MalWare Removal Forum

aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-29 03:22:25
-----------------------------
03:22:25.395 OS Version: Windows x64 6.1.7601 Service Pack 1
03:22:25.395 Number of processors: 4 586 0x503
03:22:25.396 ComputerName: USER-HP UserName: User
03:22:30.852 Initialize success
03:22:34.614 AVAST engine defs: 11122801
03:22:40.540 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000061
03:22:40.542 Disk 0 Vendor: ST310005 HP35 Size: 953869MB BusType: 11
03:22:42.553 Disk 0 MBR read successfully
03:22:42.555 Disk 0 MBR scan
03:22:42.559 Disk 0 unknown MBR code
03:22:42.575 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
03:22:42.580 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 940184 MB offset 206848
03:22:42.605 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 13583 MB offset 1925703680

The systemlook log is extremely long. Is it possible for me to attach the file here rather than pasting it in sections?
_________________

Sure, no problem.

To attach a file, open the topic reply window, scroll down and below the input field you'll find a Browse button. Browse to the file you want to attach, then hit the add the file button. Click Submit and the file should be attached to your next post.

It says "The file is too big, maximum allowed size is 256 KiB".
The log is really big because I think it made note of every file with "a2" in the name. Can I email it to you?
_________________

Not possible.

How big is the file ?

5.54 mb, which is weird because it's just a notepad file.

OK, rather than post a 5M file, lets try refining the search and see if it gives us something more manageable to work with.

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

SystemLook 30.07.11 by jpshortstuff
Log created at 16:31 on 30/12/2011 by User
Administrator - Elevation successful

========== Filefind ==========

Searching for "emsisoft"
No files found.

Searching for "a2util"
No files found.

Searching for "a2dda"
No files found.

Searching for "a2injectiondriver"
No files found.

Searching for "a2antimalware"
No files found.

Searching for "a2acc"
No files found.

========== Folderfind ==========

Searching for "emsisoft"
No folders found.

Searching for "a2util"
No folders found.

Searching for "a2dda"
No folders found.

Searching for "a2injectiondriver"
No folders found.

Searching for "a2antimalware"
No folders found.

Searching for "a2acc"
No folders found.

========== Regfind ==========

Searching for "emsisoft"
[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\Run]
"c:\program files (x86)\emsisoft anti-malware\a2guard.exe /d:60"="21"
[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\Services]
"Emsisoft Anti-Malware 6.0 - Service"="700"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\asquared.Scanner.Settings\DefaultIcon]
@="C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\A2START.EXE,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\asquared.Scanner.Settings\shell\open\command]
@="C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\A2START.EXE "/c=%1""
[HKEY_USERS\S-1-5-21-3193119406-1769082486-1526078369-1000\Software\BillP Studios\WinPatrol\Run]
"c:\program files (x86)\emsisoft anti-malware\a2guard.exe /d:60"="21"
[HKEY_USERS\S-1-5-21-3193119406-1769082486-1526078369-1000\Software\BillP Studios\WinPatrol\Services]
"Emsisoft Anti-Malware 6.0 - Service"="700"

Searching for "a2util"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_A2UTIL]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_A2UTIL]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A2UTIL]

Searching for "a2dda"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_A2DDA]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_A2DDA]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A2DDA]

Searching for "a2injectiondriver"
No data found.

Searching for "a2antimalware"
No data found.

Searching for "a2acc"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft-windows-m..rds-datacontrol-rll_31bf3856ad364e35_none_5241bfa2accb7ad3]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_prnkm005.inf_31bf3856ad364e35_none_5ecd615efdfd664a\f256!amd64_kop5650u.ppd_08d55a2acc29bbed]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-m..rds-datacontrol-rll_31bf3856ad364e35_none_5241bfa2accb7ad3]

-= EOF =-

Nothing of any real concern in your log.

• Double click OTL.exe to launch the programme.
• Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.

• Click the Run Fix button.
• OTL will now process the instructions.
• When finished a box will open asking you to open the fix log, click OK.
• The fix log will open.
• Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

If your computer is not now running the way you expect it to, can you explain to me in what way it is acting differently,

This fix isn't going to delete WinPatrol is it?

No, it's just going to delete a couple of key values for emsisoft that are in the WinPatrol keys, that way they won't show up in WinPatrol.

I did that but it says "otl is not responding" and it has this message
Description:
A problem caused this program to stop interacting with Windows.

Problem signature:
Problem Event Name: AppHangB1
Application Name: OTL.exe
Application Version: 3.2.31.0
Application Timestamp: 2a425e19
Hang Signature: 3a44
Hang Type: 0
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033
Additional Hang Signature 1: 3a44cf85255aecb09af1e6e96aeba299
Additional Hang Signature 2: 4e26
Additional Hang Signature 3: 4e26a30753311464ea7d080761d80683
Additional Hang Signature 4: 3a44
Additional Hang Signature 5: 3a44cf85255aecb09af1e6e96aeba299
Additional Hang Signature 6: 4e26
Additional Hang Signature 7: 4e26a30753311464ea7d080761d80683

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid= ... cid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Reboot your computer, then try running it again, let me know if the same thing happens.

yeah it did it again

Gary suddenly two icons just appeared on my desktop. both are called desktop.ini
i opened them. the first says
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
[LocalizedFileNames]
Play HP Games.lnk=@C:\PROGRA~2\HPGAME~1\HPGAME~1\MUISTA~1.EXE,-105
Norton 360.lnk=@C:\PROGRA~2\NORTON~2\Branding\muis.dll,-109

the other says

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183

what are these? why are they suddenly on my desktop? are they dangerous?