partial zeroaccess removal?

drjc · May 3, 2013

Hi ---

My daughter's laptop was infected with a fake av. I ran tdsskiller, installed Malwarebytes and avast. Mbam scanned clean but avast noted unreadable files in c:\windows\$ntuninstallkb....$, apparently a symlinkd to c:\windows\system32\config, actually a reparse point. I removed the reparse point, exposed the files and deleted them. I had to reconstruct the exefile association and netbt. The system seems to be ok but I am paranoid. Is it infected? Thanks for your attention!

Robybel · May 3, 2013

Hi and Welcome!! drjc

My name is Robybel.

I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable. (.exe) every time you run them

with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

Having said that....Let's get going!!

=============================

Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Under Custom Scan paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
services.exe
/md5stop
%systemroot%\*. /rp /s
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
DRIVES
CREATERESTOREPOINT
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
- You may need two posts to fit them both in.

=============================== Next =======================================

Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
Allow it to update where necessary
Click Scan
- Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
- You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

On your next reply please post :

OTL.txt
Extras.txt
aswMBR log

Let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!

drjc · May 3, 2013

################################################################

SecurityCheck.exe checkup.txt follows:

################################################################

Results of screen317's Security Check version 0.99.63

Windows 7 Service Pack 1 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Windows Firewall Disabled!

avast! Antivirus

Antivirus up to date! (On Access scanning disabled!)

`````````Anti-malware/Other Utilities Check:`````````

Secunia PSI (3.0.0.6005)

Malwarebytes Anti-Malware version 1.75.0.1300

CCleaner

Java™ 6 Update 45

Java version out of Date!

Adobe Flash Player 11.7.700.169

Adobe Reader XI

Mozilla Firefox (20.0.1)

````````Process Check: objlist.exe by Laurent````````

AVAST Software Avast AvastSvc.exe

AVAST Software Avast AvastUI.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 2%

````````````````````End of Log``````````````````````

################################################################

OTL did NOT create Extras.txt

OTL.Txt follows:

################################################################

OTL logfile created on: 5/3/2013 5:57:15 AM - Run 5

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Administrator\Desktop

Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 9.10.9200.16540)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 1.86 Gb Available Physical Memory | 67.91% Memory free

5.49 Gb Paging File | 4.68 Gb Available in Paging File | 85.19% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files

Drive C: | 288.71 Gb Total Space | 249.82 Gb Free Space | 86.53% Space Free | Partition Type: NTFS

Computer Name: SHEBA | User Name: Administrator | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Administrator\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)

PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)

PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)

PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)

PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)

PRC - C:\Windows\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe (TOSHIBA Corporation)

PRC - C:\Program Files\TOSHIBA\TECO\TecoService.exe (TOSHIBA Corporation)

PRC - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe (TOSHIBA CORPORATION)

PRC - C:\Windows\System32\atieclxx.exe (AMD)

PRC - C:\Windows\System32\atiesrxx.exe (AMD)

PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe (TOSHIBA CORPORATION)

PRC - C:\Windows\System32\TODDSrv.exe (TOSHIBA Corporation)

PRC - C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe (TOSHIBA CORPORATION)

PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)

========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()

========== Services (SafeList) ==========

SRV - (WBTDEKZKTJYC) -- C:\Users\adm\AppData\Local\Temp\WBTDEKZKTJYC.exe File not found

SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)

SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)

SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\psia.exe (Secunia)

SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)

SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)

SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)

SRV - (TosCoSrv) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe (TOSHIBA Corporation)

SRV - (TMachInfo) -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe (TOSHIBA Corporation)

SRV - (TOSHIBA eco Utility Service) -- C:\Program Files\TOSHIBA\TECO\TecoService.exe (TOSHIBA Corporation)

SRV - (cfWiMAXService) -- C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe (TOSHIBA CORPORATION)

SRV - (TPCHSrv) -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe (TOSHIBA Corporation)

SRV - (TOSHIBA HDD SSD Alert Service) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe (TOSHIBA Corporation)

SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)

SRV - (TODDSrv) -- C:\Windows\System32\TODDSrv.exe (TOSHIBA Corporation)

SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)

SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)

SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV - (GameConsoleService) -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe (WildTangent, Inc.)

SRV - (ConfigFree Service) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)

SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)

SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (USBCCID) -- system32\DRIVERS\RtsUCcid.sys File not found

DRV - (RtsUIR) -- system32\DRIVERS\Rts516xIR.sys File not found

DRV - (rootrepeal) -- C:\windows\system32\drivers\rootrepeal.sys File not found

DRV - (mbr) -- C:\Users\ADMINI~1\AppData\Local\Temp\mbr.sys File not found

DRV - (aswSnx) -- C:\windows\System32\drivers\aswSnx.sys (AVAST Software)

DRV - (aswSP) -- C:\windows\System32\drivers\aswSP.sys (AVAST Software)

DRV - (aswVmm) -- C:\windows\System32\drivers\aswVmm.sys ()

DRV - (aswTdi) -- C:\windows\System32\drivers\aswTdi.sys (AVAST Software)

DRV - (aswRvrt) -- C:\windows\System32\drivers\aswRvrt.sys ()

DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)

DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr2.sys (AVAST Software)

DRV - (aswFsBlk) -- C:\windows\System32\drivers\aswFsBlk.sys (AVAST Software)

DRV - (PSI) -- C:\Windows\System32\drivers\psi_mf_x86.sys (Secunia)

DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)

DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)

DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)

DRV - (RTL8187Se) -- C:\Windows\System32\drivers\RTL8187Se.sys (Realtek Semiconductor Corporation )

DRV - (RSUSBSTOR) -- C:\Windows\System32\drivers\RtsUStor.sys (Realtek Semiconductor Corp.)

DRV - (tdcmdpst) -- C:\Windows\System32\drivers\tdcmdpst.sys (TOSHIBA Corporation.)

DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)

DRV - (tos_sps32) -- C:\Windows\System32\drivers\tos_sps32.sys (TOSHIBA Corporation)

DRV - (TVALZ) -- C:\Windows\System32\drivers\TVALZ_O.SYS (TOSHIBA Corporation)

DRV - (Serial) -- C:\Windows\System32\drivers\serial.sys (Brother Industries Ltd.)

DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (LSI Corp)

DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)

DRV - (FwLnk) -- C:\Windows\System32\drivers\FwLnk.sys (TOSHIBA Corporation)

DRV - (TVALZFL) -- C:\Windows\System32\drivers\TVALZFL.sys (TOSHIBA Corporation)

DRV - (AtiPcie) -- C:\Windows\System32\drivers\AtiPcie.sys (Advanced Micro Devices Inc.)

DRV - (LVUSBSta) -- C:\Windows\System32\drivers\LVUSBSta.sys (Logitech Inc.)

DRV - (LVRS) -- C:\Windows\System32\drivers\lvrs.sys (Logitech Inc.)

DRV - (PID_PEPI) -- C:\Windows\System32\drivers\LV302V32.SYS (Logitech Inc.)

DRV - (pepifilter) -- C:\Windows\System32\drivers\lv302af.sys (Logitech Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKLM\..\SearchScopes,DefaultScope = {0EF3D5EE-B833-43EC-8265-E0B5C71D50AB}

IE - HKLM\..\SearchScopes\{0EF3D5EE-B833-43EC-8265-E0B5C71D50AB}: "URL" = http://www.google.co...ng}&rlz=1I7TSNA

IE - HKCU\..\SearchScopes,DefaultScope = {0EF3D5EE-B833-43EC-8265-E0B5C71D50AB}

IE - HKCU\..\SearchScopes\{0EF3D5EE-B833-43EC-8265-E0B5C71D50AB}: "URL" = http://www.google.co...1I7ADFA_enUS430

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0.1

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll ()

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_45: C:\windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: File not found

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013/03/22 05:30:24 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/04/24 12:35:40 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2013/04/24 15:55:12 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Extensions

[2013/04/24 12:35:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2013/04/24 12:35:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA}

[2013/04/24 12:35:40 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2012/09/05 21:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2013/03/24 07:25:01 | 000,002,086 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

Hosts file not found

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)

O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.

O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)

O4 - HKCU..\Run: [MyTOSHIBA] C:\Program Files\TOSHIBA\My Toshiba\MyToshiba.exe (TOSHIBA)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 153

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: @C:\windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @C:\windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_45)

O16 - DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_45)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_45)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{462DCBD9-9DE0-4EB2-A247-6CC345E84654}: DhcpNameServer = 75.75.75.75 75.75.76.76

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5508A9C7-AE3C-4BC3-9BE7-8C5D692818EF}: DhcpNameServer = 75.75.75.75 75.75.76.76

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20 - Winlogon\Notify\mejerux: DllName - () - File not found

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O36 - AppCertDlls: djoil386 - (C:\windows\certator.dll) - File not found

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

NetSvcs: FastUserSwitchingCompatibility - File not found

NetSvcs: Ias - C:\windows\System32\ias.dll (Microsoft Corporation)

NetSvcs: Nla - File not found

NetSvcs: Ntmssvc - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: SRService - File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: LogonHours - File not found

NetSvcs: PCAudit - File not found

NetSvcs: helpsvc - File not found

NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT

Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/05/03 05:24:25 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Users\Administrator\Desktop\aswMBR.exe

[2013/05/03 05:24:25 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe

[2013/05/02 23:34:40 | 000,000,000 | ---D | C] -- C:\windows\Microsoft Antimalware

[2013/05/02 22:09:41 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Malwarebytes

[2013/05/02 16:22:32 | 000,000,000 | ---D | C] -- C:\bd_logs

[2013/04/30 16:28:25 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2013/04/30 11:48:50 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\WildTangent

[2013/04/29 11:16:35 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Macromedia

[2013/04/29 10:47:30 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\oops

[2013/04/29 08:46:28 | 000,000,000 | ---D | C] -- C:\io

[2013/04/29 08:25:49 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\JAM Software

[2013/04/29 08:18:28 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Macromedia

[2013/04/27 08:51:18 | 000,000,000 | ---D | C] -- C:\bin

[2013/04/27 07:53:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LibreOffice 4.0

[2013/04/27 07:53:49 | 000,000,000 | ---D | C] -- C:\windows\System64

[2013/04/27 07:11:11 | 000,000,000 | ---D | C] -- C:\windows\System32\appmgmt

[2013/04/24 19:22:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IrfanView

[2013/04/24 15:55:07 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Mozilla

[2013/04/24 15:55:07 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Mozilla

[2013/04/24 12:35:33 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2013/04/22 19:21:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PuTTY

[2013/04/21 20:57:28 | 000,162,224 | ---- | C] (Sun Microsystems, Inc.) -- C:\windows\System32\javaws.exe

[2013/04/21 20:57:28 | 000,149,936 | ---- | C] (Sun Microsystems, Inc.) -- C:\windows\System32\javaw.exe

[2013/04/21 20:57:28 | 000,149,936 | ---- | C] (Sun Microsystems, Inc.) -- C:\windows\System32\java.exe

[2013/04/11 04:03:05 | 002,706,432 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\mshtml.tlb

[2013/04/11 04:03:02 | 002,877,440 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\jscript9.dll

[2013/04/11 04:03:02 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iesetup.dll

[2013/04/11 04:03:02 | 000,039,424 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\jsproxy.dll

[2013/04/11 04:03:01 | 000,493,056 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msfeeds.dll

[2013/04/11 04:03:01 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ieui.dll

[2013/04/11 04:03:00 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iesysprep.dll

[2013/04/11 04:03:00 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\RegisterIEPKEYs.exe

[2013/04/11 04:03:00 | 000,042,496 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ie4uinit.exe

[2013/04/11 04:03:00 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iernonce.dll

[2013/04/10 12:32:17 | 002,347,008 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\win32k.sys

[2013/04/10 12:32:12 | 003,913,560 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ntoskrnl.exe

[2013/04/10 12:32:11 | 003,968,856 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ntkrnlpa.exe

[2013/04/10 12:32:10 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\csrsrv.dll

[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/05/03 05:56:00 | 000,000,944 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-493042686-4190031859-2840707548-1000UA.job

[2013/05/03 05:50:00 | 000,000,902 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job

[2013/05/03 05:22:16 | 000,890,825 | ---- | M] () -- C:\Users\Administrator\Desktop\SecurityCheck.exe

[2013/05/03 05:22:12 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe

[2013/05/03 05:22:09 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Users\Administrator\Desktop\aswMBR.exe

[2013/05/03 05:15:35 | 000,000,898 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job

[2013/05/03 05:04:35 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat

[2013/05/03 05:04:34 | 000,000,892 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-493042686-4190031859-2840707548-1000Core1cca67f43554a32.job

[2013/05/03 05:04:34 | 000,000,830 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job

[2013/05/02 21:12:54 | 000,030,624 | ---- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2013/05/02 21:12:54 | 000,030,624 | ---- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2013/05/02 21:07:18 | 2211,577,856 | -HS- | M] () -- C:\hiberfil.sys

[2013/05/02 19:29:04 | 000,000,000 | ---- | M] () -- C:\windows\ToDisc.INI

[2013/05/02 18:52:09 | 000,624,412 | ---- | M] () -- C:\windows\System32\perfh009.dat

[2013/05/02 18:52:09 | 000,106,756 | ---- | M] () -- C:\windows\System32\perfc009.dat

[2013/05/01 14:02:58 | 000,001,304 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.exe.lnk

[2013/04/27 12:06:32 | 000,389,384 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT

[2013/04/27 07:53:54 | 000,000,919 | ---- | M] () -- C:\Users\Public\Desktop\LibreOffice 4.0.lnk

[2013/04/27 07:46:21 | 000,000,681 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2013/04/26 16:33:57 | 000,001,032 | ---- | M] () -- C:\Users\Public\Desktop\Seahaven.lnk

[2013/04/24 19:22:55 | 000,001,620 | ---- | M] () -- C:\Users\Public\Desktop\IrfanView Thumbnails.lnk

[2013/04/24 19:22:55 | 000,000,760 | ---- | M] () -- C:\Users\Public\Desktop\IrfanView.lnk

[2013/04/22 19:21:43 | 000,000,693 | ---- | M] () -- C:\Users\Public\Desktop\PuTTY.lnk

[2013/04/21 20:57:18 | 000,477,616 | ---- | M] (Sun Microsystems, Inc.) -- C:\windows\System32\npdeployJava1.dll

[2013/04/21 20:57:18 | 000,473,520 | ---- | M] (Sun Microsystems, Inc.) -- C:\windows\System32\deployJava1.dll

[2013/04/21 20:57:18 | 000,162,224 | ---- | M] (Sun Microsystems, Inc.) -- C:\windows\System32\javaws.exe

[2013/04/21 20:57:18 | 000,149,936 | ---- | M] (Sun Microsystems, Inc.) -- C:\windows\System32\javaw.exe

[2013/04/21 20:57:18 | 000,149,936 | ---- | M] (Sun Microsystems, Inc.) -- C:\windows\System32\java.exe

[2013/04/11 04:08:10 | 000,691,592 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\System32\FlashPlayerApp.exe

[2013/04/11 04:08:10 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\System32\FlashPlayerCPLApp.cpl

[2013/04/04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys

[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/05/03 05:24:25 | 000,890,825 | ---- | C] () -- C:\Users\Administrator\Desktop\SecurityCheck.exe

[2013/05/02 19:29:04 | 000,000,000 | ---- | C] () -- C:\windows\ToDisc.INI

[2013/05/01 08:18:01 | 000,001,304 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.exe.lnk

[2013/04/27 07:53:54 | 000,000,919 | ---- | C] () -- C:\Users\Public\Desktop\LibreOffice 4.0.lnk

[2013/04/26 16:39:14 | 000,001,032 | ---- | C] () -- C:\Users\Public\Desktop\Seahaven.lnk

[2013/04/24 19:22:55 | 000,001,620 | ---- | C] () -- C:\Users\Public\Desktop\IrfanView Thumbnails.lnk

[2013/04/24 19:22:55 | 000,000,760 | ---- | C] () -- C:\Users\Public\Desktop\IrfanView.lnk

[2013/04/22 19:21:43 | 000,000,693 | ---- | C] () -- C:\Users\Public\Desktop\PuTTY.lnk

[2013/03/22 05:30:27 | 000,164,736 | ---- | C] () -- C:\windows\System32\drivers\aswVmm.sys

[2013/03/22 05:30:26 | 000,049,248 | ---- | C] () -- C:\windows\System32\drivers\aswRvrt.sys

[2012/10/07 06:58:53 | 000,000,022 | -HS- | C] () -- C:\windows\90C7D912BE2316.sys

[2012/02/02 11:08:49 | 000,000,304 | ---- | C] () -- C:\ProgramData\~pKsWQr3ZHEAH5y

[2012/02/02 11:08:49 | 000,000,224 | ---- | C] () -- C:\ProgramData\~pKsWQr3ZHEAH5yr

[2012/02/02 11:08:34 | 000,000,336 | ---- | C] () -- C:\ProgramData\pKsWQr3ZHEAH5y

[2012/02/02 10:22:19 | 000,103,733 | ---- | C] () -- C:\windows\System32\itusbcore.dat

[2012/02/02 10:22:19 | 000,000,195 | ---- | C] () -- C:\windows\System32\itlsvc.dat

[2011/09/23 17:16:42 | 000,066,048 | ---- | C] () -- C:\windows\System32\PrintBrmUi.exe

[2011/06/16 15:23:56 | 000,102,400 | ---- | C] () -- C:\windows\RegBootClean.exe

[2011/06/13 09:31:50 | 000,000,127 | ---- | C] () -- C:\windows\System32\MRT.INI

[2011/06/12 20:54:18 | 000,011,264 | ---- | C] () -- C:\windows\DCEBoot.exe

[2011/06/10 07:34:52 | 000,080,416 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll

========== ZeroAccess Check ==========

[2009/07/14 00:42:31 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 00:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 08:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 21:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

========== LOP Check ==========

[2013/04/29 08:25:49 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\JAM Software

[2011/05/28 11:40:23 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\kock

[2013/04/30 11:48:50 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\WildTangent

[2011/05/28 11:40:23 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\xmldm

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >

[2011/02/26 01:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe

[2009/07/13 21:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe

[2011/02/26 01:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe

[2009/10/31 01:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe

[2011/02/26 01:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe

[2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe

[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\explorer.exe

[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe

[2009/08/03 01:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe

[2009/08/03 01:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe

[2009/10/31 02:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

< MD5 for: SERVICES.EXE >

[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- C:\Windows\System32\services.exe

[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

< MD5 for: SVCHOST.EXE >

[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\System32\svchost.exe

[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe

[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\opt\mbam\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >

[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe

[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe

[2009/07/13 21:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe

< MD5 for: WINLOGON.EXE >

[2009/10/28 02:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe

[2009/10/28 01:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe

[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe

[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe

[2009/07/13 21:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe

[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\opt\mbam\Chameleon\winlogon.exe

< %systemroot%\*. /rp /s >

< %systemdrive%\$Recycle.Bin|@;true;true;true /fp >

========== Drive Information ==========

Physical Drives

---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed hard disk media

Interface type: IDE

Media Type: Fixed hard disk media

Model: TOSHIBA MK3263GSX ATA Device

Partitions: 3

Status: OK

Status Info: 0

Partitions

---------------

DeviceID: Disk #0, Partition #0

PartitionType: Unknown

Bootable: True

BootPartition: True

PrimaryPartition: True

Size: 1.00GB

Starting Offset: 1048576

Hidden sectors: 0

DeviceID: Disk #0, Partition #1

PartitionType: Installable File System

Bootable: False

BootPartition: False

PrimaryPartition: True

Size: 289.00GB

Starting Offset: 1573912576

Hidden sectors: 0

DeviceID: Disk #0, Partition #2

PartitionType: Unknown

Bootable: False

BootPartition: False

PrimaryPartition: True

Size: 8.00GB

Starting Offset: 311570726912

Hidden sectors: 0

< End of report >

################################################################

aswMBR.txt follows:

MRB.zip attached

################################################################

Run date: 2013-05-03 06:04:39

-----------------------------

06:04:39.301 OS Version: Windows 6.1.7601 Service Pack 1

06:04:39.301 Number of processors: 2 586 0x602

06:04:39.301 ComputerName: SHEBA UserName:

06:04:40.596 Initialize success

06:04:42.156 AVAST engine defs: 13050201

06:05:36.990 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1

06:05:36.990 Disk 0 Vendor: TOSHIBA_MK3263GSX FG020M Size: 305245MB BusType: 11

06:05:37.208 Disk 0 MBR read successfully

06:05:37.208 Disk 0 MBR scan

06:05:38.019 Disk 0 Windows VISTA default MBR code

06:05:38.035 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048

06:05:38.706 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 295636 MB offset 3074048

06:05:38.753 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 8108 MB offset 608536576

06:05:38.877 Disk 0 scanning sectors +625141760

06:05:39.564 Disk 0 scanning C:\windows\system32\drivers

06:05:57.847 Service scanning

06:06:43.430 Modules scanning

06:07:05.364 Disk 0 trace - called modules:

06:07:05.380 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys

06:07:05.395 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85fe8030]

06:07:05.395 3 CLASSPNP.SYS[8aa0459e] -> nt!IofCallDriver -> [0x85f41878]

06:07:05.395 5 ACPI.sys[833c13d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85fb7338]

06:07:06.425 AVAST engine scan C:\windows

06:07:09.498 AVAST engine scan C:\windows\system32

06:09:43.068 AVAST engine scan C:\windows\system32\drivers

06:09:55.875 AVAST engine scan C:\Users\Administrator

06:10:18.090 AVAST engine scan C:\ProgramData

06:12:17.774 Scan finished successfully

06:16:34.285 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Desktop\MBR.dat"

06:16:34.301 The log file has been saved successfully to "C:\Users\Administrator\Desktop\aswMBR.txt"

################################################################

MBR.zip

drjc · May 3, 2013

Apparently I ran OTL at some time in the Distant Past.

I deleted the OTL reg key to reset OTL counter and settings, and ran as directed.

Now I get both OTL.Txt and Extras.Txt

Sorry for my confusion, I won't do anything else until instructed.

################################################################

OTL.txt follows:

################################################################

OTL logfile created on: 5/3/2013 11:31:03 AM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Administrator\Desktop

Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 9.10.9200.16540)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 1.72 Gb Available Physical Memory | 62.73% Memory free

5.49 Gb Paging File | 4.60 Gb Available in Paging File | 83.74% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files

Drive C: | 288.71 Gb Total Space | 248.98 Gb Free Space | 86.24% Space Free | Partition Type: NTFS