BleepingComputer.com forums
Infected with "System Security 2011"


  • Please log in to reply
15 replies to this topic

#1 mzguy


Posted 23 October 2011 - 06:44 PM

Hello,

I've been infected with a fake anti-virus program that displays as "System Security 2011."

Avast detected malware, and said it was stopped, but my computer began to run slow. I went into the task manager and found a suspiciously named process (random letters and numbers), and when I ended the process, my computer went to a BSOD and restarted. On startup a new program I had not seen before popped up called "System Security 2011." It looks like an anti-virus program, shows me a whole bunch of fake warnings and wants me to pay for it.

The program blocks me from using my keyboard on restart, so I can't press F8 and get into safe mode. When I try to Ctrl-Alt-Del it tells me that I cannot. I am able to access the task manager if I do it first thing when my computer starts up, before the program starts. However, even if I end the tasks/processes right away, more continue to pop up. I can open some programs but everything runs insanely slow. I tried downloading a copy of SUPERAntiSpyware Portable onto a thumb drive but I cannot open it.

Can anyone help me or point me in the right direction?



#2 mzguy


Posted 23 October 2011 - 08:00 PM

Well I got SUPERAntiSpyware to run a scan, and it found quite a few infected files that I removed/quarantined using the software. After a restart though, the virus is still there and doesn't seem to be affected.

#3 Broni


Posted 23 October 2011 - 10:09 PM

Follow this guide: http://www.bleepingcomputer.com/virus-removal/remove-system-security-2011

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#4 mzguy


Posted 24 October 2011 - 03:03 PM

Thank you so much for that link. It took a long time, but I was able to run Malwarebytes' Anti-Malware and it seems to have removed the fake AV software. I am still having some minor lingering issues afterwards.


Once I got it to run in Safe Mode, I ran RKill and then Anti-Malware. I started a full scan and then went to sleep. When I woke up, the computer had somehow restarted in normal mode, the virus was still there, and all my files/folders on the desktop appear hidden, as well as my Start->All Programs list just saying "empty". The files on the desktop are see-through, and I can still access them. It doesn't appear that anything is deleted or anything, I simply want to make sure this is just a matter of some setting being checked as "hidden," and not a more serious sign that the virus is still on my computer.

I restarted into safe mode (the files were also "hidden" in safe mode), ran the scan again, and several hours later when I clicked to "remove all files" it gave me a memory error and the program closed. So, I had to scan several times, each time aborting the scan and deleting some of the files. I did this until I could do a full scan and delete all the files it found without running into memory issues.

When I restarted back into normal mode after this, everything seems better, but it is still running slightly slow. Avast (the AV software I had installed previously) immediately popped up that it had blocked a trojan horse, which concerns me. This is similar to the warning I got right before the virus took over.


So I guess at this point I am looking for advice on what to do next. First, how do I unhide all my files? And also, is there any software you would recommend I use to make sure I am completely free of this virus? And lastly, is there any recommended software (preferably free) to help prevent this from ever happening again?

Thank you in advance to anyone willing to read my problems and help :)

#5 mzguy


Posted 24 October 2011 - 03:32 PM

It appears that I also have that google redirect malware. Lots of links from google send me to a nobelsearch.net redirect address which then sends me to the norton antivirus page or to a blank page with nothing but a "continue" button on it (which I have obviously not clicked).

Any tips?

#6 Broni


Posted 24 October 2011 - 03:33 PM

Let's see if we can recover your missing features.
Download and run UnHide
Let me know if it worked.

Then....

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.



#7 mzguy


Posted 24 October 2011 - 04:15 PM

First of all, I just want to say that you kick ass, Broni. Thanks for helping some random stranger on the internet deal with a very stressful and frustrating computer situation :)

I ran unhide.exe, and the folders in my start menu reappeared, but about half of them are 'empty'. The files/folders on my desktop appear to have been unhidden successfully though. Honestly I don't really care about the start menu, as long as everything functions correctly.

Trying the next step now.

#8 mzguy


Posted 24 October 2011 - 04:24 PM

Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
avast! Free Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 17
Out of date Java installed!
Adobe Flash Player 10.0.32.18
Adobe Reader 9.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

windows defender MpCmdRun.exe
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
``````````End of Log````````````

#9 Broni


Posted 24 October 2011 - 04:27 PM

Good news :)

but about half of them are 'empty'.

In your spare time go here: http://www.smartestcomputing.us.com/topic/46010-how-to-restore-files-hiddendeleted-by-windows-recovery-virus/, scroll down to:
In case, program's link shows as (empty):



#10 mzguy


Posted 24 October 2011 - 04:31 PM

When I ran MiniToolBox, I checked the appropriate boxes and got a "nslookup.exe - Ordinal Not Found" error.
The exact text is:
The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll.

I got the error two times and then the program seemed to run normally. I will send you a PM with the contents of that scan.

#11 Broni


Posted 24 October 2011 - 04:34 PM

I need the log pasted here. No PM.



#12 mzguy


Posted 24 October 2011 - 04:35 PM

Oh and I already installed MBAM, that is actually the program that finally worked to delete the corrupt files while in safe mode. Is it worth running again in normal mode or should I skip that step?

#13 mzguy


Posted 24 October 2011 - 04:37 PM

MiniToolBox by Farbar
Ran by Administrator (administrator) on 24-10-2011 at 17:25:20
Windows 7 Home Premium (X64)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=127.0.0.1:53581

========================= FF Proxy Settings: ==============================

"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 53581
"network.proxy.type", 0
========================= Hosts content: =================================


94.63.240.133 www.google.com
94.63.240.134 www.bing.com


========================= IP Configuration: ================================The following helper DLL cannot be loaded: WSHELPER.DLL.


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Nick-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168D/8111D Family PCI Gigabit Ethernet NIC (NDIS 6.0)
Physical Address. . . . . . . . . : 00-1F-D0-DA-20-73
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5479:4e4a:1238:2673%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, October 24, 2011 3:51:42 PM
Lease Expires . . . . . . . . . . : Tuesday, October 25, 2011 7:06:02 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 167780304
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-25-E4-60-00-1F-D0-DA-20-73
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{5E1A0406-C875-40C5-BDF6-FE61AD2FB231}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:142a:344:9eac:9b5d(Preferred)
Link-local IPv6 Address . . . . . : fe80::142a:344:9eac:9b5d%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Pinging google.com [72.14.204.103] with 32 bytes of data:
Reply from 72.14.204.103: bytes=32 time=37ms TTL=52
Reply from 72.14.204.103: bytes=32 time=39ms TTL=52

Ping statistics for 72.14.204.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 37ms, Maximum = 39ms, Average = 38ms

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=46ms TTL=49
Reply from 209.191.122.70: bytes=32 time=46ms TTL=49

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 46ms, Maximum = 46ms, Average = 46ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...00 1f d0 da 20 73 ......Realtek RTL8168D/8111D Family PCI Gigabit Ethernet NIC (NDIS 6.0)
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.4 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.4 276
192.168.1.4 255.255.255.255 On-link 192.168.1.4 276
192.168.1.255 255.255.255.255 On-link 192.168.1.4 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.4 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.4 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:142a:344:9eac:9b5d/128
On-link
11 276 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::142a:344:9eac:9b5d/128
On-link
11 276 fe80::5479:4e4a:1238:2673/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
11 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 mswsock.dll [File Not found] ()
Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 09 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
x64-Catalog5 01 mswsock.dll [File Not found] ()
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 mswsock.dll [File Not found] ()
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [193824] (Apple Inc.)
x64-Catalog9 01 mswsock.dll [File Not found] ()
x64-Catalog9 02 mswsock.dll [File Not found] ()
x64-Catalog9 03 mswsock.dll [File Not found] ()
x64-Catalog9 04 mswsock.dll [File Not found] ()
x64-Catalog9 05 mswsock.dll [File Not found] ()
x64-Catalog9 06 mswsock.dll [File Not found] ()
x64-Catalog9 07 mswsock.dll [File Not found] ()
x64-Catalog9 08 mswsock.dll [File Not found] ()
x64-Catalog9 09 mswsock.dll [File Not found] ()
x64-Catalog9 10 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/24/2011 03:56:45 PM) (Source: Microsoft-Windows-LoadPerf) (User: SYSTEM)SYSTEM
Description: Installing the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (10/24/2011 03:56:45 PM) (Source: Microsoft-Windows-LoadPerf) (User: SYSTEM)SYSTEM
Description: Unable to update the performance counter strings defined for the 009 language ID. The first DWORD in the Data section contains the error code.

Error: (10/24/2011 03:52:36 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/24/2011 03:39:45 PM) (Source: Microsoft-Windows-LoadPerf) (User: SYSTEM)SYSTEM
Description: Installing the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (10/24/2011 03:39:45 PM) (Source: Microsoft-Windows-LoadPerf) (User: SYSTEM)SYSTEM
Description: Unable to update the performance counter strings defined for the 009 language ID. The first DWORD in the Data section contains the error code.

Error: (10/24/2011 03:34:35 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/24/2011 10:37:02 AM) (Source: Application Error) (User: )
Description: Faulting application name: ping.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc964
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000004
Faulting process id: 0x82c
Faulting application start time: 0xping.exe0
Faulting application path: ping.exe1
Faulting module path: ping.exe2
Report Id: ping.exe3

Error: (10/24/2011 07:07:33 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/24/2011 05:37:59 AM) (Source: System Restore) (User: )
Description: Failed to create restore point (Process = C:\Windows\servicing\TrustedInstaller.exe; Description = Windows Modules Installer; Error = 0x80042302).

Error: (10/24/2011 05:37:59 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007041d, The service did not respond to the start or control request in a timely fashion.
.


System errors:
=============
Error: (10/24/2011 04:34:58 PM) (Source: Service Control Manager) (User: )
Description: The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).

Error: (10/24/2011 03:55:53 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%5

Error: (10/24/2011 03:55:53 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%5

Error: (10/24/2011 03:55:52 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Listener service terminated with service-specific error %%-2147023143.

Error: (10/24/2011 03:55:53 PM) (Source: PNRPSvc) (User: )
Description: 0x80070005

Error: (10/24/2011 03:55:52 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%5

Error: (10/24/2011 03:55:52 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%5

Error: (10/24/2011 03:55:51 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Listener service terminated with service-specific error %%-2147023143.

Error: (10/24/2011 03:55:51 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%5

Error: (10/24/2011 03:55:51 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%5


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office system (Version: 12.0.6425.1000)
Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0)
Adobe Flash Player 10 ActiveX (Version: 10.3.183.7)
Adobe Flash Player 10 Plugin (Version: 10.0.32.18)
Adobe Reader 9.1 (Version: 9.1.0)
Adobe Shockwave Player 11.6 (Version: 11.6.0.626)
AIM 6
Amazon MP3 Downloader 1.0.10
Amnesia: The Dark Descent
Apple Application Support (Version: 1.4.1)
Apple Mobile Device Support (Version: 3.3.0.69)
Apple Software Update (Version: 2.1.2.120)
ASIO4ALL (Version: 2.10 Beta 1)
AutoHotkey 1.0.48.03 (Version: 1.0.48.03)
avast! Free Antivirus (Version: 6.0.1289.0)
Batman: Arkham Asylum
Battlefield 3™ Open Beta (Version: 1.0.0.0)
Battlefield: Bad Company 2
Battlelog Web Plugins (Version: 0.80.0)
Belkin F7D1101 Basic Wireless USB Adapter (Version: 1.0.0.4)
Bonjour (Version: 2.0.4.0)
Browser Configuration Utility (Version: 1.0.4.9)
Cake Poker 2.0 (Version: 2.0.1.3386)
Call of Duty: Modern Warfare 2
Call of Duty: Modern Warfare 2 - Multiplayer
Camtasia Studio 6 (Version: 6.0.3)
Counter-Strike: Source
Creative ALchemy (Version: 1.25)
Creative Audio Control Panel (Version: 2.56)
Creative Software AutoUpdate (Version: 1.40)
Creative Sound Blaster Properties x64 Edition
Creative System Information
Crysis 2
Crysis Warhead
Crysis Wars
CuteFTP 8 Lite (Version: 8.3.3)
doubleTwist (Version: 3.1.4.11347)
Dystopia
erLT (Version: 1.20.0137)
ESN Sonar (Version: 0.70.0)
ffdshow [rev 2527] [2008-12-19] (Version: 1.0)
Full Tilt Poker (Version: 4.39.9.WIN.FullTilt.COM)
GameSpy Comrade (Version: 1.5.0.156)
Garry's Mod
Gigabyte Raid Configurer (Version: 1.00.0000)
GIMPshop 2.2.8 (Version: 2.2.8)
GoldenEye: Source - HalfLife 2 Mod
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
Holdem Manager (Version: 1.07)
Intel® Matrix Storage Manager
iTunes (Version: 10.1.1.4)
Java™ 6 Update 17 (Version: 6.0.170)
Kies mini (Version: 1.00.0000)
Killing Floor
Left 4 Dead
Left 4 Dead 2
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Mass Effect 2
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.5.88.0)
Microsoft Games for Windows Marketplace (Version: 3.5.50.0)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Professional Hybrid 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mount and Blade
Mount&Blade: Warband
Mozilla Firefox 7.0.1 (x86 en-US) (Version: 7.0.1)
n52te Editor (Version: 5.01)
NVIDIA Drivers (Version: 1.10)
NVIDIA PhysX (Version: 9.09.0814)
NVIDIA Stereoscopic 3D Driver (Version: 7.16.11.9107)
OMP Index Reference Increment (64-bit) (Version: 1.0.0)
Origin (Version: 8.3.0.3527)
PokerStars
PokerStove version 1.23
PostgreSQL 8.3 (Version: 8.3)
Project64 1.6 (Version: 1.6)
PunkBuster Services (Version: 0.991)
QuickTime (Version: 7.69.80.9)
Razer DeathAdder™ Mouse (Version: 5.01)
Realtek 8169 8168 8101E 8102E Ethernet Driver (Version: 1.00.0000)
Reason 4.0 (Version: 4.0)
RunBetterPoker.com MergeKeys Beta
SAMSUNG USB Driver for Mobile Phones (Version: 1.3.2300.0)
SitNGo Wizard
Skype Toolbars (Version: 5.5.7896)
Skype™ 5.3 (Version: 5.3.120)
Sound Blaster X-Fi Xtreme Audio (Version: 1.0)
StarCraft II (Version: 1.1.1.16605)
Steam (Version: 1.0.0.0)
Street Fighter IV
TableNinja (Version: 1.2.92)
TableNinjaFT (Version: 1.1.23)
Team Fortress 2
TeamViewer 6 (Version: 6.0.10722)
TournamentParser
Unity (Version: )
Unity Web Player (Version: 2.5.1f5_24931)
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2596560)
Viewpoint Media Player
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
WinRAR archiver

========================= Memory info: ===================================

Percentage of memory in use: 46%
Total physical RAM: 6142.27 MB
Available physical RAM: 3296.13 MB
Total Pagefile: 12282.68 MB
Available Pagefile: 9633.71 MB
Total Virtual: 4095.88 MB
Available Virtual: 3975.29 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:931.51 GB) (Free:448.56 GB) NTFS

========================= Users: ========================================

User accounts for \\NICK-PC

Administrator ASPNET Guest
Nick postgres


**** End of log ****
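
The three things a responder would pull out of the report above are the browser proxies left pointing at 127.0.0.1:53581, the hosts entries that pin www.google.com and www.bing.com to public addresses (which explains the search redirects reported earlier in the thread), and the Winsock catalog entries whose provider file could not be resolved. The script below is an added example, not part of this thread and not code from MiniToolBox or any tool Broni names: it parses a MiniToolBox-style report into sections and flags those three indicator types. The embedded report is a constructed sample modelled on the posted log (with one clean "127.0.0.1 localhost" line added); the section-header pattern, the proxy "type 1 = manual" interpretation and all indicator rules are my own assumptions. The Winsock check only reports unresolved providers for verification against a known-good machine; it is not a verdict.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the MiniToolBox report in this thread; not the original file.
SAMPLE_REPORT = r"""
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
ProxyServer: http=127.0.0.1:53581
========================= FF Proxy Settings: ==============================
"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 53581
"network.proxy.type", 0
========================= Hosts content: =================================
94.63.240.133 www.google.com
94.63.240.134 www.bing.com
127.0.0.1 localhost
========================= Winsock entries =====================================
Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 mswsock.dll [File Not found] ()
"""

SECTION_RE = re.compile(r"^=+\s*(.+?):?\s*=+\s*$")   # "===== Name: =====", colon optional (assumed)
LOOPBACK_PROXY_RE = re.compile(r"(?:127\.0\.0\.1|localhost):(\d+)")
FF_HOST_RE = re.compile(r'"network\.proxy\.http",\s*"([^"]+)"')
FF_PORT_RE = re.compile(r'"network\.proxy\.http_port",\s*(\d+)')
FF_TYPE_RE = re.compile(r'"network\.proxy\.type",\s*(\d+)')
HOSTS_RE = re.compile(r"^\s*([0-9A-Fa-f:.]+)\s+(\S+)")


def parse_sections(report):
    """Split the report into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def check_proxies(sections):
    """Flag browser proxies aimed at the local machine: a process listening on a
    loopback port sees, and can rewrite, every page the browser loads."""
    findings = []
    ie = sections.get("IE Proxy Settings", [])
    ie_state = ("enabled" if not any("not enabled" in l.lower() for l in ie)
                else "currently disabled but still configured")
    for line in ie:
        m = LOOPBACK_PROXY_RE.search(line)
        if line.startswith("ProxyServer:") and m:
            findings.append(("proxy", f"IE proxy points at loopback port {m.group(1)} ({ie_state})"))
    ff = "\n".join(sections.get("FF Proxy Settings", []))
    host, port, ptype = (r.search(ff) for r in (FF_HOST_RE, FF_PORT_RE, FF_TYPE_RE))
    if host and host.group(1) in ("127.0.0.1", "localhost"):
        # Assumed: network.proxy.type 1 = manual proxy active; other values = leftover setting.
        ff_state = ("enabled" if ptype and ptype.group(1) == "1"
                    else "currently disabled but still configured")
        p = port.group(1) if port else "?"
        findings.append(("proxy", f"Firefox HTTP proxy points at loopback port {p} ({ff_state})"))
    return findings


def check_hosts(sections):
    """Flag hosts entries that pin a name: a public IP hijacks the name (the
    resolver never asks DNS), a loopback IP blackholes it (typical for vendor sites)."""
    findings = []
    for line in sections.get("Hosts content", []):
        m = HOSTS_RE.match(line)
        if not m:
            continue
        try:
            ip = ip_address(m.group(1))
        except ValueError:
            continue
        name = m.group(2).lower()
        if name in ("localhost", "localhost.localdomain"):
            continue
        if ip.is_loopback:
            findings.append(("hosts", f"{name} blackholed to {ip}"))
        elif ip.is_global:
            findings.append(("hosts", f"{name} pinned to public address {ip}"))
    return findings


def check_winsock(sections):
    """Report catalog entries whose provider file MiniToolBox could not resolve;
    compare them against a known-good machine before drawing any conclusion."""
    findings = []
    for line in sections.get("Winsock entries", []):
        if "[File Not found]" in line:
            catalog, idx, rest = line.split(" ", 2)
            findings.append(("winsock", f"{catalog} {idx}: unresolved provider {rest.split(' [', 1)[0]}"))
    return findings


def triage(report):
    """Return every (category, detail) finding for a MiniToolBox-style report."""
    sections = parse_sections(report)
    return check_proxies(sections) + check_hosts(sections) + check_winsock(sections)


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REPORT):
        print(f"[{category}] {detail}")
```

Run against the sample it prints two proxy findings (both marked as configured but not currently active, which matches the "Proxy is not enabled" and "network.proxy.type 0" lines), two hosts hijacks and two unresolved Winsock providers. Feeding it a real MiniToolBox report means reading the file and passing its text to `triage`; the other sections (IP configuration, event log, installed programs) are parsed but ignored.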

#14 Broni


Posted 24 October 2011 - 04:38 PM

You may be infected with ZeroAccess rootkit.

With the information you have provided I believe you will need help from the malware removal team.
Please make sure that you read the information about getting started first.
Then start a new thread HERE and include our required logs.
Including a link to this thread will be helpful.

Good luck and be patient. Help is on the way!



#15 mzguy


Posted 24 October 2011 - 05:05 PM

Ahh bummer, I was afraid of that.

Well thank you, I truly appreciate the help.
Time to take a break to get my mind off this before it drives me crazy. :)
I will start the process tonight.



