Inactive [A] Major probs. Do I need to blow it out?

Status
Not open for further replies.
During prescan RK tells me it is dated and wants me to DL from the website. I say yes and it brings me to where I DLd from not 5 minutes ago. And when I select delete after running the scan, it tells me the prog crashed. Renamed it winlogon, reran, and it still wanted me to DL what I just DLed, and also crashed. Now, for laughs, I deleted it from the desktop and DLed it again. Crashed again after starting deletion. It crashed again when trying to delete.
BUT I copied the report this time before trying to delete.

RogueKiller V8.4.4 [Feb 1 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Puffin [Admin rights]
Mode : Scan -- Date : 02/02/2013 19:38:43
| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\RunOnce : Z1 (cmd /c "C:\Users\Jeanne\Desktop\mbar\mbar\mbar.exe" /cleanup /s) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\RunOnce : *D7 (cmd /c start "" "C:\Users\Jeanne\AppData\Local\Temp\Temp1_D7.zip\D7.exe") -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> E:\windows\system32\config\SOFTWARE

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD50 00AAKX-001CA SCSI Disk Device +++++
--- User ---
[MBR] 1e850b1a2a4b95f48546c2e2dd51801e
[BSP] b1eddfe3e4a458b3cc37cdde75ccdb1e : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476938 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: SAMSUNG SP2504C SCSI Disk Device +++++
--- User ---
[MBR] 8b5b659faa81e45c42691f1b52e1dc96
[BSP] 7d4755e7c820a24a8f2162a6ed0543bc : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21100544 | Size: 228114 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[4]_S_02022013_02d1938.txt >>
RKreport[1]_S_02022013_02d1855.txt ; RKreport[2]_S_02022013_02d1902.txt ; RKreport[3]_S_02022013_02d1912.txt ; RKreport[4]_S_02022013_02d1938.txt
 
Create a new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

============================

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with the rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
OK, let combofix run for about 4 hrs. When I came back to the machine, it had a BSOD. I booted into safe mode and ran rkill, then I ran combofix. 18 hours later when I came back to the machine combofix is still at the screen where it tells you it may take 10 minutes, or for badly infected machines scan time may easily double.
Here is the RKILL log:
======================================================
Rkill 2.4.6 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/03/2013 04:39:13 PM in x86 mode.
Windows Version: Windows Vista (TM) Home Premium Service Pack 2

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Automatic

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic (Delayed Start)

* Windows Update (wuauserv) is not Running.
Startup Type set to: Automatic (Delayed Start)

* Windows Update (AFD) is not Running.
Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost
::1 localhost

Program finished at: 02/03/2013 04:39:24 PM
Execution time: 0 hours(s), 0 minute(s), and 11 seconds(s)
 
Here is the Critical event from Event viewer
Log Name: System
Source: Microsoft-Windows-Kernel-Power
Date: 2/3/2013 4:30:19 PM
Event ID: 41
Task Category: None
Level: Critical
Keywords: (2)
User: SYSTEM
Computer: Jeanne-PC
Description:
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-Power" Guid="{331c3b3a-2005-44c2-ac5e-77220c37d6b4}" />
<EventID>41</EventID>
<Version>0</Version>
<Level>1</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000002</Keywords>
<TimeCreated SystemTime="2013-02-03T21:30:19.314Z" />
<EventRecordID>109511</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="8" />
<Channel>System</Channel>
<Computer>Jeanne-PC</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="BugcheckCode">159</Data>
<Data Name="BugcheckParameter">0x3</Data>
<Data Name="BugcheckParameter">0x85f2e888</Data>
<Data Name="BugcheckParameter">0x86a25770</Data>
<Data Name="BugcheckParameter">0x859ef5c8</Data>
</EventData>
</Event>
 
Also from Event viewer


Log Name: Application
Source: ESENT
Date: 2/4/2013 12:20:05 PM
Event ID: 623
Task Category: Transaction Manager
Level: Error
Keywords: Classic
User: N/A
Computer: Jeanne-PC
Description:
wuaueng.dll (1244) SUS20ClientDataStore: The version store for this instance (0) has reached its maximum size of 8Mb. It is likely that a long-running transaction is preventing cleanup of the version store and causing it to build up in size. Updates will be rejected until the long-running transaction has been completely committed or rolled back.
Possible long-running transaction:
SessionId: 0x01590320
Session-context: 0x00000000
Session-context ThreadId: 0x00000F10
Cleanup: 1
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ESENT" />
<EventID Qualifiers="0">623</EventID>
<Level>2</Level>
<Task>14</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-04T17:20:05.000Z" />
<EventRecordID>9416</EventRecordID>
<Channel>Application</Channel>
<Computer>XXXXXX-PC</Computer>
<Security />
</System>
<EventData>
<Data>wuaueng.dll</Data>
<Data>1244</Data>
<Data>SUS20ClientDataStore: </Data>
<Data>0</Data>
<Data>8</Data>
<Data>0x01590320</Data>
<Data>0x00000000</Data>
<Data>0x00000F10</Data>
<Data>1</Data>
</EventData>
</Event>
 
Finally


Event Viewer
Log Name: Application
Source: Microsoft-Windows-EventSystem
Date: 2/3/2013 4:31:14 PM
Event ID: 4609
Task Category: Event System
Level: Error
Keywords: Classic
User: N/A
Computer: Jeanne-PC
Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043c from line 45 of d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-EventSystem" Guid="{899daace-4868-4295-afcd-9eb8fb497561}" EventSourceName="EventSystem" />
<EventID Qualifiers="49152">4609</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>16</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-03T21:31:14.000Z" />
<EventRecordID>9389</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Jeanne-PC</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp</Data>
<Data Name="param2">45</Data>
<Data Name="param3">8007043c</Data>
</EventData>
</Event>
 
Also the Avast service is disabled, and attempts to change that status, whether setting it to automatic or manual, give access denied errors. And in either state, Start is grayed out.
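The Kernel-Power event 41 posted above carries a non-zero BugcheckCode, which is what separates a real kernel crash (the BSOD described) from a plain power loss or hard reset, where the code is 0. As an added example, not part of this thread and not code from any of the tools mentioned in it, here is a small Python parser for that Event XML that pulls out the bug check code and parameters and names the stop code. The sample XML is the posted event trimmed to the elements the parser reads, the second sample is a constructed no-crash variant, and the stop code table is a hand-picked subset, not the full Microsoft list.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Kernel-Power 41 event posted above, trimmed to the
# elements this parser reads.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-Power" Guid="{331c3b3a-2005-44c2-ac5e-77220c37d6b4}" />
<EventID>41</EventID>
<Level>1</Level>
<TimeCreated SystemTime="2013-02-03T21:30:19.314Z" />
<Computer>Jeanne-PC</Computer>
</System>
<EventData>
<Data Name="BugcheckCode">159</Data>
<Data Name="BugcheckParameter">0x3</Data>
<Data Name="BugcheckParameter">0x85f2e888</Data>
<Data Name="BugcheckParameter">0x86a25770</Data>
<Data Name="BugcheckParameter">0x859ef5c8</Data>
</EventData>
</Event>"""

# Constructed variant: the same event with BugcheckCode 0, which is what event 41
# looks like after a power cut or a held power button (no stop error recorded).
SAMPLE_NO_BUGCHECK_XML = SAMPLE_EVENT_XML.replace(
    '<Data Name="BugcheckCode">159</Data>', '<Data Name="BugcheckCode">0</Data>'
)

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hand-picked subset of Windows stop codes (assumption: only a few well-known
# ones; the full list is Microsoft's bug check code reference).
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x9F: "DRIVER_POWER_STATE_FAILURE",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}


def parse_kernel_power_event(xml_text):
    """Parse one Event XML record into the fields needed to decide whether an
    unexpected reboot was a kernel crash or a power loss."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_data = root.find("e:EventData", NS)
    if system is None or event_data is None:
        raise ValueError("not a Windows Event XML record")

    params = []
    named = {}
    for data in event_data.findall("e:Data", NS):
        name = data.get("Name")
        text = (data.text or "").strip()
        if name == "BugcheckParameter":
            params.append(int(text, 16))  # hex strings such as 0x85f2e888
        elif name:
            named[name] = text

    code = int(named.get("BugcheckCode", "0"))  # decimal in the XML: 159 == 0x9F
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "time_utc": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
        "bugcheck_code": code,
        "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN") if code else None,
        "bugcheck_params": params,
    }


def is_crash(event):
    """Event 41 with a zero bug check code means power loss or hard reset;
    a non-zero code means the kernel actually hit a stop error."""
    return event["event_id"] == 41 and event["bugcheck_code"] != 0


def describe(event):
    """One-line triage summary of a parsed event 41."""
    where = f"Kernel-Power 41 on {event['computer']} at {event['time_utc']}"
    if not is_crash(event):
        return f"{where}: no bug check recorded (power loss or hard reset)"
    params = event["bugcheck_params"]
    line = (f"{where}: stop 0x{event['bugcheck_code']:02X} {event['bugcheck_name']}, "
            f"params {', '.join(f'0x{p:x}' for p in params)}")
    # For 0x9F, parameter 1 == 3 means a device object held a power IRP too long;
    # parameter 2 is that device object, the natural next thing to look at.
    if event["bugcheck_code"] == 0x9F and len(params) >= 2 and params[0] == 3:
        line += f" (a driver held a power IRP too long; inspect device object 0x{params[1]:x})"
    return line


if __name__ == "__main__":
    for sample in (SAMPLE_EVENT_XML, SAMPLE_NO_BUGCHECK_XML):
        print(describe(parse_kernel_power_event(sample)))
```

Run it as a script to see both summaries; in an investigation the same parser can be pointed at event XML exported from Event Viewer or `wevtutil`, and `is_crash` is the first question to answer before spending time on malware theories for an unexpected reboot.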
 
For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
Says Farbar is designed to diagnose and fix boot issues. I don't think I am having any of those.
Also, it would be immensely appreciated if you could give me an idea about what you think is going on.
I'm probably looking at doing this this coming weekend.
 
I'm not sure yet what's going on so I want to take a look at your computer from the outside.
That's why I need the FRST log.
 
I can't comment without seeing FRST log.
FRST is just a scanner. It doesn't make any changes until I ask it to do so.
 
OK, I did not get a chance to try this this past WE due to scheduling issues. Also I did get some advice to run chkdsk /f /r then sfc.exe to find and repair any file corruption. I did get an opportunity to start that, but have not analysed the log to see what needs replacement. That and running the app you recommended will have to wait till this coming Saturday. Hopefully, I will have results for you then. TX
 
This topic is marked as abandoned and closed due to inactivity.
This member will NOT be eligible to receive any more help in malware removal forum.
 