Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IDK :|


  • This topic is locked This topic is locked
10 replies to this topic

#1 ikawz

ikawz

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:22 PM

Posted 30 November 2011 - 10:52 AM

Warning Pop-up #1
Windows - Delayed Write Failed

Failed to save all components for the file \\System32\\00004e87. The file i corrupted or unreadable. This error may be caused by a PC hardware problem.

this pop-up warning appears about 20-24 times at once each with a different file name, every 5-15 minutes, and i have no idea how to fix it.

Warning Pop-up #2
RAM memory reliability is extremely low. This problem may cause system failure.

Warning Pop-up #3
Hard drive clusters are partly damaged. Segment load failure.

Warning Pop-up #4
Windows OS can't detect a free hard drive space. hard drive error.

Warning Pop-up #5....
Files indexation process failed.

please help, I have no idea how to fix any of these problems :|

Edited by ikawz, 30 November 2011 - 12:02 PM.


BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:22 PM

Posted 01 December 2011 - 02:54 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 ikawz

ikawz
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:22 PM

Posted 01 December 2011 - 09:56 AM

DDS Log
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_29
Run by Brandon at 8:47:12 on 2011-12-01
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4027.1691 [GMT -5:00]
.
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\nvvsvc.exe
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\ThpSrv.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\windows\system32\Dwm.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
C:\windows\Explorer.EXE
C:\Users\Brandon\AppData\Roaming\54951\F276E.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Users\Brandon\AppData\Roaming\51DA0\lvvm.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Brandon\AppData\Roaming\Microsoft\6EA5\E1D.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\ProgramData\ngDasGEEwafx.exe
C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ProgramData\Twmh4Ccf4VGtFG.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\ping.exe
C:\windows\system32\conhost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Brandon\Downloads\Defogger.exe
C:\windows\system32\conhost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:61919
mWinlogon: Userinit=userinit.exe
uWinlogon: Shell=explorer.exe,C:\Users\Brandon\AppData\Roaming\54951\F276E.exe
uWindows: Load=C:\Users\Brandon\AppData\Roaming\51DA0\lvvm.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [ngDasGEEwafx.exe] C:\ProgramData\ngDasGEEwafx.exe
uRun: [E1D.exe] C:\Users\Brandon\AppData\Roaming\Microsoft\6EA5\E1D.exe
mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [IZZqqjYYCwkVrON8234A] C:\windows\system32\Cloud AV 2012v121.exe
mRun: [NffEEL8ggZqhYw] C:\Users\Brandon\AppData\Roaming\dwme.exe
mRun: [E1D.exe] C:\Program Files (x86)\LP\6EA5\E1D.exe
mRun: [EjjUUCekkIrzOyx8234A] C:\Users\Brandon\AppData\Roaming\hvvSS2oobFpmGaQ\Cloud AV 2012v121.exe
mRun: [kWKK88fRL9h] C:\Users\Brandon\AppData\Roaming\dwme.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9498EDB6-3106-425E-9F50-BB6C9CE7EEB6} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CE0BAB93-F5CA-44EF-998D-D4F8FB2A5281} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CE0BAB93-F5CA-44EF-998D-D4F8FB2A5281}\E454457454142513632393 : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
mRun-x64: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun-x64: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun-x64: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [IZZqqjYYCwkVrON8234A] C:\windows\system32\Cloud AV 2012v121.exe
mRun-x64: [NffEEL8ggZqhYw] C:\Users\Brandon\AppData\Roaming\dwme.exe
mRun-x64: [E1D.exe] C:\Program Files (x86)\LP\6EA5\E1D.exe
mRun-x64: [EjjUUCekkIrzOyx8234A] C:\Users\Brandon\AppData\Roaming\hvvSS2oobFpmGaQ\Cloud AV 2012v121.exe
mRun-x64: [kWKK88fRL9h] C:\Users\Brandon\AppData\Roaming\dwme.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Brandon\AppData\Roaming\Mozilla\Firefox\Profiles\5ev4z2aw.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61919
FF - prefs.js: network.proxy.type - 1
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS --> C:\windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS --> C:\windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [?]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\system32\DRIVERS\thpdrv.sys --> C:\windows\system32\DRIVERS\thpdrv.sys [?]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\system32\DRIVERS\Thpevm.SYS --> C:\windows\system32\DRIVERS\Thpevm.SYS [?]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20111114.002\BHDrvx64.sys [2011-11-14 1156216]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20111118.030\IDSviA64.sys [2011-11-19 488568]
R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS --> C:\windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS --> C:\windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe [2009-12-29 404992]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [2011-10-21 130008]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2011-10-17 103792]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-17 1604200]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2011-10-17 126392]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-4-6 258928]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-10-17 2320920]
R2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe [2009-12-29 911360]
R3 bpenum;bpenum;C:\windows\system32\DRIVERS\bpenum.sys --> C:\windows\system32\DRIVERS\bpenum.sys [?]
R3 bpmp;bpmp;C:\windows\system32\DRIVERS\bpmp.sys --> C:\windows\system32\DRIVERS\bpmp.sys [?]
R3 bpusb;bpusb;C:\windows\system32\Drivers\bpusb.sys --> C:\windows\system32\Drivers\bpusb.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-10 138360]
R3 HECIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETw5s64.sys --> C:\windows\system32\DRIVERS\NETw5s64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-10-17 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-29 136176]
S3 acpials;ALS Sensor Filter;C:\windows\system32\DRIVERS\acpials.sys --> C:\windows\system32\DRIVERS\acpials.sys [?]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-29 136176]
S3 JMCR;JMCR;C:\windows\system32\DRIVERS\jmcr.sys --> C:\windows\system32\DRIVERS\jmcr.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-3-5 340240]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-11-30 12:44:33 369664 ---ha-w- C:\ProgramData\Twmh4Ccf4VGtFG.exe
2011-11-30 12:41:16 463872 ---ha-w- C:\ProgramData\ngDasGEEwafx.exe
2011-11-26 19:52:40 284160 ---ha-w- C:\Users\Brandon\AppData\Roaming\Microsoft\6A85\315.exe
2011-11-26 03:12:08 286208 ---ha-w- C:\Users\Brandon\AppData\Roaming\firefox.exe
2011-11-25 22:52:03 -------- d--h--w- C:\ProgramData\PopCap Games
2011-11-25 22:51:09 -------- d-----w- C:\Program Files (x86)\WildGames
2011-11-25 22:50:13 -------- d-----w- C:\Program Files (x86)\WildTangent Games
2011-11-25 22:25:57 285696 ---ha-w- C:\Users\Brandon\AppData\Roaming\Microsoft\6EA5\E1D.exe
2011-11-25 22:25:57 -------- d--h--w- C:\Users\Brandon\AppData\Roaming\51DA0
2011-11-25 22:18:13 111616 ----a-w- C:\windows\SysWow64\32Kh7Fx.com_
2011-11-24 21:21:09 -------- d--h--w- C:\Users\Brandon\AppData\Local\Diagnostics
2011-11-24 17:13:23 -------- d--h--w- C:\Users\Brandon\AppData\Roaming\WildTangent
2011-11-24 17:10:22 -------- d--h--w- C:\Users\Brandon\AppData\Local\Microsoft Games
2011-11-24 10:29:19 1135104 ----a-w- C:\windows\System32\FntCache.dll
2011-11-24 10:29:18 902656 ----a-w- C:\windows\System32\d2d1.dll
2011-11-24 10:29:18 739840 ----a-w- C:\windows\SysWow64\d2d1.dll
2011-11-24 10:29:18 1540608 ----a-w- C:\windows\System32\DWrite.dll
2011-11-24 10:29:18 1074176 ----a-w- C:\windows\SysWow64\DWrite.dll
2011-11-23 22:08:14 -------- d-----w- C:\Program Files (x86)\51DA0
2011-11-23 22:07:52 -------- d--h--w- C:\Users\Brandon\AppData\Roaming\zwwwkUUVrl
2011-11-23 22:07:52 -------- d--h--w- C:\Users\Brandon\AppData\Roaming\sOBBttxP0ycS1v
2011-11-23 22:07:45 -------- d--h--w- C:\Users\Brandon\AppData\Roaming\r222obbF3pm5aJ6
2011-11-23 22:07:44 -------- d--h--w- C:\Users\Brandon\AppData\Roaming\kKKK8ffRZ9hTwjC
2011-11-23 22:07:42 -------- d--h--w- C:\Users\Brandon\AppData\Roaming\54951
2011-11-23 22:07:41 -------- d-----w- C:\Program Files (x86)\LP
2011-11-23 22:07:37 286208 ---ha-w- C:\Users\Brandon\AppData\Roaming\dwme.exe
2011-11-23 22:07:37 -------- d--h--w- C:\Users\Brandon\AppData\Roaming\PDDD3oonG4aH6sJ
2011-11-23 22:07:36 -------- d--h--w- C:\Users\Brandon\AppData\Roaming\K333pnnG4a
2011-11-23 22:07:26 -------- d-----we C:\windows\system64
2011-11-23 22:06:53 -------- d--h--w- C:\Users\Brandon\AppData\Local\Adobe
2011-11-23 10:53:31 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-23 10:53:14 -------- d--h--w- C:\ProgramData\McAfee Security Scan
2011-11-23 10:53:12 -------- d-----w- C:\Program Files (x86)\McAfee Security Scan
2011-11-22 17:45:05 -------- d--h--w- C:\Users\Brandon\AppData\Local\Apple Computer
2011-11-22 17:44:48 34152 ----a-w- C:\windows\System32\drivers\GEARAspiWDM.sys
2011-11-22 17:44:48 126312 ----a-w- C:\windows\System32\GEARAspi64.dll
2011-11-22 17:44:48 107368 ----a-w- C:\windows\SysWow64\GEARAspi.dll
2011-11-22 17:44:32 -------- d-----w- C:\Program Files\iPod
2011-11-22 17:44:31 -------- d-----w- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2011-11-22 17:44:31 -------- d-----w- C:\Program Files\iTunes
2011-11-22 17:44:31 -------- d-----w- C:\Program Files (x86)\iTunes
2011-11-22 17:43:22 -------- d--h--w- C:\Users\Brandon\AppData\Local\Apple
2011-11-22 17:42:45 -------- d-----w- C:\Program Files\Bonjour
2011-11-22 17:42:45 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-11-22 06:14:01 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E4D37719-7612-4386-AD00-6E1326A0BD44}\mpengine.dll
2011-11-21 10:42:19 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-11-12 02:28:09 -------- d-----w- C:\Program Files (x86)\Image-Line
2011-11-12 02:27:55 348160 ----a-w- C:\windows\SysWow64\msvcr71.dll
2011-11-12 02:27:55 1060864 ----a-w- C:\windows\SysWow64\mfc71.dll
2011-11-12 02:27:54 1700352 ----a-w- C:\windows\SysWow64\gdiplus.dll
2011-11-10 13:29:12 -------- d-----w- C:\windows\SysWow64\Adobe
2011-11-09 21:52:30 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 21:52:30 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 21:52:30 1897328 ----a-w- C:\windows\System32\drivers\tcpip.sys
2011-11-09 21:52:29 3141120 ----a-w- C:\windows\System32\win32k.sys
2011-11-05 00:00:11 -------- d--h--w- C:\Users\Brandon\jagexcache1
.
==================== Find3M ====================
.
2011-10-21 05:36:51 174200 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
2011-10-03 09:06:03 472808 ----a-w- C:\windows\SysWow64\deployJava1.dll
2011-10-01 03:21:20 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2011-10-01 02:59:14 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
.
============= FINISH: 8:48:27.62 ===============


@@@@@


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 10/20/2011 12:16:39 PM
System Uptime: 11/30/2011 6:05:32 PM (14 hours ago)
.
Motherboard: TOSHIBA | | NWQAA
Processor: Intel® Core™ i7 CPU Q 740 @ 1.73GHz | CPU | 1734/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 584 GiB total, 542.077 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Windows Firewall Authorization Driver
Device ID: ROOT\LEGACY_MPSDRV\0000
Manufacturer:
Name: Windows Firewall Authorization Driver
PNP Device ID: ROOT\LEGACY_MPSDRV\0000
Service: mpsdrv
.
==== System Restore Points ===================
.
RP12: 11/9/2011 5:59:36 AM - Scheduled Checkpoint
RP13: 11/10/2011 3:00:11 AM - Windows Update
RP14: 11/11/2011 3:00:13 AM - Windows Update
RP15: 11/21/2011 5:41:50 AM - Windows Update
RP16: 11/22/2011 1:13:52 AM - Windows Update
RP17: 11/22/2011 12:43:23 PM - Installed iTunes
RP18: 11/25/2011 7:32:27 AM - Windows Update
RP19: 11/30/2011 8:18:49 AM - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3
Adobe Shockwave Player 11.6
Amazon Links
Apple Application Support
Apple Software Update
Bejeweled
Bejeweled 2 Deluxe
Chuzzle Deluxe
FATE
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Intel® Management Engine Components
Intel® Rapid Storage Technology
Java Auto Updater
Java™ 6 Update 29
Jewel Quest - Heritage
JMicron Flash Media Controller Driver
Junk Mail filter update
Label@Once 1.0
McAfee Security Scan Plus
Microsoft Choice Guard
Microsoft Office 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 8.0 (x86 en-US)
MSVCRT
Norton Internet Security
NVIDIA PhysX
NVIDIA Updatus
Plants vs. Zombies
Polar Bowler
Quickbooks Financial Center
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Skype Click to Call
Skype™ 5.5
swMSM
Toshiba App Place
TOSHIBA Application Installer
TOSHIBA Assist
Toshiba Book Place
TOSHIBA Bulletin Board
TOSHIBA DVD PLAYER
TOSHIBA eco Utility
TOSHIBA Face Recognition
TOSHIBA Flash Cards Support Utility
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
Toshiba Laptop Checkup
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
Toshiba Online Backup
TOSHIBA Quality Application
TOSHIBA ReelTime
TOSHIBA Service Station
TOSHIBA Sleep Utility
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
ToshibaRegistration
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update Installer for WildTangent Games App
Utility Common Driver
Wheel of Fortune 2
WildTangent Games
WildTangent Games App (Toshiba Games)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Zuma's Revenge
.
==== Event Viewer Messages From Past Week ========
.
12/1/2011 8:17:53 AM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
11/30/2011 8:11:27 AM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
11/30/2011 8:11:07 AM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Windows Firewall Authorization Driver service which failed to start because of the following error: Cannot create a file when that file already exists.
11/30/2011 8:11:07 AM, Error: Service Control Manager [7000] - The Windows Firewall Authorization Driver service failed to start due to the following error: Cannot create a file when that file already exists.
11/25/2011 7:48:12 AM, Error: Service Control Manager [7034] - The Wireless PAN DHCP Server service terminated unexpectedly. It has done this 5 time(s).
11/25/2011 7:32:31 AM, Error: Service Control Manager [7034] - The Wireless PAN DHCP Server service terminated unexpectedly. It has done this 4 time(s).
11/25/2011 5:08:20 PM, Error: Service Control Manager [7034] - The Wireless PAN DHCP Server service terminated unexpectedly. It has done this 7 time(s).
11/25/2011 12:01:19 PM, Error: Service Control Manager [7034] - The Wireless PAN DHCP Server service terminated unexpectedly. It has done this 6 time(s).
11/24/2011 9:26:58 PM, Error: Service Control Manager [7034] - The Wireless PAN DHCP Server service terminated unexpectedly. It has done this 2 time(s).
11/24/2011 8:59:01 PM, Error: Service Control Manager [7034] - The Wireless PAN DHCP Server service terminated unexpectedly. It has done this 1 time(s).
11/24/2011 10:10:40 PM, Error: Service Control Manager [7034] - The Wireless PAN DHCP Server service terminated unexpectedly. It has done this 3 time(s).
.
==== End Of File ===========================

GMER
Ark.Txt

^ Was not able to check on these:

-System
-Sections
-Devices
-Modules
-Process
-Threads
-Libraries

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-01 09:34:30
Windows 6.1.7600
Running: gmer.exe


---- Files - GMER 1.0.15 ----

File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\searchCABJOJ0S.htm 417 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\searchCAGKZFSR.htm 417 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\searchCAP514P2.htm 417 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\searchCAXLU5IM.htm 417 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\searchCAY5MC3G.htm 417 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\adif_px[1].htm 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\adif_px[1].php 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\Freida%20Pinto-DGG-031629[1].jpg 5184 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\pubsub_glam.ads_glam[1].metrics 25550 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\cc-mastercard[1].jpg 1928 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\vp[1] 1277 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\jquery.ui.widget.min[1].js 3287 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\DtVzOo0exCL[1].js 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\thumbnail[1].jpg 4506 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\ywa[1].js 23574 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\viewChannelModule[1].act 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\41499_1083243399_7781_q[1].jpg 2286 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\justin_bieber_g9123[1].jpg 5839 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\script100[1].js 4138 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\a4199[1].jpg 9626 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\rr4083[1].jpg 6420 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\rss[1].gif 330 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\370769_1703606684_1086404184_q[1].jpg 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\lyrs=m@164000000&hl=en&src=api&x=19796&s=&y=24291&z=16&s=Galileo[1].png 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\lyrs=m@164000000&hl=en&src=api&x=19797&s=&y=24289&z=16&s=[1].png 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\lyrs=m@164000000&hl=en&src=api&x=4682&y=6264&z=14&s=Galile[1].png 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\3fns6GTgzWh[1].css 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\B5095601[1].10;sz=728x90;pc=[TPAS_ID];ord=2837188442034851665 37991 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H4QDWAMD\ping[5].gif 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\zmpfc[1].js 30720 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\zpu[2].htm 1340 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\shadow50[1].png 665 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\3fns6GTgzWh[1].css 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\DaQC-gckDZ8[1].css 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\sddefault[1].jpg 46030 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\markerB[1].png 918 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\markerie[1].gif 709 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\markerTransparent[1].png 260 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\4e1a2e0eba26e[1].xml 1497 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\4e1a2e0eba26e_ads[1].js 7477 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\4e79c7ebc8236_ads[1].js 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\jquery.min[3].js 70843 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\smc[1].png 389 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\cached_iframe[1].htm 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\header_08[1].jpg 2798 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\header_09[1].jpg 1604 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\header_11[1].jpg 15298 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\header_24[1].jpg 466 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\header_25[1].jpg 431 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\ads[5].js 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\clk[1] 19993 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\configloaded[4].htm 6 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\90second_10_goodfellas[1].flv 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\crossdomain[10].xml 201 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\init[2].htm 6 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\1464_config[1].xml 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\admanager[1].swf 57388 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\community[1].htm 36855 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\-[1].jpg 1273 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\play-trans[2].png 674 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\0cbf49b009f880b5108646ca741e4b86c6f28332[1].jpg 6535 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\top_left_920x90_banner[1].htm 875 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\blog_wijits[1] 599 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\keywest[1].jpg 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\offerCSS_Dodge_160x600[1].xml 613 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\OfferTemplates_Dodge_160x600[1].xml 41770 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\638w359h[1].jpg 120260 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\728x90_12.1[1].swf 52072 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\dot[6].gif 43 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\mtest[2].htm 4466 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\1x1[1].gif 43 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\p_23705_128_72[1].jpg 3655 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\p_29184_128_72[1].jpg 2980 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KUYAQIMC\service[5].htm 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\xd_proxy[1].php 2482 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\369968[1].htm 7163 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\AdDisplayTrackerServlet[4].htm 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\js_048450c720045af8ee18ec2d4e41d85a_7[1].js 1611 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\taste_cheese_300x250[1].jpg 29872 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\visit[5].js 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\login_status[2].php 58 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\dvtp_src[1].js 4906 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\b[1].gif 43 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\css_78212a3f82a3222b5f65cf223b780d43_0[1].css 470 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\culo-1111-3[1].jpg 5579 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\culo-1111-5[1].jpg 4182 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\culo-add-1111-3[1].jpg 7109 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\nicole-scherzinger-011810-2[1].jpg 5896 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\notify[1].gif 49 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SJ6N6Y54\adif_px[2].htm 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\0529B30V.txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\F50L3U1X.txt 202 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\6112K83X.txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\WJ9JFJ3T.txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\IVHP0G94.txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\V67YG3LF.txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\JTI4A5I3.txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\RB9LNMCI.txt 1965 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\C9NYKQXM.txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\KCIVJPVX.txt 6554 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\9TQ1GCHR.txt 0 bytes
File C:\Windows\Temp\flaBE5A.tmp 4003372 bytes
File C:\Windows\Temp\flaD48A.tmp 2658138 bytes

---- EOF - GMER 1.0.15 ----

#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:22 PM

Posted 05 December 2011 - 10:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430064 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 ikawz

ikawz
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:22 PM

Posted 05 December 2011 - 08:14 PM

Current problems:

Warning Pop-up #1
Windows - Delayed Write Failed

Failed to save all components for the file \\System32\\00004e87. The file i corrupted or unreadable. This error may be caused by a PC hardware problem.

this pop-up warning appears about 20-24 times at once each with a different file name, every 5-15 minutes, and i have no idea how to fix it.

Warning Pop-up #2
RAM memory reliability is extremely low. This problem may cause system failure.

Warning Pop-up #3
Hard drive clusters are partly damaged. Segment load failure.

Warning Pop-up #4
Windows OS can't detect a free hard drive space. hard drive error.

Warning Pop-up #5....
Files indexation process failed.
---------------------------

DDS Log:
Attached File  DDS1.txt   27.64KB   1 downloads

GMER Log:

^ Was not able to check these on/off:

-System
-Sections
-Devices
-Modules
-Process
-Threads
-Libraries

Attached File  gmer log.log   10.88KB   0 downloads

Edited by ikawz, 05 December 2011 - 08:16 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 06 December 2011 - 11:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I have identified a ZeroAccess backdoor infection.

I want to ensure we have sufficient recovery options before we continue. We will do this by first creating a System recovery disk and then by creating a bootable xPud disk that can be used to access the disk if the need arises. You will need two blank writeable CD's/DVD's for this. We will also create a system restore point. Please follow the instructions below.

Step 1 - Create System Recovery disk
  • Click on the Start button.
  • In the Search programs and files text box type recdisc and press Return.
  • The Create a System Repair Disk window should open.
  • Ensure your CD/DVD writer drive is selected and that there is a blank disk in the drive.
  • Click on the Create Disk button and allow the process to finish.

Step 2 - Create bootable xPud USB disk
  • Click here to download xPud. Save it to your Desktop. We will use this later.

    Download and Install ImgBurn
  • Click Here to download ImgBurn. Save it to your Desktop.
  • Double click the file to install the program. Accept the default options and let the installation finish.
  • Once installed follow the steps below to create a bootable disk using the ISO image downloaded earlier.
    Create Bootable Xpud Disk
  • Launch ImgBurn.
  • Select the Option to Write Image file to disk.
  • Click on the folder icon next to the text Please select a file.
  • In the window that appears browse to your desktop and select the file xpud-0.9.2.iso
  • Ensure your CD/DVD writer is selected in the Destination drop down menu and that you have a blank CD/DVD in the drive.
  • Select the Verify checkbox and click the Write icon.
  • ImgBurn will burn the iso image to the disk and let you know if it was succesful or not.

Step 3 - Create a System Restore Point
  • Right-click on the Computer icon and select Properties.
  • In the left pane under Tasks ... click on System protection.
    If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
  • Select the System Protection tab ...then choose Create.
  • In the System Restore dialog box, type a description for the restore point ... click Create, again.
    A window will pop up with "The Restore Point was created successfully" confirmation message.
  • Click OK ...then close the System Restore dialog.

Please leave the System Restore function "turned on" until we are finished and I give you the 'all clean' sign.
If you have successfully created a System Restore Point...we can proceed.

If successful with all the steps we can proceed. Otherwise let me know. DO NOT proceeding with the following instructions.

===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:

    [b]
    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
    
    :filefind
    consrv.dll  
    [/b]
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please post the ComboFix and the SystemLook logs.

#7 ikawz

ikawz
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:22 PM

Posted 08 December 2011 - 09:44 PM

I was not able to Create a System Restore Point

- could not access the pane 'Tasks' in order to continue

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 09 December 2011 - 09:31 AM

Try this way.

BackupYour Registry with ERUNT
  • Please go here, scroll down to ERUNT, and download.
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your Registry to the folder of your choice.

Note: To restore your Registry, go to the folder and start ERDNT.exe

p.s.
On a Vista or Windows 7 operating system, right click the Erunt.exe and run as Administrator.

#9 ikawz

ikawz
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:22 PM

Posted 09 December 2011 - 03:55 PM

ugh...
this came up after installing and trying to run the program comboFix

"ComboFix.exe is not a valid Win32 application"

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 10 December 2011 - 10:06 AM

I need to check your partition table.

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB) and this one,
Windows 7 64-Bit (x64) Recovery Environment

Create a bootable CD, 1 for Gparted and 1 for the Windows 7 Recovery Enviroment, from the ISO images. You can use ImgBurn do this.


This will help you burning the iso image(s) to a CD.
http://www.imgburn.com/index.php?act=screenshots#isowrite
==

Now boot off of the newly created Gparted CD.

Posted Image
You should be here...
Press ENTER

Posted Image
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Posted Image
Choose your language and press ENTER. English is default [33]

Posted Image
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
Posted Image

I need to see a print screen of this last image.

To do print screen follow these steps:

* Press Alt and Print Screen button on your keyboard
* Open Paint program
* From the menu choose Edit then Paste
* Now save the picture and attach it here for me to review.

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:22 PM

Posted 16 December 2011 - 11:46 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users