
Computer restarting, possible rootkit


  • This topic is locked
3 replies to this topic

#1 canuckerfan

  • Members

Posted 03 August 2012 - 08:15 AM

Hello,

So I've been given a computer and it's in pretty rough shape. I was able to remove some viruses using Microsoft Security Essentials and everything seemed fine at first. But then a pop-up appeared shortly after booting up that says "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now". I tried the "shutdown -a" command, but it didn't help. I also tried booting into Safe Mode without networking and the message still came. I tried a Kaspersky recovery disk scan, and although it did remove some trojans, the restart message is still coming. I've googled just about everything and I have no idea how to get rid of this pesky thing. Any ideas?



#2 canuckerfan

  • Topic Starter
  • Members

Posted 03 August 2012 - 05:14 PM

So I did a scan with FRST on the infected computer and here's the log:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 03-08-2012 15:11:08
Running from F:\
Windows Vista ™ Home Basic (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

================================ Services (Whitelisted) ==================

3 BrYNSvc; "C:\Program Files\Browny02\BrYNSvc.exe" [245760 2010-01-25] (Brother Industries, Ltd.)
2 btwdins; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [440872 2008-04-23] (Broadcom Corporation.)
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
2 PDFProFiltSrvPP; C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-08] (Nuance Communications, Inc.)
2 PSI_SVC_2; "C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [185632 2007-07-24] (Protexis Inc.)

========================== Drivers (Whitelisted) =============

3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-07] ()
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [47360 2010-03-18] (VSO Software)
3 PID_PEPI; C:\Windows\System32\DRIVERS\LV302V32.SYS [2687512 2009-04-30] (Logitech Inc.)
1 DritekPortIO; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-03 14:06 - 2012-08-03 14:07 - 00000000 ____D C:\Users\nisha basra\Desktop\New Folder
2012-08-02 22:35 - 2012-08-02 22:35 - 00001417 ____A C:\Users\nisha basra\Desktop\shutdown -a - Shortcut.lnk
2012-08-02 21:43 - 2012-08-02 21:43 - 00000165 ___AH C:\Users\nisha basra\Desktop\~$Invoice.xlsx
2012-08-02 21:09 - 2012-08-02 21:10 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-02 21:07 - 2012-08-02 21:07 - 00000000 ____D C:\Users\nisha basra\AppData\Local\Macromedia
2012-08-02 21:04 - 2012-08-02 22:48 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-02 21:04 - 2012-08-02 21:04 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-02 20:15 - 2012-08-02 20:15 - 00000910 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-21 17:32 - 2012-07-25 11:24 - 00000000 ____D C:\Users\nisha basra\Documents\professional communication
2012-07-17 17:51 - 2012-07-17 17:51 - 00128944 ____A C:\Users\nisha basra\Documents\PN_s_role_in_Infection_Control.pptx


============ 3 Months Modified Files ========================

2012-08-03 14:06 - 2012-04-09 10:02 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-03 14:06 - 2009-09-20 17:17 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-03 14:06 - 2006-11-02 04:45 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-03 14:06 - 2006-11-02 04:45 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-03 14:05 - 2011-09-09 08:35 - 00004935 ____A C:\Windows\setupact.log
2012-08-03 14:05 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-03 05:51 - 2006-11-02 04:58 - 00032598 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-02 22:53 - 2012-04-21 21:10 - 00001356 ____A C:\Users\nisha basra\AppData\Local\d3d9caps.dat
2012-08-02 22:48 - 2012-08-02 21:04 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-02 22:35 - 2012-08-02 22:35 - 00001417 ____A C:\Users\nisha basra\Desktop\shutdown -a - Shortcut.lnk
2012-08-02 21:43 - 2012-08-02 21:43 - 00000165 ___AH C:\Users\nisha basra\Desktop\~$Invoice.xlsx
2012-08-02 21:17 - 2012-04-09 10:02 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-02 21:14 - 2009-04-25 14:21 - 00002627 ____A C:\Users\nisha basra\Desktop\Microsoft Office Word 2007.lnk
2012-08-02 21:10 - 2011-02-10 10:35 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-02 21:10 - 2009-04-25 14:50 - 01149982 ____A C:\Windows\WindowsUpdate.log
2012-08-02 21:10 - 2006-11-02 02:33 - 00710590 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-02 21:04 - 2012-08-02 21:04 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-02 21:04 - 2011-12-11 09:05 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-02 21:03 - 2011-08-28 18:18 - 00095924 ____A C:\Windows\PFRO.log
2012-08-02 20:15 - 2012-08-02 20:15 - 00000910 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-23 19:33 - 2012-03-20 19:21 - 00024726 ____A C:\Users\nisha basra\Desktop\Invoice.xlsx
2012-07-17 17:51 - 2012-07-17 17:51 - 00128944 ____A C:\Users\nisha basra\Documents\PN_s_role_in_Infection_Control.pptx
2012-07-12 17:16 - 2012-04-09 10:03 - 00001975 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-07-03 12:46 - 2011-08-26 12:36 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-26 19:41 - 2006-11-02 04:44 - 00436584 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-26 18:55 - 2011-08-23 17:54 - 00102864 ____A C:\Users\nisha basra\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-26 18:53 - 2012-06-26 18:53 - 00001774 ____A C:\Users\Public\Desktop\Pageburst.lnk
2012-06-26 18:50 - 2012-06-26 18:50 - 89536608 ____A (Ingram Digital ) C:\Users\nisha basra\Documents\saunders drug guide.exe
2012-06-21 18:49 - 2010-03-18 23:32 - 00000060 ____A C:\Users\nisha basra\AppData\Roaming\Printer.ini
2012-06-12 18:07 - 2006-11-02 02:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-04 16:12 - 2012-06-04 16:12 - 00000307 ____A C:\Users\nisha basra\Documents\Computer - Shortcut.lnk
2012-06-02 14:19 - 2012-06-18 20:31 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-18 20:31 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-18 20:31 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-18 20:31 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-18 20:31 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-18 20:30 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:12 - 2012-06-18 20:31 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-18 20:31 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-18 20:30 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-31 11:25 - 2010-01-30 09:58 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-05-29 18:50 - 2009-09-02 17:21 - 00000952 __ASH C:\Users\All Users\KGyGaAvL.sys
2012-05-17 15:11 - 2012-06-12 18:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 14:48 - 2012-06-12 18:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 14:45 - 2012-06-12 18:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 14:36 - 2012-06-12 18:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 14:35 - 2012-06-12 18:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 14:35 - 2012-06-12 18:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 14:33 - 2012-06-12 18:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 14:31 - 2012-06-12 18:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 14:29 - 2012-06-12 18:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 14:29 - 2012-06-12 18:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 14:27 - 2012-06-12 18:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 14:25 - 2012-06-12 18:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 14:24 - 2012-06-12 18:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 14:20 - 2012-06-12 18:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-15 11:51 - 2012-06-12 16:37 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-14 18:40 - 2012-05-14 18:40 - 03597902 ____A C:\Users\nisha basra\Documents\Attachments_2012_05_14.zip
2012-05-12 07:02 - 2012-04-25 09:14 - 00443856 ____A C:\Users\nisha basra\Documents\final vih-2.pptx

ZeroAccess:
C:\Windows\Installer\{774ce546-913e-ad41-1571-6fa1576fdb19}
C:\Windows\Installer\{774ce546-913e-ad41-1571-6fa1576fdb19}\@
C:\Windows\Installer\{774ce546-913e-ad41-1571-6fa1576fdb19}\L
C:\Windows\Installer\{774ce546-913e-ad41-1571-6fa1576fdb19}\U
C:\Windows\Installer\{774ce546-913e-ad41-1571-6fa1576fdb19}\U\00000001.@

ZeroAccess:
C:\Users\nisha basra\AppData\Local\{774ce546-913e-ad41-1571-6fa1576fdb19}
C:\Users\nisha basra\AppData\Local\{774ce546-913e-ad41-1571-6fa1576fdb19}\@
C:\Users\nisha basra\AppData\Local\{774ce546-913e-ad41-1571-6fa1576fdb19}\L
C:\Users\nisha basra\AppData\Local\{774ce546-913e-ad41-1571-6fa1576fdb19}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe C5488EA6408AD0C3CC3E3CB876CBBED4 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 1979.4 MB
Available physical RAM: 1712.98 MB
Total Pagefile: 1913.29 MB
Available Pagefile: 1780.77 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:111.44 GB) (Free:27.73 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:111.44 GB) (Free:109.69 GB) NTFS
4 Drive f: (NEW VOLUME) (Removable) (Total:14.92 GB) (Free:14.92 GB) FAT32
5 Drive x: (PQSERVICE) (Fixed) (Total:10 GB) (Free:1.34 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 619 KB
Disk 1 Online 15 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 32 KB
Partition 2 Primary 111 GB 10 GB
Partition 3 Primary 111 GB 121 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 X PQSERVICE NTFS Partition 10 GB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C ACER NTFS Partition 111 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D DATA NTFS Partition 111 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 15 GB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F NEW VOLUME FAT32 Removable 15 GB Healthy

==================================================================================

==========================================================

Last Boot: 2012-08-02 21:10

======================= End Of Log ==========================
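As an added example (not part of the original thread, and not FRST's own code), the following Python script reproduces the two checks that flagged this machine in the log above: GUID-named directories under Windows\Installer and the user's AppData\Local that contain the `@` file and the `L` and `U` subdirectories ZeroAccess used, and an MD5 comparison of services.exe against a known-good reference, printed in the same "ZeroAccess:" / "ATTENTION" style. The directory layout it scans is constructed in a temporary folder to mirror the paths in the log (not a real infected disk); the `SCAN_ROOTS` list, the `scan`, `build_fixlist` and `check_system_binary` helper names and the all-zero placeholder reference hash are the example's own assumptions. It is meant to be run against an offline-mounted volume, for the same reason CatByte has the fix run from System Recovery Options: the check should not run under a kernel the rootkit may have hooked. The reference hash must come from a trusted copy of services.exe for the same OS build, never from the suspect file itself.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# ZeroAccess (2012 variants) parked its payload in a GUID-named directory under
# C:\Windows\Installer and the user's AppData\Local, holding a file "@" plus
# subdirectories "L" and "U". The three names together are the indicator FRST
# flagged in the log; a GUID-named folder on its own is normal (MSI cache).
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)
MARKERS = {"@", "L", "U"}

# Locations to inspect, relative to the mounted volume root (assumed layout;
# the user name is taken from the log above).
SCAN_ROOTS = ("Windows/Installer", "Users/nisha basra/AppData/Local")

# Placeholder only: replace with the MD5 of services.exe from trusted media.
KNOWN_GOOD_SERVICES_MD5 = "0" * 32


def find_zeroaccess_dirs(parent):
    """Return GUID-named directories directly under parent that hold all three markers."""
    parent = Path(parent)
    if not parent.is_dir():
        return []
    hits = []
    for entry in sorted(parent.iterdir()):
        if entry.is_dir() and GUID_DIR.match(entry.name):
            if MARKERS <= {child.name for child in entry.iterdir()}:
                hits.append(entry)
    return hits


def scan(volume_root):
    """Run the directory check over every root in SCAN_ROOTS."""
    hits = []
    for rel in SCAN_ROOTS:
        hits.extend(find_zeroaccess_dirs(Path(volume_root) / rel))
    return hits


def md5_file(path):
    """Streamed MD5, uppercase hex as FRST prints it."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def check_system_binary(path, known_good_md5):
    """FRST-style 'MD5 is legit' test. Returns (is_legit, actual_md5)."""
    actual = md5_file(path)
    return actual == known_good_md5.upper(), actual


def build_fixlist(hits):
    """Emit the start/end list FRST consumes as fixlist.txt (paths only; nothing is deleted here)."""
    return "\n".join(["start", *(str(h) for h in hits), "end"])


def build_sample_tree():
    """Constructed layout mirroring the log above; not a real infected disk."""
    base = Path(tempfile.mkdtemp(prefix="za_demo_"))
    guid = "{774ce546-913e-ad41-1571-6fa1576fdb19}"
    for rel in SCAN_ROOTS:
        d = base / rel / guid
        (d / "L").mkdir(parents=True)
        (d / "U").mkdir()
        (d / "@").write_bytes(b"\x00" * 16)
    # Benign MSI cache entry: GUID name but no @/L/U markers; must not be flagged.
    (base / "Windows/Installer/{11111111-2222-3333-4444-555555555555}").mkdir()
    (base / "Windows/System32").mkdir(parents=True)
    (base / "Windows/System32/services.exe").write_bytes(b"MZ placeholder services.exe")
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    found = scan(root)
    for d in found:
        print("ZeroAccess:", d)
    svc = root / "Windows/System32/services.exe"
    legit, actual = check_system_binary(svc, KNOWN_GOOD_SERVICES_MD5)
    print("services.exe", actual, "MD5 is legit" if legit else "<==== ATTENTION!")
    print(build_fixlist(found))
```

Point `scan()` at the root of a mounted image (for example the drive letter the suspect volume gets inside the recovery environment) instead of the constructed tree; the benign GUID directory in the sample is there to show that the marker set, not the GUID name alone, is what the check keys on.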

#3 CatByte

    bleepin' tiger

  • Malware Response Team

Posted 04 August 2012 - 12:18 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{774ce546-913e-ad41-1571-6fa1576fdb19}
C:\Users\nisha basra\AppData\Local\{774ce546-913e-ad41-1571-6fa1576fdb19}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

  • While you are still booted into System Recovery Options run FRST.

    Type the following in the edit box after "Search:" so it looks like this:

    Search: services.exe

    Click Search button and post the log it makes to your reply.


Reboot Normally.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 CatByte

    bleepin' tiger

  • Malware Response Team

Posted 10 August 2012 - 03:18 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
