Should I start 6 step process?

By papa877 ยท 47 replies
Sep 30, 2011
  1. Let me just start by saying thank you for having this support.

    First of all, I found this forum after I had already done a couple things so I want to make sure I'm okay to start the steps or if my only option at this point is to reinstall windows.

    The problem started when I opened an unsafe file and my computer immediately crashed. When it restarted, windows could not start and it attempted startup repair which failed. I proceeded to do a restore from a system image which was over a year old but was the only one I had. Once I did this windows was able to start but I noticed it still wasn't right. Loading windows was extremely slow and I was being redirected on google. I went to open malwarebytes which had been previously installed and realized that the folder was there but the application and setup were both gone. After a while I got mbam reinstalled and did the quick scan which found 2 instances of rootkit which i deleted. Since my restore point was so old I had 98 windows updates which I tried to install but my computer crashed. I wasn't sure if this was from the virus or from using such an old restore point. The next day I did another mbam scan which found 3 trojan.jorik on my system. Here and there I will get a blue screen and a crash and I am unable to update windows. So should I begin your 6 step process (or is it 8 step? I have seen both) or do I have to go to the trouble of reinstalling windows? Thank you for you time!
  2. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Welcome aboard [​IMG]

    Please, complete all steps listed here:
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. papa877

    papa877 TS Rookie Topic Starter Posts: 26


    When I open GMER it appears to be doing a quick scan for just a couple of seconds and then I saved the log and the file was empty. Is this normal or is it not really scanning?
  4. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    If it doesn't find any modifications, it won't produce any log.
    Go on with others.
  5. papa877

    papa877 TS Rookie Topic Starter Posts: 26

    6 steps completed

    Here are the logs requested. The initial gmer scan was blank. I should also note that I performed malwarebytes quick scan twice before starting this process which did produce results. I can produce those logs if needed. Thank you in advance for anyone taking the time to look at these logs.

    Malwarebytes' Anti-Malware

    Database version: 7823

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    9/30/2011 4:27:53 PM
    mbam-log-2011-09-30 (16-27-53).txt

    Scan type: Quick scan
    Objects scanned: 184925
    Time elapsed: 2 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
    Run by Nick at 17:10:07 on 2011-09-30
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.8183.6107 [GMT -7:00]
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    ============== Running Processes ===============
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files (x86)\Dell Photo AIO Printer 926\dlcxmon.exe
    C:\Program Files (x86)\Dell Photo AIO Printer 926\memcard.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\apdproxy.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\System32\svchost.exe -k swprv
    ============== Pseudo HJT Report ===============
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=userinit.exe,
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun: [QFan Help] "C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe"
    mRun: [Cpu Level Up help] "C:\Program Files (x86)\ASUS\AI Suite\CpuLevelUpHelp.exe"
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [Adobe Photo Downloader] "C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\apdproxy.exe"
    mRun: [WheelMouse] C:\ADVANC~1\wh_exec.exe
    mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://
    TCP: DhcpNameServer =
    TCP: Interfaces\{6DE5A4D9-CDE0-4ADB-8124-4202F19D416D} : DhcpNameServer =
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun-x64: [QFan Help] "C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe"
    mRun-x64: [Cpu Level Up help] "C:\Program Files (x86)\ASUS\AI Suite\CpuLevelUpHelp.exe"
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [Adobe Photo Downloader] "C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\apdproxy.exe"
    mRun-x64: [WheelMouse] C:\ADVANC~1\wh_exec.exe
    mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    IE-X64: {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk
    ================= FIREFOX ===================
    FF - ProfilePath - C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\lh6ohrhe.default\
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    ============= SERVICES / DRIVERS ===============
    R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
    R0 mv91xx;mv91xx;C:\Windows\system32\DRIVERS\mv91xx.sys --> C:\Windows\system32\DRIVERS\mv91xx.sys [?]
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-9-30 136360]
    R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-9-30 269480]
    R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2010-6-2 90112]
    R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
    R2 cpuz133;cpuz133;\??\C:\Windows\system32\drivers\cpuz133_x64.sys --> C:\Windows\system32\drivers\cpuz133_x64.sys [?]
    R2 dlcx_device;dlcx_device;C:\Windows\system32\dlcxcoms.exe -service --> C:\Windows\system32\dlcxcoms.exe -service [?]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-8-18 2151640]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-9-29 17152]
    R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
    R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
    R3 rt61x64;RT61 Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr6164.sys --> C:\Windows\system32\DRIVERS\netr6164.sys [?]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S3 whfltr2k;WheelMouse USB Lower Filter Driver;C:\Windows\system32\DRIVERS\whfltr2k.sys --> C:\Windows\system32\DRIVERS\whfltr2k.sys [?]
    =============== Created Last 30 ================
    2011-10-01 00:02:11 49152 ----a-w- C:\Windows\SysWow64\mdhcp32.dll
    2011-09-30 23:26:09 -------- d-----w- C:\Users\Nick\AppData\Roaming\Avira
    2011-09-30 23:05:22 88288 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
    2011-09-30 23:05:22 -------- d-----w- C:\ProgramData\Avira
    2011-09-30 23:05:22 -------- d-----w- C:\Program Files (x86)\Avira
    2011-09-30 22:55:07 9049936 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0268744-D395-43BE-9827-2DC5244BD4D2}\mpengine.dll
    2011-09-29 20:48:02 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
    2011-09-29 20:48:02 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
    2011-09-29 20:48:02 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
    2011-09-29 20:48:02 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
    2011-09-29 20:48:01 48960 ----a-w- C:\Windows\System32\netfxperf.dll
    2011-09-29 20:48:01 444752 ----a-w- C:\Windows\System32\mscoree.dll
    2011-09-29 20:48:01 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
    2011-09-29 20:48:01 1942856 ----a-w- C:\Windows\System32\dfshim.dll
    2011-09-29 20:48:01 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
    2011-09-29 20:48:01 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
    2011-09-29 07:48:17 144896 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\dlcxdrpp.dll
    2011-09-29 07:48:05 487424 ----a-w- C:\Windows\System32\tmpED1D.tmp
    2011-09-29 07:45:53 415744 ----a-w- C:\Windows\System32\dlcxcoin.dll
    2011-09-29 07:31:36 -------- d-----w- C:\Users\Nick\AppData\Roaming\Yjec
    2011-09-29 07:31:36 -------- d-----w- C:\Users\Nick\AppData\Roaming\Ucori
    2011-09-29 07:04:40 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
    2011-09-29 07:02:09 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
    2011-09-29 07:02:05 -------- d-----w- C:\Program Files (x86)\Lavasoft
    2011-09-29 06:19:29 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-09-29 05:19:01 -------- d-----we C:\Windows\system64
    2011-09-29 05:17:40 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-09-28 00:16:26 -------- d-----w- C:\Users\Nick\AppData\Roaming\Malwarebytes
    2011-09-28 00:16:21 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-09-28 00:16:18 -------- d-----w- C:\Program Files (x86)\Mbam
    2011-09-22 06:00:13 -------- d-----w- C:\Program Files\Dell Photo AIO Printer 926
    2011-09-22 05:59:09 -------- d-----w- C:\Program Files (x86)\Dell Photo AIO Printer 926
    2011-09-22 05:58:29 109056 ----a-w- C:\Windows\System32\dlcxvs.dll
    2011-09-22 05:58:28 1462272 ----a-w- C:\Windows\System32\dlcxg.dll
    2011-09-22 05:58:28 -------- d-----w- C:\dell
    2011-09-20 23:06:02 -------- d-----w- C:\Users\Nick\VirtualBox VMs
    2011-09-14 23:26:41 -------- d-----w- C:\Program Files\Oracle
    ==================== Find3M ====================
    2011-07-07 17:42:37 1172629 ----a-w- C:\ProgramData\SPL7F8D.tmp
    ============= FINISH: 17:10:57.06 ===============
  6. papa877

    papa877 TS Rookie Topic Starter Posts: 26


    DDS (Ver_2011-08-26.01)
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/2/2010 7:10:50 AM
    System Uptime: 9/30/2011 4:10:51 PM (1 hours ago)
    Motherboard: ASUSTeK Computer INC. | | P6X58D-E
    Processor: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz | LGA1366 | 2801/133mhz
    ==== Disk Partitions =========================
    C: is FIXED (NTFS) - 931 GiB total, 263.714 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable
    ==== Disabled Device Manager Items =============
    ==== System Restore Points ===================
    RP310: 9/28/2011 9:44:09 PM - Windows Update
    RP311: 9/28/2011 9:45:24 PM - Installed Java(TM) 6 Update 26
    RP312: 9/28/2011 10:14:02 PM - Windows Update
    RP313: 9/28/2011 10:16:00 PM - Windows Backup
    RP314: 9/29/2011 12:01:35 AM - Installed Ad-Aware
    RP315: 9/29/2011 1:11:44 AM - Windows Update
    RP316: 9/29/2011 1:25:34 AM - Windows Update
    RP317: 9/29/2011 1:47:25 PM - Windows Update
    RP318: 9/30/2011 3:07:27 AM - Windows Update
    RP319: 9/30/2011 3:49:34 AM - Windows Update
    RP320: 9/30/2011 7:19:48 AM - Windows Update
    RP321: 9/30/2011 3:54:53 PM - Windows Update
    ==== Installed Programs ======================
    Update for Microsoft Office 2007 (KB2508958)
    Active@ ISO Burner
    Adobe AIR
    Adobe Common File Installer
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Photoshop Elements 6.0
    Adobe Premiere Elements 4.0
    Adobe Premiere Elements 4.0 Templates
    Advanced Wheel Mouse
    AI Suite
    Apple Application Support
    Apple Software Update
    Application Profiles
    Avira AntiVir Personal - Free Antivirus
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center HydraVision Full
    Catalyst Control Center InstallProxy
    CCC Help English
    Crysis WARHEAD(R)
    DVD-CLONER V7.20 Build 993
    EA Download Manager
    EA Download Manager UI
    Futuremark SystemInfo
    Half-Life 2
    Half-Life 2: Episode One
    Half-Life 2: Episode Two
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) SE Development Kit 6 Update 20
    Left 4 Dead 2
    Malwarebytes' Anti-Malware version
    marvell 91xx driver
    Marvell Miniport Driver
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.3)
    NEC Electronics USB 3.0 Host Controller Driver
    NetBeans IDE 6.8
    PunkBuster Services
    Realtek High Definition Audio Driver
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Sun GlassFish Enterprise Server v3
    Team Fortress 2
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2553110)
  7. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    You're running two AV programs, Lavasoft Ad-Watch Live! Anti-Virus and Avira.
    One of them has to go.
    I suggest Lavasoft goes.


    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it:
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

    Make sure, you re-enable your security programs, when you're done with Combofix.


    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  8. papa877

    papa877 TS Rookie Topic Starter Posts: 26


    I'm trying to post the event viewer messages from past week from the attach.txt file but it is way too long from all the failed windows updates. I will continue with the steps you suggested.
  9. papa877

    papa877 TS Rookie Topic Starter Posts: 26


    I just got a blue screen and crash while running combofix.
    Here is the aswMBR.txt:

    aswMBR version Copyright(c) 2011 AVAST Software
    Run date: 2011-09-30 17:47:46
    17:47:46.958 OS Version: Windows x64 6.1.7600
    17:47:46.958 Number of processors: 8 586 0x1A05
    17:47:46.958 ComputerName: NICK-PC UserName: Nick
    17:47:51.314 Initialize success
    17:48:24.877 AVAST engine defs: 11093001
    17:48:47.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
    17:48:47.299 Disk 0 Vendor: Intel___ 1.0. Size: 953875MB BusType: 8
    17:48:47.300 Device \Driver\iaStor -> MajorFunction fffffa8008fd76c0
    17:48:47.303 Disk 0 MBR read error 0
    17:48:47.305 Disk 0 MBR scan
    17:48:47.311 Disk 0 unknown MBR code
    17:48:47.314 MBR BIOS signature not found 0
    17:48:47.316 Service scanning
    17:48:50.525 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
    17:48:51.944 Modules scanning
    17:48:51.948 Disk 0 trace - called modules:
    17:48:51.951 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8008fd76c0]<<
    17:48:51.955 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8008fca060]
    17:48:51.961 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0xfffffa8007b63050]
    17:48:51.966 \Driver\iaStor[0xfffffa8008fca980] -> IRP_MJ_CREATE -> 0xfffffa8008fd76c0
    17:48:54.083 AVAST engine scan C:\Windows
    17:49:20.387 AVAST engine scan C:\Windows\system32
    17:49:30.393 AVAST engine scan C:\Windows\system32\drivers
    17:49:40.398 AVAST engine scan C:\Users\Nick
    17:49:50.404 AVAST engine scan C:\ProgramData
    17:49:50.409 Scan finished successfully
    17:51:10.622 Disk 0 MBR has been saved successfully to "C:\Users\Nick\Desktop\MBR.dat"
    17:51:10.627 The log file has been saved successfully to "C:\Users\Nick\Desktop\aswMBR.txt"
  10. papa877

    papa877 TS Rookie Topic Starter Posts: 26

    Now i'm getting a blue screen and crash as soon as the desktop loads in normal mode. I rebooted in safe mode.
  11. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Try to run Combofix from safe mode.
  12. papa877

    papa877 TS Rookie Topic Starter Posts: 26

    I ran ComboFix in safe mode. It made it through all the steps and then said it was restarting windows. Once restarted combofix said it was preparing the log when I got the blue screen and crash again with a message something like:

  13. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Please Boot to the System Recovery Options
    If you have Windows 7 installation disc, just insert a DVD to the drive, restart computer and it should load automatically (option two presented in the article).
    It's possible also that your computer has a pre-installed recovery partition instead - in such a case use a method one (by pressing F8 before Windows starts loading)...

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

    Choose Command Prompt
    You should see X:\SOURCES>...

    Execute the following commands in bold.
    Press Enter after every one of them.

    bootrec /fixmbr (<--- there is a "space" after "bootrec")

  14. papa877

    papa877 TS Rookie Topic Starter Posts: 26

    i don't have either. Will any windows 7 64-bit install disk work?
  15. papa877

    papa877 TS Rookie Topic Starter Posts: 26

    I can still boot to safe mode fine if that helps.
  16. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    What do you mean by ANY?
  17. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    It looks like your MBR is infected.
  18. papa877

    papa877 TS Rookie Topic Starter Posts: 26

    Actually after pressing F8 and getting to the boot options I went to startup repair which has the options you mentioned above including command prompt.
  19. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Cool :).....................
  20. papa877

    papa877 TS Rookie Topic Starter Posts: 26

    I think the command prompt showed
    or D or X, i can't remember.

    I typed the command you suggested which completed successfuly.
    Upon restart it only got as far as the starting windows screen before it crashed.
    I opened startup repair which is asking if I want the restore the computer to an earlier time using System Restore.
  21. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Go ahead....
  22. papa877

    papa877 TS Rookie Topic Starter Posts: 26

    startup repair has failed twice now and I can't boot to safe mode anymore.

    I don't know much about what is going on so I was hoping you could enlighten me. At this point is wiping my hard drives (raid 0) my only option?
  23. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Try the process from my reply #13 one more time.

    If still same issue.....

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
  24. papa877

    papa877 TS Rookie Topic Starter Posts: 26

    okay I just clicked on the OTLPE icon and a browse for folder box came up wanting me to select a windows directory. I'm assuming I want System Reserved (C:) which contains 2 folders Boot and System Volume Information. I just want to check what folder to select. I apologize for being ignorant. Thank you so much for all your help!
  25. papa877

    papa877 TS Rookie Topic Starter Posts: 26

    I just realized Local Disk (E:) is where all my program files are so it must be that one.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...