Previously cleaned PC won't boot

  1. #1
    tluxon (Junior Member)

    My WinXP SP3 PC that had been cleaned per the thread, http://www.d-a-l.com/help/spyware-ad...me-pc-has.html, got hit by something tonight. I was downloading and installing the latest Windows updates while going through the usual numerous emails in Outlook when an Avast! warning popped up saying it had blocked a malicious attempt to connect to the internet. I let the updates finish installing and then restarted the PC. The only thing is, it wouldn't start Windows; it just kept rebooting every time it got to the Windows startup splash screen. Same thing when I tried to start in Safe Mode.

    So I grabbed the Reatogo-X-PE boot CD I had used from the above mentioned thread and booted to it. Can I please get some assistance getting my PC clean and running again?

    Thanks,
    Tim

    Here's the OTL log file:

    OTL logfile created on: 11/9/2010 11:40:05 PM - Run
    OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2048 4096 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 31.25 Gb Total Space | 7.27 Gb Free Space | 23.26% Space Free | Partition Type: NTFS
    Drive D: | 31.25 Gb Total Space | 3.56 Gb Free Space | 11.39% Space Free | Partition Type: NTFS
    Drive E: | 63.47 Gb Total Space | 2.93 Gb Free Space | 4.62% Space Free | Partition Type: NTFS
    Drive F: | 31.25 Gb Total Space | 1.68 Gb Free Space | 5.39% Space Free | Partition Type: NTFS
    Drive G: | 117.80 Gb Total Space | 7.35 Gb Free Space | 6.24% Space Free | Partition Type: NTFS
    Drive H: | 202.51 Gb Total Space | 1.61 Gb Free Space | 0.79% Space Free | Partition Type: NTFS
    Drive I: | 62.46 Mb Total Space | 62.46 Mb Free Space | 99.99% Space Free | Partition Type: FAT
    Drive J: | 867.98 Gb Total Space | 18.17 Gb Free Space | 2.09% Space Free | Partition Type: NTFS
    Drive K: | 900.26 Gb Total Space | 6.77 Gb Free Space | 0.75% Space Free | Partition Type: NTFS
    Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO
    Current User Name: SYSTEM
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: All users
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Standard
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/08/10 14:26:40 | 001,570,056 | ---- | M] (Raxco Software, Inc.) [Auto] -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe -- (PDAgent)
    SRV - [2010/08/10 14:26:30 | 001,475,848 | ---- | M] (Raxco Software, Inc.) [On_Demand] -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe -- (PDEngine)
    SRV - [2010/06/10 23:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2010/02/12 00:52:38 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2009/11/02 16:17:00 | 001,098,968 | ---- | M] (TiVo Inc.) [Disabled] -- C:\Program Files\TiVo\Desktop\TiVoBeacon.exe -- (TivoBeacon2)
    SRV - [2009/10/07 15:48:44 | 000,376,680 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Home Server\WHSConnector.exe -- (WHSConnector)
    SRV - [2009/06/30 18:06:50 | 000,038,728 | ---- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Lenovo\IGRS\ReadyComm\common\IGRS.exe -- (IGRS)
    SRV - [2008/12/29 13:43:48 | 000,827,392 | ---- | M] (Hauppauge Computer Works) [On_Demand] -- C:\Program Files\WinTV\HCWTVServer.exe -- (HauppaugeTVServer)
    SRV - [2008/05/02 18:51:52 | 000,077,824 | ---- | M] () [Auto] -- C:\Program Files\pyTivo\pyTivoService.exe -- (pyTivo)
    SRV - [2008/04/14 07:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\System32\IgrsSvcs.exe -- (ReadyComm.DirectRouter)
    SRV - [2006/10/01 07:37:42 | 000,016,384 | ---- | M] () [On_Demand] -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (NHCIENUM)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - [2010/09/07 09:53:58 | 000,340,048 | ---- | M] (AVAST Software) [File_System | System] -- C:\WINDOWS\system32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2010/09/07 09:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2010/09/07 09:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
    DRV - [2010/09/07 09:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2010/09/07 09:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2010/09/07 09:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/09/07 09:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2010/07/17 0252 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
    DRV - [2010/04/07 08:22:06 | 000,135,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DefragFs.sys -- (DefragFS)
    DRV - [2009/09/29 23:18:22 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2009/06/17 07:20:34 | 000,012,648 | ---- | M] (Secunia) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
    DRV - [2008/04/14 03:16:24 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
    DRV - [2008/04/14 03:16:22 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
    DRV - [2008/04/14 03:16:22 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
    DRV - [2008/04/14 03:16:08 | 000,013,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\avcstrm.sys -- (AVCSTRM)
    DRV - [2008/01/28 20:44:04 | 000,384,896 | ---- | M] (Hauppauge Computer Works, Inc) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hcw18bda.sys -- (hcw18bda)
    DRV - [2007/12/06 12:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
    DRV - [2007/06/04 13:58:08 | 000,054,016 | ---- | M] (Keyspan) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nhcimono.sys -- (NHCIMONO)
    DRV - [2006/10/01 07:37:02 | 000,026,624 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tap0801.sys -- (tap0801)
    DRV - [2004/02/26 11:50:38 | 000,611,820 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
    DRV - [2004/02/23 22:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
    DRV - [2003/11/11 10:34:00 | 000,022,891 | ---- | M] (Matsushita Electric Industorial Co.,Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\meistb.sys -- (MEITUNER)
    DRV - [2003/11/11 10:33:54 | 000,013,195 | ---- | M] (Matsushita Electric Industorial Co.,Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\meistrm.sys -- (MEISTRM)
    DRV - [2003/08/05 21:43:04 | 000,159,744 | R--- | M] (Promise Technology, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\Fasttx2k.sys -- (fasttx2k)
    DRV - [1997/04/22 13:16:00 | 000,006,272 | ---- | M] () [Kernel | Auto] -- C:\WINDOWS\system32\drivers\ASLM75.SYS -- (aslm75)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\Tim_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
    IE - HKU\Tim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Tim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

    FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/04/02 21:05:57 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/01 01:04:50 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/01 01:04:50 | 000,000,000 | ---D | M]

    [2010/11/10 01:55:20 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/04/19 23:44:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/09/06 21:54:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2010/11/05 20:41:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2010/09/15 06:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2010/07/12 11:33:56 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

    O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll (LastPass)
    O2 - BHO: (BrowserHelper Class) - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Program Files\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
    O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll (LastPass)
    O3 - HKLM\..\Toolbar: (Home Server Banner) - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll (Microsoft Corporation)
    O3 - HKU\Tim_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKU\Tim_ON_C\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
    O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
    O4 - HKLM..\Run: [Auto EPSON Stylus Photo RX620 Series on HOMELIGHT2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
    O4 - HKLM..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [EPSON Stylus Photo RX620 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe ()
    O4 - HKLM..\Run: [Ptipbmf] C:\WINDOWS\System32\ptipbmf.dll (Promise Technology, Inc.)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
    O4 - HKU\Tim_ON_C..\Run: [eFax 4.4] C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe (j2 Global Communications, Inc.)
    O4 - HKU\Tim_ON_C..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe (TiVo Inc.)
    O4 - HKU\Tim_ON_C..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe (TiVo Inc.)
    O4 - HKU\Tim_ON_C..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe (TiVo Inc.)
    O4 - HKU\Tim_ON_C..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe ()
    O4 - HKU\Tim_ON_C..\Run: [WHSClientUI.exe] C:\Program Files\Lenovo\EasyAccess\WHSClientUI.exe (Lenovo Group Limited)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe (Hauppauge Computer Works)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Keyspan USB Server Task.lnk = C:\Program Files\Keyspan\USB Server\nhciTask.exe (Keyspan)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Home Server.lnk = C:\WINDOWS\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\Tim\Start Menu\Programs\Startup\eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe (j2 Global Communications, Inc.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Tim_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\Tim_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\Tim_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPBar.dll (LastPass)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/reso...an8/oscan8.cab (BDSCANONLINE Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKU\Tim_ON_C Winlogon: Shell - (C:\Documents and Settings\Tim\Application Data\hotfix.exe) - C:\Documents and Settings\Tim\Application Data\hotfix.exe File not found
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop BackupWallPaper:
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/02/11 03:15:06 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/11/10 00:48:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
    [2010/11/10 00:13:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010/11/10 00:13:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2010/11/05 20:41:16 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2010/11/05 20:41:16 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2010/11/05 20:41:16 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
    [2010/10/14 22:55:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tim\Application Data\vlc

    ========== Files - Modified Within 30 Days ==========

    [2010/11/10 02:14:21 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
    [2010/11/10 02:14:21 | 000,241,664 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
    [2010/11/10 02:14:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/11/10 02:14:18 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Tim\NTUSER.DAT
    [2010/11/10 02:14:17 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/11/10 02:13:52 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Tim\ntuser.ini
    [2010/11/10 02:10:44 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-299502267-1935655697-1644491937-1003.job
    [2010/11/10 02:10:44 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-299502267-1935655697-1644491937-1003.job
    [2010/11/10 02:06:24 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/11/09 23:38:53 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/11/09 01:04:50 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/11/09 01:04:50 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/11/09 01:04:50 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/11/06 13:47:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2010/11/05 03:22:12 | 000,051,232 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
    [2010/10/30 18:55:17 | 000,000,439 | ---- | M] () -- C:\WINDOWS\Ulead32.ini
    [2010/10/30 18:55:17 | 000,000,052 | ---- | M] () -- C:\WINDOWS\Pex.INI
    [2010/10/19 22:46:47 | 000,237,552 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/10/19 09:57:02 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/10/19 09:52:21 | 000,000,573 | ---- | M] () -- C:\WINDOWS\win.ini

    ========== Files Created - No Company Name ==========

    [2010/06/04 21:27:56 | 000,028,672 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
    [2010/06/04 21:27:56 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
    [2010/06/04 21:27:54 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
    [2010/05/07 0324 | 000,000,003 | ---- | C] () -- C:\Documents and Settings\Tim\dxva_sig.txt
    [2010/05/02 16:28:23 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\nhciClassInstall.dll
    [2010/05/02 15:25:12 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
    [2010/05/02 15:23:23 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
    [2010/05/02 15:23:23 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
    [2010/05/02 15:18:59 | 000,000,193 | ---- | C] () -- C:\WINDOWS\EPSON RX620 Installer.ini
    [2010/04/18 14:45:38 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
    [2010/04/07 0218 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
    [2010/04/07 0217 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2010/03/23 02:52:37 | 000,000,052 | ---- | C] () -- C:\WINDOWS\Pex.INI
    [2010/03/23 02:50:10 | 000,000,439 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
    [2010/02/18 05:03:28 | 000,299,454 | ---- | C] () -- C:\WINDOWS\Allsim.ini
    [2010/02/18 05:03:28 | 000,061,268 | ---- | C] () -- C:\WINDOWS\Biutilsm.ini
    [2010/02/18 05:03:28 | 000,057,969 | ---- | C] () -- C:\WINDOWS\Simsim.ini
    [2010/02/18 05:03:28 | 000,000,580 | ---- | C] () -- C:\WINDOWS\Common.ini
    [2010/02/18 05:03:25 | 000,055,808 | ---- | C] () -- C:\WINDOWS\System32\Prtserv.dll
    [2010/02/15 21:32:25 | 000,000,248 | ---- | C] () -- C:\WINDOWS\HCWBlast.ini
    [2010/02/15 21:31:37 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dmcrypto.dll
    [2010/02/15 21:31:04 | 000,217,149 | ---- | C] () -- C:\WINDOWS\System32\hcwChDB.dll
    [2010/02/15 21:30:58 | 000,000,053 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.INI
    [2010/02/13 04:58:10 | 000,038,400 | ---- | C] () -- C:\Documents and Settings\Tim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/02/11 08:02:55 | 000,033,117 | ---- | C] () -- C:\WINDOWS\Irremote.ini
    [2010/02/11 08:02:04 | 000,002,763 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI
    [2010/02/11 04:31:11 | 000,000,483 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2010/02/11 04:06:05 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
    [2010/02/11 03:57:08 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
    [2010/02/11 03:42:02 | 000,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS
    [2010/02/11 03:37:57 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
    [2010/02/11 03:37:54 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
    [2010/02/11 03:29:50 | 000,003,753 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
    [2010/02/11 03:29:49 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
    [2010/02/11 03:19:13 | 000,020,480 | -H-- | C] () -- C:\Documents and Settings\Tim\ntuser.dat.LOG
    [2010/02/11 03:19:13 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Tim\ntuser.ini
    [2010/02/11 03:19:12 | 006,291,456 | -H-- | C] () -- C:\Documents and Settings\Tim\NTUSER.DAT
    [2010/02/11 03:18:23 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini
    [2010/02/11 03:18:22 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
    [2010/02/11 03:18:22 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
    [2010/02/11 03:18:10 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
    [2010/02/11 03:18:09 | 000,241,664 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
    [2010/02/11 03:18:09 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
    [2009/01/05 17:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
    [2006/07/21 18:50:34 | 000,066,048 | ---- | C] () -- C:\WINDOWS\System32\hcwxds.dll
    [2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2010/07/17 03:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\DAEMON Tools Lite
    [2010/02/27 13:40:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Easy Duplicate Finder
    [2010/03/03 01:54:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\eFax Messenger
    [2010/05/02 16:39:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\EPSON
    [2010/08/22 00:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\foobar2000
    [2010/03/03 01:54:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\j2 Global
    [2010/05/02 15:25:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Leadertech
    [2010/02/12 03:55:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\LEAPS
    [2010/02/12 03:54:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Pegasys Inc
    [2010/05/06 0247 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\RipIt4Me
    [2010/09/01 21:27:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\uTorrent
    [2010/11/09 10:52:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\VideoReDo-Plus
    [2010/09/27 03:11:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\VideoReDoPlus
    [2010/07/15 23:04:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\VirtualStore
    [2010/03/25 01:40:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\VitySoft
    [2010/06/25 21:26:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim\Application Data\Windows Home Server

    ========== Purity Check ==========


    < End of report >

  2. #2
    broni (Senior Member)
    It looks like you got hit by ThinkPoint.
    It usually comes with the fake Microsoft Security Essentials Alert.
    More info: Remove ThinkPoint, removal instructions

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    O20 - HKU\Tim_ON_C Winlogon: Shell - (C:\Documents and Settings\Tim\Application Data\hotfix.exe) - C:\Documents and Settings\Tim\Application Data\hotfix.exe File not found
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]

    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.

      • (The content of Fix.txt should appear in the box)

    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into windows.
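
    The fix above removes a per-user Winlogon Shell value that pointed at hotfix.exe, a file that no longer exists. Below is an added example, not part of this thread and not OTL's own code: a small Python checker that reads O20 "Winlogon: Shell" lines from an OTL log and flags any shell that is not explorer.exe, that lives inside a user profile, or whose target file OTL reports as missing. The sample log text inside it is constructed from the O20 lines in the log above plus one clean per-user entry for contrast; the expected shell name and the profile-path markers are this example's own assumptions.

```python
import re

# Constructed sample (not a real capture): the first two Shell lines mirror the
# O20 entries in the OTL log above; a clean per-user entry is added for contrast,
# and an O20 Notify line shows what the parser must ignore.
SAMPLE_LOG = r"""
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\Tim_ON_C Winlogon: Shell - (C:\Documents and Settings\Tim\Application Data\hotfix.exe) - C:\Documents and Settings\Tim\Application Data\hotfix.exe File not found
O20 - HKU\Bob_ON_C Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
"""

# OTL writes Winlogon Shell entries as:
#   O20 - <hive> Winlogon: Shell - (<registry value>) - <resolved path> <company or "File not found">
O20_SHELL = re.compile(
    r"^O20 - (?P<hive>\S+) Winlogon: Shell - \((?P<value>.*?)\) - (?P<rest>.*)$"
)

# The only shell Windows sets by default; anything else deserves a look.
EXPECTED_SHELL = {"explorer.exe"}

# Path fragments a legitimate shell should never sit under (heuristic assumed by this example).
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\users\\")


def parse_shell_entries(log_text):
    """Return one dict per O20 Winlogon Shell line found in an OTL log."""
    entries = []
    for line in log_text.splitlines():
        m = O20_SHELL.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        entries.append({
            "hive": m.group("hive"),
            "value": m.group("value").strip(),
            "resolved": rest,
            # OTL appends "File not found" when the referenced file is absent on disk.
            "file_found": not rest.endswith("File not found"),
        })
    return entries


def classify(entry):
    """Return the reasons an entry looks hijacked; an empty list means it looks normal."""
    reasons = []
    value = entry["value"].strip('"')
    basename = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename not in EXPECTED_SHELL:
        reasons.append("shell is not explorer.exe")
    lowered = value.lower()
    if any(marker in lowered for marker in USER_PROFILE_MARKERS):
        reasons.append("shell points into a user profile")
    if not entry["file_found"]:
        reasons.append("target file not found")
    return reasons


def find_hijacked_shells(log_text):
    """Map hive name -> reasons for every Shell entry that is not the stock one."""
    findings = {}
    for entry in parse_shell_entries(log_text):
        reasons = classify(entry)
        if reasons:
            findings[entry["hive"]] = reasons
    return findings


if __name__ == "__main__":
    for hive, reasons in find_hijacked_shells(SAMPLE_LOG).items():
        print(f"{hive}: " + "; ".join(reasons))
```

    Run against the constructed sample, only the HKU\Tim_ON_C entry is reported, with all three reasons. A per-user Shell value overrides the machine-wide one for that account, which is why the HKLM line can look clean while one user's logon still hands control to whatever the per-user value names; checking every HKU hive, as OTLPE does from the boot CD, is what makes this visible.
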

  3. #3
    tluxon (Junior Member)
    Yes, I got hit by that fake Microsoft Essentials thing a couple months ago, but I caught it right away and thought it got cleaned out.

    I'll try booting onto the hard drive OS after posting the OTL Fix log.

    Here's the log:

    ========== OTL ==========
    Registry value HKEY_USERS\Tim_ON_C\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Documents and Settings\Tim\Application Data\hotfix.exe deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 85279772 bytes
    ->Flash cache emptied: 42471 bytes

    User: Tim
    ->Temp folder emptied: 2796846688 bytes
    ->Temporary Internet Files folder emptied: 331529735 bytes
    ->Java cache emptied: 148124 bytes
    ->FireFox cache emptied: 99007385 bytes
    ->Flash cache emptied: 55955 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1241430 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 15240278 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

    Total Files Cleaned = 3,175.00 mb


    OTLPE by OldTimer - Version 3.1.39.0 log created on 11102010_182238

  4. #4
    broni (Senior Member)
    Let me know...

  5. #5
    tluxon (Junior Member)
    Still no luck on the booting part. I get the BSOD on the 1st third of the second swipe across the progress bar on the splash screen.

  6. #6
    broni (Senior Member)
    I don't see anything malicious in your log anymore.
    What does the BSOD say?

  7. #7
    tluxon (Junior Member)
    I can't tell as it just flashes on the screen for a split second and then the PC restarts. Could it be something that got into the master boot record?

  8. #8
    broni (Senior Member)
    Did you try "Last known good configuration"?

  9. #9
    tluxon (Junior Member)
    Yes. Same thing.

    I took a video of the screen during the BSOD flash to see if I could get a frame capture. Here it is.

    vlcsnap-2010-11-10-20h47m44s88.jpg

    I have 2 IDE drives and 2 SATA drives in the Sonata case. The boot drive doesn't have many hours on it and the OS has been on it less than a year. I've never had a hard drive actually fail before being voluntarily retired and I've had probably 40 of them over the years. Do you think it could be a physical problem?

  10. #10
    broni (Senior Member)
    Originally posted by tluxon: "The boot drive doesn't have many hours on it and the OS has been on it less than a year"
    It really doesn't matter. When I bought my desktop (brand new), the hard drive lasted 6 weeks...LOL

    Run hard drive diagnostics: Hard Drive Diagnostics Tools and Utilities (Storage) - TACKtech Corp. (or Hard Drive Installation and Diagnostic Tools)
    Make sure you select the tool appropriate for the brand of your hard drive.
    Depending on the program, it'll create a bootable floppy or a bootable CD.
    If the downloaded file is an .iso, use ImgBurn: The Official ImgBurn Website to burn the .iso file to a CD (select the "Write image file to disc" option), which makes the CD bootable.
    For Toshiba hard drives, see here: Software Utilities

    Note : If you do not know how to set your computer to boot from CD follow the steps here
