Problems with Infection


17 replies to this topic

#1 UnderProblems


Posted 19 January 2012 - 02:51 PM

Hey, I am suffering from a potential virus. One day something appeared in my startup folder and when I tried to delete it, it said the program was in use. As this was happening something by the name of 'windows command process' was opening constantly; after a while it stopped as I just kept deleting all the files that made it pop up using Unlocker, however I'm almost positive I'm still badly infected. First of all, there are many files that are getting downloaded to my computer without me knowing or approving, as well as me running a scan using Panda ActiveScan and at about 32%, while it was going through the infected files, my computer completely froze. This is very uncommon and really never happens. Although I'm unaware, I'm under the assumption there's some sort of trojan downloader or something of that nature on my computer that's causing this. I'm also in fear of knowing that there may be people using my computer or keylogging me; I'm really scared and need a lot of help removing all this. The problems have started recently, within the past week I'd say.

I'm using Windows Vista. Any help will be greatly appreciated; thank you very much for reading!

Edited by UnderProblems, 19 January 2012 - 03:56 PM.




#2 Broni (BC Advisor)

Posted 19 January 2012 - 06:06 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.



#3 UnderProblems


Posted 26 January 2012 - 05:23 AM

OK, small update: I reformatted the laptop twice using the product recovery disc and I'm still fearing the chances of infection.

Results of screen317's Security Check version 0.99.24
Windows Vista Service Pack 1 x86 (UAC is enabled)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
COMODO Internet Security
McAfee SecurityCenter
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 3
Out of date Java installed!
Adobe Flash Player 11.1.102.55
Mozilla Firefox (x86 en-GB..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
TOSHIBA Toshiba Online Product Information TOPI.exe
``````````End of Log````````````

#4 UnderProblems


Posted 26 January 2012 - 05:26 AM

FSS Results:

Farbar Service Scanner Version: 18-01-2012 01
Ran by Harvy (administrator) on 26-01-2012 at 10:25:17
Microsoft® Windows Vista™ Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll
[2008-01-21 02:24] - [2008-01-21 02:24] - 0204288 ____A (Microsoft Corporation) 43A988A9C10333476CB5FB667CBD629D

C:\Windows\system32\Drivers\afd.sys
[2008-01-21 02:24] - [2008-01-21 02:24] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2008-01-21 02:25] - [2008-01-21 02:25] - 0891448 ____A (Microsoft Corporation) FC6E2835D667774D409C7C7021EAF9C4

C:\Windows\system32\dnsrslvr.dll
[2008-01-21 02:24] - [2008-01-21 02:24] - 0086528 ____A (Microsoft Corporation) F5A0F1DA1ED8B429597E71D27D976E31

C:\Windows\system32\mpssvc.dll
[2008-01-21 02:24] - [2008-01-21 02:24] - 0393216 ____A (Microsoft Corporation) D1639BA315B0D79DEC49A4B0E1FB929B

C:\Windows\system32\bfe.dll
[2008-01-21 02:23] - [2008-01-21 02:23] - 0328704 ____A (Microsoft Corporation) 8582E233C346AEFE759833E8A30DD697

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe
[2008-01-21 02:23] - [2008-01-21 02:23] - 1054720 ____A (Microsoft Corporation) D5FB73D19C46ADE183F968E13F186B23

C:\Windows\system32\wscsvc.dll
[2008-01-21 02:23] - [2008-01-21 02:23] - 0061440 ____A (Microsoft Corporation) 683DD16B590372F2C9661D277F35E49C

C:\Windows\system32\wbem\WMIsvc.dll
[2008-01-21 02:24] - [2008-01-21 02:24] - 0161792 ____A (Microsoft Corporation) 00B79A7C984678F24CF052E5BEB3A2F5

C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2008-01-21 02:25] - [2008-01-21 02:25] - 0758272 ____A (Microsoft Corporation) 02ED7B4DBC2A3232A389106DA7515C3D

C:\Windows\system32\es.dll
[2008-01-21 02:24] - [2008-01-21 02:24] - 0262144 ____A (Microsoft Corporation) F4BF4FA769DB51B106D2B4B35256988B

C:\Windows\system32\cryptsvc.dll
[2008-01-21 02:24] - [2008-01-21 02:24] - 0128000 ____A (Microsoft Corporation) 6DE363F9F99334514C46AEC02D3E3678

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2008-01-21 02:24] - [2008-01-21 02:24] - 0547328 ____A (Microsoft Corporation) 33FB1F0193EE2051067441492D56113C



**** End of log ****
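A triage script for the FSS log format posted above, added here as an example and not part of the thread or of Farbar's tools: it pulls out the services FSS reports as not running, the lines it flags with "Attention!", and the File Check entries for which FSS printed a hash instead of "MD5 is legit". The sample input is a constructed excerpt in the same layout as the log above.

```python
"""Triage helper for a Farbar Service Scanner (FSS.txt) log.

Added example, not part of the forum thread or of Farbar's tools. A hash
printed instead of "MD5 is legit" only means the file is not in the tool's
whitelist (a different service-pack build, for instance): it is a prompt to
verify the file against a known-good copy, not proof of tampering.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an excerpt in the same layout as the FSS log posted above.
SAMPLE_FSS = r"""
System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll
[2008-01-21 02:24] - [2008-01-21 02:24] - 0204288 ____A (Microsoft Corporation) 43A988A9C10333476CB5FB667CBD629D

C:\Windows\system32\svchost.exe => MD5 is legit

**** End of log ****
"""

NOT_RUNNING_RE = re.compile(r"^(?P<svc>\S+) Service is not running\.")
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)$")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) \S+ "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileCheck:
    path: str
    whitelisted: bool            # True when FSS printed "MD5 is legit"
    md5: Optional[str] = None    # hash FSS printed for an unrecognised file
    company: str = ""
    size: int = 0


@dataclass
class FssTriage:
    services_not_running: List[str] = field(default_factory=list)
    attention: List[str] = field(default_factory=list)
    files: List[FileCheck] = field(default_factory=list)

    def unverified_files(self) -> List[FileCheck]:
        """Files the analyst still has to verify by hand or against a clean machine."""
        return [f for f in self.files if not f.whitelisted]


def parse_fss(text: str) -> FssTriage:
    triage = FssTriage()
    pending: Optional[FileCheck] = None   # path line waiting for its detail line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            triage.services_not_running.append(m.group("svc"))
            continue
        if "Attention!" in line:
            triage.attention.append(line)
            continue
        m = LEGIT_RE.match(line)
        if m:
            triage.files.append(FileCheck(path=m.group("path"), whitelisted=True))
            pending = None
            continue
        m = PATH_RE.match(line)
        if m:
            pending = FileCheck(path=m.group("path"), whitelisted=False)
            triage.files.append(pending)
            continue
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            pending.md5 = m.group("md5").upper()
            pending.company = m.group("company")
            pending.size = int(m.group("size"))
            pending = None
    return triage


if __name__ == "__main__":
    t = parse_fss(SAMPLE_FSS)
    print("not running:", t.services_not_running)
    print("attention:", t.attention)
    print("verify:", [(f.path, f.md5) for f in t.unverified_files()])
```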

#5 UnderProblems


Posted 26 January 2012 - 05:32 AM

MiniToolBox by Farbar Version: 18-01-2012
Ran by Harvy (administrator) on 26-01-2012 at 10:26:54
Microsoft® Windows Vista™ Home Premium Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

::1 localhost

127.0.0.1 localhost

========================= IP Configuration: ================================

Atheros AR5006EX Wireless Network Adapter = Wireless Network Connection (Connected)
Realtek RTL8102E Family PCI-E Fast Ethernet NIC (NDIS 6.0) = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Harvy-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Belkin

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : Belkin
Description . . . . . . . . . . . : Atheros AR5006EX Wireless Network Adapter
Physical Address. . . . . . . . . : 00-1B-9E-E4-03-DA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::41d:a0a8:c187:5ee6%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 26 January 2012 09:22:39
Lease Expires . . . . . . . . . . : 03 March 2148 16:55:57
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8102E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
Physical Address. . . . . . . . . : 00-1E-33-39-7F-D5
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{856F800F-B3BE-4AB4-8AC4-7329B54AB333}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : Belkin
Description . . . . . . . . . . . : isatap.Belkin
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:892:16c2:3f57:fdf9(Preferred)
Link-local IPv6 Address . . . . . : fe80::892:16c2:3f57:fdf9%14(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 192.168.2.1

Name: google.com
Addresses: 209.85.147.104
209.85.147.105
209.85.147.103
209.85.147.147
209.85.147.106
209.85.147.99



Pinging google.com [209.85.147.103] with 32 bytes of data:

Reply from 209.85.147.103: bytes=32 time=74ms TTL=51

Reply from 209.85.147.103: bytes=32 time=71ms TTL=51



Ping statistics for 209.85.147.103:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 71ms, Maximum = 74ms, Average = 72ms

Server: UnKnown
Address: 192.168.2.1

Name: yahoo.com
Addresses: 98.139.180.149
209.191.122.70
72.30.2.43
98.137.149.56



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=178ms TTL=47

Reply from 209.191.122.70: bytes=32 time=184ms TTL=47



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 178ms, Maximum = 184ms, Average = 181ms

Server: UnKnown
Address: 192.168.2.1

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Request timed out.

Request timed out.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time=3ms TTL=128

Reply from 127.0.0.1: bytes=32 time=2ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 2ms, Maximum = 3ms, Average = 2ms

===========================================================================
Interface List
11 ...00 1b 9e e4 03 da ...... Atheros AR5006EX Wireless Network Adapter
10 ...00 1e 33 39 7f d5 ...... Realtek RTL8102E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.{856F800F-B3BE-4AB4-8AC4-7329B54AB333}
13 ...00 00 00 00 00 00 00 e0 isatap.Belkin
14 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.6 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.0 255.255.255.0 On-link 192.168.2.6 281
192.168.2.6 255.255.255.255 On-link 192.168.2.6 281
192.168.2.255 255.255.255.255 On-link 192.168.2.6 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.6 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.6 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 18 ::/0 On-link
1 306 ::1/128 On-link
14 18 2001::/32 On-link
14 266 2001:0:5ef5:79fb:892:16c2:3f57:fdf9/128
On-link
11 281 fe80::/64 On-link
14 266 fe80::/64 On-link
11 281 fe80::41d:a0a8:c187:5ee6/128
On-link
14 266 fe80::892:16c2:3f57:fdf9/128
On-link
1 306 ff00::/8 On-link
14 266 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/26/2012 09:44:32 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: MSXML 4.0 SP2 (KB954430) -- Error 1935. An error occured during the installation of assembly component {31CDA6DB-15C0-8B7B-A06B-D6B9ABF34537}. HRESULT: 0x80071A90. assembly interface: IAssemblyCacheItem, function: Commit, assembly name: policy.4.1.Microsoft.MSXML2R,type="win32-policy",version="4.1.1.0",publicKeyToken="6bd6b9abf345378f",processorArchitecture="x86"

Error: (01/26/2012 09:23:31 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/25/2012 06:30:29 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/24/2012 10:17:00 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/24/2012 09:44:15 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/24/2012 09:27:27 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/24/2012 09:06:41 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {66854ee7-4d59-40f6-9703-1ad136b93488}

Error: (01/24/2012 09:05:27 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {66854ee7-4d59-40f6-9703-1ad136b93488}

Error: (01/24/2012 09:04:36 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {66854ee7-4d59-40f6-9703-1ad136b93488}

Error: (01/24/2012 09:04:23 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {66854ee7-4d59-40f6-9703-1ad136b93488}


System errors:
=============
Error: (01/26/2012 09:44:46 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: 0x80070643Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB954430){2B0B2515-192D-470A-9745-4A3FB7C0203A}106

Error: (01/26/2012 09:22:30 AM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (01/25/2012 11:02:58 PM) (Source: DCOM) (User: )
Description: {FE9617F6-E606-42AA-BECC-0E9CDA246D63}

Error: (01/25/2012 11:02:38 PM) (Source: DCOM) (User: )
Description: {6295DF2D-35EE-11D1-8707-00C04FD93327}

Error: (01/25/2012 11:02:27 PM) (Source: DCOM) (User: )
Description: {C2BFE331-6739-4270-86C9-493D9A04CD38}

Error: (01/25/2012 06:28:51 PM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (01/24/2012 11:37:12 PM) (Source: DCOM) (User: )
Description: {6295DF2D-35EE-11D1-8707-00C04FD93327}

Error: (01/24/2012 11:36:58 PM) (Source: DCOM) (User: )
Description: {C2BFE331-6739-4270-86C9-493D9A04CD38}

Error: (01/24/2012 10:15:20 PM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (01/24/2012 10:13:54 PM) (Source: DCOM) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0)
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
Adobe Reader 8.1.0 (Version: 8.1.0)
Atheros Driver Installation Program (Version: 7.1)
Atheros Wi-Fi Protected Setup Library
Camera Assistant Software for Toshiba (Version: 1.7.175.0123)
CD/DVD Drive Acoustic Silencer (Version: 2.02.01)
Comodo Dragon (Version: 15.0)
COMODO GeekBuddy (Version: 3.3.217083.59)
COMODO Internet Security (Version: 5.9.25057.2197)
Compatibility Pack for the 2007 Office system (Version: 12.0.4518.1014)
Desktop SMS (Version: 1.2.0)
DVD MovieFactory for TOSHIBA (Version: 5.51)
Google Earth (Version: 4.0.2737)
Gyazo 1.0
HDAUDIO Soft Data Fax Modem with SmartCP (Version: 7.70.00.50)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java™ 6 Update 3 (Version: 1.6.0.30)
Malwarebytes Anti-Malware version 1.60.0.1800 (Version: 1.60.0.1800)
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Home and Student 2007 (Version: 12.0.4518.1014)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.4518.1014)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Works (Version: 9.7.0621)
Microsoft XML Parser (Version: 8.20.8730.4)
Mozilla Firefox 9.0.1 (x86 en-GB) (Version: 9.0.1)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
myphotobook 3.5 (Version: 3.5)
NetWaiting (Version: 2.5.50)
Opera 11.61 (Version: 11.61.1250)
Picasa 2 (Version: 2.0)
Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista (Version: 1.00.0000)
Realtek High Definition Audio Driver (Version: 6.0.1.5559)
Realtek USB 2.0 Card Reader (Version: )
Skype™ 5.5 (Version: 5.5.124)
Synaptics Pointing Device Driver (Version: 10.1.8.0)
TOSHIBA Assist (Version: 2.01.04)
TOSHIBA ConfigFree (Version: 7.1.27)
TOSHIBA Disc Creator (Version: 2.0.1.1.a)
TOSHIBA DVD PLAYER (Version: 1.20.10)
TOSHIBA Extended Tiles for Windows Mobility Center (Version: 1.01.00)
TOSHIBA Face Recognition (Version: 1.0.2.32)
TOSHIBA Hardware Setup (Version: 2.00.06)
TOSHIBA Manuals (Version: 7.35)
Toshiba Online Product Information (Version: 1.00.0012)
TOSHIBA Recovery Disc Creator (Version: 2.0.0.1b)
TOSHIBA Supervisor Password (Version: 2.00.03)
TOSHIBA Value Added Package (Version: 1.1.14)
TRDCReminder (Version: 1.00.0014)
TRORDCLauncher (Version: 1.0.0.1)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.2980)
WinRAR 4.10 (32-bit) (Version: 4.10.0)

========================= Memory info: ===================================

Percentage of memory in use: 73%
Total physical RAM: 2037.22 MB
Available physical RAM: 543.1 MB
Total Pagefile: 4311.66 MB
Available Pagefile: 1875.37 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.51 MB

========================= Partitions: =====================================

1 Drive c: (Vista) (Fixed) (Total:55.66 GB) (Free:34.21 GB) NTFS
2 Drive e: (Data) (Fixed) (Total:54.66 GB) (Free:49.89 GB) NTFS

========================= Users: ========================================

User accounts for \\HARVY-PC

Administrator Guest Harvy


**** End of log ****
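An added example (not from the thread or from Farbar) that reads the three network settings Broni asked MiniToolBox to report, hosts content, IE proxy state and DNS servers, and narrows them to what a helper would look at. The input is a constructed report that copies the benign entries above and adds one redirect-style hosts line; the "Proxy is not enabled." wording it keys on is assumed from the output above.

```python
"""Triage helper for a MiniToolBox report: hosts file, IE proxy, DNS servers.

Added example, not part of the thread or of Farbar's tools. The report below
is constructed: the hosts entries copy the benign ones posted above plus one
redirect-style line (documentation-range address) so the check finds something.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

SAMPLE_REPORT = r"""
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Hosts content: =================================

::1 localhost
127.0.0.1 localhost
203.0.113.10 update.example.com

========================= IP Configuration: ================================

Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1

========================= Winsock entries =====================================
"""

# Section header: equals signs around a name, e.g. "===== Hosts content: =====".
SECTION_RE = re.compile(r"^=+\s*(?P<name>[A-Za-z][^=]*?):?\s*=+$")
DNS_RE = re.compile(r"^DNS Servers[ .]*: (?P<ip>\S+)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the report's non-blank lines under the header they follow."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def suspicious_hosts(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Every hosts entry except the stock loopback -> localhost pairs.
    Ad-block lists also map names to 127.0.0.1; they are listed too, the analyst decides."""
    hits = []
    for line in lines:
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not a hosts entry
        if addr.is_loopback and all(n == "localhost" for n in fields[1:]):
            continue
        hits.append((str(addr), fields[1:]))
    return hits


def proxy_enabled(lines: List[str]) -> bool:
    """Assumes MiniToolBox prints 'Proxy is not enabled.' when IE has no proxy."""
    return not any(line.startswith("Proxy is not enabled") for line in lines)


def external_dns(lines: List[str]) -> List[str]:
    """DNS servers with globally routable addresses. On a home LAN the resolver is
    normally the gateway (192.168.2.1 above); a public one must be a deliberate choice."""
    found = []
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if ip.is_global:
            found.append(str(ip))
    return found


def triage(text: str) -> dict:
    s = split_sections(text)
    return {
        "proxy_enabled": proxy_enabled(s.get("IE Proxy Settings", [])),
        "suspicious_hosts": suspicious_hosts(s.get("Hosts content", [])),
        "external_dns": external_dns(s.get("IP Configuration", [])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```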

#6 UnderProblems


Posted 26 January 2012 - 05:50 AM

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.26.02

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
Harvy :: HARVY-PC [administrator]

Protection: Enabled

26/01/2012 10:30:57
mbam-log-2012-01-26 (10-30-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 163414
Time elapsed: 18 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#7 UnderProblems


Posted 26 January 2012 - 05:58 AM

For some reason the last one won't open. I think my antivirus is blocking it; I tried to close my antivirus and stuff but it still won't open.

#8 Broni (BC Advisor)

Posted 26 January 2012 - 11:34 AM

Try to run aswMBR from safe mode.



#9 UnderProblems


Posted 27 January 2012 - 02:46 PM

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-27 19:31:33
-----------------------------
19:31:33.685 OS Version: Windows 6.0.6002 Service Pack 2
19:31:33.685 Number of processors: 2 586 0xF0D
19:31:33.685 ComputerName: HARVY-PC UserName: Harvy
19:31:35.401 Initialize success
19:37:37.938 AVAST engine defs: 12012700
19:44:28.574 The log file has been saved successfully to "C:\Users\Harvy\Desktop\aswMBR.txt"

#10 Broni (BC Advisor)

Posted 27 January 2012 - 04:07 PM

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

==================================================

Please download and run ListParts by Farbar (for 32-bit system)

Please download and run ListParts64 by Farbar (for 64-bit system)

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.



#11 UnderProblems


Posted 29 January 2012 - 07:12 AM

Bootkit Remover
© 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000
Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

#12 UnderProblems

UnderProblems
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 29 January 2012 - 07:13 AM

ListParts by Farbar
Ran by Harvy on 29-01-2012 at 12:11:52
Windows Vista (X86)
Running From: C:\Users\Harvy\Desktop
************************************************************

========================= Memory info ======================

Percentage of memory in use: 63%
Total physical RAM: 2037.22 MB
Available physical RAM: 749.75 MB
Total Pagefile: 4315.71 MB
Available Pagefile: 2325.55 MB
Total Virtual: 2047.88 MB
Available Virtual: 1966.74 MB

======================= Partitions =========================

1 Drive c: (Vista) (Fixed) (Total:55.66 GB) (Free:16.94 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive e: (Data) (Fixed) (Total:54.66 GB) (Free:49.89 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 56 GB 1501 MB
Partition 3 Primary 55 GB 57 GB

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Vista NTFS Partition 56 GB Healthy System (partition with boot components)

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E Data NTFS Partition 55 GB Healthy



****** End Of Log ******
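As an added example, not code from the thread or from either tool, here is a small Python parser that reads the same fields from a raw 512-byte MBR that Bootkit Remover and ListParts reported above (boot sector MD5, boot signature, partition type, active flag, offset and size). The sample sector is constructed inline to mirror the layout in the ListParts log; its boot code bytes are placeholders, and the "hidden" flag is derived from the 0x27 type code, which is an assumption about how ListParts classifies that entry.

```python
import hashlib
import struct

# Constructed sample: a 512-byte MBR whose partition table mirrors the ListParts
# output above (hidden type 0x27 OEM partition, active 0x07 NTFS system
# partition, second 0x07 data partition). Boot code bytes are dummies.
def build_sample_mbr() -> bytes:
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 442  # 446 bytes
    # Each entry: status, type, first LBA sector, sector count (CHS fields zeroed)
    entries = [
        (0x00, 0x27, 2048, 3072000),         # 1500 MB at 1 MiB, inactive
        (0x80, 0x07, 3074048, 117440512),    # 56 GB at 1501 MB, active (bootable)
        (0x00, 0x07, 120514560, 115343360),  # 55 GB data partition
        (0x00, 0x00, 0, 0),                  # empty slot
    ]
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in entries)
    return boot_code + table + b"\x55\xAA"   # 446 + 64 + 2 = 512 bytes


def parse_mbr(sector: bytes) -> dict:
    """Report the MBR fields the two tools above print, from a raw sector."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = sector[510:512] == b"\x55\xAA"
    # Bootkit Remover's "Boot code found" is a signature check on real tools;
    # here we only flag an all-zero boot area, which means no boot code at all.
    boot_code_present = any(sector[:446])
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * i)
        if ptype == 0:
            continue  # unused table slot
        parts.append({
            "index": i + 1,
            "type": f"{ptype:02X}",
            "active": status == 0x80,
            "hidden": ptype == 0x27,  # assumption: hidden OEM/recovery type
            "offset_kb": lba * 512 // 1024,
            "size_mb": count * 512 // (1024 * 1024),
        })
    active_count = sum(p["active"] for p in parts)
    return {"md5": hashlib.md5(sector).hexdigest(),
            "signature_ok": signature_ok,
            "boot_code_present": boot_code_present,
            "single_active": active_count == 1,  # exactly one bootable entry
            "partitions": parts}
```

Comparing the MD5 of the live sector against one taken from a known-clean image, and checking that the 0x55AA signature and a single active partition are still present, is the same kind of baseline check the log above performs.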

#13 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:37 AM

Posted 29 January 2012 - 02:52 PM

So far all looks clean.

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If Eset doesn't find any threats it'll NOT produce any log.



#14 UnderProblems

UnderProblems
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 30 January 2012 - 01:49 PM

OK, I used TFC and I'm using ESET after the reboot. Also, some .tmp file asks for permission to continue every time I turn on my computer; I'm not sure about the name but it says 'Google.inc' somewhere on it. I never click accept and always decline. As well as that, MBAM always says 'Stopped potentially dangerous process going out to Skype.exe/firefox.exe' or something along those lines. However, I disabled my antivirus and I'm in the process of running ESET Online Scanner. Also, thank you for all your help!

#15 UnderProblems

UnderProblems
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:37 AM

Posted 30 January 2012 - 04:24 PM

OK, I used ESET Online Scanner and it found nothing. http://gyazo.com/9711ca0187b64258e7d1d1bc55e0e0ed
That's a screenshot of the results. I didn't uninstall it, I simply closed it.



