You are my last hope, computer gods


  • This topic is locked
19 replies to this topic

#1 Ghostface

  • Members
  • 9 posts

Posted 05 March 2013 - 10:47 AM

Hey guys!

 

I consider myself relatively computer literate and have survived several viruses without needing to ask for help, but I believe this is the end of the line! 

 

Basically I think I have that annoying Java virus that has been going around recently as Avast picked it up several times and I removed it. Now I may still have it or by removing it I have done damage to Windows. 

 

My computer freezes on a black screen when I try to start it normally and I can only get it to work by using Safe Mode. Windows Installer is also broken, and when I try to run a boot-time scan in Avast my computer restarts once it has scanned a certain file. 

 

Update: Just ran the Farbar recovery tool and it gave me the following warnings:

C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!

C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!

 

So yeah..... multiple problems for me. Java is a real ball buster. Can anyone help? 




#2 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 06 March 2013 - 07:12 AM

Greetings Ghostface and welcome to the Forums,

 

Your description sounds more like a ZeroAccess rootkit infection...can you tell us what you did to remove whatever you have removed so far?

Also, please let us know if you have the capability of reinstalling Windows...that is, do you have the installation media handy? It would also be good if you could provide us with the DDS and Attach.txt logs. Thanks!


Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 Ghostface

  • Topic Starter
  • Members
  • 9 posts

Posted 06 March 2013 - 10:26 AM

Hey thanks!
 
I just followed Avast's advice and removed the virus, which was labelled as a Java Trojan. I also did the same in Malwarebytes. This seems to have done my computer more harm than good, so I'm assuming it's either not fully gone yet or I removed something important. 

I can reinstall Windows if need be. 

When running HijackThis, I received the following message: For some reason your system denied access to the hosts file. 
 
I've attached a bunch of logs. Thanks again!

Logs posted by Oh My!

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.17.2
Run by Jimmy at 15:19:23 on 2013-03-06
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.764.111 [GMT 0:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\eMachines\eMachines Recovery Management\NotificationCenter\Notification.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&m=e627&r=273603130315l0364z175r4812339n
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&m=e627&r=273603130315l0364z175r4812339n
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&m=e627&r=273603130315l0364z175r4812339n
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&m=e627&r=273603130315l0364z175r4812339n
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{DD2CB0AB-039A-451A-A5CB-6F8F8043469D} : DHCPNameServer = 192.168.1.1 192.168.1.1
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.152\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&m=e627&r=273603130315l0364z175r4812339n
x64-mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&m=e627&r=273603130315l0364z175r4812339n
x64-BHO: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner64.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
x64-Run: [Acer ePower Management] C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-03-06 15:03:21 9162192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E02840D4-CF8A-4795-A0F0-32DBBCA774C8}\mpengine.dll
2013-03-06 15:03:20 273840 ------w- C:\Windows\System32\MpSigStub.exe
2013-03-06 14:50:18 -------- d-s---w- C:\Windows\SysWow64\Microsoft
2013-03-06 13:59:24 184832 ----a-w- C:\Windows\System32\drivers\usbvideo.sys
2013-03-06 13:59:21 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2013-03-06 13:37:55 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-03-06 13:37:53 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-03-06 13:36:21 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-06 13:21:35 -------- d-----w- C:\Users\Jimmy\AppData\Roaming\Malwarebytes
2013-03-06 13:19:34 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-03-06 13:19:32 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-03-06 13:19:10 -------- d-----w- C:\Users\Jimmy\AppData\Local\Programs
2013-03-06 11:34:11 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-03-06 11:33:35 -------- d-----w- C:\Users\Jimmy\AppData\Local\Apps
2013-03-06 11:33:30 -------- d-----w- C:\Users\Jimmy\AppData\Local\Deployment
2013-03-06 11:33:25 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-03-06 11:32:37 36864 ----a-w- C:\Windows\System32\wuapp.exe
2013-03-06 11:32:37 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2013-03-05 23:21:30 -------- d-----w- C:\Users\Jimmy\AppData\Local\Google
2013-03-05 20:28:05 -------- d-----r- C:\Backup
2013-03-05 20:13:37 -------- d-sh--w- C:\found.001
2013-03-05 20:07:41 34872 ----a-w- C:\Windows\System32\drivers\usbfilter.sys
2013-03-05 20:07:41 -------- d-----w- C:\Program Files (x86)\AMD
2013-03-05 20:05:05 -------- d-----w- C:\Program Files\ATI
2013-03-05 20:05:01 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2013-03-05 11:48:30 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2013-03-05 11:48:30 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2013-03-05 11:47:16 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2013-03-05 11:45:41 -------- d-----w- C:\Program Files (x86)\Microsoft
2013-03-05 11:45:07 -------- d-----w- C:\Program Files (x86)\Windows Live SkyDrive
2013-03-05 11:43:19 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\a17183921ce1996\DXSETUP.exe
2013-03-05 11:43:19 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\a17183921ce1996\dsetup32.dll
2013-03-05 11:43:18 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\a17183921ce1996\DSETUP.dll
2013-03-05 11:42:17 140066664 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\wlcFA65.tmp
2013-03-05 11:41:49 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2013-03-05 11:41:26 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B6C86095-1DCE-479D-8328-306D0B9780AE}\offreg.dll
2013-03-05 11:39:31 -------- d-----w- C:\Windows\SysWow64\Atheros_L1e
2013-03-05 11:38:12 -------- d-----w- C:\Program Files\Synaptics
2013-03-05 11:34:38 -------- d-----w- C:\Users\Jimmy\AppData\Local\ATI
2013-03-05 11:31:56 -------- d-----w- C:\Users\Jimmy\AppData\Local\VirtualStore
2013-03-05 11:30:40 9162192 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B6C86095-1DCE-479D-8328-306D0B9780AE}\mpengine.dll
2013-03-05 11:30:25 -------- d-----w- C:\Program Files (x86)\OEM
2013-03-04 14:10:48 -------- d-----w- C:\FRST
2013-03-02 15:31:00 -------- d-----w- C:\ProgramData\Malwarebytes
2013-02-08 11:15:56 -------- d-----w- C:\ProgramData\Condusiv Technologies
.
==================== Find3M ====================
.
2013-03-05 20:08:03 6 ----a-w- C:\Windows\System32\PLD_Framework.cmd
.
============= FINISH: 15:21:48.01 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 05/03/2013 11:29:18
System Uptime: 06/03/2013 14:51:19 (1 hours ago)
.
Motherboard: eMachines | | eMachines E627
Processor: AMD Athlon™ Processor TF-20 | Socket S1G1 | 800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 137 GiB total, 62.994 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 05/03/2013 11:38:49 - Installed Atheros Communications Inc.® AR81Family Gigabit/Fastsýë
RP2: 05/03/2013 11:47:31 - Installed DirectX
RP3: 06/03/2013 11:29:55 - Windows Update
RP4: 06/03/2013 12:03:23 - avast! Free Antivirus Setup
RP5: 06/03/2013 13:26:22 - Installed Java 7 Update 17
RP6: 06/03/2013 13:56:42 - Windows Update
.
==== Installed Programs ======================
.
2007 Microsoft Office Suite Service Pack 2 (SP2)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1 MUI
AMD USB Filter Driver
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
ATI Catalyst Install Manager
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Choice Guard
Compatibility Pack for the 2007 Office system
eBay Worldwide
eMachines Games
eMachines Power Management
eMachines Recovery Management
eMachines Registration
eMachines ScreenSaver
eMachines Updater
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Identity Card
Java 7 Update 17
Java Auto Updater
Junk Mail filter update
Launch Manager
Malwarebytes Anti-Malware version 1.70.0.1100
Microsoft Application Error Reporting
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Works
MSVCRT
Norton Online Backup
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Script Editor Help (KB963671)
Welcome Center
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
.
==== End Of File ===========================

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:01:52, on 06/03/2013
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Jimmy\Downloads\HijackThis.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&m=e627&r=273603130315l0364z175r4812339n
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&m=e627&r=273603130315l0364z175r4812339n
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&m=e627&r=273603130315l0364z175r4812339n
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0809&m=e627&r=273603130315l0364z175r4812339n
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\Partner.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8895 bytes

Edited by Oh My, 11 March 2013 - 10:34 AM.


#4 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 06 March 2013 - 04:13 PM

HijackThis will always render that message in Vista or Windows 7 if you fail to right-click and select "Run as administrator". Let's see a ComboFix scan log now, please:

Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.
...of those, many people overlook the Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled (Microsoft Security Essentials users can disregard the Windows Defender disable instruction since while MSE is installed, Windows Defender is disabled already by default).

Please download ComboFix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.



The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.  It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
 

  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running....that may cause the scan to stall.

 

 


Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
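Two things in this thread lend themselves to a quick defender-side check: the three files FRST reported as missing in post #1 (services.exe, winlogon.exe, volsnap.sys, the classic footprint of the ZeroAccess-style infection 1972vet suspects in post #2), and the "denied access to the hosts file" message that HijackThis gives when it is not run as administrator (post #4). The script below is an added example written for this edit; it is not from any of the posters and not part of FRST, HijackThis or ComboFix. It assumes Windows 7 x64 with the stock PowerShell 2.0, started as the 64-bit host from an elevated prompt (a 32-bit host would see WoW64 file redirection instead of the real System32). The function names, the file list and the OK/SUSPECT/MISSING labels are this example's own choices.

```powershell
# Added example (not from the thread or its tools). Assumes Windows 7 x64, PowerShell 2.0,
# 64-bit host, run as administrator. File list = the paths FRST flagged as missing in post #1.

function Test-IsElevated {
    # HijackThis reports "denied access to the hosts file" when not run as administrator;
    # any script that wants to write to the hosts file has the same requirement.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-HostsWritable {
    # Open the hosts file for read/write; failure here reproduces the HijackThis symptom.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    try {
        $stream = [System.IO.File]::Open($hosts, 'Open', 'ReadWrite')
        $stream.Close()
        return $true
    } catch {
        return $false
    }
}

function Test-CriticalSystemFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Status = 'MISSING'; Signer = '' }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    # A valid Microsoft signature is the expected state for a Windows binary. Anything else
    # (NotSigned, HashMismatch, a non-Microsoft signer) is a prompt to compare the file with a
    # known-good copy, e.g. "sfc /verifyfile=<path>", not a verdict on its own.
    if ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*') {
        $status = 'OK'
    } else {
        $status = 'SUSPECT (' + $sig.Status + ')'
    }
    New-Object PSObject -Property @{ Path = $Path; Status = $status; Signer = $signer }
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: re-run from an administrator PowerShell (right-click, Run as administrator).'
}
Write-Host ('hosts file writable: ' + (Test-HostsWritable))

$critical = @(
    (Join-Path $env:SystemRoot 'System32\services.exe'),
    (Join-Path $env:SystemRoot 'System32\winlogon.exe'),
    (Join-Path $env:SystemRoot 'System32\drivers\volsnap.sys')
)
$critical | ForEach-Object { Test-CriticalSystemFile -Path $_ } |
    Select-Object Path, Status, Signer | Format-Table -AutoSize
```

One caveat on the signature check: PowerShell 2.0 on Windows 7 does not consult the Windows catalog, so a genuine catalog-signed system file can come back as NotSigned and be labelled SUSPECT. Treat SUSPECT as "verify with sfc /verifyfile or against a hash from clean installation media", and treat MISSING as the hard signal, which is exactly what FRST reported here. The script reads files and opens the hosts file without modifying anything, so it is safe to run on a machine that is still being diagnosed.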


#5 Ghostface

  • Topic Starter
  • Members
  • 9 posts

Posted 07 March 2013 - 03:22 AM

Hi, thank you for your help. Here is the ComboFix log attached. You'll notice it says that Avast Antivirus was running, but it actually was not, as I followed the instructions posted earlier to disable it. 

 

My computer often turns off and shows a blue screen during a scan, saying some critical data has been edited. I left Combofix running over night and when I woke up the computer had restarted so if this isn't the complete scan log that is probably what happened. 

 

Edit: I just ran a second scan and ComboFix said "can't write C://32788R22FWJFW/Wnircmd.3xe" before the computer shut down again.

 

 

 ComboFix 13-03-05.01 - Jimmy 06/03/2013  23:41:24.1.1 - x64

Microsoft Windows 7 Home Premium   6.1.7600.0.1252.2.1033.18.764.166 [GMT 0:00]
Running from: c:\users\Jimmy\Downloads\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-06 to 2013-03-06  )))))))))))))))))))))))))))))))
.
.
2013-03-07 00:15 . 2013-03-07 00:15 -------- d-----w- c:\program files\DIFX
2013-03-07 00:15 . 2013-03-07 00:15 -------- dc----w- c:\windows\system32\DRVSTORE
2013-03-07 00:15 . 2009-04-03 11:39 34872 ----a-w- c:\windows\system32\drivers\usbfilter.sys
2013-03-07 00:15 . 2013-03-07 00:15 -------- d-----w- c:\program files (x86)\AMD
2013-03-07 00:12 . 2013-03-07 00:12 -------- d-----w- c:\program files\ATI
2013-03-07 00:12 . 2013-03-07 00:14 -------- d-----w- c:\program files (x86)\ATI Technologies
2013-03-07 00:12 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0F326BBD-CEC1-4A59-B8F7-B374BF225F69}\mpengine.dll
2013-03-06 23:50 . 2013-03-06 23:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-06 23:07 . 2013-03-06 23:07 -------- d-----w- c:\program files (x86)\SoulseekNS
2013-03-06 20:52 . 2013-02-28 08:36 33472 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-03-06 20:52 . 2013-02-28 08:36 377992 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-03-06 20:52 . 2013-02-28 08:36 71064 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-03-06 20:52 . 2013-02-28 08:36 68992 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-03-06 20:52 . 2013-02-28 08:36 1025880 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-06 20:52 . 2013-02-28 08:36 177672 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-06 20:52 . 2013-02-28 08:36 65408 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-06 20:52 . 2013-02-28 08:36 80888 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-03-06 20:52 . 2013-02-28 08:35 287840 ----a-w- c:\windows\system32\aswBoot.exe
2013-03-06 20:50 . 2013-02-28 08:36 41664 ----a-w- c:\windows\avastSS.scr
2013-03-06 20:49 . 2013-03-06 20:49 -------- d-----w- c:\program files\AVAST Software
2013-03-06 20:39 . 2012-02-15 06:27 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2013-03-06 20:39 . 2012-02-15 05:44 826368 ----a-w- c:\windows\SysWow64\rdpcore.dll
2013-03-06 20:39 . 2012-02-15 04:47 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2013-03-06 20:39 . 2012-02-15 04:46 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2013-03-06 20:03 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2013-03-06 20:03 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2013-03-06 20:03 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2013-03-06 20:03 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2013-03-06 20:03 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2013-03-06 20:03 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2013-03-06 20:03 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2013-03-06 20:02 . 2012-06-02 15:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2013-03-06 20:02 . 2012-06-02 15:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2013-03-06 19:37 . 2006-11-29 13:06 4398360 ----a-w- c:\windows\system32\d3dx9_32.dll
2013-03-06 19:37 . 2006-11-29 13:06 3426072 ----a-w- c:\windows\SysWow64\d3dx9_32.dll
2013-03-06 19:36 . 2013-03-06 19:36 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2013-03-06 19:34 . 2013-03-06 19:34 -------- d-----w- c:\program files (x86)\Microsoft
2013-03-06 19:34 . 2013-03-06 19:34 -------- d-----w- c:\program files (x86)\Windows Live SkyDrive
2013-03-06 19:33 . 2013-03-06 19:38 -------- d-----w- c:\program files (x86)\Windows Live
2013-03-06 19:31 . 2013-03-06 19:31 -------- d-----w- c:\program files (x86)\Common Files\Windows Live
2013-03-06 19:28 . 2013-03-06 19:28 -------- d-----w- c:\windows\SysWow64\Atheros_L1e
2013-03-06 19:27 . 2013-03-06 19:27 -------- d-----w- c:\program files\Synaptics
2013-03-06 19:22 . 2013-03-06 19:22 -------- d-----w- c:\program files (x86)\OEM
2013-03-06 19:22 . 2013-03-06 19:22 -------- d-----w- c:\users\Public\eMachines
2013-03-06 19:21 . 2013-03-06 19:24 -------- d-----w- c:\users\Jimmy
2013-03-06 19:21 . 2013-03-06 19:21 -------- d-----w- C:\Recovery
2013-03-05 20:28 . 2013-03-05 23:26 -------- d-----r- C:\Backup
2013-03-05 20:13 . 2013-03-05 20:13 -------- d-----w- C:\found.001
2013-03-04 14:10 . 2013-03-05 10:44 -------- d-----w- C:\FRST
2013-03-02 15:31 . 2013-03-02 15:31 -------- d-----w- c:\programdata\Malwarebytes
2013-02-08 11:15 . 2013-02-08 11:15 -------- d-----w- c:\programdata\Condusiv Technologies
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-07 00:16 . 2009-08-22 01:59 6 ----a-w- c:\windows\system32\PLD_Framework.cmd
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2009-08-22 02:23 433648 ----a-w- c:\programdata\Partner\Partner.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-22 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-07-27 1157128]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-24 588648]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-02-28 4767304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-06-18 50432]
R3 Partner Service;Partner Service;c:\programdata\Partner\Partner.exe [2009-08-22 332272]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
S0 aswRvrt;aswRvrt; [x]
S0 aswVmm;aswVmm; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-29 203264]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-02-28 80888]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-08-06 844320]
S2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [2009-06-04 1150496]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-06-18 144640]
S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2009-07-04 240160]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [2009-07-27 58880]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-04-03 34872]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-06 20:09 1630672 ----a-w- c:\program files (x86)\Google\Chrome\Application\25.0.1364.152\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-03-06 20:03]
.
2013-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-03-06 20:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2009-08-22 02:23 750064 ----a-w- c:\programdata\Partner\Partner64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-02-28 08:35 133840 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-17 19:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-17 19:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-17 19:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-17 19:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-28 7982112]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-08-06 828960]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=1009&m=e627&r=273603130315l0364z175r4812339n
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=1009&m=e627&r=273603130315l0364z175r4812339n
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=1009&m=e627&r=273603130315l0364z175r4812339n
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-06  23:55:30
ComboFix-quarantined-files.txt  2013-03-06 23:55
.
Pre-Run: 69,385,826,304 bytes free
Post-Run: 69,324,906,496 bytes free
.
- - End Of File - - E95BAD2C465CC2201723781703CE0EFF

Edited by Ghostface, 07 March 2013 - 03:47 AM.


#6 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 07 March 2013 - 09:14 AM

Tell me please, can you provide the scan logs that Avast produced, wherein the software quarantined some file(s) that it complained of? Also, do you have access to another computer to use while we work on the affected system? It may be that Avast has removed something that Windows needs, infected or not, and restoring something that it removed may be necessary...we shall see. Let's first take a look at those logs before we decide how to proceed next. Thanks!




#7 Ghostface

  • Topic Starter
  • Members
  • 9 posts

Posted 07 March 2013 - 09:58 AM

Yes, I have access to another computer. Unfortunately I can't access the Malwarebytes or Avast logs because I reinstalled both after they stopped working. 



#8 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 07 March 2013 - 10:35 AM

Ok, then in that case, let's put everything else aside for now, and check the integrity of that system's critical files.

Click Start-->All Programs-->Accessories-->Command Prompt.
Right-click on Command Prompt. On the pop-up right-click context menu, select “Run as Administrator”...then type or copy and paste the following at the command prompt:
SFC /scannow
...and press the Enter key. You will see Beginning system scan. This process will take some time.

The progress will display in the command window showing the percentage of completion. Please be patient and wait for the scan to complete. Upon completion, ideally, the output will show:
Windows Resource Protection did not find any integrity violations.
Please post back your results. Thanks!




#9 Ghostface

  • Topic Starter
  • Members
  • 9 posts

Posted 08 March 2013 - 10:30 AM

Yup, that's the message I received!

 

Shortly before my computer restarted with a blue screen again.....



#10 Ghostface

  • Topic Starter
  • Members
  • 9 posts

Posted 08 March 2013 - 10:47 AM

More info:

Problem signature:
  Problem Event Name: BlueScreen
  OS Version: 6.1.7600.2.0.0.768.3
  Locale ID: 4105
 
Additional information about the problem:
  BCCode: 109
  BCP1: A3A039D892933B17
  BCP2: B3B7465EE5117755
  BCP3: 00000000C0000082
  BCP4: 0000000000000007
  OS Version: 6_1_7600
  Service Pack: 0_0
  Product: 768_1
 
Files that help describe the problem:
  C:\Windows\Minidump\030813-31168-01.dmp
  C:\Users\Jimmy\AppData\Local\Temp\WER-599683-0.sysdata.xml


#11 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 08 March 2013 - 01:18 PM

My Request

"...Please post back your results. Thanks!"



Your reply

"Yup, that's the message I received!

Shortly before my computer restarted with a blue screen again....."

...I must be missing something. There seems to be a disconnect between my request and your reply. You said, "Yup..." as though you are answering someone's question which required a yes or no answer. Is this posting meant for me? Were you perhaps chatting with someone on some messenger service and maybe posted it here instead?

Anyway, please let me know how the requested scan went for you. If YOU are having blue screen issues, I could look into that for you too but I hesitate to address it since the information you posted does seem to apply to someone else that you may have been talking with. Please advise.



#12 Ghostface

  • Topic Starter
  • Members
  • 9 posts

Posted 08 March 2013 - 03:05 PM

I was referring to you saying "Upon completion, ideally, the output will show:
Windows Resource Protection did not find any integrity violations."

That is the message and the only output I received.

My two main issues are the constant shutdown of my computer due to a blue screen and the inability to use Windows Installer.


Edited by Ghostface, 09 March 2013 - 05:54 AM.


#13 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 09 March 2013 - 08:32 AM

I see now, thank you for that explanation. I'd like to determine if we can identify unsigned drivers which may be troublesome for that system.

Not all of them are, and many well-known authored programs will contain unsigned drivers simply due to a "fiscal" issue that may concern that particular company or individual who authored the software (as this is a feature available to program developers for a fee). Along with this, a scan for malicious code will also be performed with this utility so...
Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application. Click the "Change parameters". Under Additional options, check the box next to "Verify Driver Digital Signature" and "Detect TDLFS file system" then click the OK button.
  • Click the Start scan button.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • You may be prompted to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file back here on your next reply.
  • ...otherwise, if a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". If this was the case, then we need to see that log.

...AND, if this results in another blue screen stop error message, write down exactly what appears at the bottom of your screen before you do a hard restart. Then, please try to reboot the system and see if you can enter safe mode (without networking). If you can enter safe mode, then try performing the above instructions for running this scan and post back the resulting log. Thanks, and good luck!


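An added example, not code from the thread or from 1972vet: one PowerShell script that covers the two checks requested in #8 and #13, reading the outcome of the SFC run out of CBS.log and listing driver services whose image file is missing or carries no valid Authenticode signature (the built-in counterpart of TDSSKiller's "Verify Driver Digital Signature" option). It is written for PowerShell 2.0 so it runs on Windows 7 from an elevated prompt; the function names, column names and match patterns are my own choices.

```powershell
# Added example (not code from the thread): PowerShell 2.0-compatible triage for Windows 7.
# Run from an elevated PowerShell prompt (Run as Administrator), as with "SFC /scannow".
# Function names, column names and the patterns below are my own, not from the thread.

function Get-SfcSummary {
    # SFC records its per-file verdicts in CBS.log with an "[SR]" tag. Lines containing
    # "Cannot repair" are the ones that need action; "Repairing" lines are files SFC fixed.
    param([string]$LogPath = (Join-Path $env:windir 'Logs\CBS\CBS.log'))
    if (-not (Test-Path -LiteralPath $LogPath)) {
        Write-Warning "CBS.log not found at $LogPath (has SFC been run on this system?)"
        return
    }
    $sr = @(Select-String -Path $LogPath -Pattern '\[SR\]' | ForEach-Object { $_.Line })
    New-Object PSObject -Property @{
        SrLines      = $sr.Count
        Unrepairable = @($sr | Where-Object { $_ -match 'Cannot repair' })
        Repaired     = @($sr | Where-Object { $_ -match 'Repairing' })
    }
}

function Get-DriverSignatureReport {
    # Enumerate every kernel driver service and check the Authenticode signature of its image.
    # Caveat: on Windows 7, Get-AuthenticodeSignature does not consult catalog (.cat) files,
    # so catalog-signed inbox Microsoft drivers can show as NotSigned; third-party drivers
    # with no embedded signature, and any MissingFile entry, are the ones worth a closer look.
    foreach ($drv in Get-WmiObject -Class Win32_SystemDriver) {
        $path = $drv.PathName
        $status = 'NoImagePath'          # service entry with no resolvable driver file
        if ($path) {
            # Service image paths are sometimes stored as \SystemRoot\... or \??\C:\...
            $path = $path -replace '^\\SystemRoot', $env:windir
            $path = $path -replace '^\\\?\?\\', ''
            if (Test-Path -LiteralPath $path) {
                $status = (Get-AuthenticodeSignature -FilePath $path).Status
            } else {
                $status = 'MissingFile'  # still configured to load, but the .sys is gone
            }
        }
        if ("$status" -ne 'Valid') {
            New-Object PSObject -Property @{
                Name = $drv.Name; State = $drv.State; StartMode = $drv.StartMode
                Path = $path; Signature = "$status"
            }
        }
    }
}

# Typical use: the SFC summary first, then the drivers that are missing or not validly signed.
Get-SfcSummary | Format-List
Get-DriverSignatureReport | Sort-Object Signature, Name |
    Format-Table Name, StartMode, State, Signature, Path -AutoSize
```

A MissingFile row is a driver service still set to load a .sys that no longer exists, which is exactly the kind of leftover a cleanup that deleted a file Windows needs would produce; a boot-start (StartMode Boot or System) entry in that state is the first thing to check against a known-good copy.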


#14 Ghostface

  • Topic Starter
  • Members
  • 9 posts

Posted 11 March 2013 - 04:19 AM

The results say no threat was found.

Basically what I think happened is I deleted the virus during a boot scan and it must have been attached to an important part of Windows and removed a file necessary for Windows to run efficiently.



#15 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 11 March 2013 - 04:26 AM

May I see the log please? I was interested in two things...infection results (which you've already satisfied) and the information regarding unsigned drivers (which should be detailed in the log). Thanks!

