Inactive Live Security Platinum

quickener

My computer has been infected with the Live Security Platinum.
I was unable to run Malwarebytes in normal or safe mode.
I was unable to run GMER in normal mode. When I try to run it in Safe mode, I get the following error:
LoadDriver("C:\DOCUME~1\Owner\LOCALS~1\Temp\axtdqpow.sys") error 0xC000010E:
Cannot create a stable subkey under a volatile parent key
And then it does run and the result file is blank.
I then ran DDS and it started and ran all night but never finished. It seemed to have frozen.
 
Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

========================================

Start with this manual: http://www.bleepingcomputer.com/virus-removal/remove-live-security-platinum

Let me know when done.
 
I was able to get FixExec to run and the log file found no processes were found to kill.
Then I went to Add or Remove Programs and tried to remove Live Security Platinum. When I click on the "Change/Remove" button for Live Security Platinum, nothing happens. Nothing gets uninstalled.
Then I tried to launch my Firefox browser, but it says that Firefox is already running.
 
Let's see, if we can look at your computer booting from an external source.

Please download OTLPE (filesize 120,9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
 
OTL logfile created on: 8/1/2012 10:25:09 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 369.20 Gb Free Space | 79.27% Space Free | Partition Type: NTFS
Drive D: | 76.68 Gb Total Space | 76.62 Gb Free Space | 99.91% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2012/07/19 12:14:48 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/06/19 14:44:22 | 000,777,728 | ---- | M] (Eastman Kodak Company) [Auto] -- C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe -- (Kodak AiO Status Monitor Service)
SRV - [2012/06/18 22:13:46 | 000,394,712 | ---- | M] (Eastman Kodak Company) [Auto] -- C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe -- (Kodak AiO Network Discovery Service)
SRV - [2011/10/08 00:50:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () [Auto] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (MSICDSetup)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2012/07/31 18:24:37 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/07/07 19:21:30 | 000,119,656 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
DRV - [2011/01/13 22:29:14 | 006,312,040 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2010/12/28 21:37:40 | 000,276,968 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2010/03/22 06:29:08 | 000,018,944 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2009/11/17 19:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/11/17 19:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2007/04/16 17:46:34 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@soe.sony.com/installer,version=1.0.3: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nxqi753.default\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}\plugins\npsoe.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/19 12:14:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/19 20:40:34 | 000,000,000 | ---D | M]

[2012/05/03 21:26:52 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/07/19 12:14:49 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/07/06 15:29:27 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\mozilla firefox\plugins\NPcol400.dll
[2011/03/18 14:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2012/03/31 23:09:54 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/03/18 14:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2012/06/19 20:35:06 | 000,002,252 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/19 20:35:06 | 000,002,040 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2008/04/14 08:00:00 | 000,000,734 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [gmupap] C:\Documents and Settings\Owner\Application Data\gmupap.dll (Crytek)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
O4 - HKLM..\Run: [Super-Charger] C:\Program Files\MSI\Super-Charger\StartSuperCharger.exe (TODO: <Company name>)
O4 - HKLM..\Run: [wiluit] C:\Documents and Settings\Owner\Application Data\wiluit.dll (EFD Software)
O4 - HKU\Owner_ON_C..\Run: [HP Photosmart 6510 series (NET)] C:\Program Files\HP\HP Photosmart 6510 series\Bin\ScanToPCActivationApp.exe (Hewlett-Packard Co.)
O4 - HKU\Owner_ON_C..\Run: [KB00697532.exe] C:\Documents and Settings\Owner\Application Data\KB00697532.exe (polmop)
O4 - HKU\Owner_ON_C..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [KodakHomeCenter] C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe (Eastman Kodak Company)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\systemprofile_ON_C..\RunOnce: [KodakHomeCenter] C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe (Eastman Kodak Company)
O4 - HKU\systemprofile_ON_C..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\UpdatusUser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1303497883750 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/04/22 02:03:27 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: logmgpwd - (C:\WINDOWS\system32\ddesator.dll) - C:\WINDOWS\system32\ddesator.dll (FRISK Software International)
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/08/01 20:30:56 | 000,883,616 | ---- | C] (Bleeping Computer, LLC) -- C:\FixExec.com
[2012/07/31 22:55:51 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Administrative Tools
[2012/07/31 18:03:56 | 000,000,000 | --SD | C] -- C:\Documents and Settings\NetworkService\UserData
[2012/07/31 17:58:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/07/31 17:58:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/07/31 17:26:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/07/31 17:26:18 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LocalService\UserData
[2012/07/31 17:26:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/07/31 17:25:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Live Security Platinum
[2012/07/31 17:22:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\036E1BAF0054753300081DB97B07D287
[2012/07/31 17:22:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\{D80D9D8A-DB55-11E1-8270-B8AC6F996F26}
[2012/07/31 17:22:37 | 000,452,608 | ---- | C] (EFD Software) -- C:\Documents and Settings\Owner\Application Data\wiluit.dll
[2012/07/31 17:22:10 | 000,056,320 | -H-- | C] (FRISK Software International) -- C:\WINDOWS\System32\ddesator.dll
[2012/07/31 17:21:45 | 000,150,016 | -HS- | C] (Crytek) -- C:\Documents and Settings\Owner\Application Data\gmupap.dll
[2012/07/31 17:21:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Application Data\E9E174FD
[2012/07/31 17:21:36 | 000,116,591 | -HS- | C] (polmop) -- C:\Documents and Settings\Owner\Application Data\KB00697532.exe
[2012/07/31 17:18:30 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/07/31 17:11:00 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2012/07/21 20:54:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2012/07/21 08:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Kodak
[2012/07/12 16:25:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\My Games
[2012/07/12 16:25:24 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\My Documents\My Games
[2012/07/12 15:51:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Steam
[2012/07/12 12:42:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Steam
[2012/07/12 12:42:44 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
[2012/07/05 07:09:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\GTT
[2011/10/30 20:37:55 | 000,800,824 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\UpdatusUser\Application Data\DPInst.exe
[2011/10/30 20:37:55 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\UpdatusUser\Application Data\gacutil.exe
[2011/10/30 20:37:55 | 000,036,352 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\UpdatusUser\Application Data\PnPutil.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/08/01 22:15:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/08/01 21:34:03 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/08/01 20:29:12 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/08/01 15:16:38 | 000,883,616 | ---- | M] (Bleeping Computer, LLC) -- C:\FixExec.com
[2012/07/31 18:24:37 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/07/31 17:25:19 | 000,002,256 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Live Security Platinum.lnk
[2012/07/31 17:22:39 | 000,452,608 | ---- | M] (EFD Software) -- C:\Documents and Settings\Owner\Application Data\wiluit.dll
[2012/07/31 17:22:10 | 000,056,320 | -H-- | M] (FRISK Software International) -- C:\WINDOWS\System32\ddesator.dll
[2012/07/31 17:21:30 | 000,150,016 | -HS- | M] (Crytek) -- C:\Documents and Settings\Owner\Application Data\gmupap.dll
[2012/07/31 17:21:26 | 000,116,591 | -HS- | M] (polmop) -- C:\Documents and Settings\Owner\Application Data\KB00697532.exe
[2012/07/31 17:11:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip
[2012/07/31 17:11:02 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
[2012/07/31 17:11:00 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
[2012/07/31 17:10:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Coupons
[2012/07/31 17:10:58 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Games
[2012/07/31 17:10:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\LEGO Company
[2012/07/31 17:10:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Kodak
[2012/07/31 17:10:53 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\OpenOffice.org 3.3
[2012/07/31 17:10:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/31 17:10:52 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/07/31 17:10:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Steam
[2012/07/31 17:10:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Ulead PhotoImpact 6
[2012/07/31 16:01:01 | 000,000,332 | ---- | M] () -- C:\WINDOWS\tasks\HP Photo Creations Messager.job
[2012/07/31 15:40:37 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/07/31 11:10:01 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2012/07/31 08:11:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2012/07/31 08:11:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Legends of Norrath
[2012/07/31 08:11:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack
[2012/07/31 08:11:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\HP
[2012/07/31 08:11:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\EverQuest
[2012/07/30 21:40:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2012/07/30 19:56:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2012/07/30 15:00:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2012/07/27 15:35:53 | 000,141,982 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Insurance.jpg
[2012/07/27 15:35:53 | 000,003,974 | ---- | M] () -- C:\WINDOWS\ULEAD32.INI
[2012/07/26 21:41:07 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/07/26 21:41:07 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/07/25 09:40:55 | 000,033,456 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Whoops window.jpg
[2012/07/21 11:54:10 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/07/21 08:49:56 | 000,001,859 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
[2012/07/21 08:49:04 | 000,001,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Get CleanPrint.lnk
[2012/07/17 19:01:04 | 000,120,544 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/07/17 18:52:54 | 000,001,374 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2012/07/16 16:59:58 | 000,230,840 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
[2012/07/15 13:47:13 | 000,000,077 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Sid Meier's Civilization V.url
[2012/07/12 12:47:40 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2012/07/10 12:47:24 | 000,176,847 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\beauty_salon_makeover.jpg
[2012/07/03 14:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/31 18:07:13 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/07/31 17:25:18 | 000,002,256 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Live Security Platinum.lnk
[2012/07/27 15:35:53 | 000,141,982 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Insurance.jpg
[2012/07/25 09:40:55 | 000,033,456 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Whoops window.jpg
[2012/07/21 08:49:56 | 000,001,859 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
[2012/07/21 08:49:04 | 000,001,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Get CleanPrint.lnk
[2012/07/12 15:51:57 | 000,000,077 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Sid Meier's Civilization V.url
[2012/07/12 12:42:46 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2012/07/10 12:47:23 | 000,176,847 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\beauty_salon_makeover.jpg
[2012/04/24 19:53:22 | 000,000,057 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Ament.ini
[2012/02/19 10:44:57 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/14 12:33:31 | 000,000,030 | ---- | C] () -- C:\WINDOWS\Iedit.INI
[2011/12/27 18:54:34 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2011/12/27 18:54:33 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2011/10/30 20:37:55 | 000,000,181 | ---- | C] () -- C:\Documents and Settings\UpdatusUser\Application Data\gacutil.exe.config
[2011/10/30 20:36:51 | 000,285,176 | -H-- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/10/30 20:36:51 | 000,285,176 | -H-- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/10/30 20:36:51 | 000,000,001 | -H-- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/10/28 21:14:13 | 000,003,974 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
[2011/06/28 16:49:21 | 000,000,129 | -H-- | C] () -- C:\Documents and Settings\Owner\jagex_runescape_preferences2.dat
[2011/06/28 16:48:19 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
[2011/06/01 23:06:34 | 002,130,002 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/05/11 23:17:55 | 000,000,128 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2011/05/02 18:46:37 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/26 19:00:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/04/22 21:40:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/04/22 21:39:12 | 000,120,544 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/22 14:27:43 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2011/04/22 14:22:20 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/04/22 14:22:20 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2011/04/22 14:22:19 | 000,631,808 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/04/22 14:22:19 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/04/22 14:22:18 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/04/22 02:09:37 | 000,081,936 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2011/04/22 02:04:49 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/04/22 02:01:22 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/14 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 08:00:00 | 000,441,450 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 08:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 08:00:00 | 000,071,642 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 08:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 08:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 08:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 08:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/05/03 23:31:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Temp
[2011/05/31 19:35:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Canneverbe Limited
[2011/07/06 15:29:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Catalina Marketing Corp
[2012/07/31 17:22:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\E9E174FD
[2011/12/09 09:41:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\EDrawings
[2011/12/27 18:52:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterTrust
[2011/09/04 11:14:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Juniper Networks
[2011/12/03 12:05:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LEGO Company
[2011/04/26 19:00:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org
[2012/04/24 20:21:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sony Online Entertainment
[2011/12/18 16:04:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
[2011/04/29 08:10:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Temp
[2011/05/18 15:54:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Unity
[2011/09/08 00:26:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\UpdatusUser\Application Data\Temp
[2012/07/31 17:24:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\036E1BAF0054753300081DB97B07D287
[2011/05/31 19:35:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2011/05/20 09:14:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
[2012/06/18 22:27:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2012/07/31 11:10:01 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2012/07/30 21:40:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2012/07/30 19:56:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2012/07/30 15:00:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job

========== Purity Check ==========


< End of report >
 
Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [gmupap] C:\Documents and Settings\Owner\Application Data\gmupap.dll (Crytek)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [wiluit] C:\Documents and Settings\Owner\Application Data\wiluit.dll (EFD Software)
O4 - HKU\Owner_ON_C..\Run: [KB00697532.exe] C:\Documents and Settings\Owner\Application Data\KB00697532.exe (polmop)
O36 - AppCertDlls: logmgpwd - (C:\WINDOWS\system32\ddesator.dll) - C:\WINDOWS\system32\ddesator.dll (FRISK Software International)
[2012/07/31 17:25:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Live Security Platinum
[2012/07/31 17:22:37 | 000,452,608 | ---- | C] (EFD Software) -- C:\Documents and Settings\Owner\Application Data\wiluit.dll
[2012/07/31 17:22:10 | 000,056,320 | -H-- | C] (FRISK Software International) -- C:\WINDOWS\System32\ddesator.dll
[2012/07/31 17:21:45 | 000,150,016 | -HS- | C] (Crytek) -- C:\Documents and Settings\Owner\Application Data\gmupap.dll
[2012/07/31 17:21:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Application Data\E9E174FD
[2012/07/31 17:21:36 | 000,116,591 | -HS- | C] (polmop) -- C:\Documents and Settings\Owner\Application Data\KB00697532.exe
[2012/07/31 11:10:01 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2012/07/30 21:40:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2012/07/30 19:56:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2012/07/30 15:00:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2012/07/31 17:25:18 | 000,002,256 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Live Security Platinum.lnk


:Services

:Reg

:Files

:Commands
[purity]

Open Notepad and paste it.
Save the document as Fix.txt on to a USB flash drive


On the infected computer the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Remove the CD and shut down computer manually.
  • Attempt to reboot normally into Windows.

Let me know if you can operate your computer fairly normally.
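Added example (editor's note, not part of the original post and not OTL's own code): the OTL entries above share the traits that make a file worth quarantining before any analysis has been done: executables dropped straight into a user profile, hidden/system attributes set on loose DLLs, a vendor string borrowed from a legitimate company, and all of them created within about a minute of each other. The script below parses OTL-style listing lines and applies those heuristics. The sample listing is constructed and modelled on the lines above (the Kodak service line is an added benign control); the weights and the five-minute burst window are assumptions, not anything OTL does.

```python
"""Triage OTL-style file listings for dropper-like entries (added example, not OTL code).

Parses lines of the form
  [YYYY/MM/DD HH:MM:SS | size | attrs | C/M] (Company) -- path
and scores each executable by where it sits, whether it hides itself, and whether
its version-info company string is plausible for that location.
"""
import re
from datetime import datetime, timedelta

OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<flag>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Locations a non-admin dropper can write to (Windows XP profile layout, as in the log).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_otl(text):
    """Return one dict per OTL listing line; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "hidden": "H" in m["attrs"],
            "system": "S" in m["attrs"],
            "is_dir": "D" in m["attrs"],
            "created": m["flag"] == "C",
            "company": (m["company"] or "").strip(),
            "path": m["path"],
        })
    return entries


def score_entry(e):
    """Weight dropper-like traits (assumed weights); returns (score, reasons), a score, not a verdict."""
    reasons = []
    low = e["path"].lower()
    if e["is_dir"] or not low.endswith(EXEC_EXT):
        return 0, reasons
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append((1, "executable written to a user-writable profile directory"))
    if e["hidden"] or e["system"]:
        reasons.append((2, "hidden/system attribute set on a loose executable"))
    if e["company"] and low.startswith("c:\\documents and settings\\"):
        reasons.append((1, f"carries vendor string '{e['company']}' but lives in a user profile, not an install directory"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def creation_bursts(entries, window=timedelta(minutes=5), min_files=3):
    """Group executables created within `window` of the previous one: droppers write their payload set at once."""
    execs = sorted((e for e in entries if e["created"] and not e["is_dir"]
                    and e["path"].lower().endswith(EXEC_EXT)), key=lambda e: e["ts"])
    bursts, current = [], []
    for e in execs:
        if current and e["ts"] - current[-1]["ts"] > window:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_files:
        bursts.append(current)
    return [[e["path"] for e in b] for b in bursts]


def triage(text, threshold=2):
    """Return (flagged entries at or above threshold, creation bursts) for an OTL listing."""
    entries = parse_otl(text)
    flagged = []
    for e in entries:
        score, reasons = score_entry(e)
        if score >= threshold:
            flagged.append((e["path"], score, reasons))
    return flagged, creation_bursts(entries)


# Constructed sample, modelled on the OTL lines in this thread; the Kodak line is a benign control.
SAMPLE = r"""
[2012/07/31 17:25:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Live Security Platinum
[2012/07/31 17:22:37 | 000,452,608 | ---- | C] (EFD Software) -- C:\Documents and Settings\Owner\Application Data\wiluit.dll
[2012/07/31 17:22:10 | 000,056,320 | -H-- | C] (FRISK Software International) -- C:\WINDOWS\System32\ddesator.dll
[2012/07/31 17:21:45 | 000,150,016 | -HS- | C] (Crytek) -- C:\Documents and Settings\Owner\Application Data\gmupap.dll
[2012/07/31 17:21:36 | 000,116,591 | -HS- | C] (polmop) -- C:\Documents and Settings\Owner\Application Data\KB00697532.exe
[2012/07/31 11:10:01 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2012/06/19 09:12:00 | 000,394,712 | ---- | C] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
"""

if __name__ == "__main__":
    flagged, bursts = triage(SAMPLE)
    for path, score, reasons in flagged:
        print(f"[{score}] {path}: " + "; ".join(reasons))
    for b in bursts:
        print(f"burst of {len(b)} executables created together:", *b, sep="\n  ")
```

Run on the sample, the four files the OTL fix above removes are the only ones flagged, and the burst detector groups them as a single drop; the hidden DLL in System32 is caught by the attribute rule alone, which is why that rule carries more weight than the location rule.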
 
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\gmupap deleted successfully.
C:\Documents and Settings\Owner\Application Data\gmupap.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\wiluit deleted successfully.
C:\Documents and Settings\Owner\Application Data\wiluit.dll moved successfully.
Registry value HKEY_USERS\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\KB00697532.exe deleted successfully.
C:\Documents and Settings\Owner\Application Data\KB00697532.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\\logmgpwd deleted successfully.
C:\WINDOWS\system32\ddesator.dll moved successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Live Security Platinum folder moved successfully.
File C:\Documents and Settings\Owner\Application Data\wiluit.dll not found.
File C:\WINDOWS\System32\ddesator.dll not found.
File C:\Documents and Settings\Owner\Application Data\gmupap.dll not found.
C:\Documents and Settings\Owner\Application Data\E9E174FD folder moved successfully.
File C:\Documents and Settings\Owner\Application Data\KB00697532.exe not found.
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\Documents and Settings\Owner\Desktop\Live Security Platinum.lnk moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

OTLPE by OldTimer - Version 3.1.48.0 log created on 08012012_225136
I rebooted into Windows normally. However, some of the icons on the desktop (pictures, PDF files) are semi-transparent (but still accessible); normally, these icons are not transparent at all. However, Firefox still will not start - it says that another Firefox is already running even though one is not running.
 
Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix seems like it's running - it shows a lot of actions being done, but there is no log file produced at C:\
It behaves the same in both normal mode and safe mode.
Since ComboFix seems to run, do I need to run the Rkill now?
 
I let it run all night but it never finished - the computer clock stopped, and so I assume it's frozen.
 
Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer IF MBAM asks you to do so.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
 
  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

==================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: Owner [Admin rights]
Mode: Scan -- Date: 08/03/2012 00:26:07
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 4 ¤¤¤
[] HKLM\[...]\Windows : () -> ACCESS DENIED
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[] HKLM\[...]\Windows : () -> ACCESS DENIED
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : c:\windows\installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\n --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\L --> FOUND
[ZeroAccess][FILE] n : c:\documents and settings\owner\local settings\application data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\n --> FOUND
[ZeroAccess][FILE] @ : c:\documents and settings\owner\local settings\application data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\documents and settings\owner\local settings\application data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\documents and settings\owner\local settings\application data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\L --> FOUND
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AAKX-001CA0 +++++
--- User ---
[MBR] f2b26f4a06648a628753ed362c9d30e5
[BSP] 7fb7dea00ad6e99de11b2a8ceacbf9b5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 64b8b3e7154e60982ac38a1f53fa5243
[BSP] 7fb7dea00ad6e99de11b2a8ceacbf9b5 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 976752000 | Size: 10 Mo
+++++ PhysicalDrive1: HDS728080PLA380 +++++
Error reading User MBR!
Error reading LL1 MBR!
User = LL2 ... OK!
+++++ PhysicalDrive2: Generic Flash Disk USB Device +++++
--- User ---
[MBR] e9321e57397cd6917a1faf5e355946a9
[BSP] b110915c91eb31922bb631406f7f0bd7 : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNOWN (0x72) [VISIBLE] Offset (sectors): 778135908 | Size: 557377 Mo
1 - [XXXXXX] UNKNOWN (0x65) [VISIBLE] Offset (sectors): 168689522 | Size: 945326 Mo
2 - [XXXXXX] UNKNOWN (0x79) [VISIBLE] Offset (sectors): 1869881465 | Size: 945326 Mo
3 - [XXXXXX] UNKNOWN (0x0d) [VISIBLE] Offset (sectors): 2885681152 | Size: 27 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt



aswMBR will not run in safe mode - it says that "A device attached to the system is not functioning"
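Added example (editor's note, not part of the original post and not RogueKiller's code): the security-relevant part of the RogueKiller log above is the "User != LL2 ... KO!" line. The tool reads sector 0 once through the normal Windows API and once through a lower-level path; the boot code hash ([BSP]) is identical in both, but the full-sector hash ([MBR]) differs, and only the low-level read shows the active flag moved onto a hidden type-0x17 partition parked at the end of the disk. When two reads of the same sector disagree, something between the API and the disk is rewriting the answer. The script below builds the two views as constructed 512-byte sector images using the partition values from the log and diffs them; the 500 GB disk size is an assumption, and the "hidden" type-ID set is the standard DOS/Windows list.

```python
"""Diff an API-level read of an MBR against a low-level read of the same sector.

Added example, not RogueKiller's code. Models the 'MBR Check' section above: the
user-mode view shows one active NTFS partition; the low-level view shows that
partition de-activated plus a hidden (0x17) active partition at the end of the disk.
Both sector images are constructed; the disk size is an assumption.
"""
import hashlib
import struct

SECTOR = 512
MB_SECTORS = 2048                        # 1 MiB in 512-byte sectors (RogueKiller reports sizes in 'Mo')
PT_OFFSET, PT_ENTRY = 446, "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}  # 'hidden' variants of the FAT/NTFS type IDs


def build_mbr(entries, boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c"):
    """Assemble a 512-byte MBR from (status, type, lba_start, sectors) tuples (test data only)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries[:4]):
        struct.pack_into(PT_ENTRY, mbr, PT_OFFSET + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PT_ENTRY, mbr, PT_OFFSET + 16 * i)
        if ptype:
            parts.append({"index": i, "active": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return parts


def compare_reads(user_mbr, raw_mbr, disk_sectors):
    """Diff two reads of sector 0; any disagreement means something sits between the API and the disk."""
    findings = []
    if user_mbr != raw_mbr:
        # Bytes 0..445 are boot code plus disk signature; if they match, only the table was rewritten.
        where = "partition table only" if user_mbr[:PT_OFFSET] == raw_mbr[:PT_OFFSET] else "boot code"
        findings.append(f"user-mode and low-level reads differ ({where}); md5 "
                        f"{hashlib.md5(user_mbr).hexdigest()[:8]} vs {hashlib.md5(raw_mbr).hexdigest()[:8]}")
    user = {p["lba"]: p for p in parse_partitions(user_mbr)}
    raw = parse_partitions(raw_mbr)
    for p in raw:
        if p["lba"] not in user:
            findings.append(f"partition at LBA {p['lba']} (type 0x{p['type']:02X}) is hidden from the user-mode read")
        if p["active"] and p["type"] in HIDDEN_TYPES:
            findings.append(f"active boot partition has a 'hidden' type 0x{p['type']:02X} at LBA {p['lba']}")
        if p["lba"] + p["sectors"] > disk_sectors:
            findings.append(f"partition at LBA {p['lba']} extends past the end of the disk")
    user_active = [p["lba"] for p in user.values() if p["active"]]
    raw_active = [p["lba"] for p in raw if p["active"]]
    if user_active != raw_active:
        findings.append(f"active flag moved: user-mode read boots LBA {user_active}, low-level read boots LBA {raw_active}")
    return findings


# Constructed views using the offsets and sizes from the RogueKiller log above.
DISK_SECTORS = 976_773_168                # assumed: a 500 GB drive (not stated in the log)
NTFS_SECTORS = 476_929 * MB_SECTORS
USER_VIEW = build_mbr([(0x80, 0x07, 63, NTFS_SECTORS)])
RAW_VIEW = build_mbr([(0x00, 0x07, 63, NTFS_SECTORS),
                      (0x80, 0x17, 976_752_000, 10 * MB_SECTORS)])

if __name__ == "__main__":
    for line in compare_reads(USER_VIEW, RAW_VIEW, DISK_SECTORS):
        print("!", line)
```

On these two views the diff reports four things: the sector differs in the partition table only (boot code intact, matching the identical [BSP] hash in the log), a partition invisible to the user-mode read, an active partition with a hidden type ID, and an active flag that has moved from the NTFS volume to the hidden one. A clean disk gives an empty list. This is also why the helper's next step goes to the Recovery Console rather than to another in-Windows scanner: a disk filter that lies to user mode will lie to any tool that runs under it.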
 
We need to use the Recovery Console to try to fix your issue.

  • You'll need to find your Windows XP installation disk.
  • Insert the Windows XP CD into the CD-ROM drive, then restart your computer.
  • If prompted, click any options that are required to start the computer from the CD-ROM drive.
  • When the Welcome to Setup screen appears, press R to start the Recovery Console.
  • The Recovery Console will start and ask you which Windows installation you would like to log on to.
    • If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
  • You will now be presented with a C:\Windows> prompt
  • Type with an Enter after each line:

  • fixmbr

    fixboot

    exit
  • Restart computer.

************************

If you don't have Windows CD...
Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
Using Imgburn, burn rc.iso to a CD.
Boot to the CD...let it finish loading.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

====================================

When done post new RogueKiller log.
 
I did the recovery and now a black screen comes up on restart that says "NTLDR is missing" and all I can do is restart. But it always comes back to that screen. It seems that something is very wrong now.
 
You will need a USB flash drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download rst.sh to your USB flash drive
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named enum.log
  • Remove the USB drive and insert it back in your working computer and navigate to enum.log

    Please note - all text entries are case sensitive
Copy and paste the enum.log for my review
 
I made it to the Welcome to xPUD screen, then it went to a DOS screen with a good number of problems such as "unable to connect to X server" and "Server error". At the bottom of the screen is a prompt

sh-4.0#
This is as far as it gets.
 
Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

:step1:

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
    • Do not install to a folder with spaces in its name.
    • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source:(path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output: (C:\ubcd4win\BartPE)
        • Keep the default BartPE
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD


      Please note: If your XP install disc is SP1 then please .....
      1. Disable- DComLaunch Service
      2. Enable- LargeIDE Fix

        This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

      Also note: If you have a Dell XP install disc you will need to follow the instructions here
      http://www.ubcd4win.com/faq.htm#dell

    3. Click on the "Build" button
    • You will see the Windows EULA message. Click on I Agree
    • You will now see the Build Screen. Let it run its course
    • When the Build is finished you can click close, then exit


    4. Burn your ISO file to CD
    • Please see HERE on how to burn an ISO to CD.

==========

:step2:

Next, from your clean computer:

Download Farbar Recovery Scan Tool
and save it to your flash drive.

Now plug your flashdrive back into your sick computer and follow the next instructions:

==========

:step3:

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on Yes if you want to use the PE environment to get online, post your log and reply by way of an Ethernet connection.
  • You should now have a desktop that looks like this:
    Main.jpg

==========

:step4:

  • Single click My computer from your UBCD4W desktop to navigate to the Farbar Recovery Scan Tool you saved to your flash drive.
  • Double click on it to begin running the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your next reply.
 
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 04-08-2012 02:26:18
Running from E:\Virus Removal
Microsoft Windows XP Service Pack 2 (X86) OS Language: Georgian
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]
HKLM\...\Run: [Super-Charger] C:\Program Files\MSI\Super-Charger\StartSuperCharger.exe [303104 2011-01-25] (TODO: <Company name>)
HKLM\...\Run: [Conime] %windir%\system32\conime.exe [x]
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe [2510848 2011-06-16] (Eastman Kodak Company)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [16744256 2011-10-08] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login [x]
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet [1632360 2011-10-08] ()
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Owner\...\Run: [HP Photosmart 6510 series (NET)] "C:\Program Files\HP\HP Photosmart 6510 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN21G411Y305QB:NW" -scfn "HP Photosmart 6510 series (NET)" -AutoStart 1 [1804648 2011-09-16] (Hewlett-Packard Co.)
HKU\Owner\...\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [1242448 2012-07-12] (Valve Corporation)
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
ShortcutTarget: Acrobat Assistant.lnk -> C:\PROGRAMS\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (No File)
Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\PROGRAMS\OpenOffice.org 3\program\quickstart.exe (No File)
================================ Services (Whitelisted) ==================
2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
2 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe [394712 2012-06-19] (Eastman Kodak Company)
2 Kodak AiO Status Monitor Service; "C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe" [777728 2012-06-19] (Eastman Kodak Company)
2 NMSAccess; C:\Program Files\CDBurnerXP\NMSAccessU.exe [71096 2010-03-05] ()
2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2253120 2011-10-08] (NVIDIA Corporation)
2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
========================== Drivers (Whitelisted) =============
3 Ambfilt; C:\Windows\System32\drivers\Ambfilt.sys [1691480 2009-11-17] (Creative)
1 AmdPPM; C:\Windows\System32\DRIVERS\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices)
3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows (R) Server 2003 DDK provider)
3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2012-08-03] (Malwarebytes Corporation)
3 Monfilt; C:\Windows\System32\drivers\Monfilt.sys [1395800 2009-11-17] (Creative Technology Ltd.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-21] (Microsoft Corporation)
3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [119656 2011-07-07] (NVIDIA Corporation)
3 nvsmu; C:\Windows\System32\DRIVERS\nvsmu.sys [18944 2010-03-22] (NVIDIA Corporation)
3 RTLE8023xp; C:\Windows\System32\DRIVERS\Rtenicxp.sys [276968 2010-12-29] (Realtek Semiconductor Corporation )
3 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [7168 2009-11-12] ()
4 Abiosdsk; [x]
4 abp480n5; [x]
4 adpu160m; [x]
4 Aha154x; [x]
4 aic78u2; [x]
4 aic78xx; [x]
4 AliIde; [x]
4 amsint; [x]
4 asc; [x]
4 asc3350p; [x]
4 asc3550; [x]
4 Atdisk; [x]
3 catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys [x]
4 cd20xrnt; [x]
1 Changer; [x]
4 CmdIde; [x]
4 Cpqarray; [x]
4 dac2w2k; [x]
4 dac960nt; [x]
4 dpti2o; [x]
4 hpn; [x]
1 i2omgmt; [x]
4 i2omp; [x]
4 ini910u; [x]
4 IntelIde; [x]
1 lbrtfdc; [x]
4 mraid35x; [x]
3 MSICDSetup; \??\D:\CDriver.sys [x]
1 PCIDump; [x]
3 PDCOMP; [x]
3 PDFRAME; [x]
3 PDRELI; [x]
3 PDRFRAME; [x]
4 perc2; [x]
4 perc2hib; [x]
4 ql1080; [x]
4 Ql10wnt; [x]
4 ql12160; [x]
4 ql1240; [x]
4 ql1280; [x]
4 Simbad; [x]
4 Sparrow; [x]
4 symc810; [x]
4 symc8xx; [x]
4 sym_hi; [x]
4 sym_u3; [x]
4 TosIde; [x]
4 ultra; [x]
4 ViaIde; [x]
3 WDICA; [x]
3 {79007602-0CDB-4405-9DBF-1257BB3226EE}; Combo-Fix.sys [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-08-04 02:26 - 2012-08-04 02:26 - 00000000 ____D C:\FRST
2012-08-03 05:26 - 2012-08-03 05:26 - 00003089 ____A C:\Documents and Settings\Owner\Desktop\RKreport[1].txt
2012-08-03 05:25 - 2012-08-03 05:26 - 00000000 ____D C:\Documents and Settings\Owner\Desktop\RK_Quarantine
2012-08-03 05:24 - 2012-08-03 02:27 - 04731392 ____A (AVAST Software) C:\Documents and Settings\Owner\Desktop\aswMBR.exe
2012-08-03 05:24 - 2012-08-03 02:26 - 01552384 ____A C:\Documents and Settings\Owner\Desktop\RogueKiller.exe
2012-08-03 03:17 - 2012-08-01 19:39 - 10651816 ____A (Malwarebytes Corporation ) C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
2012-08-02 13:18 - 2012-08-02 13:24 - 00000000 ___SD C:\ComboFix
2012-08-02 05:58 - 2012-08-02 05:58 - 00000000 RASHD C:\cmdcons
2012-08-02 05:58 - 2011-04-22 18:11 - 00000223 ____A C:\Boot.bak
2012-08-02 05:58 - 2004-08-04 04:00 - 00260272 _RASH C:\cmldr
2012-08-02 05:41 - 2011-06-26 06:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-02 05:41 - 2010-11-07 17:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-02 05:41 - 2009-04-20 04:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-02 05:41 - 2000-08-31 00:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-02 05:41 - 2000-08-31 00:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-02 05:41 - 2000-08-31 00:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2012-08-02 05:41 - 2000-08-31 00:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-02 05:41 - 2000-08-31 00:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-02 05:41 - 2000-08-31 00:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-02 05:28 - 2012-08-02 05:28 - 00000000 ____D C:\Windows\erdnt
2012-08-02 05:27 - 2012-08-02 05:27 - 00000000 ____D C:\Qoobox
2012-08-02 05:27 - 2012-08-02 03:22 - 04722680 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\ComboFix.exe
2012-08-02 02:51 - 2012-08-02 02:51 - 00000000 ____D C:\_OTL
2012-08-02 02:26 - 2012-08-02 02:26 - 00057456 ____A C:\OTL.Txt
2012-08-02 00:31 - 2012-08-02 00:35 - 00001240 ____A C:\Documents and Settings\Owner\Desktop\FixExec.txt
2012-08-02 00:30 - 2012-08-01 19:16 - 00883616 ____A (Bleeping Computer, LLC) C:\FixExec.com
2012-07-31 22:07 - 2012-08-03 10:30 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2012-07-31 22:03 - 2012-07-31 22:03 - 00000000 ___SD C:\Documents and Settings\NetworkService\UserData
2012-07-31 21:58 - 2012-07-31 21:58 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Macromedia
2012-07-31 21:58 - 2012-07-31 21:58 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Adobe
2012-07-31 21:54 - 2012-07-31 21:54 - 00090112 ____A C:\Windows\Minidump\Mini073112-01.dmp
2012-07-31 21:26 - 2012-07-31 21:26 - 00000000 ___SD C:\Documents and Settings\LocalService\UserData
2012-07-31 21:26 - 2012-07-31 21:26 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
2012-07-31 21:26 - 2012-07-31 21:26 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2012-07-31 21:22 - 2012-07-31 21:24 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\036E1BAF0054753300081DB97B07D287
2012-07-31 21:22 - 2012-07-31 21:22 - 00000000 ____D C:\Documents and Settings\Owner\Local Settings\Application Data\{D80D9D8A-DB55-11E1-8270-B8AC6F996F26}
2012-07-31 21:18 - 2012-08-03 03:15 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-07-31 21:03 - 2012-07-21 12:45 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\KODAK AiO Home Center462547390
2012-07-22 00:54 - 2012-07-22 00:55 - 00000000 ____D C:\Windows\System32\NtmsData
2012-07-21 12:49 - 2012-07-21 12:49 - 00001859 ____A C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
2012-07-21 12:49 - 2012-07-21 12:49 - 00001790 ____A C:\Documents and Settings\All Users\Desktop\Get CleanPrint.lnk
2012-07-21 12:48 - 2012-07-21 12:48 - 00000000 ____D C:\Documents and Settings\All Users\Kodak
2012-07-21 12:45 - 2012-07-21 12:45 - 00000000 ____D C:\Documents and Settings\Default User\Application Data\KODAK AiO Home Center462547390
2012-07-17 22:52 - 2012-07-17 22:52 - 00010756 ____A C:\Windows\KB2718523.log
2012-07-17 22:52 - 2012-07-17 22:52 - 00000000 __HDC C:\Windows\$NtUninstallKB2719985$
2012-07-17 22:52 - 2012-07-17 22:52 - 00000000 __HDC C:\Windows\$NtUninstallKB2718523$
2012-07-17 22:52 - 2012-07-17 22:52 - 00000000 __HDC C:\Windows\$NtUninstallKB2691442$
2012-07-17 22:52 - 2012-07-17 22:52 - 00000000 __HDC C:\Windows\$NtUninstallKB2655992$
2012-07-17 22:50 - 2012-07-17 22:50 - 00010115 ____A C:\Windows\KB2698365.log
2012-07-17 22:50 - 2012-07-17 22:50 - 00000000 __HDC C:\Windows\$NtUninstallKB2698365$
2012-07-14 19:57 - 2012-07-17 22:53 - 00017063 ____A C:\Windows\KB2691442.log
2012-07-14 19:57 - 2012-07-17 22:52 - 00016173 ___AH C:\Windows\KB2655992.log
2012-07-14 19:57 - 2012-07-17 22:52 - 00015755 ____A C:\Windows\KB2719985.log
2012-07-12 20:25 - 2012-07-12 20:25 - 00000000 ___HD C:\Documents and Settings\Owner\My Documents\My Games
2012-07-12 20:25 - 2012-07-12 20:25 - 00000000 ____D C:\Documents and Settings\Owner\Local Settings\Application Data\My Games
2012-07-12 19:51 - 2012-07-15 17:47 - 00000077 ___AH C:\Documents and Settings\Owner\Desktop\Sid Meier's Civilization V.url
2012-07-12 16:42 - 2012-08-03 03:15 - 00000000 ____D C:\Program Files\Steam
2012-07-12 16:42 - 2012-07-12 16:47 - 00000664 ____A C:\Documents and Settings\All Users\Desktop\Steam.lnk
2012-07-05 11:09 - 2012-07-05 11:09 - 00000000 ____D C:\Documents and Settings\Owner\Desktop\GTT
============ 3 Months Modified Files ========================
2012-08-03 14:35 - 2011-04-22 06:07 - 00000178 __ASH C:\Documents and Settings\Owner\ntuser.ini
2012-08-03 14:35 - 2011-04-22 06:02 - 01660885 ___AH C:\Windows\WindowsUpdate.log
2012-08-03 10:30 - 2012-07-31 22:07 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2012-08-03 05:26 - 2012-08-03 05:26 - 00003089 ____A C:\Documents and Settings\Owner\Desktop\RKreport[1].txt
2012-08-03 03:56 - 2011-04-22 06:07 - 00000062 __ASH C:\Documents and Settings\Owner\Local Settings\desktop.ini
2012-08-03 03:56 - 2011-04-22 06:06 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2012-08-03 03:56 - 2011-04-22 06:05 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2012-08-03 03:56 - 2008-04-14 12:00 - 00013646 ____A C:\Windows\System32\wpa.dbl
2012-08-03 03:39 - 2011-04-23 01:41 - 00000048 ___AH C:\Windows\wiaservc.log
2012-08-03 03:39 - 2011-04-22 06:06 - 00032588 ____A C:\Windows\SchedLgU.Txt
2012-08-03 03:39 - 2011-04-22 06:06 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-03 03:15 - 2012-07-31 21:18 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-08-03 03:15 - 2011-10-31 00:37 - 00000062 __ASH C:\Documents and Settings\UpdatusUser\Local Settings\desktop.ini
2012-08-03 02:27 - 2012-08-03 05:24 - 04731392 ____A (AVAST Software) C:\Documents and Settings\Owner\Desktop\aswMBR.exe
2012-08-03 02:26 - 2012-08-03 05:24 - 01552384 ____A C:\Documents and Settings\Owner\Desktop\RogueKiller.exe
2012-08-02 05:58 - 2011-04-23 01:38 - 00000339 _RASH C:\boot.ini
2012-08-02 03:22 - 2012-08-02 05:27 - 04722680 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\ComboFix.exe
2012-08-02 02:26 - 2012-08-02 02:26 - 00057456 ____A C:\OTL.Txt
2012-08-02 00:35 - 2012-08-02 00:31 - 00001240 ____A C:\Documents and Settings\Owner\Desktop\FixExec.txt
2012-08-01 19:39 - 2012-08-03 03:17 - 10651816 ____A (Malwarebytes Corporation ) C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
2012-08-01 19:16 - 2012-08-02 00:30 - 00883616 ____A (Bleeping Computer, LLC) C:\FixExec.com
2012-08-01 02:27 - 2011-10-31 00:37 - 00000178 ___SH C:\Documents and Settings\UpdatusUser\ntuser.ini
2012-07-31 21:54 - 2012-07-31 21:54 - 00090112 ____A C:\Windows\Minidump\Mini073112-01.dmp
2012-07-31 21:13 - 2011-04-23 01:39 - 00642672 ____A C:\Windows\setupapi.log
2012-07-31 20:01 - 2012-04-24 23:56 - 00000332 ____A C:\Windows\Tasks\HP Photo Creations Messager.job
2012-07-31 19:40 - 2012-05-01 03:23 - 00000384 ___AH C:\Windows\Tasks\Microsoft Antimalware Scheduled Scan.job
2012-07-31 12:32 - 2011-04-23 01:41 - 00000275 ___AH C:\Windows\wiadebug.log
2012-07-28 05:54 - 2011-04-22 06:01 - 00009646 ___AH C:\Windows\wmsetup.log
2012-07-27 19:35 - 2011-10-29 01:14 - 00003974 ____A C:\Windows\ULEAD32.INI
2012-07-27 01:41 - 2012-05-04 01:31 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-27 01:41 - 2011-05-15 18:27 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-21 12:49 - 2012-07-21 12:49 - 00001859 ____A C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
2012-07-21 12:49 - 2012-07-21 12:49 - 00001790 ____A C:\Documents and Settings\All Users\Desktop\Get CleanPrint.lnk
2012-07-21 12:46 - 2011-04-22 18:11 - 00036148 ___AH C:\Windows\DPINST.LOG
2012-07-21 12:45 - 2011-09-08 04:26 - 00800824 ____A (Microsoft Corporation) C:\Documents and Settings\Default User\Application Data\DPInst.exe
2012-07-21 12:45 - 2011-09-08 04:26 - 00106496 ____A (Microsoft Corporation) C:\Documents and Settings\Default User\Application Data\gacutil.exe
2012-07-21 12:45 - 2011-09-08 04:26 - 00036352 ____A (Microsoft Corporation) C:\Documents and Settings\Default User\Application Data\PnPutil.exe
2012-07-17 23:01 - 2011-04-23 01:39 - 00120544 ___AH C:\Windows\System32\FNTCACHE.DAT
2012-07-17 22:53 - 2012-07-14 19:57 - 00017063 ____A C:\Windows\KB2691442.log
2012-07-17 22:53 - 2011-04-23 01:40 - 01160797 ___AH C:\Windows\iis6.log
2012-07-17 22:53 - 2011-04-23 01:40 - 01011800 ___AH C:\Windows\FaxSetup.log
2012-07-17 22:53 - 2011-04-23 01:40 - 00502584 ____A C:\Windows\ocgen.log
2012-07-17 22:53 - 2011-04-23 01:40 - 00470349 ____A C:\Windows\tsoc.log
2012-07-17 22:53 - 2011-04-23 01:40 - 00347744 ___AH C:\Windows\comsetup.log
2012-07-17 22:53 - 2011-04-23 01:40 - 00322038 ____A C:\Windows\msmqinst.log
2012-07-17 22:53 - 2011-04-23 01:40 - 00210151 ____A C:\Windows\ntdtcsetup.log
2012-07-17 22:53 - 2011-04-23 01:40 - 00178231 ____A C:\Windows\netfxocm.log
2012-07-17 22:53 - 2011-04-23 01:40 - 00070705 ____A C:\Windows\MedCtrOC.log
2012-07-17 22:53 - 2011-04-23 01:40 - 00056907 ____A C:\Windows\ocmsn.log
2012-07-17 22:53 - 2011-04-23 01:40 - 00051365 ____A C:\Windows\tabletoc.log
2012-07-17 22:53 - 2011-04-23 01:40 - 00051188 ____A C:\Windows\msgsocm.log
2012-07-17 22:53 - 2011-04-23 01:40 - 00001374 ___AH C:\Windows\imsins.log
2012-07-17 22:52 - 2012-07-17 22:52 - 00010756 ____A C:\Windows\KB2718523.log
2012-07-17 22:52 - 2012-07-14 19:57 - 00016173 ___AH C:\Windows\KB2655992.log
2012-07-17 22:52 - 2012-07-14 19:57 - 00015755 ____A C:\Windows\KB2719985.log
2012-07-17 22:52 - 2011-04-23 01:40 - 00001374 ___AH C:\Windows\imsins.BAK
2012-07-17 22:52 - 2011-04-22 18:56 - 00087226 ____A C:\Windows\updspapi.log
2012-07-17 22:51 - 2011-04-22 19:00 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-17 22:50 - 2012-07-17 22:50 - 00010115 ____A C:\Windows\KB2698365.log
2012-07-16 20:59 - 2011-05-10 15:38 - 00230840 ___RA (Coupons, Inc.) C:\Windows\System32\cpnprt2.cid
2012-07-15 17:47 - 2012-07-12 19:51 - 00000077 ___AH C:\Documents and Settings\Owner\Desktop\Sid Meier's Civilization V.url
2012-07-12 16:47 - 2012-07-12 16:42 - 00000664 ____A C:\Documents and Settings\All Users\Desktop\Steam.lnk
2012-07-03 18:46 - 2011-05-11 00:44 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-02 23:17 - 2012-02-08 04:28 - 00027878 ___AH C:\Inventory.xls
2012-07-02 23:17 - 2012-02-08 04:28 - 00011668 ___AH C:\Spellbook.xls
2012-06-19 11:41 - 2012-06-19 11:41 - 00001866 ____A C:\Documents and Settings\Owner\Desktop\The Lord of the Rings Online.lnk
2012-06-19 02:26 - 2012-06-19 02:26 - 02377640 ____A C:\Documents and Settings\Owner\Desktop\lotrostandard.exe
2012-06-17 00:24 - 2012-06-16 20:30 - 00014355 ____A C:\Windows\KB2707511.log
2012-06-17 00:24 - 2011-04-23 01:40 - 00501770 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-17 00:20 - 2012-06-17 00:20 - 00007444 ____A C:\Windows\KB2685939.log
2012-06-17 00:17 - 2012-06-16 20:29 - 00012586 ____A C:\Windows\KB2709162.log
2012-06-13 13:19 - 2008-04-14 12:00 - 01866112 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\win32k.sys
2012-06-13 13:19 - 2008-04-14 12:00 - 01866112 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-11 16:42 - 2012-06-11 16:42 - 00323624 ____A (Microsoft Corporation) C:\Windows\System32\wiaaut.dll
2012-06-08 14:26 - 2008-04-14 12:00 - 08462848 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\shell32.dll
2012-06-08 14:26 - 2008-04-14 12:00 - 08462848 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 15:50 - 2008-04-14 12:00 - 01372672 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msxml6.dll
2012-06-05 15:50 - 2008-04-14 12:00 - 01372672 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 15:50 - 2008-04-14 12:00 - 01172480 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msxml3.dll
2012-06-05 15:50 - 2008-04-14 12:00 - 01172480 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 11:14 - 2012-06-04 11:13 - 00011504 ____A C:\Windows\KB2718704.log
2012-06-04 04:32 - 2008-04-14 12:00 - 00152576 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\schannel.dll
2012-06-04 04:32 - 2008-04-14 12:00 - 00152576 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-02 20:19 - 2011-04-22 06:02 - 01933848 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuaueng.dll
2012-06-02 20:19 - 2011-04-22 06:02 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 20:19 - 2011-04-22 06:02 - 00577048 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuapi.dll
2012-06-02 20:19 - 2011-04-22 06:02 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 20:19 - 2011-04-22 06:02 - 00329240 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wucltui.dll
2012-06-02 20:19 - 2011-04-22 06:02 - 00329240 ____A (Microsoft Corporation) C:\Windows\System32\wucltui.dll
2012-06-02 20:19 - 2011-04-22 06:02 - 00219160 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuaucpl.cpl
2012-06-02 20:19 - 2011-04-22 06:02 - 00219160 ____A (Microsoft Corporation) C:\Windows\System32\wuaucpl.cpl
2012-06-02 20:19 - 2011-04-22 06:02 - 00210968 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuweb.dll
2012-06-02 20:19 - 2011-04-22 06:02 - 00210968 ____A (Microsoft Corporation) C:\Windows\System32\wuweb.dll
2012-06-02 20:19 - 2011-04-22 06:02 - 00053784 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wuauclt.exe
2012-06-02 20:19 - 2011-04-22 06:02 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 20:19 - 2011-04-22 06:02 - 00035864 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\wups.dll
2012-06-02 20:19 - 2011-04-22 06:02 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 20:19 - 2009-08-07 00:24 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 20:19 - 2009-08-07 00:24 - 00022040 ___AH (Microsoft Corporation) C:\Windows\System32\wucltui.dll.mui
2012-06-02 20:19 - 2009-08-07 00:24 - 00017944 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll.mui
2012-06-02 20:19 - 2009-08-07 00:24 - 00015384 ____A (Microsoft Corporation) C:\Windows\System32\wuaucpl.cpl.mui
2012-06-02 20:19 - 2009-08-07 00:24 - 00015384 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll.mui
2012-06-02 20:19 - 2008-04-14 12:00 - 00097304 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\cdm.dll
2012-06-02 20:19 - 2008-04-14 12:00 - 00097304 ____A (Microsoft Corporation) C:\Windows\System32\cdm.dll
2012-06-02 20:18 - 2011-04-26 23:04 - 00275696 ____A (Microsoft Corporation) C:\Windows\System32\mucltui.dll
2012-06-02 20:18 - 2011-04-26 23:04 - 00017136 ___AH (Microsoft Corporation) C:\Windows\System32\mucltui.dll.mui
2012-06-02 20:18 - 2009-08-07 00:23 - 00214256 ____A (Microsoft Corporation) C:\Windows\System32\muweb.dll
2012-05-31 13:22 - 2008-04-14 12:00 - 00599040 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\crypt32.dll
2012-05-31 13:22 - 2008-04-14 12:00 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-05-28 18:16 - 2011-04-22 06:01 - 00536576 ___AC (Microsoft Corporation) C:\Windows\System32\dllcache\msado15.dll
2012-05-16 23:43 - 2011-05-02 22:46 - 00019968 ____A C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-13 04:51 - 2012-05-13 04:51 - 00118149 ___AH C:\Windows\KB2659262.log
2012-05-13 04:46 - 2012-05-13 04:46 - 00120591 ____A C:\Windows\KB2686509.log
2012-05-13 04:46 - 2012-05-13 04:46 - 00119938 ____A C:\Windows\KB2695962.log
2012-05-13 04:46 - 2012-05-10 17:39 - 00130159 ____A C:\Windows\KB2676562.log

ZeroAccess:
C:\Windows\Installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}
C:\Windows\Installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\L
C:\Windows\Installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\n
C:\Windows\Installer\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U
ZeroAccess:
C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}
C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\@
C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\L
C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\n
C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U
C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U\00000001.@
C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U\80000000.@
C:\Documents and Settings\Owner\Local Settings\Application Data\{cea913e6-5ff3-88e8-8cc2-ff05d6be4c4a}\U\800000cb.@
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points (XP) =====================
RP: -> 2012-08-02 13:20 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP609
RP: -> 2012-07-31 21:06 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP608
RP: -> 2012-07-31 12:45 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP607
RP: -> 2012-07-31 02:17 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP606
RP: -> 2012-07-30 01:45 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP605
RP: -> 2012-07-29 06:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP604
RP: -> 2012-07-29 01:44 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP603
RP: -> 2012-07-28 01:44 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP602
RP: -> 2012-07-27 01:45 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP601
RP: -> 2012-07-25 16:05 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP600
RP: -> 2012-07-24 16:06 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP599
RP: -> 2012-07-23 16:05 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP598
RP: -> 2012-07-22 16:06 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP597
RP: -> 2012-07-22 07:23 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP596
RP: -> 2012-07-21 19:59 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP595
RP: -> 2012-07-20 19:20 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP594
RP: -> 2012-07-20 01:32 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP593
RP: -> 2012-07-18 23:12 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP592
RP: -> 2012-07-18 23:05 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP591
RP: -> 2012-07-17 22:50 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP590
RP: -> 2012-07-17 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP589
RP: -> 2012-07-16 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP588
RP: -> 2012-07-15 06:33 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP587
RP: -> 2012-07-15 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP586
RP: -> 2012-07-14 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP585
RP: -> 2012-07-13 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP584
RP: -> 2012-07-12 19:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP583
RP: -> 2012-07-12 18:58 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP582
RP: -> 2012-07-12 17:11 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP581
RP: -> 2012-07-12 16:42 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP580
RP: -> 2012-07-12 16:41 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP579
RP: -> 2012-07-12 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP578
RP: -> 2012-07-11 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP577
RP: -> 2012-07-10 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP576
RP: -> 2012-07-09 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP575
RP: -> 2012-07-08 06:33 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP574
RP: -> 2012-07-08 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP573
RP: -> 2012-07-07 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP572
RP: -> 2012-07-06 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP571
RP: -> 2012-07-05 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP570
RP: -> 2012-07-04 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP569
RP: -> 2012-07-03 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP568
RP: -> 2012-07-02 01:56 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP567
RP: -> 2012-07-01 06:32 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP566
RP: -> 2012-07-01 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP565
RP: -> 2012-06-30 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP564
RP: -> 2012-06-29 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP563
RP: -> 2012-06-28 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP562
RP: -> 2012-06-27 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP561
RP: -> 2012-06-26 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP560
RP: -> 2012-06-25 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP559
RP: -> 2012-06-24 06:32 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP558
RP: -> 2012-06-24 01:54 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP557
RP: -> 2012-06-23 01:55 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP556
RP: -> 2012-06-23 00:48 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP555
RP: -> 2012-06-22 00:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP554
RP: -> 2012-06-22 00:13 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP553
RP: -> 2012-06-21 00:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP552
RP: -> 2012-06-20 00:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP551
RP: -> 2012-06-19 11:41 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP550
RP: -> 2012-06-19 11:41 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP549
RP: -> 2012-06-19 00:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP548
RP: -> 2012-06-18 00:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP547
RP: -> 2012-06-17 00:17 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP546
RP: -> 2012-06-16 20:38 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP545
RP: -> 2012-06-15 21:02 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP544
RP: -> 2012-06-14 21:01 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP543
RP: -> 2012-06-13 20:01 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP542
RP: -> 2012-06-12 19:08 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP541
RP: -> 2012-06-11 19:08 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP540
RP: -> 2012-06-11 07:01 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP539
RP: -> 2012-06-10 06:36 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP538
RP: -> 2012-06-10 00:28 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP537
RP: -> 2012-06-09 00:27 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP536
RP: -> 2012-06-08 00:28 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP535
RP: -> 2012-06-07 11:26 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP534
RP: -> 2012-06-06 11:14 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP533
RP: -> 2012-06-05 20:07 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP532
RP: -> 2012-06-04 19:21 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP531
RP: -> 2012-06-04 11:14 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP530
RP: -> 2012-06-03 19:21 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP529
RP: -> 2012-06-03 07:29 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP528
RP: -> 2012-06-03 02:14 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP527
RP: -> 2012-06-02 01:20 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP526
RP: -> 2012-06-01 01:20 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP525
RP: -> 2012-05-31 01:21 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP524
RP: -> 2012-05-29 03:28 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP523
RP: -> 2012-05-29 00:23 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP522
RP: -> 2012-05-27 23:45 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP521
RP: -> 2012-05-27 06:38 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP520
RP: -> 2012-05-26 23:46 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP519
RP: -> 2012-05-26 12:42 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP518
RP: -> 2012-05-25 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP517
RP: -> 2012-05-24 11:36 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP516
RP: -> 2012-05-24 11:36 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP515
RP: -> 2012-05-23 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP514
RP: -> 2012-05-22 12:08 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP513
RP: -> 2012-05-22 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP512
RP: -> 2012-05-21 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP511
RP: -> 2012-05-20 07:19 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP509
RP: -> 2012-05-19 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP508
RP: -> 2012-05-18 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP507
RP: -> 2012-05-17 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP506
RP: -> 2012-05-16 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP505
RP: -> 2012-05-15 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP504
RP: -> 2012-05-14 11:43 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP503
RP: -> 2012-05-14 07:36 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP502
RP: -> 2012-05-13 06:40 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP501
RP: -> 2012-05-13 04:45 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP500
RP: -> 2012-05-13 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP499
RP: -> 2012-05-12 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP498
RP: -> 2012-05-11 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP497
RP: -> 2012-05-10 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP496
RP: -> 2012-05-09 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP495
RP: -> 2012-05-08 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP494
RP: -> 2012-05-07 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP493
RP: -> 2012-05-06 06:40 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP492
RP: -> 2012-05-06 01:37 - 024576 _restore{82B3924D-D9D1-4628-AD24-5893A738E09F}\RP491

========================= Memory info ======================
Percentage of memory in use: 35%
Total physical RAM: 2047.17 MB
Available physical RAM: 1329.79 MB
Total Pagefile: 1877.86 MB
Available Pagefile: 1347.35 MB
Total Virtual: 2047.88 MB
Available Virtual: 2000.91 MB
======================= Partitions =========================
1 Drive b: (RAMDisk) (Fixed) (Total:0.5 GB) (Free:0.5 GB) FAT
2 Drive c: () (Fixed) (Total:465.75 GB) (Free:371.51 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive d: (Lil Buddy) (Fixed) (Total:76.68 GB) (Free:76.61 GB) NTFS
4 Drive e: () (Removable) (Total:3.82 GB) (Free:3.58 GB) FAT32
5 Drive x: (UBCD4Windows) (CDROM) (Total:0.62 GB) (Free:0 GB) CDFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 0 B
Disk 1 Online 77 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 466 GB 32 KB
Partition 2 Unknown 10 MB 466 GB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 466 GB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Partition 10 MB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 77 GB 32 KB
==================================================================================
Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Lil Buddy NTFS Partition 77 GB Healthy
==================================================================================
======================= End Of Log ==========================
 
We have all kinds of issues here...

We'll try system restore first.

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if you can boot normally.
 

Attachments

  • fixlist.txt
    85 bytes