Solved Possible virus.patchload.o Infection?

[wisconsin]

Hello All,

I have been fighting probable virus/malware infection for the last week which has got progressively worse. The computer in question will now only partially complete the start-up sequence, even in safe mode. The computer gets as far as the screen where you can choose to log in as the Administrator or my regular Username, however the mouse pointer appears frozen and cannot be moved. I have tried the mouse-keys solution to attempt to get further into the start-up sequence, without any success.

My computer has Windows XP Service Pack 3 installed. The first problem to manifest itself was an error box coming up on every start-up which indicated a problem with a file called "googleupdate.exe" being unable to write to memory or similar. I subsequently installed both Malwarebytes Anti-Malware and the Ad Aware free package and ran those, which indicated some malware and supposedly removed the infections. My browser history was indicating dozens of visits to pages on a website called "meebo.com" as well as suspicious looking processes in the Task Manager window. The computer would become progressively more slugish throughout the day. Once the Malwarebytes and Ad Aware packages had done their "cleaning" I was getting clean scan logs, the visits to Meebo stopped and the processes list appeared clean of suspicious activity.

Things appeared to be fine for a couple of days and I believed I had resolved the issue. However, then the computer started behaving sluggishly again so I installed a third package, SpyHunter 4. That scan indicated a "virus.patchload.o" infection to files associated with my ATI graphics card software and recommended removal. As this was the free SpyHunter pacakge, the files in question were not removed. The scans with Malwarebytes and Ad Aware were coming up clean. Concerned that I was leaking sensitive info to the internet, I disconnected my broadband cable and attempted a reboot of the computer. Which brings me to the start-up problems as described at the top.

One other thing, my computer is home built and does not have a FDD or CD drive currently installed due to internal case issues. I can plug a CD drive in if necessary.

Any assistance gratefully received and appreciated.

 

[Broni]

Welcome aboard

We can try to do something if your BIOS supports booting from external CD drive.
If so...

Let's see, if we can look at your computer booting from an external source.

Please download OTLPE (filesize 120,9 MB)

• When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
• Reboot your system using the boot CD you just created.
  • Note : If you do not know how to set your computer to boot from CD follow the steps HERE
• Your system should now display a REATOGO-X-PE desktop.
• Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
• Double-click on the OTLPE icon.
• When asked Do you wish to load the remote registry, select Yes
• When asked Do you wish to load remote user profile(s) for scanning, select Yes
• Ensure the box Automatically Load All Remaining Users" is checked and press OK
• OTL should now start.
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive if you do not have internet connection on this system
• Please post the contents of the OTL.txt file in your reply.

 

[wisconsin]

Hi Broni,

Thanks for your response and assistance. I will post the requested file for you within the next 24 hours. I first have to retrieve the CD drive from storage to run your initial instructions.

 

[Broni]

No problem

 

[wisconsin]

Hi again Broni,

Here is the requested scan. A couple of things I wanted to add ... first, in my description of the problem yesterday, I neglected to mention that prior to the start-up sequence problem I was getting requester boxes popping up from "Windows Firewall" everytime I launched a new program which would inform me that the firewall was down and did I want to approve the program I was attempting to launch at the time. Also, the Windows security shield icon was no longer appearing in the bottom right of the screen.

Second, when running your instructions to make the following scan log, the "When asked Do you wish to load the remote registry, select Yes" requester box did not come up. It went straight to the "remote user profiles" requester. I don't know if that is significant, just thought I should mention it just in case.



OTL logfile created on: 12/27/2011 8:50:17 AM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 0.31 Gb Free Space | 0.85% Space Free | Partition Type: NTFS
Drive D: | 37.26 Gb Total Space | 0.56 Gb Free Space | 1.51% Space Free | Partition Type: NTFS
Drive E: | 37.26 Gb Total Space | 0.41 Gb Free Space | 1.09% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- -- (HidServ)
SRV - [2011/12/11 13:02:02 | 002,152,152 | ---- | M] (Lavasoft Limited) [Auto] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/10/10 00:30:40 | 000,736,672 | ---- | M] (Enigma Software Group USA, LLC.) [Auto] -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe -- (SpyHunter 4 Service)
SRV - [2004/12/12 11:34:32 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (.i8042prt)
DRV - [2011/12/01 13:49:14 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot] -- C:\WINDOWS\system32\drivers\Lbd.sys -- (Lbd)
DRV - [2011/12/01 13:49:14 | 000,015,232 | ---- | M] () [Kernel | On_Demand] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2011/08/17 08:49:54 | 000,138,496 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\drivers\afd.sys -- (AFD)
DRV - [2011/03/30 23:59:36 | 000,023,456 | ---- | M] (Phoenix Technologies) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\DrvAgent32.sys -- (DrvAgent32)
DRV - [2010/07/08 20:18:54 | 000,020,328 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\cpuz134_x32.sys -- (cpuz134)
DRV - [2010/02/11 02:38:10 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/09/17 00:45:27 | 000,024,416 | ---- | M] (Greatis Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\regguard.sys -- (RegGuard)
DRV - [2008/04/13 11:51:44 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 06:48:02 | 000,052,480 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2008/04/13 04:05:40 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2006/04/19 21:20:22 | 000,019,456 | ---- | M] (Leadtek Research Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\wf2ktunr.sys -- (tv2ktunr)
DRV - [2006/04/19 20:50:34 | 000,059,776 | ---- | M] (Leadtek Research Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\wf2kvcap.sys -- (BT848)
DRV - [2006/04/19 20:49:26 | 000,009,600 | ---- | M] (Leadtek Research Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\wf2kXbar.sys -- (Tv2kXbar)
DRV - [2004/03/19 02:02:08 | 000,613,244 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/02/23 17:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/07/17 15:58:20 | 000,036,992 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SISAGPX.SYS -- (SISAGP)
DRV - [2003/06/08 09:44:32 | 000,113,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/06/08 09:44:22 | 000,494,384 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2003/06/08 09:42:28 | 000,819,984 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2003/02/21 01:28:22 | 000,205,220 | ---- | M] (Jungo) [Kernel | On_Demand] -- C:\Documents and Settings\OEM\Desktop\hVC Alpha 2\hvwindr.sys -- (HVWINDR.SYS)
DRV - [2001/10/05 00:00:00 | 000,432,640 | ---- | M] (ITeX) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\TBCIwana.sys -- (itexadsla2)
DRV - [2001/08/16 18:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2000/07/23 08:01:00 | 000,019,537 | ---- | M] (Brother Industries Ltd.) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\BrPar.sys -- (BrPar)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\OEM_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\OEM_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\OEM_ON_C\..\URLSearchHook: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
IE - HKU\OEM_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)



O1 HOSTS File: ([2011/12/09 14:52:04 | 000,000,884 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 94.63.240.135 www.google.com
O1 - Hosts: 94.63.240.136 www.bing.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Groove Folder Synchronization) - {4DA6114D-3366-1228-057D-509775E46FD4} - File not found
O2 - BHO: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKU\OEM_ON_C\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\OEM_ON_C\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [\csrmore.exe] File not found
O4 - HKLM..\Run: [\iscsimap.exe] File not found
O4 - HKLM..\Run: [\maccfg.exe] File not found
O4 - HKLM..\Run: [\rssquery.exe] File not found
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [ADSL_A2] File not found
O4 - HKLM..\Run: [jusched] File not found
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NBKeyScan] File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe (Enigma Software Group USA, LLC.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\OEM_ON_C..\Run: [\csrmore.exe] File not found
O4 - HKU\OEM_ON_C..\Run: [\iscsimap.exe] File not found
O4 - HKU\OEM_ON_C..\Run: [\maccfg.exe] File not found
O4 - HKU\OEM_ON_C..\Run: [\rssquery.exe] File not found
O4 - HKU\OEM_ON_C..\Run: [{9C1E6911-1DB6-D84F-5291-7F34E3C4B8D4}] C:\Documents and Settings\OEM\Application Data\Afipat\piuguvi.exe (This is Free Software under the terms of the GNU GPL v2)
O4 - HKU\OEM_ON_C..\Run: [jusched] File not found
O4 - HKU\OEM_ON_C..\Run: [LightScribe Control Panel] File not found
O4 - HKU\.DEFAULT..\RunOnce: [adaware] File not found
O4 - HKU\.DEFAULT..\RunOnce: [adaware_XP] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ADSL Diagnostic Tools.LNK = File not found
O4 - Startup: C:\Documents and Settings\OEM\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\OEM_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267652763921 (WUWebControl Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\OEM_ON_C Winlogon: Shell - (C:\Documents and Settings\OEM\Local Settings\Application Data\8e6ecde6\X) - C:\Documents and Settings\OEM\Local Settings\Application Data\8e6ecde6\X ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/08 21:08:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/12/17 20:23:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\OEM\Start Menu\Programs\SpyHunter
[2011/12/17 20:23:31 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2011/12/17 20:23:31 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2011/12/17 20:21:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2011/12/17 20:15:15 | 000,706,976 | ---- | C] (Enigma Software Group USA, LLC.) -- C:\Documents and Settings\OEM\Desktop\SpyHunter-Installer.exe
[2011/12/17 19:15:25 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LocalService\UserData
[2011/12/17 17:23:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia
[2011/12/17 17:20:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe
[2011/12/17 17:18:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/12/17 17:15:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/12/17 16:49:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\adawaretb
[2011/12/17 16:41:39 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\OEM\Local Settings\Application Data\8e6ecde6
[2011/12/17 14:31:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\OEM\Application Data\MediaWmplay
[2011/12/11 17:09:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/11 17:08:53 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/12/11 17:08:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/11 16:38:44 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\OEM\Desktop\mbam-setup-1.51.2.1300.exe
[2011/12/11 15:55:13 | 000,101,720 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/12/11 12:55:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\OEM\Local Settings\Application Data\adaware
[2011/12/11 12:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection
[2011/12/11 12:55:04 | 000,000,000 | ---D | C] -- C:\Program Files\Toolbar Cleaner
[2011/12/11 12:55:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\OEM\Application Data\adawaretb
[2011/12/11 12:54:59 | 000,000,000 | ---D | C] -- C:\Program Files\adawaretb
[2011/12/11 12:54:52 | 000,064,512 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2011/12/11 12:54:42 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2011/12/11 12:54:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/12/25 15:16:26 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/12/25 15:15:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/25 14:45:06 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/12/25 14:45:06 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/12/25 14:44:55 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/25 14:44:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/17 21:05:39 | 000,048,016 | -HS- | M] () -- C:\WINDOWS\System32\c_23141.nl_
[2011/12/17 20:57:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/17 20:57:00 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/12/17 20:23:45 | 000,001,969 | ---- | M] () -- C:\Documents and Settings\OEM\Desktop\SpyHunter.lnk
[2011/12/17 20:15:15 | 000,706,976 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Documents and Settings\OEM\Desktop\SpyHunter-Installer.exe
[2011/12/17 19:01:40 | 000,000,241 | ---- | M] () -- C:\WINDOWS\Brownie.ini
[2011/12/17 18:51:42 | 000,000,454 | ---- | M] () -- C:\Documents and Settings\OEM\Desktop\WinPrefetchView.cfg
[2011/12/17 17:13:19 | 000,506,880 | ---- | M] () -- C:\Documents and Settings\OEM\My Documents\Ramones.pub
[2011/12/15 22:54:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011/12/13 23:17:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/12/13 23:17:12 | 000,216,064 | ---- | M] () -- C:\Documents and Settings\OEM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/12/13 22:12:35 | 000,044,504 | ---- | M] () -- C:\Documents and Settings\OEM\Desktop\winprefetchview.zip
[2011/12/11 18:53:45 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/12/11 17:09:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/11 16:38:44 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\OEM\Desktop\mbam-setup-1.51.2.1300.exe
[2011/12/11 13:02:31 | 000,101,720 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/12/11 13:02:29 | 000,016,432 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/12/11 12:54:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft
[2011/12/11 12:52:41 | 012,406,784 | ---- | M] () -- C:\Documents and Settings\OEM\Desktop\Ad-Aware96Install.msi
[2011/12/10 18:49:28 | 000,502,382 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/10 18:49:28 | 000,088,288 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/01 23:43:47 | 003,105,215 | ---- | M] () -- C:\Documents and Settings\OEM\Desktop\Bravado_Cat.pdf
[2011/12/01 13:49:14 | 000,064,512 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/17 21:04:26 | 000,048,016 | -HS- | C] () -- C:\WINDOWS\System32\c_23141.nl_
[2011/12/17 20:23:45 | 000,001,969 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\SpyHunter.lnk
[2011/12/17 17:13:18 | 000,506,880 | ---- | C] () -- C:\Documents and Settings\OEM\My Documents\Ramones.pub
[2011/12/17 14:31:25 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/12/17 14:31:25 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/12/13 23:07:22 | 000,000,454 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\WinPrefetchView.cfg
[2011/12/13 22:12:34 | 000,044,504 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\winprefetchview.zip
[2011/12/11 16:22:18 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/12/11 12:52:40 | 012,406,784 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\Ad-Aware96Install.msi
[2011/12/04 00:46:15 | 367,423,488 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\JOA.0103.avi
[2011/12/01 23:43:46 | 003,105,215 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\Bravado_Cat.pdf
[2011/08/25 01:09:34 | 000,233,240 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/04/28 00:17:43 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\OEM\Local Settings\Application Data\Databases.db
[2010/10/26 23:43:29 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2010/10/24 13:54:28 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2010/10/24 13:54:25 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2010/10/23 21:51:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/07/18 16:02:36 | 000,000,021 | ---- | C] () -- C:\WINDOWS\captureur.ini
[2010/03/21 14:37:12 | 001,072,989 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2010/03/21 14:37:12 | 000,002,474 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2009/09/15 23:20:03 | 000,000,093 | ---- | C] () -- C:\WINDOWS\System32\mywebhit.ini
[2009/09/11 20:15:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\ROTSCXQIRIDMRF.SYS.del
[2009/07/31 20:09:24 | 000,000,002 | ---- | C] () -- C:\WINDOWS\System32\Dvbpws.dll
[2009/04/19 17:03:52 | 000,009,030 | ---- | C] () -- C:\WINDOWS\HL-2040.INI
[2009/04/19 17:03:43 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/04/19 17:03:28 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\bd2040.dat
[2009/04/17 16:31:01 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC32.DLL
[2009/04/17 16:31:01 | 000,004,608 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC16.DLL
[2009/04/17 16:31:01 | 000,000,313 | ---- | C] () -- C:\WINDOWS\BRDIAG.INI
[2009/04/17 16:31:01 | 000,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2009/04/17 16:31:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2009/04/17 16:30:59 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\brlmw03a.ini
[2009/04/17 16:23:47 | 000,000,241 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2009/03/02 14:57:21 | 000,015,544 | ---- | C] () -- C:\Documents and Settings\OEM\Start Menu.rar
[2009/02/05 18:03:02 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/05 17:56:43 | 000,251,970 | ---- | C] () -- C:\WINDOWS\System32\ctstatic.dat
[2009/02/05 17:56:43 | 000,189,490 | ---- | C] () -- C:\WINDOWS\System32\ctdlang.dat
[2009/02/05 17:56:43 | 000,114,972 | ---- | C] () -- C:\WINDOWS\System32\ctbasicw.dat
[2009/02/05 17:56:43 | 000,053,674 | ---- | C] () -- C:\WINDOWS\System32\ctdaught.dat
[2008/11/14 17:44:01 | 000,216,064 | ---- | C] () -- C:\Documents and Settings\OEM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/09 16:48:45 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008/10/09 12:12:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2008/10/09 12:06:39 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2008/10/09 12:06:27 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2008/10/09 12:06:26 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2008/10/09 12:06:25 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2008/10/09 12:06:25 | 000,189,051 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2008/10/09 09:23:08 | 000,000,791 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/10/08 21:12:57 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/10/08 21:03:58 | 000,023,348 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/10/08 13:55:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/10/08 13:54:01 | 000,271,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 00:42:04 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2008/04/13 11:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/13 06:49:24 | 000,138,496 | ---- | C] () -- C:\WINDOWS\System32\drivers\afd.sys
[2008/04/13 06:48:02 | 000,052,480 | ---- | C] () -- C:\WINDOWS\System32\drivers\i8042prt.sys
[2006/12/30 13:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/01/14 07:06:21 | 000,202,240 | R--- | C] () -- C:\WINDOWS\System32\UnInst.exe
[2004/01/14 07:06:20 | 000,211,456 | R--- | C] () -- C:\WINDOWS\System32\DllMapi8.exe
[2004/01/14 07:06:20 | 000,151,040 | R--- | C] () -- C:\WINDOWS\System32\DllMapi6.exe
[2004/01/14 07:06:20 | 000,147,968 | R--- | C] () -- C:\WINDOWS\System32\DllMapi7.exe
[2004/01/14 07:06:20 | 000,133,632 | R--- | C] () -- C:\WINDOWS\System32\dllmapi2.exe
[2004/01/14 07:06:20 | 000,002,430 | ---- | C] () -- C:\WINDOWS\System32\AdslCfg.ini
[2001/08/23 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,502,382 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,088,288 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/12/17 20:51:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\adawaretb
[2011/11/20 18:26:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\Afipat
[2011/12/17 16:55:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\Axrygue
[2011/12/16 15:35:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\MailWasherPro
[2011/12/17 16:41:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\MediaWmplay
[2011/11/21 14:29:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\METAbolt
[2011/01/27 16:14:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\Opera
[2011/10/26 20:21:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\SecondLife
[2011/10/23 18:58:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\T-App
[2011/12/17 17:22:55 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\adawaretb
[2011/12/11 12:55:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection
[2009/01/07 22:45:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2011/12/25 15:16:26 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2011/12/15 22:54:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job

========== Purity Check ==========


< End of report >

 

[Broni]

Do this on the computer you are posting from:
Copy the text in the codebox below:

:OTL
O1 - Hosts: 94.63.240.135 www.google.com
O1 - Hosts: 94.63.240.136 www.bing.com
O3 - HKU\OEM_ON_C\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\OEM_ON_C\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [\csrmore.exe] File not found
O4 - HKLM..\Run: [\iscsimap.exe] File not found
O4 - HKLM..\Run: [\maccfg.exe] File not found
O4 - HKLM..\Run: [\rssquery.exe] File not found
O4 - HKLM..\Run: [ADSL_A2] File not found
O4 - HKLM..\Run: [jusched] File not found
O4 - HKLM..\Run: [NBKeyScan] File not found
O4 - HKU\OEM_ON_C..\Run: [\csrmore.exe] File not found
O4 - HKU\OEM_ON_C..\Run: [\iscsimap.exe] File not found
O4 - HKU\OEM_ON_C..\Run: [\maccfg.exe] File not found
O4 - HKU\OEM_ON_C..\Run: [\rssquery.exe] File not found
O4 - HKU\OEM_ON_C..\Run: [{9C1E6911-1DB6-D84F-5291-7F34E3C4B8D4}] C:\Documents and Settings\OEM\Application Data\Afipat\piuguvi.exe (This is Free Software under the terms of the GNU GPL v2)
O4 - HKU\OEM_ON_C..\Run: [jusched] File not found
O4 - HKU\OEM_ON_C..\Run: [LightScribe Control Panel] File not found
O4 - HKU\.DEFAULT..\RunOnce: [adaware] File not found
O4 - HKU\.DEFAULT..\RunOnce: [adaware_XP] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ADSL Diagnostic Tools.LNK = File not found
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[2011/12/17 16:41:39 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\OEM\Local Settings\Application Data\8e6ecde6
[2011/12/17 21:05:39 | 000,048,016 | -HS- | M] () -- C:\WINDOWS\System32\c_23141.nl_
[2011/12/15 22:54:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011/11/20 18:26:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\Afipat
[2011/12/17 16:55:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\Axrygue


:Services

:Reg

:Files

:Commands
[purity]

Open Notepad and paste it.
Save the document as Fix.txt on to a USB flash drive


On the infected computer the following...

Run OTLPE

• Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
  
  • (The content of Fix.txt should appear in the box)
• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post the log produced (you'll need to transfer it with USB stick)
• Attempt to reboot normally into Windows.

 

[wisconsin]

I have run the Fix.txt file as requested, then rebooted the computer from the CD drive. I was a little unclear on the instructions from that point ... was I to re-run OTLPE again and save that log? That is what I have done, so apologies if I was meant to save the log after running the Fix.txt file.

I entered the BIOS setup and reset the computer to boot from the HDD. It now boots to my desktop screen but the mouse is still frozen.


OTL logfile created on: 12/27/2011 10:04:33 AM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 0.32 Gb Free Space | 0.85% Space Free | Partition Type: NTFS
Drive D: | 37.26 Gb Total Space | 0.56 Gb Free Space | 1.51% Space Free | Partition Type: NTFS
Drive E: | 37.26 Gb Total Space | 0.41 Gb Free Space | 1.09% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- -- (HidServ)
SRV - [2011/12/11 13:02:02 | 002,152,152 | ---- | M] (Lavasoft Limited) [Auto] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/10/10 00:30:40 | 000,736,672 | ---- | M] (Enigma Software Group USA, LLC.) [Auto] -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe -- (SpyHunter 4 Service)
SRV - [2004/12/12 11:34:32 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (.i8042prt)
DRV - [2011/12/01 13:49:14 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot] -- C:\WINDOWS\system32\drivers\Lbd.sys -- (Lbd)
DRV - [2011/12/01 13:49:14 | 000,015,232 | ---- | M] () [Kernel | On_Demand] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2011/08/17 08:49:54 | 000,138,496 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\drivers\afd.sys -- (AFD)
DRV - [2011/03/30 23:59:36 | 000,023,456 | ---- | M] (Phoenix Technologies) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\DrvAgent32.sys -- (DrvAgent32)
DRV - [2010/07/08 20:18:54 | 000,020,328 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\cpuz134_x32.sys -- (cpuz134)
DRV - [2010/02/11 02:38:10 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/09/17 00:45:27 | 000,024,416 | ---- | M] (Greatis Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\regguard.sys -- (RegGuard)
DRV - [2008/04/13 11:51:44 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 06:48:02 | 000,052,480 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2008/04/13 04:05:40 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2006/04/19 21:20:22 | 000,019,456 | ---- | M] (Leadtek Research Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\wf2ktunr.sys -- (tv2ktunr)
DRV - [2006/04/19 20:50:34 | 000,059,776 | ---- | M] (Leadtek Research Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\wf2kvcap.sys -- (BT848)
DRV - [2006/04/19 20:49:26 | 000,009,600 | ---- | M] (Leadtek Research Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\wf2kXbar.sys -- (Tv2kXbar)
DRV - [2004/03/19 02:02:08 | 000,613,244 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/02/23 17:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/07/17 15:58:20 | 000,036,992 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SISAGPX.SYS -- (SISAGP)
DRV - [2003/06/08 09:44:32 | 000,113,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/06/08 09:44:22 | 000,494,384 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2003/06/08 09:42:28 | 000,819,984 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2003/02/21 01:28:22 | 000,205,220 | ---- | M] (Jungo) [Kernel | On_Demand] -- C:\Documents and Settings\OEM\Desktop\hVC Alpha 2\hvwindr.sys -- (HVWINDR.SYS)
DRV - [2001/10/05 00:00:00 | 000,432,640 | ---- | M] (ITeX) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\TBCIwana.sys -- (itexadsla2)
DRV - [2001/08/16 18:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2000/07/23 08:01:00 | 000,019,537 | ---- | M] (Brother Industries Ltd.) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\BrPar.sys -- (BrPar)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\OEM_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\OEM_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\OEM_ON_C\..\URLSearchHook: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
IE - HKU\OEM_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)



O1 HOSTS File: ([2011/12/27 09:49:46 | 000,001,626 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Groove Folder Synchronization) - {4DA6114D-3366-1228-057D-509775E46FD4} - File not found
O2 - BHO: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe (Enigma Software Group USA, LLC.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - Startup: C:\Documents and Settings\OEM\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\OEM_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267652763921 (WUWebControl Class)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\OEM_ON_C Winlogon: Shell - (C:\Documents and Settings\OEM\Local Settings\Application Data\8e6ecde6\X) - File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/08 21:08:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/12/27 09:49:46 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/12/27 08:59:22 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\LocalService\Recent
[2011/12/17 20:23:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\OEM\Start Menu\Programs\SpyHunter
[2011/12/17 20:23:31 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2011/12/17 20:23:31 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2011/12/17 20:21:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2011/12/17 20:15:15 | 000,706,976 | ---- | C] (Enigma Software Group USA, LLC.) -- C:\Documents and Settings\OEM\Desktop\SpyHunter-Installer.exe
[2011/12/17 19:15:25 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LocalService\UserData
[2011/12/17 17:23:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia
[2011/12/17 17:20:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe
[2011/12/17 17:18:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/12/17 17:15:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/12/17 16:49:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\adawaretb
[2011/12/17 14:31:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\OEM\Application Data\MediaWmplay
[2011/12/11 17:09:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/11 17:08:53 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/12/11 17:08:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/11 16:38:44 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\OEM\Desktop\mbam-setup-1.51.2.1300.exe
[2011/12/11 15:55:13 | 000,101,720 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/12/11 12:55:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\OEM\Local Settings\Application Data\adaware
[2011/12/11 12:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection
[2011/12/11 12:55:04 | 000,000,000 | ---D | C] -- C:\Program Files\Toolbar Cleaner
[2011/12/11 12:55:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\OEM\Application Data\adawaretb
[2011/12/11 12:54:59 | 000,000,000 | ---D | C] -- C:\Program Files\adawaretb
[2011/12/11 12:54:52 | 000,064,512 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2011/12/11 12:54:42 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2011/12/11 12:54:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/12/27 09:49:47 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2011/12/25 15:16:26 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/12/25 15:15:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/25 14:45:06 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/12/25 14:45:06 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/12/25 14:44:55 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/25 14:44:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/17 20:57:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/17 20:57:00 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/12/17 20:23:45 | 000,001,969 | ---- | M] () -- C:\Documents and Settings\OEM\Desktop\SpyHunter.lnk
[2011/12/17 20:15:15 | 000,706,976 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Documents and Settings\OEM\Desktop\SpyHunter-Installer.exe
[2011/12/17 19:01:40 | 000,000,241 | ---- | M] () -- C:\WINDOWS\Brownie.ini
[2011/12/17 18:51:42 | 000,000,454 | ---- | M] () -- C:\Documents and Settings\OEM\Desktop\WinPrefetchView.cfg
[2011/12/17 17:13:19 | 000,506,880 | ---- | M] () -- C:\Documents and Settings\OEM\My Documents\Ramones.pub
[2011/12/13 23:17:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/12/13 23:17:12 | 000,216,064 | ---- | M] () -- C:\Documents and Settings\OEM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/12/13 22:12:35 | 000,044,504 | ---- | M] () -- C:\Documents and Settings\OEM\Desktop\winprefetchview.zip
[2011/12/11 18:53:45 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/12/11 17:09:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/11 16:38:44 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\OEM\Desktop\mbam-setup-1.51.2.1300.exe
[2011/12/11 13:02:31 | 000,101,720 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/12/11 13:02:29 | 000,016,432 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/12/11 12:54:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft
[2011/12/11 12:52:41 | 012,406,784 | ---- | M] () -- C:\Documents and Settings\OEM\Desktop\Ad-Aware96Install.msi
[2011/12/10 18:49:28 | 000,502,382 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/10 18:49:28 | 000,088,288 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/01 23:43:47 | 003,105,215 | ---- | M] () -- C:\Documents and Settings\OEM\Desktop\Bravado_Cat.pdf
[2011/12/01 13:49:14 | 000,064,512 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/17 20:23:45 | 000,001,969 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\SpyHunter.lnk
[2011/12/17 17:13:18 | 000,506,880 | ---- | C] () -- C:\Documents and Settings\OEM\My Documents\Ramones.pub
[2011/12/17 14:31:25 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/12/17 14:31:25 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/12/13 23:07:22 | 000,000,454 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\WinPrefetchView.cfg
[2011/12/13 22:12:34 | 000,044,504 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\winprefetchview.zip
[2011/12/11 16:22:18 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/12/11 12:52:40 | 012,406,784 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\Ad-Aware96Install.msi
[2011/12/04 00:46:15 | 367,423,488 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\JOA.0103.avi
[2011/12/01 23:43:46 | 003,105,215 | ---- | C] () -- C:\Documents and Settings\OEM\Desktop\Bravado_Cat.pdf
[2011/08/25 01:09:34 | 000,233,240 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/04/28 00:17:43 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\OEM\Local Settings\Application Data\Databases.db
[2010/10/26 23:43:29 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2010/10/24 13:54:28 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2010/10/24 13:54:25 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2010/10/23 21:51:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/07/18 16:02:36 | 000,000,021 | ---- | C] () -- C:\WINDOWS\captureur.ini
[2010/03/21 14:37:12 | 001,072,989 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2010/03/21 14:37:12 | 000,002,474 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2009/09/15 23:20:03 | 000,000,093 | ---- | C] () -- C:\WINDOWS\System32\mywebhit.ini
[2009/09/11 20:15:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\ROTSCXQIRIDMRF.SYS.del
[2009/07/31 20:09:24 | 000,000,002 | ---- | C] () -- C:\WINDOWS\System32\Dvbpws.dll
[2009/04/19 17:03:52 | 000,009,030 | ---- | C] () -- C:\WINDOWS\HL-2040.INI
[2009/04/19 17:03:43 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/04/19 17:03:28 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\bd2040.dat
[2009/04/17 16:31:01 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC32.DLL
[2009/04/17 16:31:01 | 000,004,608 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC16.DLL
[2009/04/17 16:31:01 | 000,000,313 | ---- | C] () -- C:\WINDOWS\BRDIAG.INI
[2009/04/17 16:31:01 | 000,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2009/04/17 16:31:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2009/04/17 16:30:59 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\brlmw03a.ini
[2009/04/17 16:23:47 | 000,000,241 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2009/03/02 14:57:21 | 000,015,544 | ---- | C] () -- C:\Documents and Settings\OEM\Start Menu.rar
[2009/02/05 18:03:02 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/05 17:56:43 | 000,251,970 | ---- | C] () -- C:\WINDOWS\System32\ctstatic.dat
[2009/02/05 17:56:43 | 000,189,490 | ---- | C] () -- C:\WINDOWS\System32\ctdlang.dat
[2009/02/05 17:56:43 | 000,114,972 | ---- | C] () -- C:\WINDOWS\System32\ctbasicw.dat
[2009/02/05 17:56:43 | 000,053,674 | ---- | C] () -- C:\WINDOWS\System32\ctdaught.dat
[2008/11/14 17:44:01 | 000,216,064 | ---- | C] () -- C:\Documents and Settings\OEM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/09 16:48:45 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008/10/09 12:12:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2008/10/09 12:06:39 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2008/10/09 12:06:27 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2008/10/09 12:06:26 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2008/10/09 12:06:25 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2008/10/09 12:06:25 | 000,189,051 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2008/10/09 09:23:08 | 000,000,791 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/10/08 21:12:57 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/10/08 21:03:58 | 000,023,348 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/10/08 13:55:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/10/08 13:54:01 | 000,271,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 00:42:04 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2008/04/13 11:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/13 06:49:24 | 000,138,496 | ---- | C] () -- C:\WINDOWS\System32\drivers\afd.sys
[2008/04/13 06:48:02 | 000,052,480 | ---- | C] () -- C:\WINDOWS\System32\drivers\i8042prt.sys
[2006/12/30 13:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/01/14 07:06:21 | 000,202,240 | R--- | C] () -- C:\WINDOWS\System32\UnInst.exe
[2004/01/14 07:06:20 | 000,211,456 | R--- | C] () -- C:\WINDOWS\System32\DllMapi8.exe
[2004/01/14 07:06:20 | 000,151,040 | R--- | C] () -- C:\WINDOWS\System32\DllMapi6.exe
[2004/01/14 07:06:20 | 000,147,968 | R--- | C] () -- C:\WINDOWS\System32\DllMapi7.exe
[2004/01/14 07:06:20 | 000,133,632 | R--- | C] () -- C:\WINDOWS\System32\dllmapi2.exe
[2004/01/14 07:06:20 | 000,002,430 | ---- | C] () -- C:\WINDOWS\System32\AdslCfg.ini
[2001/08/23 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,502,382 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,088,288 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/12/17 20:51:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\adawaretb
[2011/12/16 15:35:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\MailWasherPro
[2011/12/17 16:41:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\MediaWmplay
[2011/11/21 14:29:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\METAbolt
[2011/01/27 16:14:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\Opera
[2011/10/26 20:21:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\SecondLife
[2011/10/23 18:58:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\OEM\Application Data\T-App
[2011/12/17 17:22:55 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\adawaretb
[2011/12/11 12:55:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection
[2009/01/07 22:45:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2011/12/25 15:16:26 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========


< End of report >

 

[Broni]

I'm glad to see your computer is bootable again

Now...

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

 

[wisconsin]

I apologise if I was unclear earlier. While the computer boots from the HDD to the desktop screen, the mouse is frozen on the center of the screen and I am unable to move it to click and launch any of the malware/antivirus steps in your next set of instructions.

Should I attempt to start the computer in safe mode from the HDD and see if I have use of the mouse back?

 

[Broni]

Yes, try safe mode.

 

[wisconsin]

I tried booting in safe mode, I get as far as the windows screen asking me to select Administrator or my Username but the mouse is frozen at that point and I am unable to click one and move further along the boot sequence.

 

[Broni]

Is it USB mouse?
If so can you try different mouse, PS/2 type?

 

[wisconsin]

No, it's a ps/2 type mouse, plugged into the dedicated socket for it on the motherboard. I don't own a USB mouse.

 

[Broni]

Restart computer
When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. OK Then reboot.

You should get a black screen with a C:\> prompt. Type with an Enter after each line:

fixmbr

fixboot

exit

Attempt to boot normally.

 

[wisconsin]

I'm sorry Broni, I must be dense but I don't see any such options when I reboot the computer? It goes to a text screen which says I had some problem with my last bootup attempt and do I want to start in Safe Mode, Last Known Good Configuration, etc, and gives me 30 seconds to make a choice.

 

[Broni]

Most likely recovery console is not installed.

If you have Windows XP CD...

• You'll need to find your Windows XP installation disk.
• Insert the Windows XP CD into the CD-ROM drive, then restart your computer.
• If prompted, click any options that are required to start the computer from the CD-ROM drive.
• When the Welcome to Setup screen appears, press R to start the Recovery Console.
• The Recovery Console will start and ask you which Windows installation you would like to log on to.
• If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.

[*]It will then prompt you for the Administrator's password. If there is no password, simply press enter.
[*]You will now be presented with a C:\Windows> prompt
[/list]
Then continue with commands from my previous reply.

If you don't have Windows CD...
Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
Using Imgburn, burn rc.iso to a CD.
Boot to the CD...let it finish loading.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

 

[wisconsin]

Okay, understood. I need to log for the day so will come back to you tomorrow once I've completed those steps.

Thanks for your patience

 

[Broni]

No problem

 

[wisconsin]

Hi Broni,

I have run the Recovery Console from my Windows XP installation disk, and completed the steps requested. The mouse is still frozen.

 

[Broni]

Try repair installation: http://www.geekstogo.com/forum/topic/138-how-to-repair-windows-xp/

 

[wisconsin]

Okay, I have run the repair installation procedure as per your instructions, and now have use of the mouse back.

The computer booted up from the completion of the repair, the Windows security shield once again appeared down the bottom on the task bar with the Firewall and Virus Protection both indicating green and on. Then the SpyHunter4 launched as part of the boot squence (I think I had it set to start at launch, or it is the default setting).

I clicked on the Quick Scan button and it ran for about 30 seconds then the window promptly disappeared, as did the little icon for it down the bottom in the task bar. Even though the Windows Secutiry Center says I have virus protection though Lavasoft Ad-Watch Live! and that it is on, I don't see the little icon for that on the task bar either. Clicking on SpyHunter4 via the Start/Programs... brings up a window which says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Running the installed Malwarebytes Anti-Malware software results in exactly the same thing happening. runs for 30 seconds, disappears, then can't be relaunched.

 

[Broni]

Good news

Skip MBAM for now, post other logs.

 

[wisconsin]

Okay, just to be absolutely clear, should I also skip Step 1 as I am supposedly receiving antivirus protection from Lavasoft Ad-Watch Live? The Windows Security Center says it is on but I am skeptical as I can't see its little icon down the bottom on my task bar.

 

[Broni]

Yes...............

 

[wisconsin]

Okay, 10-4, I will get stuck into it now then!