Can not access programs


3 replies to this topic

#1 Mirrorii

  • Members
  • 2 posts

Posted 18 July 2011 - 03:47 AM

Hello,

The other day my kid tells me that he can't get something to work, and when I look at the computer I noticed that the generic Windows XP button/window style wasn't on anymore. Nor could I select them from the Display Properties menu. After finding a copy of the Luna theme and installing it, it still wouldn't work. The Themes service kept stopping on its own. After a reboot, still nothing working. Then when I tried to open IE (to work on my FAFSA) it popped up "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

When I tried to open Firefox, I got the same message. After that I tried running a scan through AVG Free, and that wouldn't open. I rebooted into Safe Mode with Networking, tried again, and no go. I re-downloaded the installers for Firefox and AVG, and it would let me install Firefox and it works, but ONLY if I'm in Safe Mode and only AFTER I re-install it every time I boot up into Safe Mode. Since then I've downloaded Avira AntiVir Personal, Malwarebytes' Anti-Malware, Security Task Manager, TDSSKiller, SUPERAntiSpyware, Spybot S&D, RootRepeal, Emsisoft Anti-Malware, ATF Cleaner, and Doctor Delete.

If I run them in normal mode, it won't let me install them, and if I install them in Safe Mode and then boot to normal mode, it won't let me run them and tells me: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." It happens every time, and the same goes for Firefox or even some of my games. Every time I boot into Safe Mode, I must also re-install any of these programs before I can use them. I will post all the most recent logs that I have from the different programs that I can find the logs for.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2011/07/17 23:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6DE9000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AC3000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7115000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$NtUninstallKB14117$
Status: Locked to the Windows API!

Path: C:\WINDOWS\KB2508272.log:SummaryInformation
Status: Invisible to the Windows API!

Path: C:\Program Files\Mozilla Firefox\update.locale
Status: Invisible to the Windows API!

Path: C:\Program Files\Mozilla Firefox\updater.ini
Status: Invisible to the Windows API!

Path: C:\Program Files\Mozilla Firefox\install.log
Status: Could not get file information (Error 0xc0000008)

Path: C:\Program Files\Mozilla Firefox\browserconfig.properties
Status: Invisible to the Windows API!

Path: C:\Program Files\Mozilla Firefox\dictionaries
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator.USER-3C3A64D9E0\Application Data\Mozilla\Firefox\Profiles\7kuqq8zc.default\formhistory.sqlite-journal
Status: Invisible to the Windows API!

Path: c:\documents and settings\administrator.user-3c3a64d9e0\application data\mozilla\firefox\profiles\7kuqq8zc.default\sessionstore.js
Status: Size mismatch (API: 5833, Raw: 5001)

Path: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110717-234801-2C885794\00000000-C72582C0.av$
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc7435

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc6c5c

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc30b0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc6031

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc5eae

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc6693

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc74b5

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc34e1

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc3574

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc6f27

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc3307

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc671f

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc7229

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc367d

#: 274 Function Name: NtWriteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\fwdrv.sys" at address 0xf6fc7186

==EOF==

Security Task Manager: Computer USER-3C3A64D9E0, User Administrator, 7/18/2011 12:30:52 AM

Name Rating PID CPU Memory Active File Type Start Title, Description Company : product

Windows NT Logon Application 76% 600 1.7 MB C:\WINDOWS\system32\winlogon.exe Program 11:44:50 PM by Windows NT Session Manager Microsoft Corporation : Microsoft® Windows® Operating System
adw30.386 66% c:\afterdrk\adw30.386 Driver when Windows starts, Registry: system.ini -
Firefox 54% 384 2% 45.2 MB 0:03 C:\Program Files\Mozilla Firefox\firefox.exe Program 11:50:52 PM nsAppShell:EventWindow Mozilla Corporation : Firefox
adw30.exe 54% c:\afterdrk\adw30.exe Program when Windows starts, Registry: win.ini -
Java™ Platform SE binary 48% C:\Program Files\Java\jre6\bin\jp2ssv.dll Internet when Internet Explorer starts Java™ Plug-In 2 SSV Helper (Browser Extension) Sun Microsystems, Inc. : Java™ Platform SE 6 U24
RootRepeal 44% 1252 2% 7.9 MB 0:04 C:\Documents and Settings\Owner\My Documents\Downloads\RootRepeal.exe Program 11:48:49 PM by Windows Explorer Rootkit detection and removal tool : RootRepeal
Generic Host Process for Win32 Services 43% 896 4.1 MB C:\WINDOWS\system32\svchost.exe Program 11:45:03 PM by Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Services and Controller app 40% 644 3.3 MB C:\WINDOWS\system32\services.exe Program 11:44:55 PM by Windows NT Logon Application Microsoft Corporation : Microsoft® Windows® Operating System
LSA Shell (Export Version) 40% 664 1.7 MB 0:01 C:\WINDOWS\system32\lsass.exe Program 11:44:56 PM by Windows NT Logon Application Microsoft Corporation : Microsoft® Windows® Operating System
Generic Host Process for Win32 Services 40% 812 4.6 MB C:\WINDOWS\system32\svchost.exe Program 11:45:01 PM by Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Generic Host Process for Win32 Services 40% 956 14.6 MB 0:01 C:\WINDOWS\system32\svchost.exe Program 11:45:04 PM by Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Generic Host Process for Win32 Services 40% 1068 3.6 MB C:\WINDOWS\system32\svchost.exe Program 11:45:04 PM by Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Generic Host Process for Win32 Services 40% 1116 3.0 MB C:\WINDOWS\system32\svchost.exe Program 11:45:05 PM by Services and Controller app Microsoft Corporation : Microsoft® Windows® Operating System
Application Compatibility Client Library 40% C:\WINDOWS\system32\apphelp.dll DLL Microsoft Corporation : Microsoft® Windows® Operating System
Microsoft Text Frame Work Service IME 40% C:\WINDOWS\system32\msctfime.ime DLL Microsoft Corporation : Microsoft® Windows® Operating System
Windows Genuine Advantage Notifications 36% 1536 8.9 MB C:\WINDOWS\system32\WgaTray.exe Program 11:45:16 PM by Windows NT Logon Application Microsoft Corporation : Microsoft Genuine Advantage
Windows Shell Common Dll 30% C:\WINDOWS\system32\SHELL32.dll Program when Windows starts, Registry: Machine\ShellServiceObjectDelayLoad & Machine\ShellServiceObjectDelayLoad PostBootReminder PostBootReminder object (not active) Microsoft Corporation : Microsoft® Windows® Operating System
Daemon AutoRun Application 26% C:\Program Files\Cricket Broadband Connect\AvqAutoRun.exe Program when Windows starts, Registry: Machine\Run {F9AA8FE2-E89A-E99B-E8b8-E9AE9B9ABA99} (not active) : Daemon AutoRun Application
SUPERAntiSpyware.exe 21% C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Program when Windows starts, Registry: User\Run SUPERAntiSpyware (not active) -
Windows NT Session Manager 16% 528 0.4 MB C:\WINDOWS\System32\smss.exe Program 11:44:41 PM Microsoft Corporation : Microsoft® Windows® Operating System
Client Server Runtime Process 16% 576 3.3 MB 0:05 C:\WINDOWS\system32\csrss.exe Program 11:44:46 PM by Windows NT Session Manager Microsoft Corporation : Microsoft® Windows® Operating System
Windows TaskManager 12% 832 1.9 MB 0:01 C:\WINDOWS\system32\taskmgr.exe Program 11:47:21 PM by Windows NT Logon Application Windows Task Manager, CPU Usage: 13% Microsoft Corporation : Microsoft® Windows® Operating System
Windows Management Instrumentation (winmgmt) 8% C:\WINDOWS\system32\wbem\WMIsvc.dll Service during system start-up by svchost.exe Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
Nero 7 Ultra Edition 6% C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe Program when Windows starts, Registry: Machine\Run NeroCheck - Changed for new NeroCd2k installer - NeroFilterCheck (not active) Nero AG : Nero AG NeroCheck  www.nero.com
QuickTime 6% C:\Program Files\QuickTime\QTTask.exe Program when Windows starts, Registry: Machine\Run QuickTime Task (not active) Apple Inc. : QuickTime  www.apple.com
Windows Error Reporting Dump Reporting Tool 5% C:\WINDOWS\system32\dumprep.exe Program when Windows starts, Registry: Machine\Run & Machine\Run UserFaultCheck (not active) Microsoft Corporation : Microsoft® Windows® Operating System
Security Task Manager 5% 452 8% 8.0 MB 0:12 C:\Program Files\Security Task Manager\TaskMan.exe Program 11:50:29 PM by Windows Explorer Security Task Manager A. & M. Neuber Software : Security Task Manager  www.neuber.com
Logical Disk Manager (DMServer) 4% C:\WINDOWS\System32\dmserver.dll Service during system start-up by svchost.exe Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corp. : Logical Disk Manager for Windows NT
WebClient (WebClient) 3% C:\WINDOWS\System32\webclnt.dll Service during system start-up by svchost.exe Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
TCP/IP NetBIOS Helper (LmHosts) 3% C:\WINDOWS\System32\lmhsvc.dll Service during system start-up by svchost.exe Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation : Microsoft® Windows® Operating System
Remote Registry (RemoteRegistry) 3% C:\WINDOWS\system32\regsvc.dll Service during system start-up by svchost.exe Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
DNS Client (DnsCache) 3% C:\WINDOWS\System32\dnsrslvr.dll Service during system start-up by svchost.exe Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
Windows Audio (AudioSrv) 3% C:\WINDOWS\System32\audiosrv.dll Service during system start-up by svchost.exe Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
Computer Browser (Browser) 3% C:\WINDOWS\System32\browser.dll Service during system start-up by svchost.exe Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
Cryptographic Services (CryptSvc) 3% C:\WINDOWS\System32\cryptsvc.dll Service during system start-up by svchost.exe Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
DHCP Client (DHCP) 3% C:\WINDOWS\System32\dhcpcsvc.dll Service during system start-up by svchost.exe Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation : Microsoft® Windows® Operating System
Error Reporting Service (ERSvc) 3% C:\WINDOWS\System32\ersvc.dll Service during system start-up by svchost.exe Allows error reporting for services and applictions running in non-standard environments. Microsoft Corporation : Microsoft® Windows® Operating System
Server (LanmanServer) 3% C:\WINDOWS\System32\srvsvc.dll Service during system start-up by svchost.exe Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
Workstation (LanmanWorkstation) 3% C:\WINDOWS\System32\wkssvc.dll Service during system start-up by svchost.exe Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
Task Scheduler (Schedule) 3% C:\WINDOWS\system32\schedsvc.dll Service during system start-up by svchost.exe Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
Secondary Logon (Seclogon) 3% C:\WINDOWS\System32\seclogon.dll Service during system start-up by svchost.exe Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
System Event Notification (SENS) 3% C:\WINDOWS\system32\sens.dll Service during system start-up by svchost.exe Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation : Microsoft® Windows® Operating System
Windows Firewall/Internet Connection Sharing (ICS) (Sharedaccess) 3% C:\WINDOWS\System32\ipnathlp.dll Service during system start-up by svchost.exe Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Microsoft Corporation : Microsoft® Windows® Operating System
System Restore Service (SRService) 3% C:\WINDOWS\system32\srsvc.dll Service during system start-up by svchost.exe Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Microsoft Corporation : Microsoft® Windows® Operating System
Themes (Themes) 3% C:\WINDOWS\System32\shsvcs.dll Service during system start-up by svchost.exe Provides user experience theme management. Microsoft Corporation : Microsoft® Windows® Operating System
Distributed Link Tracking Client (TrkWks) 3% C:\WINDOWS\system32\trkwks.dll Service during system start-up by svchost.exe Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation : Microsoft® Windows® Operating System
Windows Time (W32Time) 3% C:\WINDOWS\system32\w32time.dll Service during system start-up by svchost.exe Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
Wireless Zero Configuration (WZCSVC) 3% C:\WINDOWS\System32\wzcsvc.dll Service during system start-up by svchost.exe Provides automatic configuration for the 802.11 adapters Microsoft Corporation : Microsoft® Windows® Operating System
Security Center (wscsvc) 3% C:\WINDOWS\system32\wscsvc.dll Service during system start-up by svchost.exe Monitors system security settings and configurations. Microsoft Corporation : Microsoft® Windows® Operating System
Background Intelligent Transfer Service (BITS) 3% C:\WINDOWS\system32\qmgr.dll Service during system start-up by svchost.exe Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled. Microsoft Corporation : Microsoft® Windows® Operating System
Automatic Updates (wuauserv) 3% C:\WINDOWS\system32\wuauserv.dll Service during system start-up by svchost.exe Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. Microsoft Corporation : Microsoft® Windows® Operating System
Shell Hardware Detection (ShellHWDetection) 3% C:\WINDOWS\System32\shsvcs.dll Service during system start-up by svchost.exe Provides notifications for AutoPlay hardware events. Microsoft Corporation : Microsoft® Windows® Operating System
Help and Support (helpsvc) 3% C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll Service during system start-up by svchost.exe Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
DCOM Server Process Launcher (DcomLaunch) 3% C:\WINDOWS\system32\rpcss.dll Service during system start-up by svchost.exe Provides launch functionality for DCOM services. Microsoft Corporation : Microsoft® Windows® Operating System
Remote Procedure Call (RPC) (RpcSs) 3% C:\WINDOWS\system32\rpcss.dll Service during system start-up by svchost.exe Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation : Microsoft® Windows® Operating System
Windows Driver Foundation - User-mode Driver Framework (WUDFSvc) 3% C:\WINDOWS\System32\WUDFSvc.dll Service during system start-up by svchost.exe Manages user-mode driver host processes Microsoft Corporation : Microsoft® Windows® Operating System
PowerDVD RC Service 2% C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe Program when Windows starts, Registry: Machine\Run RemoteControl (not active) CyberLink : PowerDVD
Language Application 2% C:\Program Files\CyberLink\PowerDVD\Language\Language.exe Program when Windows starts, Registry: Machine\Run LanguageShortcut (not active) CyberLink : Language Application
Antivirus System Tray Tool 2% C:\Program Files\Avira\AntiVir Desktop\avgnt.exe Program when Windows starts, Registry: Machine\Run avgnt (not active) Avira GmbH : AntiVir Desktop
Remote Access Connection Manager (Rasman) 0% C:\WINDOWS\System32\rasmans.dll Service manual by svchost.exe Creates a network connection. Microsoft Corporation : Microsoft® Windows® Operating System
TouchPad Driver Helper Application 0% C:\Program Files\Synaptics\SynTP\SynTPLpr.exe Program when Windows starts, Registry: Machine\Run SynTPLpr (not active) Synaptics, Inc. : Synaptics Pointing Device Driver
Synaptics TouchPad Enhancements 0% C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Program when Windows starts, Registry: Machine\Run SynTPEnh (not active) Synaptics, Inc. : Synaptics Pointing Device Driver
Web Site Monitor 0% C:\WINDOWS\system32\webcheck.dll Program when Windows starts, Registry: Machine\ShellServiceObjectDelayLoad WebCheck WebCheck (not active) Microsoft Corporation : Windows® Internet Explorer
Systray shell service object 0% C:\WINDOWS\system32\stobject.dll Program when Windows starts, Registry: Machine\ShellServiceObjectDelayLoad SysTray SysTray (not active) Microsoft Corporation : Microsoft® Windows® Operating System
Windows Portable Device Shell Service Object 0% C:\WINDOWS\system32\WPDShServiceObj.dll Program when Windows starts, Registry: Machine\ShellServiceObjectDelayLoad WPDShServiceObj WPDShServiceObj Class (not active) Microsoft Corporation : Microsoft® Windows® Operating System
On-Demand Scanner 0% 1032 96.3 MB 0:54 C:\Program Files\Avira\AntiVir Desktop\avscan.exe Program 11:48:01 PM Luke Filewalker Avira GmbH : AntiVir Desktop
Windows Explorer 0% 1548 5.3 MB 0:10 C:\WINDOWS\Explorer.EXE Program 11:45:16 PM Downloads Microsoft Corporation : Microsoft® Windows® Operating System
Removable Storage (Ntmssvc) 0% C:\WINDOWS\system32\ntmssvc.dll Service manual by svchost.exe Removable Storage Manager Microsoft Corporation : Microsoft® Windows Whistler® Operating System
Java Auto Updater 0% C:\Program Files\Common Files\Java\Java Update\jusched.exe Program when Windows starts, Registry: Machine\Run Java™ Update Scheduler - SunJavaUpdateSched (not active) Sun Microsystems, Inc. : Java™ Platform SE Auto Updater 2 0
Malwarebytes' Anti-Malware version 1.51.1.1800 0% C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe Program when Windows starts, Registry: Machine\Run Malwarebytes' Anti-Malware (not active) Malwarebytes Corporation : Malwarebytes' Anti-Malware  www.malwarebytes.org
COM+ Event System (EventSystem) 0% C:\WINDOWS\system32\es.dll Service manual by svchost.exe Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : COM Services
HTTP SSL (HTTPFilter) 0% C:\WINDOWS\System32\w3ssl.dll Service manual by svchost.exe This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Internet Information Services
Alerter (Alerter) 0% C:\WINDOWS\system32\alrsvc.dll Service started disabled by svchost.exe Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
Universal Plug and Play Device Host (upnphost) 0% C:\WINDOWS\System32\upnphost.dll Service manual by svchost.exe Provides support to host Universal Plug and Play devices. Microsoft Corporation : Microsoft® Windows® Operating System
SSDP Discovery Service (SSDPSRV) 0% C:\WINDOWS\System32\ssdpsrv.dll Service manual by svchost.exe Enables discovery of UPnP devices on your home network. Microsoft Corporation : Microsoft® Windows® Operating System
Application Management (AppMgmt) 0% C:\WINDOWS\System32\appmgmts.dll Service manual by svchost.exe Provides software installation services such as Assign, Publish, and Remove. Microsoft Corporation : Microsoft® Windows® Operating System
Fast User Switching Compatibility (FastUserSwitchingCompatibility) 0% C:\WINDOWS\System32\shsvcs.dll Service manual by svchost.exe Provides management for applications that require assistance in a multiple user environment. Microsoft Corporation : Microsoft® Windows® Operating System
Messenger (Messenger) 0% C:\WINDOWS\System32\msgsvc.dll Service started disabled by svchost.exe Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation : Microsoft® Windows® Operating System
Network Connections (Netman) 0% C:\WINDOWS\System32\netman.dll Service manual by svchost.exe Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. Microsoft Corporation : Microsoft® Windows® Operating System
Network Location Awareness (NLA) (Nla) 0% C:\WINDOWS\System32\mswsock.dll Service manual by svchost.exe Collects and stores network configuration and location information, and notifies applications when this information changes. Microsoft Corporation : Microsoft® Windows® Operating System
Remote Access Auto Connection Manager (Rasauto) 0% C:\WINDOWS\System32\rasauto.dll Service manual by svchost.exe Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Microsoft Corporation : Microsoft® Windows® Operating System
Routing and Remote Access (Remoteaccess) 0% C:\WINDOWS\System32\mprdim.dll Service started disabled by svchost.exe Offers routing services to businesses in local area and wide area network environments. Microsoft Corporation : Microsoft® Windows® Operating System
Telephony (Tapisrv) 0% C:\WINDOWS\System32\tapisrv.dll Service manual by svchost.exe Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Microsoft Corporation : Microsoft® Windows® Operating System
Windows Management Instrumentation Driver Extensions (Wmi) 0% C:\WINDOWS\System32\advapi32.dll Service manual by svchost.exe Provides systems management information to and from drivers. Microsoft Corporation : Microsoft® Windows® Operating System
Network Provisioning Service (xmlprov) 0% C:\WINDOWS\System32\xmlprov.dll Service manual by svchost.exe Manages XML configuration files on a domain basis for automatic network provisioning. Microsoft Corporation : Microsoft® Windows® Operating System
Portable Media Serial Number Service (WmdmPmSN) 0% C:\WINDOWS\system32\MsPMSNSv.dll Service manual by svchost.exe Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device. Microsoft Corporation : Windows Media Device Manager
Network Access Protection Agent (napagent) 0% C:\WINDOWS\System32\qagentrt.dll Service manual by svchost.exe Allows windows clients to participate in Network Access Protection Microsoft Corporation : Microsoft® Windows® Operating System
Health Key and Certificate Management Service (hkmsvc) 0% C:\WINDOWS\System32\kmsvc.dll Service manual by svchost.exe Manages health certificates and keys (used by NAP) Microsoft Corporation : Microsoft® Windows® Operating System
Terminal Services (TermService) 0% C:\WINDOWS\System32\termsrv.dll Service manual by svchost.exe Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. Microsoft Corporation : Microsoft® Windows® Operating System
Windows Image Acquisition (WIA) (StiSvc) 0% C:\WINDOWS\system32\wiaservc.dll Service manual by svchost.exe Provides image acquisition services for scanners and cameras. Microsoft Corporation : Microsoft® Windows® Operating System
Terminal Services (TermService) 0% C:\WINDOWS\System32\termsrv.dll Service manual by svchost.exe Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. Microsoft Corporation : Microsoft® Windows® Operating System
Extensible Authentication Protocol Service (eaphost) 0% C:\WINDOWS\System32\eapsvc.dll Service manual by svchost.exe Provides windows clients Extensible Authentication Protocol Service Microsoft Corporation : Microsoft® Windows® Operating System
Wired AutoConfig (dot3svc) 0% C:\WINDOWS\System32\dot3svc.dll Service manual by svchost.exe This service performs IEEE 802.1X authentication on Ethernet interfaces Microsoft Corporation : Microsoft® Windows® Operating System

Avira AntiVir Personal
Report file date: Sunday, July 17, 2011 23:48

Scanning for 2789985 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Safe mode with network
Username : Administrator
Computer name : USER-3C3A64D9E0

Version information:
BUILD.DAT : 10.0.0.650 31822 Bytes 6/17/2011 15:43:00
AVSCAN.EXE : 10.0.4.2 442024 Bytes 6/17/2011 18:36:21
AVSCAN.DLL : 10.0.3.0 46440 Bytes 6/17/2011 18:37:04
LUKE.DLL : 10.0.3.2 104296 Bytes 6/17/2011 18:36:49
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 06:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 16:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 13:53:55
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 13:53:56
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 18:36:57
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 18:18:22
VBASE005.VDF : 7.11.8.179 2048 Bytes 5/31/2011 18:18:22
VBASE006.VDF : 7.11.8.180 2048 Bytes 5/31/2011 18:18:22
VBASE007.VDF : 7.11.8.181 2048 Bytes 5/31/2011 18:18:23
VBASE008.VDF : 7.11.8.182 2048 Bytes 5/31/2011 18:18:23
VBASE009.VDF : 7.11.8.183 2048 Bytes 5/31/2011 18:18:23
VBASE010.VDF : 7.11.8.184 2048 Bytes 5/31/2011 18:18:23
VBASE011.VDF : 7.11.8.185 2048 Bytes 5/31/2011 18:18:23
VBASE012.VDF : 7.11.8.186 2048 Bytes 5/31/2011 18:18:23
VBASE013.VDF : 7.11.8.222 121856 Bytes 6/2/2011 07:49:15
VBASE014.VDF : 7.11.9.7 134656 Bytes 6/4/2011 21:10:35
VBASE015.VDF : 7.11.9.42 136192 Bytes 6/6/2011 21:39:56
VBASE016.VDF : 7.11.9.72 117248 Bytes 6/7/2011 20:44:57
VBASE017.VDF : 7.11.9.107 130560 Bytes 6/9/2011 13:03:40
VBASE018.VDF : 7.11.9.143 132096 Bytes 6/10/2011 22:53:41
VBASE019.VDF : 7.11.9.172 141824 Bytes 6/14/2011 12:29:55
VBASE020.VDF : 7.11.9.214 144896 Bytes 6/15/2011 22:32:34
VBASE021.VDF : 7.11.9.244 196608 Bytes 6/16/2011 23:51:31
VBASE022.VDF : 7.11.9.245 2048 Bytes 6/16/2011 23:51:31
VBASE023.VDF : 7.11.9.246 2048 Bytes 6/16/2011 23:51:31
VBASE024.VDF : 7.11.9.247 2048 Bytes 6/16/2011 23:51:31
VBASE025.VDF : 7.11.9.248 2048 Bytes 6/16/2011 23:51:31
VBASE026.VDF : 7.11.9.249 2048 Bytes 6/16/2011 23:51:31
VBASE027.VDF : 7.11.9.250 2048 Bytes 6/16/2011 23:51:31
VBASE028.VDF : 7.11.9.251 2048 Bytes 6/16/2011 23:51:31
VBASE029.VDF : 7.11.9.252 2048 Bytes 6/16/2011 23:51:31
VBASE030.VDF : 7.11.9.253 2048 Bytes 6/16/2011 23:51:31
VBASE031.VDF : 7.11.10.5 45056 Bytes 6/17/2011 18:49:39
Engineversion : 8.2.5.20
AEVDF.DLL : 8.1.2.1 106868 Bytes 4/21/2011 13:53:28
AESCRIPT.DLL : 8.1.3.65 1606010 Bytes 6/16/2011 06:54:00
AESCN.DLL : 8.1.7.2 127349 Bytes 4/21/2011 13:53:27
AESBX.DLL : 8.2.1.34 323957 Bytes 6/16/2011 06:54:00
AERDL.DLL : 8.1.9.9 639347 Bytes 6/17/2011 18:36:10
AEPACK.DLL : 8.2.6.9 557429 Bytes 6/16/2011 06:54:00
AEOFFICE.DLL : 8.1.1.25 205178 Bytes 6/16/2011 06:54:00
AEHEUR.DLL : 8.1.2.128 3547512 Bytes 6/16/2011 06:54:00
AEHELP.DLL : 8.1.17.2 246135 Bytes 6/16/2011 06:54:00
AEGEN.DLL : 8.1.5.6 401780 Bytes 6/16/2011 06:54:00
AEEMU.DLL : 8.1.3.0 393589 Bytes 4/21/2011 13:53:14
AECORE.DLL : 8.1.21.1 196983 Bytes 6/16/2011 06:54:00
AEBB.DLL : 8.1.1.0 53618 Bytes 4/21/2011 13:53:14
AVWINLL.DLL : 10.0.0.0 19304 Bytes 4/21/2011 13:53:36
AVPREF.DLL : 10.0.0.0 44904 Bytes 6/17/2011 18:36:20
AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2011 18:36:20
AVREG.DLL : 10.0.3.2 53096 Bytes 6/17/2011 18:36:20
AVSCPLR.DLL : 10.0.4.2 84840 Bytes 6/17/2011 18:36:21
AVARKT.DLL : 10.0.22.6 231784 Bytes 6/17/2011 18:36:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 6/17/2011 18:36:18
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 21:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 4/21/2011 13:53:36
NETNT.DLL : 10.0.0.0 11624 Bytes 4/21/2011 13:53:46
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 6/17/2011 18:37:06
RCTEXT.DLL : 10.0.58.0 97128 Bytes 6/17/2011 18:37:06

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+PCK,+PFS,+SPR,

Start of the scan: Sunday, July 17, 2011 23:48

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '60' Module(s) have been scanned
Scan process 'taskmgr.exe' - '34' Module(s) have been scanned
Scan process 'Explorer.EXE' - '89' Module(s) have been scanned
Scan process 'WgaTray.exe' - '48' Module(s) have been scanned
Scan process 'svchost.exe' - '31' Module(s) have been scanned
Scan process 'svchost.exe' - '28' Module(s) have been scanned
Scan process 'svchost.exe' - '111' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '47' Module(s) have been scanned
Scan process 'lsass.exe' - '48' Module(s) have been scanned
Scan process 'savedump.exe' - '26' Module(s) have been scanned
Scan process 'services.exe' - '27' Module(s) have been scanned
Scan process 'winlogon.exe' - '63' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
C:\Program Files\Avira\AntiVir Desktop\sched.exe
[WARNING] The file could not be opened!
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
[WARNING] The file could not be opened!
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
[WARNING] The file could not be opened!
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
[WARNING] The file could not be opened!
The registry was scanned ( '1728' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\bb2d1534e227b1fbfa238366\mrtstub.exe
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\Desktop\putty.exe
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\Desktop\temp\TDSSKiller.exe
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\My Documents\Downloads\avira_antivir_personal_en.exe
[0] Archive type: RAR SFX (self extracting)
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
--> en-us\rctext.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
--> wksstats.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
--> avgio.sys
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
--> 2k\avipbb.sys
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Documents and Settings\Owner\My Documents\Downloads\Plants vs Zombies\Plants vs Zombies\PlantsVsZombies.exe
[WARNING] The file could not be opened!
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
[WARNING] The file could not be opened!
C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
[WARNING] The file could not be opened!
C:\Program Files\Avira\AntiVir Desktop\sched.exe
[WARNING] The file could not be opened!
C:\Program Files\Innovative Solutions\DriverMax\devices.exe
[WARNING] The file could not be opened!
C:\Program Files\Internet Explorer\iexplore.exe
[WARNING] The file could not be opened!
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
[WARNING] The file could not be opened!
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
[WARNING] The file could not be opened!
C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
[WARNING] The file could not be opened!
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
[WARNING] The file could not be opened!
C:\Program Files\SSH Communications Security\SSH Secure Shell\SshClient.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\dwwin.exe
[WARNING] The file could not be opened!

Beginning disinfection:
C:\Documents and Settings\Owner\My Documents\Downloads\avira_antivir_personal_en.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4cdc7aac.qua'.


End of the scan: Monday, July 18, 2011 01:16
Used time: 1:26:24 Hour(s)

The scan has been done completely.

6818 Scanned directories
197489 Files were scanned
4 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
19 Files cannot be scanned
197466 Files not concerned
1540 Archives were scanned
19 Warnings
1 Notes

That's all the logs I can find atm... it's late, sorry lol
Any help finding out what I'm infected with and how to remove it would be appreciated very much!!

Edited by hamluis, 18 July 2011 - 07:35 AM.
Moved from XP to Am I Infected.
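The Avira report pasted above is the kind of log a helper reads by hand. The following is an added example (not part of the thread and not Avira's code) that turns the "file scan" and "disinfection" sections into structured records: files the scanner could not open, detections including archive members introduced by "-->" lines, and quarantine notes. The sample report embedded below is constructed from a few lines of the pasted log; the regular expressions are written against the line shapes seen there and are an assumption about the report format in general.

```python
"""Triage parser for an Avira AntiVir Personal scan report (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied in the shape of the pasted report.
SAMPLE_REPORT = r"""
Starting to scan executable files (registry).
C:\Program Files\Avira\AntiVir Desktop\sched.exe
  [WARNING]   The file could not be opened!
The registry was scanned ( '1728' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\bb2d1534e227b1fbfa238366\mrtstub.exe
  [WARNING]   The file could not be opened!
C:\Documents and Settings\Owner\My Documents\Downloads\avira_antivir_personal_en.exe
  [0] Archive type: RAR SFX (self extracting)
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
  --> en-us\rctext.dll
      [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
  --> avgio.sys
      [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Program Files\Avira\AntiVir Desktop\sched.exe
  [WARNING]   The file could not be opened!
C:\Program Files\Internet Explorer\iexplore.exe
  [WARNING]   The file could not be opened!

Beginning disinfection:
C:\Documents and Settings\Owner\My Documents\Downloads\avira_antivir_personal_en.exe
  [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
  [NOTE] The file was moved to the quarantine directory under the name '4cdc7aac.qua'.
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # a scanned file, e.g. C:\WINDOWS\...
MEMBER_RE = re.compile(r"^-->\s*(.+)$")                   # member inside the current archive
WARN_RE = re.compile(r"^\[WARNING\]\s+The file could not be opened!")
DET_RE = re.compile(r"^\[DETECTION\]\s+Is the\s+(\S+)\s*(.*)$")
ARCHIVE_RE = re.compile(r"^\[\d+\]\s+Archive type:\s*(.+)$")
QUAR_RE = re.compile(r"^\[NOTE\]\s+The file was moved to the quarantine directory under the name '([^']+)'")


@dataclass
class Finding:
    path: str                 # top-level file on disk
    member: Optional[str]     # archive member, or None for the file itself
    signature: str            # e.g. TR/Crypt.XPACK.Gen
    category: str             # e.g. Trojan


@dataclass
class Report:
    unopenable: List[str] = field(default_factory=list)
    detections: List[Finding] = field(default_factory=list)
    archives: Dict[str, str] = field(default_factory=dict)     # path -> archive type
    quarantined: Dict[str, str] = field(default_factory=dict)  # path -> quarantine name


def parse_report(text: str) -> Report:
    """Walk the report line by line, tracking the current file and archive member."""
    rep = Report()
    current: Optional[str] = None
    member: Optional[str] = None
    in_disinfection = False   # detections are repeated there; count them once
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Beginning disinfection"):
            in_disinfection = True
            continue
        if PATH_RE.match(line):
            current, member = line, None
            continue
        if current is None:
            continue
        m = MEMBER_RE.match(line)
        if m:
            member = m.group(1).strip()
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            rep.archives[current] = m.group(1).strip()
            continue
        if WARN_RE.match(line):
            if current not in rep.unopenable:   # registry and file passes list the same file
                rep.unopenable.append(current)
            continue
        m = DET_RE.match(line)
        if m and not in_disinfection:
            rep.detections.append(Finding(current, member, m.group(1), m.group(2).strip()))
            continue
        m = QUAR_RE.match(line)
        if m:
            rep.quarantined[current] = m.group(1)
    return rep


def detected_files(rep: Report) -> List[str]:
    """Distinct on-disk files carrying a detection (one SFX can hold several)."""
    return sorted({f.path for f in rep.detections})


def summary(rep: Report) -> Dict[str, int]:
    # Mirrors the report's own totals: detections are counted per member,
    # quarantine per file, which is why '4 found' and '1 moved' can both be right.
    return {
        "unopenable": len(rep.unopenable),
        "detections": len(rep.detections),
        "detected_files": len(detected_files(rep)),
        "quarantined": len(rep.quarantined),
    }


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(summary(r))
    for p in r.unopenable:
        print("could not open:", p)
```

Feed it the full pasted report instead of the sample to get the complete list of executables the scanner could not open; on this machine that list lines up with the programs the poster says will not launch.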


#2 USN Vet

  • Members
  • 190 posts
  • Gender: Male
  • Local time: 02:54 PM

Posted 18 July 2011 - 04:53 AM

If you can install in safe mode, run in safe mode; do not boot into normal mode.

In normal mode, have you run RKill to remove known malware resources before attempting installs, etc.?
Feel free to ignore my comment, just another user!

#3 Mirrorii

  • Topic Starter
  • Members
  • 2 posts
  • Local time: 01:54 PM

Posted 18 July 2011 - 03:24 PM

The problem is, as many times as I run everything in safe mode, it's still there in normal mode. And no, I haven't done RKill, as I think the culprit is svchost.exe (one of them at least), as I've noticed that once the generic windows32 server (I think that's it) crashes, I have a svchost.exe pop into my Task Manager for a second, followed by dwwin.exe for a second, and they keep popping in and out too quickly for me to kill either one.

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,078 posts
  • Gender: Male
  • Location: NJ USA
  • Local time: 03:54 PM

Posted 18 July 2011 - 07:16 PM

Hello, let's try this way.

Download FixPolicies.exe, by Bill Castner, MS-MVP, to your Desktop.

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar. This will create a new folder called FixPolicies.
Double-click to open the new folder, and then double-click the file within: Fix_Policies.cmd.
A black box will briefly appear and then close.
The active malware may revert these changes at your next startup. You can safely run the utility again.


>>>

Please click Start > Run, type inetcpl.cpl in the run box and press Enter.
Click the Connections tab and click the LAN settings option.
Verify whether "Use a proxy..." is checked; if so, UNcheck it and click OK/OK to exit.

>>>>

Reboot into Safe Mode with Networking
How to enter safe mode (XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed, etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on RKill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

Do not reboot your computer after running RKill, as the malware programs will start again; if rebooting is required, run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now reboot to Normal and run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

Please ask any needed questions, post logs, and let us know how the PC is running now.
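The FixPolicies and proxy steps in this post reset settings that a helper normally inspects first. Below is an added example (not part of the post and not FixPolicies' own code) that evaluates a snapshot of those registry values: the Explorer/System policy values that disable Task Manager and the registry editor, the Software Restriction Policy default level, Image File Execution Options "Debugger" entries that redirect a program launch, and the WinINet proxy setting boopme asks the poster to check. The snapshot is a plain dict so the logic runs anywhere; on Windows, read_live_snapshot() fills it with winreg. The registry locations are the standard Windows ones; the sample snapshot and the hijack path in it are constructed for illustration.

```python
"""Policy, SRP, IFEO and proxy lockdown checks (added example)."""
import sys
from typing import Dict, List, Tuple

# (hive, key, value name); the usual locations a policy-reset tool touches (assumption about FixPolicies)
POLICY_VALUES = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
]
SAFER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
PROXY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAFER_LEVELS = {0x40000: "Unrestricted", 0x20000: "Constrained", 0x10000: "Basic User", 0: "Disallowed"}

Snapshot = Dict[Tuple[str, str, str], object]   # (hive, key, name) -> value

# Constructed sample; the Debugger target is a hypothetical path, not something from the thread.
SAMPLE_SNAPSHOT: Snapshot = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
    ("HKLM", SAFER_KEY, "DefaultLevel"): 0,
    ("HKLM", IFEO_KEY + r"\firefox.exe", "Debugger"): r"C:\hypothetical\hijack.exe",
    ("HKCU", PROXY_KEY, "ProxyEnable"): 1,
    ("HKCU", PROXY_KEY, "ProxyServer"): "http=127.0.0.1:8080",
}
CLEAN_SNAPSHOT: Snapshot = {
    ("HKLM", SAFER_KEY, "DefaultLevel"): 0x40000,
    ("HKCU", PROXY_KEY, "ProxyEnable"): 0,
}


def check(snapshot: Snapshot) -> List[str]:
    """Return one finding per setting that restricts the user or redirects execution."""
    findings: List[str] = []
    for hive, key, name in POLICY_VALUES:
        val = snapshot.get((hive, key, name))
        if val:   # present and non-zero means the restriction is on
            findings.append(f"policy {name}={val} set under {hive}\\{key}")
    level = snapshot.get(("HKLM", SAFER_KEY, "DefaultLevel"))
    if level is not None and level != 0x40000:
        label = SAFER_LEVELS.get(level, hex(level))
        findings.append(f"SRP DefaultLevel is {label}; programs are restricted unless a rule allows them")
    for hive, key, name in sorted(snapshot):
        # A Debugger value makes Windows start the named program instead of the image.
        # Legitimate debuggers use it too, so the target path is what needs checking.
        if name.lower() == "debugger" and key.lower().startswith(IFEO_KEY.lower() + "\\"):
            image = key.rsplit("\\", 1)[1]
            findings.append(f"IFEO Debugger for {image} -> {snapshot[(hive, key, name)]}")
    if snapshot.get(("HKCU", PROXY_KEY, "ProxyEnable")):
        server = snapshot.get(("HKCU", PROXY_KEY, "ProxyServer"), "<unset>")
        findings.append(f"proxy enabled: {server}")
    return findings


def read_live_snapshot() -> Snapshot:
    """Windows only: read the checked values with winreg. Returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap: Snapshot = {}

    def read(hive: str, key: str, name: str) -> None:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                snap[(hive, key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass   # key or value absent: nothing to report

    for triple in POLICY_VALUES:
        read(*triple)
    read("HKLM", SAFER_KEY, "DefaultLevel")
    read("HKCU", PROXY_KEY, "ProxyEnable")
    read("HKCU", PROXY_KEY, "ProxyServer")
    try:
        with winreg.OpenKey(hives["HKLM"], IFEO_KEY) as k:
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(k, i)
                except OSError:
                    break
                read("HKLM", IFEO_KEY + "\\" + sub, "Debugger")
                i += 1
    except OSError:
        pass
    return snap


if __name__ == "__main__":
    for line in check(read_live_snapshot() or SAMPLE_SNAPSHOT):
        print(line)
```

Run it before and after the Fix_Policies.cmd step: anything that reappears after a reboot, as the post warns it may, points at a persistence mechanism that still needs to be removed rather than a setting that merely needs resetting.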



