\10.0.200.449__12e79ac5d58f6c15\Interop.DNSTools.dll
MOD - [2011-10-19 14:12:41 | 000,131,072 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.Internal\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.Internal.dll
MOD - [2011-10-19 14:12:41 | 000,053,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.AudioCustomControls\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.AudioCustomControls.dll
MOD - [2011-10-19 14:12:41 | 000,049,152 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\PIA.DpmCtrlLib\3.230.35.0__12e79ac5d58f6c15\PIA.DpmCtrlLib.dll
MOD - [2011-10-19 14:12:41 | 000,049,152 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Interop.SmEXAudio\2.7.230.35__12e79ac5d58f6c15\Interop.SmEXAudio.dll
MOD - [2011-10-19 14:12:41 | 000,044,032 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.Recognition.Settings.UI\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.Recognition.Settings.UI.dll
MOD - [2011-10-19 14:12:41 | 000,044,032 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.AudioManager\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.AudioManager.dll
MOD - [2011-10-19 14:12:41 | 000,023,040 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\PSP.SpeechExec.Core\1.610.6.0__12e79ac5d58f6c15\PSP.SpeechExec.Core.dll
MOD - [2011-10-19 14:12:40 | 003,170,304 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Infragistics2.Win.v8.1\8.1.20081.1000__7dd5c3163f2cd0cb\Infragistics2.Win.v8.1.dll
MOD - [2011-10-19 14:12:40 | 001,916,928 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Infragistics2.Win.UltraWinGrid.v8.1\8.1.20081.1000__7dd5c3163f2cd0cb\Infragistics2.Win.UltraWinGrid.v8.1.dll
MOD - [2011-10-19 14:12:40 | 000,847,872 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Infragistics2.Win.Misc.v8.1\8.1.20081.1000__7dd5c3163f2cd0cb\Infragistics2.Win.Misc.v8.1.dll
MOD - [2011-10-19 14:12:40 | 000,708,608 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Infragistics2.Win.UltraWinDock.v8.1\8.1.20081.1000__7dd5c3163f2cd0cb\Infragistics2.Win.UltraWinDock.v8.1.dll
MOD - [2011-10-19 14:12:40 | 000,454,656 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Infragistics2.Win.UltraWinEditors.v8.1\8.1.20081.1000__7dd5c3163f2cd0cb\Infragistics2.Win.UltraWinEditors.v8.1.dll
MOD - [2011-10-19 14:12:40 | 000,208,896 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Infragistics2.Win.UltraWinStatusBar.v8.1\8.1.20081.1000__7dd5c3163f2cd0cb\Infragistics2.Win.UltraWinStatusBar.v8.1.dll
MOD - [2011-10-19 14:12:39 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Infragistics2.Shared.v8.1\8.1.20081.1000__7dd5c3163f2cd0cb\Infragistics2.Shared.v8.1.dll
MOD - [2010-06-17 16:18:28 | 000,277,504 | ---- | M] () -- C:\Program Files\Common Files\Philips Speech Shared\Components\SmEXLog.dll
MOD - [2008-04-13 20:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008-04-13 20:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2001-08-18 08:00:00 | 000,015,360 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll


========== Services (SafeList) ==========

SRV - [2012-09-03 23:00:57 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012-08-29 12:33:53 | 000,072,960 | ---- | M] () [Unknown (-1) | Unknown] -- C:\WINDOWS\System32\drivers\c04ffeee1ab0d5a6.sys -- (c04ffeee1ab0d5a6)
SRV - [2012-08-15 05:39:13 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012-07-13 20:13:54 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012-06-14 11:20:22 | 000,109,064 | ---- | M] (Wajam) [Auto | Running] -- C:\Program Files\Wajam\Updater\WajamUpdater.exe -- (WajamUpdater)
SRV - [2010-10-26 12:27:42 | 000,703,080 | ---- | M] (Fortinet Inc.) [Auto | Running] -- C:\WINDOWS\system32\FortiSSLVPNdaemon.exe -- (FortiSslvpnDaemon)
SRV - [2009-09-04 20:14:34 | 001,304,528 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe -- (tmlisten)
SRV - [2009-09-04 20:12:28 | 001,389,864 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe -- (ntrtscan)
SRV - [2009-07-15 17:37:18 | 000,689,416 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe -- (TmProxy)
SRV - [2008-07-21 03:48:08 | 002,054,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\SMR310.SYS -- (SMR310)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012-09-03 03:32:05 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2012-08-29 12:33:53 | 000,072,960 | ---- | M] () [Unknown (-1) | Unknown (-1) | Unknown] -- C:\WINDOWS\System32\drivers\c04ffeee1ab0d5a6.sys -- (c04ffeee1ab0d5a6)
DRV - [2012-08-29 12:33:21 | 000,072,960 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\408feef29aef2121.sys -- (408feef29aef2121)
DRV - [2011-07-12 10:43:58 | 000,036,624 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Stopped] -- C:\Program Files\Trend Micro\OfficeScan Client\tmpreflt.sys -- (TmPreFilter)
DRV - [2011-07-12 10:09:32 | 001,405,720 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\vsapiNT.sys -- (VSApiNt)
DRV - [2010-01-29 02:31:44 | 005,884,960 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2010-01-18 17:50:10 | 000,235,520 | R--- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntcDAud.sys -- (IntcDAud)
DRV - [2009-11-17 19:17:00 | 001,395,800 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009-11-17 19:16:00 | 001,691,480 | R--- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2009-08-17 19:16:06 | 001,390,976 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV - [2009-08-05 14:16:42 | 000,039,424 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2009-07-21 17:53:06 | 000,036,384 | ---- | M] (Fortinet Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pppop.sys -- (pppop)
DRV - [2009-07-15 17:37:40 | 000,089,872 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2009-06-05 03:16:32 | 000,142,336 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008-08-28 07:34:44 | 000,040,832 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI)
DRV - [2008-06-19 08:44:12 | 000,013,824 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2008-06-04 23:58:18 | 000,144,480 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress)
DRV - [2008-04-13 14:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2006-07-17 21:51:40 | 000,041,600 | R--- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\jraid.sys -- (JRAID)
DRV - [2006-03-17 06:18:58 | 000,392,960 | R--- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2006-02-07 07:52:58 | 000,006,912 | R--- | M] (JMicron ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\JGOGO.sys -- (JGOGO)
DRV - [2004-08-12 22:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004-08-04 01:29:26 | 000,327,040 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtaa.sys -- (ati2mtaa)
DRV - [2001-08-17 12:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman)
DRV - [2001-08-17 12:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1)
DRV - [2001-08-17 12:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k)
DRV - [2001-08-17 12:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2001-08-17 08:48:52 | 000,281,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpaa.sys -- (ati2mpaa)
DRV - [2001-01-30 17:34:38 | 000,025,381 | ---- | M] (OLYMPUS OPTICAL CO.,LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DSSUSBF.sys -- (DSSUSBF)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmood...tB&cr=459309896
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {835D6662-246E-4681-AAE7-91377F3AC76B}
IE - HKLM\..\SearchScopes,DefaultScope = {835D6662-246E-4681-AAE7-91377F3AC76B}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{26A35A29-31F4-80DB-C9C4-6D28839E3D49}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{835D6662-246E-4681-AAE7-91377F3AC76B}: "URL" = http://start.funmood...tB&cr=459309896

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = http://search.babylo...000005345000000
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/de...fr-ca&OCID=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = fr-ca
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 64 84 7A 06 74 6F CA 01 [binary data]
IE - HKCU\..\SearchScopes,Backup.Old.DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKCU\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://start.funmood...tB&cr=459309896
IE - HKCU\..\SearchScopes\{26A35A29-31F4-80DB-C9C4-6D28839E3D49}: "URL" = http://search.babylo...000005345000000
IE - HKCU\..\SearchScopes\{2C272558-193B-403E-B5B2-7C733A1B99D4}: "URL" = http://websearch.ask...apn_dtid=OSJ000
IE - HKCU\..\SearchScopes\{835D6662-246E-4681-AAE7-91377F3AC76B}: "URL" = http://www.google.co...1I7ADFA_enCA455
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://start.funmood...B&cr=459309896"
FF - prefs.js..browser.search.selectedEngine: "Ask.com Search"
FF - prefs.js..browser.search.order.1: "Ask.com Search"
FF - prefs.js..keyword.URL: ""
FF - prefs.js..browser.search.defaultengine: "Google"
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@FortinetCacheClean: C:\Program Files\Fortinet\SslvpnClient\npccplugin.dll (Fortinet Inc.)
FF - HKLM\Software\MozillaPlugins\@FortinetTunnelControl: C:\Program Files\Fortinet\SslvpnClient\nptcplugin.dll (Fortinet Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012-08-03 11:19:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012-08-03 09:01:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2012-08-03 11:24:19 | 000,002,299 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\5azb4otg.default\searchplugins\askcom.xml
[2012-09-04 14:12:08 | 000,002,306 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\5azb4otg.default\searchplugins\askcomsearch.xml
[2012-08-03 11:19:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012-07-13 20:17:47 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012-07-13 20:16:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012-07-13 20:16:36 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2001-08-18 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Wajam) - {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - C:\Program Files\Wajam\IE\priam_bho.dll (Wajam)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll (Google Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Philips Device Control Center] C:\Program Files\Philips Speech\Device Control Center\PDCC.exe (Philips Austria GmbH - Speech Processing)
O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
O4 - HKLM..\Run: [PspContr] C:\WINDOWS\System32\pspcontr.exe (Philips Speech Processing)
O4 - HKLM..\Run: [PspUsbCf] C:\WINDOWS\System32\pspusbcf.exe (Philips Speech Processing)
O4 - HKLM..\Run: [SpeechExec Startup] C:\Program Files\Common Files\Philips Speech Shared\Components\PSP.SpeechExec.StartupApp.exe (Philips Austria GmbH - Speech Processing)
O4 - HKLM..\Run: [yiSNUTyakcfEQv.exe] C:\Documents and Settings\All Users\Application Data\yiSNUTyakcfEQv.exe File not found
O4 - HKCU..\Run: [bluebirds] C:\Documents and Settings\user\Bluebirds\BlueBirds.exe (LG Electronics)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000036 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000038 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000039 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000040 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000041 - mswsock.dll File not found
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1212158786304 (WUWebControl Class)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{09E3DB22-DFCE-4DDD-A73C-65CD67E979A7}: DhcpNameServer = 206.191.0.210 206.191.0.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2EB33A13-D3F8-4F6C-B046-64778A9A7D33}: DhcpNameServer = 172.16.0.20 206.191.0.140 206.191.0.210
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7BA7B319-DF11-4C3A-82A5-7BF7D8E08CE1}: DhcpNameServer = 206.191.0.210 206.191.0.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D0CCD3B-09C7-4239-A519-EFFB2A149DD3}: DhcpNameServer = 206.191.0.210 206.191.0.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A6AC5E2F-11DF-4D47-B791-CBE9A687DAE4}: DhcpNameServer = 24.48.19.13 24.202.72.13 24.53.0.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B5929062-E3D0-4345-AF13-BE88F62C2A64}: DhcpNameServer = 206.191.0.210 206.191.0.140
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008-05-30 10:39:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009-04-29 05:02:01 | 000,000,055 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{24db74e7-fb62-11e0-ae80-00248cacc508}\Shell - "" = AutoRun
O33 - MountPoints2\{24db74e7-fb62-11e0-ae80-00248cacc508}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{24db74e7-fb62-11e0-ae80-00248cacc508}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O33 - MountPoints2\{524b1084-de30-11e0-a1e7-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{524b1084-de30-11e0-a1e7-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{524b1084-de30-11e0-a1e7-806d6172696f}\Shell\AutoRun\command - "" = D:\ASUSACPI.exe
O33 - MountPoints2\{7fee049e-f9b8-11e0-8888-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{7fee049e-f9b8-11e0-8888-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7fee049e-f9b8-11e0-8888-806d6172696f}\Shell\AutoRun\command - "" = D:\BlueBirds.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\BlueBirds.exe -- [2009-04-29 05:02:01 | 000,270,336 | R--- | M] (LG Electronics)
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012-09-06 13:46:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\spyware
[2012-09-05 15:08:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\NPE
[2012-09-05 15:08:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2012-09-05 15:07:47 | 002,892,816 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\user\Desktop\NPE.exe
[2012-09-05 14:31:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro OfficeScan Client
[2012-09-05 13:57:42 | 000,000,000 | ---D | C] -- C:\Avenger
[2012-09-05 13:44:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012-09-03 23:01:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012-09-03 23:00:54 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012-09-03 03:32:05 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2012-09-03 03:32:05 | 000,100,880 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2012-09-03 03:32:05 | 000,050,704 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2012-08-29 12:33:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2012-08-16 11:13:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\McAfee
[2012-08-14 03:41:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012-09-06 13:48:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B0E313CD-E755-490A-B9FF-306F2013738C}.job
[2012-09-06 13:46:16 | 000,001,772 | ---- | M] () -- C:\Documents and Settings\user\My Documents\Default.rdp
[2012-09-06 13:45:01 | 000,001,060 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012-09-06 13:45:01 | 000,001,056 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012-09-06 13:39:01 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012-09-05 15:36:05 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Microsoft Word 2010.lnk
[2012-09-05 15:22:47 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2012-09-05 15:22:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012-09-05 15:06:38 | 002,892,816 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\user\Desktop\NPE.exe
[2012-09-05 15:00:33 | 000,102,400 | ---- | M] () -- C:\WINDOWS\RegBootClean.exe
[2012-09-05 14:55:07 | 000,191,349 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\census.cache
[2012-09-05 14:55:04 | 000,131,456 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\ars.cache
[2012-09-05 14:48:36 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\housecall.guid.cache
[2012-09-05 14:20:58 | 000,000,002 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012-09-05 14:20:58 | 000,000,002 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012-09-05 13:44:26 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012-09-03 13:31:57 | 000,004,706 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012-09-03 03:32:05 | 000,281,104 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2012-09-03 03:32:05 | 000,100,880 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2012-09-03 03:32:05 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2012-08-29 12:34:49 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012-08-29 12:33:53 | 000,072,960 | ---- | M] () -- C:\WINDOWS\System32\drivers\c04ffeee1ab0d5a6.sys
[2012-08-29 12:33:21 | 000,072,960 | ---- | M] () -- C:\WINDOWS\System32\drivers\408feef29aef2121.sys
[2012-08-16 12:19:22 | 000,294,864 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012-08-16 12:08:46 | 000,001,809 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012-09-05 14:55:07 | 000,191,349 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\census.cache
[2012-09-05 14:55:04 | 000,131,456 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\ars.cache
[2012-09-05 14:47:43 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\housecall.guid.cache
[2012-09-05 13:44:26 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012-08-29 12:34:49 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012-08-29 12:33:53 | 000,072,960 | ---- | C] () -- C:\WINDOWS\System32\drivers\c04ffeee1ab0d5a6.sys
[2012-08-29 12:33:21 | 000,072,960 | ---- | C] () -- C:\WINDOWS\System32\drivers\408feef29aef2121.sys
[2012-08-02 22:17:06 | 000,384,844 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\funmoods-speeddial.crx
[2012-08-02 18:43:18 | 000,000,064 | ---- | C] () -- C:\WINDOWS\GPlrLanc.dat
[2012-08-02 18:43:06 | 020,480,000 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\store-pp.jbs
[2012-08-01 14:12:27 | 000,163,408 | ---- | C] () -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2012-08-01 14:12:27 | 000,059,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2012-07-31 15:46:20 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-hXnZ6sl3qTrewYr
[2012-07-31 15:46:20 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-hXnZ6sl3qTrewY
[2012-07-31 15:46:17 | 000,000,368 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hXnZ6sl3qTrewY
[2012-07-24 11:04:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\cafe
[2012-05-31 14:31:06 | 000,180,592 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012-05-02 09:37:38 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2012-04-17 14:10:40 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-5BGA2AMll8nJU2r
[2012-04-17 14:10:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-5BGA2AMll8nJU2
[2012-04-17 14:10:36 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\5BGA2AMll8nJU2
[2012-02-15 23:21:51 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011-10-27 20:17:50 | 000,025,856 | ---- | C] () -- C:\WINDOWS\System32\drivers\usbprint.sys
[2011-10-19 14:13:35 | 000,060,032 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBAUDIO.sys
[2011-10-19 00:07:00 | 000,016,060 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2011-10-18 15:13:14 | 001,390,976 | R--- | C] () -- C:\WINDOWS\System32\drivers\viahduaa.sys
[2011-09-13 14:25:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2011-09-13 13:57:44 | 000,041,600 | R--- | C] () -- C:\WINDOWS\System32\drivers\jraid.sys
[2011-09-13 13:57:44 | 000,006,912 | R--- | C] () -- C:\WINDOWS\System32\drivers\JGOGO.sys
[2011-09-13 13:55:11 | 000,392,960 | R--- | C] () -- C:\WINDOWS\System32\drivers\senfilt.sys
[2011-09-13 13:52:03 | 000,021,247 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2011-09-13 13:49:05 | 001,481,884 | R--- | C] () -- C:\WINDOWS\System32\igkrng400.bin
[2011-03-28 11:26:43 | 000,004,096 | R--- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[2011-03-28 11:26:43 | 000,000,151 | R--- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2011-03-28 11:26:40 | 000,870,560 | R--- | C] () -- C:\WINDOWS\System32\igkrng575.bin
[2011-03-28 11:26:40 | 000,127,868 | R--- | C] () -- C:\WINDOWS\System32\igcompkrng575.bin
[2011-03-28 11:25:44 | 000,235,520 | R--- | C] () -- C:\WINDOWS\System32\drivers\IntcDAud.sys
[2011-03-28 11:24:37 | 001,395,800 | R--- | C] () -- C:\WINDOWS\System32\drivers\Monfilt.sys
[2009-11-27 12:18:31 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\user\Application Data\PFP100JPR.{PB
[2009-11-27 12:18:31 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\user\Application Data\PFP100JCM.{PB
[2008-06-18 11:14:02 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== LOP Check ==========

[2012-08-03 11:18:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ask
[2012-08-02 18:42:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2009-09-21 13:50:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Safend
[2012-09-05 14:22:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2012-08-02 18:42:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Babylon
[2011-03-28 11:33:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\ICAClient
[2012-08-03 11:17:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Oracle
[2011-10-19 14:12:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Philips Speech
[2011-10-21 14:01:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TeamViewer
[2011-03-28 12:07:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Terminotix
[2012-09-06 13:48:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{B0E313CD-E755-490A-B9FF-306F2013738C}.job
[2012-09-05 15:22:47 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



< End of report >

OTL Extras logfile created on: 2012-09-06 13:47:27 - Run 1
OTL by OldTimer - Version 3.2.61.0 Folder = C:\Documents and Settings\user\Desktop\spyware
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: yyyy-MM-dd

1,99 Gb Total Physical Memory | 1,28 Gb Available Physical Memory | 64,34% Memory free
3,84 Gb Paging File | 3,31 Gb Available in Paging File | 86,26% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465,76 Gb Total Space | 440,39 Gb Free Space | 94,55% Space Free | Partition Type: NTFS
Drive E: | 0,38 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: RACETTE | User Name: mracette | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntivirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00120409-78E1-11D2-B60F-006097C998E7}" = Microsoft FrontPage 2000 SR-1
"{069ECDE4-0A06-4C8C-88F2-F2F92D4CFC1E}" = SpeechExec Pro Dictate
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7
"{2C251FE3-8EEB-47B7-893A-4008A79ACF2E}" = Philips Device Control Center
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMB36X Raid Configurer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{86A803A1-4D71-11D5-A770-00A0C9E895EB}" = WordPerfect Office 2002
"{8E35083D-B04F-4823-A260-C07FDD3D40FD}" = Olympus DSS Player Pro
"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{95120000-0052-040C-0000-0000000FF1CE}" = Microsoft Office Visio Viewer 2007
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A34DCE59-0004-0000-2085-3F8A9926B752}" = FortiClient SSL VPN v4.0.2085
"{A474EA56-5DBD-4181-8230-806A4762EA7F}" = Antidote RX v8
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1036-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Franēais
"{BDE813B0-BF65-11D2-92B4-0060B0686AFB}" = SpeechMike Executive
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DDD076BF-C5C3-468C-AA1B-F9A7E47446FE}" = Intel® Network Connections 13.1.33.0
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Graphics Media Accelerator Driver
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"HDMI" = Intel® Graphics Media Accelerator Driver
"HECI" = Intel® Management Engine Interface
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"ITPM" = Intel® Trusted Platform Module
"LogiTerm_is1" = LogiTerm Toolbar
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 14.0.1 (x86 en-US)" = Mozilla Firefox 14.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Office14.SingleImage" = Microsoft Office Home and Business 2010
"OfficeScanNT" = Trend Micro OfficeScan Client
"Wajam" = Wajam
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WordPerfect Office 2002" = WordPerfect Office 2002
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 2012-09-03 13:28:13 | Computer Name = RACETTE | Source = Application Hang | ID = 1002
Description = Hanging application SEPDict.exe, version 1.610.6.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2012-09-03 14:16:07 | Computer Name = RACETTE | Source = SpeechExec | ID = 0
Description = General Information ********************************************* MachineName:
RACETTE TimeStamp: 2012-09-03 14:16:07 FullName: PSP.SpeechExec.Internal, Version=1.610.6.0,
Culture=neutral, PublicKeyToken=12e79ac5d58f6c15 AppDomainName: SEPDict.exe WindowsIdentity:
RACETTE\mracette 1) Exception Information *********************************************
Exception
Type: Philips.PSP.SpeechExec.Dictation.Licensing.DongleLicensing.Exceptions.DongleNotFoundException
LocalizedMessage:
The USB Smart Key has to be connected to complete this operation. Message: The USB
Smart Key needs to be connected to complete this operation. Data: System.Collections.ListDictionaryInternal
TargetSite:
Void ConvertReturnValuesToExceptions(Int32) HelpLink: NULL Source: PSP.SpeechExec.Dictation

Error - 2012-09-03 22:31:27 | Computer Name = RACETTE | Source = Application Error | ID = 1000
Description = Faulting application temp96.exe, version 0.0.0.0, faulting module
ntdll.dll, version 5.1.2600.6055, fault address 0x00036822.

Error - 2012-09-03 22:45:31 | Computer Name = RACETTE | Source = SpeechExec | ID = 0
Description = General Information ********************************************* MachineName:
RACETTE TimeStamp: 2012-09-03 22:45:31 FullName: PSP.SpeechExec.Internal, Version=1.610.6.0,
Culture=neutral, PublicKeyToken=12e79ac5d58f6c15 AppDomainName: SEPDict.exe WindowsIdentity:
RACETTE\mracette 1) Exception Information *********************************************
Exception
Type: Philips.PSP.SpeechExec.Dictation.Exceptions.ExAudioComException MachineName:
RACETTE CreatedDateTime: 2012-09-03 22:45:31 AppDomainName: SEPDict.exe ThreadIdentityName:
WindowsIdentityName: RACETTE\mracette AdditionalInfo: HResult: -2147216946 Message:
An internal error occurred (SmAudio control). (smxaudInternal) Data: System.Collections.ListDictionaryInternal
TargetSite:
NULL HelpLink: NULL Source: NULL 2) Exception Information *********************************************
Exception
Type: System.Runtime.InteropServices.COMException ErrorCode: -2147216946 Message:
Exception from HRESULT: 0x800411CE Data: System.Collections.ListDictionaryInternal
TargetSite:
Void Record() HelpLink: NULL Source: Interop.SmEXAudio

Error - 2012-09-03 23:00:39 | Computer Name = RACETTE | Source = LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. BaseIndex value from Performance
registry
is the first DWORD in Data section, LastCounter value is the second DWORD in Data
section, and LastHelp value is the third DWORD in Data section.

Error - 2012-09-03 23:00:39 | Computer Name = RACETTE | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 2012-09-04 05:45:44 | Computer Name = RACETTE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2012-09-04 16:43:40 | Computer Name = RACETTE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2012-09-05 11:44:14 | Computer Name = RACETTE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2012-09-05 21:51:51 | Computer Name = RACETTE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00001e78.

[ OSession Events ]
Error - 2009-03-03 12:23:43 | Computer Name = INT040 | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

Error - 2009-03-03 12:25:25 | Computer Name = INT040 | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

[ System Events ]
Error - 2012-09-06 11:38:08 | Computer Name = RACETTE | Source = Service Control Manager | ID = 7000
Description = The Trend Micro PreFilter service failed to start due to the following
error: %%31

Error - 2012-09-06 11:38:10 | Computer Name = RACETTE | Source = Service Control Manager | ID = 7000
Description = The Trend Micro PreFilter service failed to start due to the following
error: %%31

Error - 2012-09-06 12:10:22 | Computer Name = RACETTE | Source = Service Control Manager | ID = 7000
Description = The Trend Micro PreFilter service failed to start due to the following
error: %%31

Error - 2012-09-06 12:10:25 | Computer Name = RACETTE | Source = Service Control Manager | ID = 7000
Description = The Trend Micro PreFilter service failed to start due to the following
error: %%31

Error - 2012-09-06 12:20:37 | Computer Name = RACETTE | Source = Service Control Manager | ID = 7000
Description = The Trend Micro PreFilter service failed to start due to the following
error: %%31

Error - 2012-09-06 12:20:39 | Computer Name = RACETTE | Source = Service Control Manager | ID = 7000
Description = The Trend Micro PreFilter service failed to start due to the following
error: %%31

Error - 2012-09-06 12:52:51 | Computer Name = RACETTE | Source = Service Control Manager | ID = 7000
Description = The Trend Micro PreFilter service failed to start due to the following
error: %%31

Error - 2012-09-06 12:52:54 | Computer Name = RACETTE | Source = Service Control Manager | ID = 7000
Description = The Trend Micro PreFilter service failed to start due to the following
error: %%31

Error - 2012-09-06 13:20:06 | Computer Name = RACETTE | Source = Service Control Manager | ID = 7000
Description = The Trend Micro PreFilter service failed to start due to the following
error: %%31

Error - 2012-09-06 13:20:08 | Computer Name = RACETTE | Source = Service Control Manager | ID = 7000
Description = The Trend Micro PreFilter service failed to start due to the following
error: %%31


< End of report >


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.05.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
mracette :: RACETTE [administrator]

2012-09-05 13:45:54
mbam-log-2012-09-05 (13-45-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222713
Time elapsed: 8 minute(s), 7 second(s)

Memory Processes Detected: 1
C:\WINDOWS\Temp\temp96.exe (Trojan.LameShield) -> 856 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SonyAgent (Trojan.LameShield) -> Data: C:\WINDOWS\Temp\temp96.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|syshost32 (Backdoor.Agent) -> Data: C:\WINDOWS\Installer\{ADC8C91E-C5A6-2A02-E2A2-854EC284F4A1}\syshost.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$81695344d1b9a8a8792ab41986e3cbb5\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-290470409-650978795-2170371235-1007\$81695344d1b9a8a8792ab41986e3cbb5\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\WINDOWS\Temp\temp96.exe (Trojan.LameShield) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-290470409-650978795-2170371235-1007\$81695344d1b9a8a8792ab41986e3cbb5\n (Trojan.Agent.MRGGen) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$81695344d1b9a8a8792ab41986e3cbb5\n (Rootkit.0Access) -> Delete on reboot.
C:\WINDOWS\Temp\temp01.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\temp47.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\temp83.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\temp94.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\temp98.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{ADC8C91E-C5A6-2A02-E2A2-854EC284F4A1}\syshost.exe (Backdoor.Agent) -> Delete on reboot.

(end)
  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there it is a little bit more that Yontto, you have a zero access infection

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Posted Image

    :OTL
    SRV - [2012-08-29 12:33:53 | 000,072,960 | ---- | M] () [Unknown (-1) | Unknown] -- C:\WINDOWS\System32\drivers\c04ffeee1ab0d5a6.sys -- (c04ffeee1ab0d5a6)
    DRV - [2012-08-29 12:33:53 | 000,072,960 | ---- | M] () [Unknown (-1) | Unknown (-1) | Unknown] -- C:\WINDOWS\System32\drivers\c04ffeee1ab0d5a6.sys -- (c04ffeee1ab0d5a6)
    DRV - [2012-08-29 12:33:21 | 000,072,960 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\408feef29aef2121.sys -- (408feef29aef2121)
    O4 - HKLM..\Run: [yiSNUTyakcfEQv.exe] C:\Documents and Settings\All Users\Application Data\yiSNUTyakcfEQv.exe File not found
    [2012-07-31 15:46:20 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-hXnZ6sl3qTrewYr
    [2012-07-31 15:46:20 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-hXnZ6sl3qTrewY
    [2012-07-31 15:46:17 | 000,000,368 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hXnZ6sl3qTrewY
    [2012-04-17 14:10:40 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-5BGA2AMll8nJU2r
    [2012-04-17 14:10:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-5BGA2AMll8nJU2
    [2012-04-17 14:10:36 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\5BGA2AMll8nJU2
    [2012-08-29 12:33:53 | 000,072,960 | ---- | C] () -- C:\WINDOWS\System32\drivers\c04ffeee1ab0d5a6.sys
    [2012-08-29 12:33:21 | 000,072,960 | ---- | C] () -- C:\WINDOWS\System32\drivers\408feef29aef2121.sys
    
    :Reg
    [HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32] 
    ""="%systemroot%\system32\wbem\wbemess.dll" 
    [-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] 
    
    :Files
    ipconfig /flushdns /c
    netsh int ip reset c:\resetlog.txt  /c
    ipconfig /release /c
    ipconfig /renew /c
    
    :Commands
    [resethosts]
    [emptyjava]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
Posted Image
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
Posted Image
  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
    Posted Image
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

FINALLY

run farbar service scanner

Posted Image

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
  • 0

#3
Putt4Dough

Putt4Dough

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 120 posts
There you go. Thks!


========== OTL ==========
Error: No service named c04ffeee1ab0d5a6 was found to stop!
Service\Driver key c04ffeee1ab0d5a6 not found.
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.
Error: No service named c04ffeee1ab0d5a6 was found to stop!
Service\Driver key c04ffeee1ab0d5a6 not found.
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.
Service 408feef29aef2121 stopped successfully!
Service 408feef29aef2121 deleted successfully!
C:\WINDOWS\system32\drivers\408feef29aef2121.sys moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\yiSNUTyakcfEQv.exe deleted successfully.
C:\Documents and Settings\All Users\Application Data\-hXnZ6sl3qTrewYr moved successfully.
C:\Documents and Settings\All Users\Application Data\-hXnZ6sl3qTrewY moved successfully.
C:\Documents and Settings\All Users\Application Data\hXnZ6sl3qTrewY moved successfully.
C:\Documents and Settings\All Users\Application Data\-5BGA2AMll8nJU2r moved successfully.
C:\Documents and Settings\All Users\Application Data\-5BGA2AMll8nJU2 moved successfully.
C:\Documents and Settings\All Users\Application Data\5BGA2AMll8nJU2 moved successfully.
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.
File C:\WINDOWS\System32\drivers\408feef29aef2121.sys not found.
========== REGISTRY ==========
HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\""|"%systemroot%\system32\wbem\wbemess.dll" /E : value set successfully!
Registry key HKEY_CURRENT_USER\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12d0253a-7c96-815c-11e0-3034bbd97cc0}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
< netsh int ip reset c:\resetlog.txt /c >
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
< ipconfig /release /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
PPP adapter fortissl:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.0.0.20
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: user

Total Java Files Cleaned = 0,00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.61.0 log created on 09062012_151401

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

========== OTL ==========
Error: No service named c04ffeee1ab0d5a6 was found to stop!
Service\Driver key c04ffeee1ab0d5a6 not found.
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.
Error: No service named c04ffeee1ab0d5a6 was found to stop!
Service\Driver key c04ffeee1ab0d5a6 not found.
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.
Service 408feef29aef2121 stopped successfully!
Service 408feef29aef2121 deleted successfully!
C:\WINDOWS\system32\drivers\408feef29aef2121.sys moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\yiSNUTyakcfEQv.exe deleted successfully.
C:\Documents and Settings\All Users\Application Data\-hXnZ6sl3qTrewYr moved successfully.
C:\Documents and Settings\All Users\Application Data\-hXnZ6sl3qTrewY moved successfully.
C:\Documents and Settings\All Users\Application Data\hXnZ6sl3qTrewY moved successfully.
C:\Documents and Settings\All Users\Application Data\-5BGA2AMll8nJU2r moved successfully.
C:\Documents and Settings\All Users\Application Data\-5BGA2AMll8nJU2 moved successfully.
C:\Documents and Settings\All Users\Application Data\5BGA2AMll8nJU2 moved successfully.
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.
File C:\WINDOWS\System32\drivers\408feef29aef2121.sys not found.
========== REGISTRY ==========
HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\""|"%systemroot%\system32\wbem\wbemess.dll" /E : value set successfully!
Registry key HKEY_CURRENT_USER\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12d0253a-7c96-815c-11e0-3034bbd97cc0}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
< netsh int ip reset c:\resetlog.txt /c >
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
< ipconfig /release /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
PPP adapter fortissl:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.0.0.20
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: user

Total Java Files Cleaned = 0,00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.61.0 log created on 09062012_151401

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

========== OTL ==========
Error: No service named c04ffeee1ab0d5a6 was found to stop!
Service\Driver key c04ffeee1ab0d5a6 not found.
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.
Error: No service named c04ffeee1ab0d5a6 was found to stop!
Service\Driver key c04ffeee1ab0d5a6 not found.
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.
Service 408feef29aef2121 stopped successfully!
Service 408feef29aef2121 deleted successfully!
C:\WINDOWS\system32\drivers\408feef29aef2121.sys moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\yiSNUTyakcfEQv.exe deleted successfully.
C:\Documents and Settings\All Users\Application Data\-hXnZ6sl3qTrewYr moved successfully.
C:\Documents and Settings\All Users\Application Data\-hXnZ6sl3qTrewY moved successfully.
C:\Documents and Settings\All Users\Application Data\hXnZ6sl3qTrewY moved successfully.
C:\Documents and Settings\All Users\Application Data\-5BGA2AMll8nJU2r moved successfully.
C:\Documents and Settings\All Users\Application Data\-5BGA2AMll8nJU2 moved successfully.
C:\Documents and Settings\All Users\Application Data\5BGA2AMll8nJU2 moved successfully.
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.
File C:\WINDOWS\System32\drivers\408feef29aef2121.sys not found.
========== REGISTRY ==========
HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\""|"%systemroot%\system32\wbem\wbemess.dll" /E : value set successfully!
Registry key HKEY_CURRENT_USER\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12d0253a-7c96-815c-11e0-3034bbd97cc0}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
< netsh int ip reset c:\resetlog.txt /c >
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
< ipconfig /release /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
PPP adapter fortissl:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.0.0.20
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Documents and Settings\user\Desktop\spyware\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\spyware\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: user

Total Java Files Cleaned = 0,00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.61.0 log created on 09062012_151401

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\c04ffeee1ab0d5a6.sys scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
I may have to use a stronger tool later to kill the 3 services... But continue now with Roguekiller please
  • 0

#5
Putt4Dough

Putt4Dough

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 120 posts
Hi. I rebooted in safe mode with networking. Here are the 3 logs from rog and Farbar:

RogueKiller V8.0.2 [31/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User : mracette [Admin rights]
Mode : Scan -- Date : 07/09/2012 11:06:56

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[RUN][PREVRUN] HKCU\[...]\Run : 4Y3Y0C3A4IVA3F5H (C:\ReGBe.Bin\071BAAF8F23.exe) -> FOUND
[RUN][PREVRUN] HKUS\S-1-5-21-290470409-650978795-2170371235-1007[...]\Run : 4Y3Y0C3A4IVA3F5H (C:\ReGBe.Bin\071BAAF8F23.exe) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

˙ž1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] fded34a153391c4ae57772282250fbe3
[BSP] 5053ba02a7b1c45a5a1460a84e2f28a6 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 62dc4b82a8db1bf9a66b6bfc1c415898
[BSP] 5053ba02a7b1c45a5a1460a84e2f28a6 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 976768065 | Size: 2 Mo

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt



----------------------------------------------------------------------

RogueKiller V8.0.2 [31/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User : mracette [Admin rights]
Mode : Remove -- Date : 07/09/2012 11:09:15

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[RUN][PREVRUN] HKCU\[...]\Run : 4Y3Y0C3A4IVA3F5H (C:\ReGBe.Bin\071BAAF8F23.exe) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

˙ž1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] fded34a153391c4ae57772282250fbe3
[BSP] 5053ba02a7b1c45a5a1460a84e2f28a6 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[5].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt

-------------------------------------------

RogueKiller V8.0.2 [31/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User : mracette [Admin rights]
Mode : Shortcuts HJfix -- Date : 07/09/2012 11:14:05

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 1 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 18 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 18 / Fail 0
Backup: [FOUND] Success 0 / Fail 0 / Exists 130

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[6].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt



-----------------------------------------------------

Farbar Service Scanner Version: 06-08-2012
Ran by mracette (administrator) on 07-09-2012 at 11:16:26
Running from "C:\Documents and Settings\user\Desktop\spyware"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Network
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
The ServiceDll of wscsvc: ""C:\WINDOWS\system32\wscsvc.dll"".


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\System32\es.dll".


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2001-08-18 08:00] - [2011-08-17 09:49] - 0138496 ____A () D41D8CD98F00B204E9800998ECF8427E

ATTENTION!=====> C:\WINDOWS\system32\Drivers\afd.sys IS INFECTED AND SHOULD BE REPLACED.

C:\WINDOWS\system32\Drivers\netbt.sys
[2001-08-18 08:00] - [2008-04-13 15:21] - 0162816 ____A () D41D8CD98F00B204E9800998ECF8427E

ATTENTION!=====> C:\WINDOWS\system32\Drivers\netbt.sys IS INFECTED AND SHOULD BE REPLACED.

C:\WINDOWS\system32\Drivers\tcpip.sys
[2001-08-18 08:00] - [2008-06-20 07:51] - 0361600 ____A () D41D8CD98F00B204E9800998ECF8427E

ATTENTION!=====> C:\WINDOWS\system32\Drivers\tcpip.sys IS INFECTED AND SHOULD BE REPLACED.

C:\WINDOWS\system32\Drivers\ipsec.sys
[2001-08-18 08:00] - [2008-04-13 15:19] - 0075264 ____A () D41D8CD98F00B204E9800998ECF8427E

ATTENTION!=====> C:\WINDOWS\system32\Drivers\ipsec.sys IS INFECTED AND SHOULD BE REPLACED.

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys
[2008-05-30 10:37] - [2008-04-13 14:36] - 0073472 ____A () D41D8CD98F00B204E9800998ECF8427E

ATTENTION!=====> C:\WINDOWS\system32\Drivers\sr.sys IS INFECTED AND SHOULD BE REPLACED.

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x09000000050000000100000002000000030000000400000006000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****
  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK it is a bit more as you also have an MBR infection as well

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application
    Posted Image
  • Then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports

    Posted Image
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the recovery console

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 0

#7
Putt4Dough

Putt4Dough

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 120 posts
TDSSKiller.exe will not run on this PC. When I try to run it the process closes in less then a second.

Do I run Combofix or should i use a different tool to clean the MBR?
  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Run Combofix please as I may need the recovery console installed. Are you able to burn a CD ?
  • 0

#9
Putt4Dough

Putt4Dough

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 120 posts
I'm remotly connecting to the clients PC while doing this procedure. The client is not equiped to burn cd's. Would a USB key do the job or pushing files to a FTP folder? Let me know before I proceed with combo fix.
  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Bear with me a second I will sort out a USB option
  • 0

Advertisements


#11
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Download Tuxbot to your desktop
Run Tuxboot
On the first screen in the dropdown box select Gparted Live - stable
Posted Image
Select USB Drive from the Type drop-down.
Select the correct USB device from the Drive drop-down.
Click OK. This will start the process of creating the bootable USB device.

The instructions along with screenshot for Tuxbot are Here

Now boot off of the newly created Gparted USB.

You should be here... Press ENTER

Posted Image

By default, "do not touch keymap" is highlighted.

Posted Image

Leave this setting alone and just press ENTER.

Posted Image

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below

Posted Image

According to your logs, the partition that you want to delete is 2 MB

Right click this partition and select delete .

Posted Image

The Partition has gone

Now select Apply

Now you should be here:

Posted Image

Select Apply after double checking that the right partition was deleted

Is "boot" next to your OS drive?
If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags
Posted Image

In the menu that pops up, place a checkmark in boot like the picture below, then close :

Posted Image


Under File select Quit
Posted Image

You will see this small Popup
Posted Image



Choose reboot and then press OK.

Once back in normal windows then run TDSSKiller please
  • 0

#12
Putt4Dough

Putt4Dough

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 120 posts
Do I run Combo fix before the procedure above?
  • 0

#13
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No there is no need at the moment .. We will keep that in reserve
  • 0

#14
Putt4Dough

Putt4Dough

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 120 posts
OK thanks for all of this. I will have to postpone this till Monday morning since the user is unavailable at the moment. I'll re-post Monday morning.

Thanks again.
  • 0

#15
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Not a problem I will put you on the back burner :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP