
Possible Trojan?


20 replies to this topic

#1 Confounded

Confounded

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:42 AM

Posted 26 October 2009 - 06:28 AM

Hi guys, need some advice please.

I'm running Vista SP2 32bit.

It all happened very fast but I think(?) I encountered a trojan, as I got a very brief warning (from defender?) and then my laptop restarted.

I immediately unplugged the router as a security measure and have not been back on the internet since.

I have found that AVG does not have any active components, nor can I reinstall it. Also cleanup, HijackThis and mbam will not load.

I downloaded windows malicious software removal from another laptop to a cd-rom and tried to run it but get the message "Extraction failed mrtstub.exe is not a valid Win32 application". The file name is "windows-kb890830-v3.0"

When pressing F8 at startup I can get to the startup options screen but when I select "safe mode" it seems to just load normally i.e. not in safe mode.

Any advice on what to do next, and am I right not to go onto the internet, or could that potentially solve the problem?

Many thanks in anticipation


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:42 AM

Posted 26 October 2009 - 08:03 AM

Welcome to BC :thumbsup:

We will need an internet connection, or the ability to transfer files, for this clean...

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Confounded

Confounded
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:42 AM

Posted 26 October 2009 - 10:26 AM


Many thanks for the quick response.

I used a USB drive to transfer the files to the infected machine. I still have not been on the internet with it.

Of those four links, the first 3 could not be run as administrator (no option) and all 3 showed a black box with no writing in it for around 8 - 10 seconds.

The 4th link however could be run as admin, showed a black box for a little while longer, then very briefly displayed three lines of text that I think said something along the lines of "completed successfully".


The next thing to do from your list is to go onto the internet to run mbam. Can I just double check that this is a) essential (can updates be downloaded anywhere else? I can't find them) and b) relatively safe to do, as I am paranoid about data being stolen/further problems.

Just trying to be extra cautious.

Thanks again

EDIT: I should also add I just tried to run mbam as admin but the splash screen appears for a millisecond then disappears. I have also tried renaming the file and loading it but the same thing happens.

Edited by Confounded, 26 October 2009 - 10:29 AM.


#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:42 AM

Posted 26 October 2009 - 12:35 PM

> EDIT: I should also add I just tried to run mbam as admin but the splash screen appears for a millisecond then disappears. I have also tried renaming the file and loading it but the same thing happens.


It sounds like through the fourth link the program did what it was supposed to do.

Try to get updates from here. The link I had was moved

Edit: Sorry, about MBAM... It will not run after running RKill?

Edited by rigel, 26 October 2009 - 12:36 PM.
Added comment.



#5 Confounded

Confounded
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:42 AM

Posted 26 October 2009 - 01:02 PM

Thanks for your help so far, I think we may be getting somewhere.

I have no idea what rkill does, but from the name I would guess it temporarily kills the process whatever it is?

Anyway, a friend suggested I try the free version of PrevX which just scans, with the option of buying the full version if it finds something.

The first time I ran it, it got stuck on some file, but I'm wondering whether rkill has helped, as I ran rkill a second time after a reboot, then launched prevx and it completed the scan and found numerous high risk files for removal. Unfortunately I couldn't find a way to save that list so I went ahead and paid the 20 for the full version.

It has seemed to work and I can now run malwarebytes (maybe the prevx thing is irrelevant, maybe rkill worked then I rebooted then ran mbam??? So confused!:thumbsup:)

Having said that Prevx found and removed a lot of high risk files, I have just run malwarebytes and have cleaned/quarantined many new files not picked up by PrevX, as per your instructions. They are posted below, it looks ok now?

Any idea what program actually worked here and is there anything else I should do? Either way it seems that there is a solution for others here (somewhere) that may be having similar problems.

Malwarebytes' Anti-Malware 1.41
Database version: 3036
Windows 6.0.6002 Service Pack 2

26/10/2009 17:52:58
mbam-log-2009-10-26 (17-52-58).txt

Scan type: Quick Scan
Objects scanned: 85244
Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 215

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sK9Ou0s (Worm.Bagle) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit (Worm.Bagle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\german.exe (Worm.Bagle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Worm.Bagle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Alun\AppData\Roaming\drivers\downld (Worm.Bagle) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\hidires (Worm.Bagle) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\hidires\lang (Worm.Bagle) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\hidires\WDIR (Worm.Bagle) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\hidires\webserver (Worm.Bagle) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Alun\AppData\Roaming\m\shared\Screenshot_Captor_2.11.04.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Site Security Management Utility 1.0.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\sitewebdesk 6.7.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Slideshow Magic 4.0.8.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\SmartMinimizer_2.2_KeyGen.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Smileyville_1.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\SQL Dictionary Multilingual Database Dutch 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\StopMotion_Camera_1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Synchronizer_1.2_Key+Serial.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\SystemReport 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Tallyem 1.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\TestComplete 6.50.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\The_GateKeeper_3.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Tiger II Tools 1.1.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\TimeCount_3.0_Crack.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Unifier 3.2 (Cracked).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Veox Projekt Standard 5.95.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\VideoResizer 1.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Volume Logic for Winamp 1.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Vortex Screen Saver 0.8.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\WebCloner Offline Browser 2.6 [Crack].zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Web_Buttons_2.00.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\WinBootInfo 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\WinClean Pro 1.00 Crack.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\WinCleaner_Antivirus_8.00.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\WOOWEB-PRO 4.47.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\WorldSave_99.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\XHTML_Mobile_Profile_0.5.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Alun\AppData\Roaming\m\shared\Yosemite by The Drawing Hand 5.6.zip (Trojan.Agent) -> Quarantined and deleted successfully.



#6 rigel

Posted 26 October 2009 - 05:35 PM

RKill is one of our new tools by our very own Grinler :thumbsup:

Please update and rerun Malwarebytes and post a fresh log.

Next:
Please download ATF Cleaner by Atribune and save it to your desktop (alternate download link). DO NOT use it yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose:
    Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



#7 Confounded (Topic Starter)

Posted 27 October 2009 - 06:19 AM

> Please update and rerun Malwarebytes and post a fresh log.

Using update 3038:

Malwarebytes' Anti-Malware 1.41
Database version: 3038
Windows 6.0.6002 Service Pack 2

27/10/2009 11:18:06
mbam-log-2009-10-27 (11-18-06).txt

Scan type: Quick Scan
Objects scanned: 86067
Time elapsed: 10 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I'll try the other suggestions now and report back

#8 Confounded (Topic Starter)

Posted 27 October 2009 - 09:52 AM

Right, the short story is that I eventually managed to get into safe mode, couldn't run ATF in safe mode (Runtime error '481': invalid picture), did run SuperAS in safe mode, it found 4 adware tracking cookies. Rebooted into normal mode, no log found in SuperAS. Then also ran ATF in normal mode and deleted as per instructions.

The long story should it be relevant:

1. pressing F8 on reboot and choosing "safe mode" did not work and kept bringing me back to the normal desktop mode
2. tried to access "safe mode" by using run>msconfig>safeboot
3. the boot sequence kept looping, going nowhere
4. I then used F8 and chose "last known good configuration" which loaded in safe mode
5. searched for and tried to run ATF-cleaner both as administrator and normally, both ways showed a Runtime error as above and failed to load
6. Ran SuperAS and it found 4 adware tracking cookies.
7. Went back into run>msconfig>boot and unchecked safe boot.
8. Rebooted in normal mode.
9. No SuperAS log found as in instructions
10. Ran ATF-Cleaner in normal mode and cleaned all temp and browser files as per instructions.



Two things I noticed whilst in safe mode which may or not be relevant:

a) Whilst in msconfig, the general tab had "selective startup" checked with "load system services" and "load startup items" checked below it. Should this be "Normal Startup" rather than "selective"?

and,

b) ATF-Cleaner>Properties>Compatibility Tab had "privacy level run as admin" unchecked and grayed out.





Does it matter that ATF could not be run in safe mode and only in normal mode? And also, why am I having the problems getting into Safe Mode in the first place?


Lastly, Windows defender seems to be unable to load, do I need to get this back up and running?

Edited by Confounded, 27 October 2009 - 10:06 AM.


#9 Confounded (Topic Starter)

Posted 27 October 2009 - 12:11 PM

rigel, just a quick one: I'm running SuperAS and getting the same 4 tracking cookies. Will hopefully post now if it lets me.

EDIT: running SuperAS in normal mode, not safe mode.

Edited by Confounded, 27 October 2009 - 12:15 PM.


#10 rigel

Posted 27 October 2009 - 12:18 PM

Let's use an alternate for ATF.

Please download TFC by Old Timer and save it to your desktop (alternate download link).
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Your startup should be Normal. Were you excluding items during start-up that may have been a problem?

Let's run ESET

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users: be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab).
  • Answer Yes to install and download the ActiveX controls that allow the scan to run.
  • Click Start. (The Onlinescanner will now prepare itself for running on your PC.)
  • To do a full scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (This could take some time to complete.)
  • When the scan has finished, it will show a screen with two tabs, "overview" and "details", and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.



#11 Confounded (Topic Starter)

Posted 27 October 2009 - 04:05 PM

1. TFC removed around 1400MB of data

2. I have changed the startup back to normal. (I think I did stop some programs from starting on startup - all the silly little programs you get with a new laptop)

3. Eset scan results are below:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9a258da5bb223a4aa32a470d1889a326
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2009-10-27 06:24:42
# local_time=2009-10-27 06:24:42 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 77867 77867 0 0
# compatibility_mode=5892 16776574 100 95 90771 94197745 0 0
# compatibility_mode=8199 22379965 100 97 71365 2436031 0 0
# scanned=111022
# found=0
# cleaned=0
# scan_time=2865
# nod_component=V3 Build:0x30000000



#12 rigel

Posted 27 October 2009 - 08:40 PM

How are things running now?

Let's do one more scan...
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.



#13 Confounded (Topic Starter)

Posted 28 October 2009 - 06:29 AM

Normal mode scan, I will try it in safe mode just to be sure. How does it look? My laptop seems to be operating well, just want to make sure whatever it was has gone.


GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-28 11:27:21
Windows 6.0.6002 Service Pack 2
Running: 7rxr6nei.exe; Driver: C:\Users\Alun\AppData\Local\Temp\kgtdrpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\pxsec.sys (Prevx Realtime Analysis/Prevx) ZwAssignProcessToJobObject [0x89D26280]
SSDT \SystemRoot\System32\drivers\pxsec.sys (Prevx Realtime Analysis/Prevx) ZwCreateThread [0x89D262C0]
SSDT \SystemRoot\System32\drivers\pxsec.sys (Prevx Realtime Analysis/Prevx) ZwOpenProcess [0x89D26550]
SSDT \SystemRoot\System32\drivers\pxsec.sys (Prevx Realtime Analysis/Prevx) ZwOpenThread [0x89D26410]
SSDT \SystemRoot\System32\drivers\pxsec.sys (Prevx Realtime Analysis/Prevx) ZwProtectVirtualMemory [0x89D26320]
SSDT \SystemRoot\System32\drivers\pxsec.sys (Prevx Realtime Analysis/Prevx) ZwSetContextThread [0x89D26240]
SSDT \SystemRoot\System32\drivers\pxsec.sys (Prevx Realtime Analysis/Prevx) ZwTerminateProcess [0x89D26680]
SSDT \SystemRoot\System32\drivers\pxsec.sys (Prevx Realtime Analysis/Prevx) ZwTerminateThread [0x89D26370]
SSDT \SystemRoot\System32\drivers\pxsec.sys (Prevx Realtime Analysis/Prevx) ZwWriteVirtualMemory [0x89D263B0]

INT 0x72 ? 86546BF8
INT 0x72 ? 86546BF8
INT 0x72 ? 86546BF8
INT 0x72 ? 86546BF8
INT 0x82 ? 86546BF8
INT 0x92 ? 8471ABF8
INT 0x92 ? 8471ABF8
INT 0x92 ? 8471ABF8
INT 0x92 ? 8471ABF8
INT 0x92 ? 8471ABF8
INT 0xA2 ? 86546BF8
INT 0xA2 ? 86546BF8
INT 0xB2 ? 86546BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 191 81EC48D4 4 Bytes [80, 62, D2, 89] {AND BYTE [EDX-0x2e], 0x89}
.text ntkrnlpa.exe!KeSetEvent + 221 81EC4964 4 Bytes [C0, 62, D2, 89] {SHL BYTE [EDX-0x2e], 0x89}
.text ntkrnlpa.exe!KeSetEvent + 3F1 81EC4B34 4 Bytes [50, 65, D2, 89]
.text ntkrnlpa.exe!KeSetEvent + 40D 81EC4B50 4 Bytes [10, 64, D2, 89] {ADC [EDX+EDX*8-0x77], AH}
.text ntkrnlpa.exe!KeSetEvent + 431 81EC4B74 4 Bytes [20, 63, D2, 89]
.text ...
? System32\Drivers\spzq.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8DFE641B 5 Bytes JMP 865461D8
.text a82ulqqe.SYS 8E183000 22 Bytes [82, 83, 1D, 82, 6C, 82, 1D, ...]
.text a82ulqqe.SYS 8E183017 45 Bytes [00, 32, 17, 7A, 80, 3D, 15, ...]
.text a82ulqqe.SYS 8E183045 135 Bytes JMP 69FD81EB
.text a82ulqqe.SYS 8E1830CE 10 Bytes [00, 00, 00, 00, 00, 00, F6, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; IDIV BYTE [ECX-0x25]; DEC ECX}
.text a82ulqqe.SYS 8E1830DA 12 Bytes [00, 00, 02, 00, 00, 00, 26, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[220] kernel32.dll!SetUnhandledExceptionFilter 7686A84F 4 Bytes [C2, 04, 00, 00]
.text C:\Windows\Explorer.EXE[2700] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C9 7565B364 4 Bytes [B0, 22, 00, 10] {MOV AL, 0x22; ADD [EAX], DL}

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806976D6] \SystemRoot\System32\Drivers\spzq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80697042] \SystemRoot\System32\Drivers\spzq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80697800] \SystemRoot\System32\Drivers\spzq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806970C0] \SystemRoot\System32\Drivers\spzq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069713E] \SystemRoot\System32\Drivers\spzq.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A6E9C] \SystemRoot\System32\Drivers\spzq.sys
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortNotification] 9831BC8D
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortWritePortUchar] 33000000
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortWritePortUlong] 40C683C9
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortGetPhysicalAddress] C10FF041
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] FF45C60E
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortGetScatterGatherList] 8BA8EB01
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortReadPortUchar] 11890855
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortStallExecution] CB8BD08A
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortGetParentBusType] 0ACC87C7
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortRequestCallback] 00010000
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortWritePortBufferUshort] D6FF0000
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortGetUnCachedExtension] E8F475FF
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortCompleteRequest] FFFFF118
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortMoveMemory] 00FF7D80
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 0090850F
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 75FF0000
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] E8006A08
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortReadPortUshort] 0001E60A
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 000081E9
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortInitialize] 087D8300
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortGetDeviceBase] BF7B7501
IAT \SystemRoot\System32\Drivers\a82ulqqe.SYS[ataport.SYS!AtaPortDeviceStateChange] [8E1A8FB0] \SystemRoot\System32\Drivers\a82ulqqe.SYS (ATAPI IDE Miniport Driver/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[664] @ C:\Windows\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [00B61210] C:\Program Files\NewTech Infosystems\Acer Backup Manager\Pehook.dll (Backup Manager Module/NewTech Infosystems, Inc.)
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [10002480] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/EgisTec Inc.)
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001DA0] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/EgisTec Inc.)
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [100027D0] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/EgisTec Inc.)
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [10001290] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/EgisTec Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 850AE1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\fastfat \FatCdrom 86DDE1F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 8471C1F8
Device \Driver\usbuhci \Device\USBPDO-0 863081F8
Device \Driver\PCI_PNP2013 \Device\00000051 spzq.sys
Device \Driver\netbt \Device\NetBT_Tcpip_{C50B5E64-FEB9-43A5-8D7F-A5168348F856} 86CA61F8
Device \Driver\usbuhci \Device\USBPDO-1 863081F8
Device \Driver\usbehci \Device\USBPDO-2 863071F8
Device \Driver\sptd \Device\496608024 spzq.sys
Device \Driver\usbuhci \Device\USBPDO-3 863081F8
Device \Driver\usbuhci \Device\USBPDO-4 863081F8
Device \Driver\usbuhci \Device\USBPDO-5 863081F8
Device \Driver\usbuhci \Device\USBPDO-6 863081F8
Device \Driver\volmgr \Device\HarddiskVolume1 8471C1F8
Device \Driver\usbehci \Device\USBPDO-7 863071F8
Device \Driver\volmgr \Device\HarddiskVolume2 8471C1F8
Device \Driver\cdrom \Device\CdRom0 8630B1F8
Device \Driver\cdrom \Device\CdRom1 8630B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 850AC1F8
Device \Driver\atapi \Device\Ide\IdePort0 850AC1F8
Device \Driver\atapi \Device\Ide\IdePort1 850AC1F8
Device \Driver\atapi \Device\Ide\IdePort2 850AC1F8
Device \Driver\atapi \Device\Ide\IdePort3 850AC1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 850AC1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 850AD1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 850AD1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 850AD1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 850AD1F8
Device \Driver\cdrom \Device\CdRom2 8630B1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{55F64E52-78B4-4C0D-AD54-E54E2BEEB433} 86CA61F8
Device \Driver\netbt \Device\NetBt_Wins_Export 86CA61F8
Device \Driver\Smb \Device\NetbiosSmb 86C3C1F8
Device \Driver\iScsiPrt \Device\RaidPort0 8648F1F8
Device \Driver\usbuhci \Device\USBFDO-0 863081F8
Device \Driver\usbuhci \Device\USBFDO-1 863081F8
Device \Driver\usbehci \Device\USBFDO-2 863071F8
Device \Driver\usbuhci \Device\USBFDO-3 863081F8
Device \Driver\usbuhci \Device\USBFDO-4 863081F8
Device \Driver\usbuhci \Device\USBFDO-5 863081F8
Device \Driver\usbuhci \Device\USBFDO-6 863081F8
Device \Driver\usbehci \Device\USBFDO-7 863071F8
Device \Driver\a82ulqqe \Device\Scsi\a82ulqqe1Port5Path0Target1Lun0 864931F8
Device \Driver\a82ulqqe \Device\Scsi\a82ulqqe1Port5Path0Target0Lun0 864931F8
Device \Driver\a82ulqqe \Device\Scsi\a82ulqqe1 864931F8
Device \FileSystem\fastfat \Fat 86DDE1F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\cdfs \Cdfs 86EF41F8

---- Threads - GMER 1.0.15 ----

Thread System [4:476] 86D81930

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD7 0xB7 0x27 0x34 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x50 0x6D 0x65 0x92 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x00 0x15 0x99 0xF8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x7F 0xA2 0x1B 0x12 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD7 0xB7 0x27 0x34 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x50 0x6D 0x65 0x92 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x00 0x15 0x99 0xF8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x7F 0xA2 0x1B 0x12 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD7 0xB7 0x27 0x34 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x50 0x6D 0x65 0x92 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x00 0x15 0x99 0xF8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x7F 0xA2 0x1B 0x12 ...

---- EOF - GMER 1.0.15 ----
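As an added example (it is not part of GMER or of this thread), the PowerShell below parses the `Reg` lines of a GMER log such as the one above into objects, so a reviewer can see which entries sit in the active ControlSet and which program path the driver configuration names. The four sample lines are copied from the log above; the function names are this example's own, and it assumes PowerShell 2.0 or later.

```powershell
# Added example (not from GMER or from this thread): parse the "Reg ..." lines of
# a GMER log into objects so a reviewer can see which entries are in the active
# ControlSet and which program path the driver configuration points at.
# Assumes PowerShell 2.0 or later; the function names are this example's own.

# Constructed sample input: four lines copied from the GMER output above.
$SampleLog = @'
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x7F 0xA2 0x1B 0x12 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
'@

function ConvertFrom-GmerRegLine {
    param([Parameter(Mandatory=$true)][string]$Line)
    # GMER layout: "Reg <key>[@<value name>] [<data>] [(not active ControlSet)]"
    $pattern = '^Reg\s+(?<key>\S+?)(?:@(?<value>\S+))?(?:\s+(?<data>.*?))?\s*(?<inactive>\(not active ControlSet\))?\s*$'
    if (-not ($Line -match $pattern)) { return $null }
    # Copy the captures before any further -match overwrites $Matches.
    $key      = $Matches['key']
    $value    = $Matches['value']
    $data     = $Matches['data']
    $inactive = [bool]$Matches['inactive']
    # CurrentControlSet is the one Windows booted from; ControlSet00N are the others.
    $controlSet = 'n/a'
    if ($key -match '\\(?<cs>CurrentControlSet|ControlSet\d{3})\\') { $controlSet = $Matches['cs'] }
    # The service name is the path component right after \Services\.
    $service = 'n/a'
    if ($key -match '\\Services\\(?<svc>[^\\]+)') { $service = $Matches['svc'] }
    New-Object PSObject -Property @{
        Service    = $service
        ControlSet = $controlSet
        Active     = -not $inactive
        Key        = $key
        ValueName  = $value
        Data       = $data
        # Data that looks like a drive path tells you which product owns the driver.
        IsPath     = [bool]($data -match '^[A-Za-z]:\\')
    }
}

function Get-GmerRegSummary {
    param([Parameter(Mandatory=$true)][string]$LogText)
    $entries = @($LogText -split "`r?`n" |
        Where-Object { $_ -like 'Reg *' } |
        ForEach-Object { ConvertFrom-GmerRegLine -Line $_ } |
        Where-Object { $_ -ne $null })
    New-Object PSObject -Property @{
        Total        = $entries.Count
        Active       = @($entries | Where-Object { $_.Active }).Count
        Inactive     = @($entries | Where-Object { -not $_.Active }).Count
        Services     = @($entries | Select-Object -ExpandProperty Service -Unique)
        ProgramPaths = @($entries | Where-Object { $_.IsPath } | Select-Object -ExpandProperty Data -Unique)
    }
}

Get-GmerRegSummary -LogText $SampleLog | Format-List
```

Entries marked `(not active ControlSet)` live in the backup control sets and, as in the log above, are mirror copies of the active ones; the `@p0` value shows the `sptd` configuration points at the Alcohol 120 install directory, which is the kind of detail a helper checks before calling a GMER log clean.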



#14 Confounded

Posted 28 October 2009 - 06:59 AM

Tried to run GMER in safe mode, still having problems using the normal F8 method to get into safe mode. Used the msconfig>boot way.

Then tried to run GMER, it started but got a message that it stopped working. GMER showed it hung on \Device\Harddisk Volume Shadow Copy 1

Clicked OK and got a blue screen before restarting.

Repeated the process and the same thing happened again but this time without the blue screen.

As a side note, defender is still failing to load with the message:

Application failed to initialize: 0x800106ba. A problem caused this program's service to stop. To start the service, restart your computer or search help and support for how to start a service manually.

Guess I just need to start it manually then?

#15 rigel

Posted 28 October 2009 - 07:48 AM

Redownload (new version) and rerun RKill. See if that helps with safe mode.

You also may need to reload defender.

Also GMER looks fine.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
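Before deciding whether Defender has to be reinstalled, a helper would normally want to know whether the Windows Defender service (`WinDefend`) still exists and whether the SafeBoot registry keys that Safe Mode is built from are still present, since both symptoms in the post above point at those two places. The following is an added example, not from this thread, from rigel, or from Microsoft; it assumes Vista/7 with PowerShell 2.0 or later, an elevated prompt, and the `-Repair` switch is this example's own.

```powershell
# Added example (not from this thread, rigel, or Microsoft): a quick state check
# to run before deciding whether Defender must be reinstalled. It reports the
# Windows Defender service (WinDefend) and whether the SafeBoot registry keys
# that Safe Mode is built from are still present. Assumes Vista/7 with
# PowerShell 2.0 or later, run from an elevated prompt; -Repair is this
# example's own switch.

param([switch]$Repair)

function Get-DefenderServiceState {
    # Returns 'missing' when the service entry itself is gone, else Running/Stopped/...
    $svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return 'missing' }
    return $svc.Status.ToString()
}

function Test-SafeBootKeys {
    # Safe Mode loads only the drivers and services listed under these keys; if
    # they have been removed, Safe Mode cannot start correctly.
    $base = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($variant in 'Minimal', 'Network') {
        $path = "$base\$variant"
        $present = Test-Path -Path $path
        $count = 0
        if ($present) { $count = @(Get-ChildItem -Path $path).Count }
        New-Object PSObject -Property @{ Variant = $variant; Present = $present; Entries = $count }
    }
}

$state = Get-DefenderServiceState
Write-Output "WinDefend service: $state"
Test-SafeBootKeys | Format-Table -AutoSize

# Only touch the service when asked to, and only if the entry still exists.
if ($Repair -and $state -ne 'missing' -and $state -ne 'Running') {
    Set-Service -Name 'WinDefend' -StartupType Automatic
    Start-Service -Name 'WinDefend'
    Write-Output ("WinDefend now: " + (Get-Service -Name 'WinDefend').Status)
}
```

Run it without `-Repair` first: a `missing` service or an absent SafeBoot key is evidence worth reporting back in the thread, and is a different problem from a service that is merely stopped and can be started again.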
