Windows has encountered a critical problem and will restart automatic

Inactive
By frankiesweeney
Jan 10, 2013
  1. Can anyone help me get rid of this trojan please:eek:windows vista home
  2. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================

    Can you start your computer in any mode?
  3. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    Yeah with a lot of restarts it works in normal mode it wont boot in safe mode .....thanks for prompt reply
  4. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.
  5. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    Windows is shutting down and malaware bytes wont load ......will restart .....ok windows has restarted
  6. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    What Windows version is it?
  7. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    Windows vista home sp1 ..... malaware bytes is working now will try and complete checklist ...I have two computers so I can remain in contact
  8. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.01.10.13

    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 8.0.6001.19088
    frank :: FRANK-PC [administrator]

    11/01/2013 00:19:30
    mbam-log-2013-01-11 (00-19-30).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 225011
    Time elapsed: 20 minute(s), 18 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  9. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.19088
    Run by frank at 0:47:47 on 2013-01-11
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.353.1033.18.1014.88 [GMT 0:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
    SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\System32\hkcmd.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Acer\Mobility Center\MobilityService.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\RocketDock\RocketDock.exe
    D:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Microsoft Security Client\NisSrv.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Users\frank\AppData\Local\Temp\RtkBtMnt.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wermgr.exe
    C:\Windows\notepad.exe
    C:\Users\frank\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\frank\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\frank\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\frank\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\frank\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\frank\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\frank\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\frank\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\System32\osk.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.babylon.com/?affID=112060&tt=4812_3&babsrc=HP_ss&mntrId=5a003357000000000000001fe2a7249a
    mStart Page = hxxp://en.ie.acer.yahoo.com
    mDefault_Page_URL = hxxp://en.ie.acer.yahoo.com
    uSearchAssistant = hxxp://www.sharewareisland.com/quicksearch.aspx
    dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
    BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - <orphaned>
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
    BHO: {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - <orphaned>
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {a060276a-53be-45ec-8ebe-b94b1e803179} - <orphaned>
    BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
    BHO: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - <orphaned>
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: MyEmoticons Class: {DCC39ACE-709B-44EA-B062-5F6BE2774644} - c:\users\frank\appdata\roaming\myemoticons\myemoticons-1.3.dll
    BHO: {f592709f-ff4a-4862-b659-4afabda56312} - <orphaned>
    EB: &Research: {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program files\microsoft office\office12\REFIEBAR.DLL
    uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
    uRun: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
    mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
    mRun: [ROC_ROC_JULY_P1] "c:\program files\avg secure search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Free YouTube Download - c:\users\frank\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_38-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_38-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_38-windows-i586.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
    DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{8A3EA5C0-84E0-4888-AEC8-935B5BA88E02} : DHCPNameServer = 192.168.1.254
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Notify: igfxcui - igfxdev.dll
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    Hosts: 127.0.0.1www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
    R1 MpKsl03ed8a5f;MpKsl03ed8a5f;c:\programdata\microsoft\microsoft antimalware\definition updates\{e81b4a53-4456-465f-a647-823416c65a77}\MpKsl03ed8a5f.sys [2013-1-11 29904]
    R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 99272]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-7-22 180736]
    S3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\system32\drivers\CM106.sys [2010-8-23 1517056]
    S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2009-3-31 16896]
    .
    =============== Created Last 30 ================
    .
    2013-01-11 00:17:4229904----a-w-c:\programdata\microsoft\microsoft antimalware\definition updates\{e81b4a53-4456-465f-a647-823416c65a77}\MpKsl03ed8a5f.sys
    2013-01-10 14:20:226812136----a-w-c:\programdata\microsoft\microsoft antimalware\definition updates\{e81b4a53-4456-465f-a647-823416c65a77}\mpengine.dll
    2013-01-10 13:16:436812136----a-w-c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2013-01-04 18:26:39477168----a-w-c:\windows\system32\npdeployJava1.dll
    2013-01-02 00:40:3721840----atw-c:\windows\system32\SIntfNT.dll
    2013-01-02 00:40:3517212----atw-c:\windows\system32\SIntf32.dll
    2013-01-02 00:40:3412067----atw-c:\windows\system32\SIntf16.dll
    2013-01-01 05:19:491409----a-w-c:\windows\QTFont.for
    .
    ==================== Find3M ====================
    .
    2013-01-10 08:35:21132511717----a-w-c:\windows\DUMP74e0.tmp
    2013-01-04 18:26:01473072----a-w-c:\windows\system32\deployJava1.dll
    2013-01-01 23:05:29171008----a-w-c:\windows\system32\apphelp.dll
    2013-01-01 11:07:0711973----a-w-c:\windows\system32\drivers\secdrv.sys
    2012-11-14 04:16:02466008----a-w-c:\windows\system32\drivers\sptd.sys
    2006-05-03 12:06:54163328--sha-r-c:\windows\system32\flvDX.dll
    2007-02-21 13:47:1631232--sha-r-c:\windows\system32\msfDX.dll
    2008-03-16 15:30:52216064--sha-r-c:\windows\system32\nbDX.dll
    2010-01-07 00:00:00107520--sha-r-c:\windows\system32\TAKDSDecoder.dll
    .
    ============= FINISH: 0:49:49.52 ===============
  10. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume2
    Install Date: 27/06/2008 14:14:32
    System Uptime: 11/01/2013 00:13:49 (0 hours ago)
    .
    Motherboard: Acer | | Columbia
    Processor: Intel(R) Celeron(R) CPU 560 @ 2.13GHz | U2E1 | 2128/133mhz
    .
    ==== Disk Partitions =========================
    .
    A: is CDROM ()
    C: is FIXED (NTFS) - 32 GiB total, 6.025 GiB free.
    D: is FIXED (NTFS) - 32 GiB total, 8.827 GiB free.
    E: is CDROM ()
    F: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1217: 09/01/2013 13:10:07 - Windows Update
    RP1218: 09/01/2013 19:59:46 - Windows Update
    RP1219: 10/01/2013 14:19:18 - Windows Update
    .
    ==== Installed Programs ======================
    .
    2007 Microsoft Office system
    4oD
    Acer GridVista
    Acer Mobility Center Plug-In
    Acer ScreenSaver
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 8.1.0
    Adobe Shockwave Player 11.5
    Alarm Clock v1.0
    µTorrent
    Bonjour
    Broadcom Gigabit Integrated Controller
    Business Contact Manager for Outlook 2007 SP2
    Call of Duty
    Call of Duty - United Offensive
    CCleaner
    DAEMON Tools Lite
    Debut Video Capture Software
    Deus Ex - Invisible War
    DivX Player
    DivX Setup
    DVD43 v4.4.0
    Express Rip
    FLV Player 2.0 (build 25)
    Google Chrome
    Google Drive
    Google Update Helper
    Guitar Pro 5.2
    HDAUDIO Soft Data Fax Modem with SmartCP
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Matrix Storage Manager
    Intel(R) TV Wizard
    ISO Recorder
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) 6 Update 38
    Launch Manager
    LightScribe 1.4.142.1
    LIVE gaming on Windows Runtime Version 1.0.6027
    Malwarebytes Anti-Malware version 1.65.1.1000
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft IntelliPoint 6.3
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Edition 2003
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Word MUI (English) 2007
    Microsoft Security Assessment Tool 4.0
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Compact 3.5 SP1 English
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Virtual PC 2007
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft XML Parser
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML4 Parser
    Multi Tracker - Version 2.1.1.2255
    MyEmoticons
    Myst III: Exile
    NTI Backup NOW! 4.7
    NTI CD & DVD-Maker
    NTI Shadow
    NVIDIA PhysX v8.04.25
    PCDJ Rock Producer
    PitchPerfect Musical Instrument Tuner
    Point-N-Click
    Power Tab Editor 1.7
    PowerDVD
    PowerISO
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.1
    Reason 1.0
    ResumeMaker Professional
    RocketDock 1.3.5
    Security Task Manager 1.8d
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
    Shockwave
    Skype™ 6.0
    Sound Forge 4.5c Build-281
    SoundTrek Jammer Professional v5.0.8.1
    Spybot - Search & Destroy
    SUPER © v2011.build.49 (July 1st, 2011) version v2011.build.49
    Synaptics Pointing Device Driver
    SynthFont
    System Requirements Lab
    System Requirements Lab for Intel
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687407) 32-Bit Edition
    USB Multi-Channel Audio Device
    vanBasco's Karaoke Player
    VC80CRTRedist - 8.0.50727.6195
    VLC media player 1.1.11
    VoiceOver Kit
    Winamp
    Windows Media Player 5.2
    WinRAR archiver
    Xvid Video Codec
    YTD Video Downloader 3.9.2
    .
    ==== End Of File ===========================
  11. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    ==============================

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
     
  12. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    Just got
    Windows has encountered a critical problem and will restart automatically in one minute ....it may take some time to get it to reboot ...will keep you posted....
  13. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    I have pretty good eyesight....LOL

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
  14. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    Its getting kinda late over here . Dublin .will contact you tomorrow....thanks for your help and patience (y)
  15. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    No problem :)
  16. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    Hi broni im back on task.......for some baffling reason I could access frst on the usb.....however windows is running kinda stable so I went back to your prev post ...will post.log texts
  17. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org
    Database version: v2013.01.11.03
    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 8.0.6001.19088
    frank :: FRANK-PC [administrator]
    11/01/2013 04:16:16
    mbar-log-2013-01-11 (04-16-16).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 28594
    Time elapsed: 22 minute(s), 40 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
  18. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : frank [Admin rights]
    Mode : Remove -- Date : 01/11/2013 03:46:55
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 6 ¤¤¤
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_POWER] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_PNP] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts
    127.0.0.1 localhost
    ::1 localhost
    127.0.0.1www.007guard.com
    127.0.0.1007guard.com
    127.0.0.1008i.com
    127.0.0.1www.008k.com
    127.0.0.1008k.com
    127.0.0.1www.00hq.com
    127.0.0.100hq.com
    127.0.0.1010402.com
    127.0.0.1www.032439.com
    127.0.0.1032439.com
    127.0.0.1www.0scan.com
    127.0.0.10scan.com
    127.0.0.11000gratisproben.com
    127.0.0.1www.1000gratisproben.com
    127.0.0.1www.1001namen.com
    127.0.0.11001namen.com
    127.0.0.1www.100888290cs.com
    127.0.0.1100888290cs.com
    [...]
    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD800BEVS-22RST0 ATA Device +++++
    --- User ---
    [MBR] fe39a3e2cc4605984a7a2d1cd92419be
    [BSP] 623e519aaf8dba25867aa950f5df4336 : Acer tatooed MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10000 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20482048 | Size: 33160 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 88393728 | Size: 33157 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[2]_D_01112013_02d0346.txt >>
    RKreport[1]_S_01112013_02d0346.txt ; RKreport[2]_D_01112013_02d0346.txt
  19. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : frank [Admin rights]
    Mode : Scan -- Date : 01/11/2013 03:46:28
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 6 ¤¤¤
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_POWER] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_PNP] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts
    127.0.0.1 localhost
    ::1 localhost
    127.0.0.1www.007guard.com
    127.0.0.1007guard.com
    127.0.0.1008i.com
    127.0.0.1www.008k.com
    127.0.0.1008k.com
    127.0.0.1www.00hq.com
    127.0.0.100hq.com
    127.0.0.1010402.com
    127.0.0.1www.032439.com
    127.0.0.1032439.com
    127.0.0.1www.0scan.com
    127.0.0.10scan.com
    127.0.0.11000gratisproben.com
    127.0.0.1www.1000gratisproben.com
    127.0.0.1www.1001namen.com
    127.0.0.11001namen.com
    127.0.0.1www.100888290cs.com
    127.0.0.1100888290cs.com
    [...]
    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD800BEVS-22RST0 ATA Device +++++
    --- User ---
    [MBR] fe39a3e2cc4605984a7a2d1cd92419be
    [BSP] 623e519aaf8dba25867aa950f5df4336 : Acer tatooed MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10000 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20482048 | Size: 33160 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 88393728 | Size: 33157 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[1]_S_01112013_02d0346.txt >>
    RKreport[1]_S_01112013_02d0346.txt
  20. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : frank [Admin rights]
    Mode : Remove -- Date : 01/11/2013 03:46:55
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 6 ¤¤¤
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_POWER] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    IRP[IRP_MJ_PNP] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x84E981F8)
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts
    127.0.0.1 localhost
    ::1 localhost
    127.0.0.1www.007guard.com
    127.0.0.1007guard.com
    127.0.0.1008i.com
    127.0.0.1www.008k.com
    127.0.0.1008k.com
    127.0.0.1www.00hq.com
    127.0.0.100hq.com
    127.0.0.1010402.com
    127.0.0.1www.032439.com
    127.0.0.1032439.com
    127.0.0.1www.0scan.com
    127.0.0.10scan.com
    127.0.0.11000gratisproben.com
    127.0.0.1www.1000gratisproben.com
    127.0.0.1www.1001namen.com
    127.0.0.11001namen.com
    127.0.0.1www.100888290cs.com
    127.0.0.1100888290cs.com
    [...]
    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD800BEVS-22RST0 ATA Device +++++
    --- User ---
    [MBR] fe39a3e2cc4605984a7a2d1cd92419be
    [BSP] 623e519aaf8dba25867aa950f5df4336 : Acer tatooed MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10000 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20482048 | Size: 33160 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 88393728 | Size: 33157 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[2]_D_01112013_02d0346.txt >>
    RKreport[1]_S_01112013_02d0346.txt ; RKreport[2]_D_01112013_02d0346.txt
  21. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    Malwarebytes Anti-Rootkit BETA 1.01.0.1011
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.0.6001 Windows Vista Service Pack 1 x86
    Account is Administrative
    Internet Explorer version: 8.0.6001.19088
    Java version: 1.6.0_38
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 2.128000 GHz
    Memory total: 1062924288, free: 144977920
    ------------ Kernel report ------------
    01/11/2013 03:51:12
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntkrnlpa.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\BOOTVID.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\System32\Drivers\sptd.sys
    \SystemRoot\system32\drivers\acpi.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\drivers\intelide.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\DRIVERS\pcmcia.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\system32\DRIVERS\MpFilter.sys
    \SystemRoot\System32\Drivers\PxHelp20.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\msrpc.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\ecache.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\system32\drivers\crcdisk.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\tunmp.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\igdkmd32.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\b57nd60x.sys
    \SystemRoot\system32\DRIVERS\bcmwl6.sys
    \SystemRoot\system32\DRIVERS\ohci1394.sys
    \SystemRoot\system32\DRIVERS\1394BUS.SYS
    \SystemRoot\system32\drivers\tifm21.sys
    \SystemRoot\system32\DRIVERS\sdbus.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\DKbFltr.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\nscirda.sys
    \SystemRoot\system32\drivers\irenum.sys
    \SystemRoot\System32\DRIVERS\dvd43llh.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\NTIDrvr.sys
    \SystemRoot\System32\Drivers\apbvftea.SYS
    \SystemRoot\System32\Drivers\SCSIPORT.SYS
    \SystemRoot\system32\DRIVERS\VMNetSrv.sys
    \SystemRoot\system32\DRIVERS\msiscsi.sys
    \SystemRoot\system32\DRIVERS\storport.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\RTKVHDA.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
    \SystemRoot\system32\DRIVERS\HSX_DPV.sys
    \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    \SystemRoot\system32\drivers\modem.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\System32\DRIVERS\rasacd.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\smb.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \??\C:\Windows\system32\Drivers\vmm.sys
    \SystemRoot\System32\Drivers\SCDEmu.SYS
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\System32\Drivers\fastfat.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\NuidFltr.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\point32k.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\DRIVERS\irda.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\spsys.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\cdfs.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \??\C:\Windows\system32\drivers\int15.sys
    \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    \SystemRoot\system32\DRIVERS\NisDrvWFP.sys
    \SystemRoot\system32\drivers\peauth.sys
    \??\C:\Windows\system32\drivers\SECDRV.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\DRIVERS\xaudio.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E81B4A53-4456-465F-A647-823416C65A77}\MpKsle86443cb.sys
    \??\C:\Windows\system32\drivers\TrueSight.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Program Files\DAEMON Tools Lite\Engine.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR2
    Upper Device Object: 0xffffffff84892ac8
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\0000009b\
    Lower Device Object: 0xffffffff847f3440
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    DriverEntry returned 0x0
    Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff85037718
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-3\
    Lower Device Object: 0xffffffff84f0d2b8
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    DriverEntry returned 0x0
    Function returned 0x0
    Host not found
    Downloaded database version: v2013.01.11.03
    Downloaded database version: v2013.01.04.01
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff85037718, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff85037408, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff85037718, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
    DevicePointer: 0xffffffff8456e900, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xffffffff84f0d2b8, DeviceName: \Device\Ide\IdeDeviceP2T0L0-3\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xffffffffae266f88, 0xffffffff85037718, 0xffffffff847877d8
    Lower DeviceData: 0xffffffffacc40a78, 0xffffffff84f0d2b8, 0xffffffff841388c0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: CC6623CC
    Partition information:
    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 20480000
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 20482048 Numsec = 67911680
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 88393728 Numsec = 67905536
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 80026361856 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-156281488-156301488)...
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xffffffff84892ac8, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8696eac0, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff84892ac8, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\disk\
    DevicePointer: 0xffffffff847f3440, DeviceName: \Device\0000009b\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Upper DeviceData: 0xffffffffae2a56a0, 0xffffffff84892ac8, 0xffffffff847d77d8
    Lower DeviceData: 0xffffffffa99472b8, 0xffffffff847f3440, 0xffffffffa4273040
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 35A72B
    Partition information:
    Partition 0 type is Other (0xb)
    Partition is ACTIVE.
    Partition starts at LBA: 32 Numsec = 946144
    Partition file system is FAT32
    Partition is not bootable
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 484442112 bytes
    Sector size: 512 bytes
    Done!
    Performing system, memory and registry scan...
    Done!
    Scan finished
    =======================================
  22. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    As I said the system seems more stable...but restarts can fail to boot but not as bad as it was before ...im thinking this rootkit has been on the machine for a long time
  23. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    I meant to say I could not access frst on the usb ,,,sorry for confusion
  24. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ========================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
  25. frankiesweeney

    frankiesweeney Newcomer, in training Topic Starter Posts: 20

    Having some problems........ combi fix ran perfect but windows shut down while I was saving text file I will run it again


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.