Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

windows software protection


  • This topic is locked This topic is locked
2 replies to this topic

#1 ncbobb

ncbobb

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 27 March 2012 - 08:11 PM

I have a Vista machine that suddenly will not logon to desktop. It boots up and displays logins. When you login you get a box that says "Windows software protection" an unauthorized change was made to windows. Choices are close or more information. When you click more information a browser window opens and you are taken to www.microsoft.com with some stuff about windows validation. But nothing helpful. If you close the box the computer goes back to the login window. I can start in safe mode. Ran several virus scans with malwarebytes. Removed a few things. However no more viruses are detected. I still get the unauthorized box when booting normally. I can boot with safe mode.
Here is the dds log FWIW.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.6000.17037
Run by Becks_Admin at 17:43:54 on 2012-03-27
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1982.1587 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Desktop.exe
C:\Windows\Explorer.EXE
c:\program files\teamviewer\version6\TeamViewer.exe
C:\Program Files\TeamViewer\Version6\tv_w32.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.wildblue.net
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2012\bdagent.exe"
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBFADcASwBQAC0ANwBaAFYAWgBSAC0ARgBLAFAAWQBBAC0AMgBVAFIAWABCAC0AUwBOAEMANwBOAA"&"inst=NwA2AC0ANQAxADMAMAAxADMAOQA5ADgALQBVADkAMAArADEALQBYAE8AMwA2ACsAMQAtAFQAQgA5ACsAMgAtAE4AMQBEACsAMQAtAFAATAArADkALQBEAEQAVAArADMAOQA4ADQANwAtAEQARAA5ADAAKwAxAC0AUwBUADkAMABBAFAAUAArADEALQBQADkAMABNADEAMgBDACsAMQAtAFAAOQBVACsAMQAtAFUAOQA1ACsAMQAtAFQAQgArADEALQBQADkAUgArADEA"&"prod=92"&"ver=9.0.894
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\programdata\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker9\BPGame.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
Trusted Zone: vectorvest.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
TCP: DhcpNameServer = 75.104.160.61
TCP: Interfaces\{367E070F-7F19-471D-842F-40EC29AFDFF9} : DhcpNameServer = 75.104.160.61
AppInit_DLLs: AVGRSSTX.DLL c:\progra~1\google\google~2\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\becks_admin\appdata\roaming\mozilla\firefox\profiles\dnb1ssqz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wildblue.net/
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-6-1 2345848]
R3 avchv;avchv Function Driver;c:\windows\system32\drivers\avchv.sys [2011-12-14 240184]
S0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2012-2-3 609984]
S1 BDVEDISK;BDVEDISK;c:\windows\system32\drivers\bdvedisk.sys [2010-1-19 85128]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-30 135664]
S2 UPDATESRV;BitDefender Desktop Update Service;c:\program files\bitdefender\bitdefender 2012\updatesrv.exe [2012-1-2 50128]
S3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2012-3-17 447208]
S3 bdsandbox;bdsandbox;c:\windows\system32\drivers\bdsandbox.sys [2012-2-3 63056]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-20 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-30 135664]
S3 Update Server;BitDefender Update Server v2;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2011-10-14 307544]
.
=============== Created Last 30 ================
.
2012-03-27 16:54:36 -------- d-----w- c:\users\becks_admin\appdata\roaming\Malwarebytes
2012-03-27 16:54:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-27 16:54:20 -------- d-----w- c:\programdata\Malwarebytes
2012-03-27 16:54:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-27 13:22:55 -------- d-----w- c:\programdata\BDLogging
2012-03-17 07:00:11 447208 ----a-w- c:\windows\system32\drivers\avckf.sys
.
==================== Find3M ====================
.
2012-03-27 19:34:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-17 06:59:15 609984 ----a-w- c:\windows\system32\drivers\avc3.sys
2012-02-03 15:55:37 63056 ----a-w- c:\windows\system32\drivers\bdsandbox.sys
2012-01-02 21:46:40 360976 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
.
============= FINISH: 17:44:45.61 ===============

BC AdBot (Login to Remove)

 


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:28 PM

Posted 31 March 2012 - 10:35 AM

Hi there,

This may not be a virus issue. However, since you ran some scans and they "Removed a few things" I'd just like to see those scan logs. Could you please find your scan logs and post them here?

Thanks,

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:28 PM

Posted 14 April 2012 - 12:17 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users